NP with port range vs individual ports
## NP with port range
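---
# Namespace-wide egress lockdown with a single allowance: every pod in the
# namespace (empty podSelector) may only open TCP 2000-2005 towards
# 10.244.0.0/16 (presumably the cluster's pod CIDR — confirm). All other
# egress from those pods, DNS included, is dropped unless another policy in
# the namespace permits it. Ingress is untouched: policyTypes lists Egress only.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-egress
spec:
  # {} selects every pod in the namespace. A bare `podSelector:` parses to
  # YAML null, which the API server evidently accepted (the ACLs below were
  # generated), but the explicit empty selector states the intent.
  podSelector: {}
  policyTypes:
    - Egress
  egress:
    - to:
        - ipBlock:
            cidr: 10.244.0.0/16
      ports:
        - protocol: TCP
          # Inclusive range; OVN-Kubernetes renders it as a single ACL
          # matching `2000<=tcp.dst<=2005` (see the NBDB dump below).
          # endPort needs a CNI that supports it — one that does not may
          # honour only `port`, so verify the range in the dataplane.
          port: 2000
          endPort: 2005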
# created NP ACL
_uuid : 05eeee1f-1fcc-4aec-9882-5ed5702821ce
action : allow-related
direction : from-lport
external_ids : {direction=Egress, gress-index="0", ip-block-index="0", "k8s.ovn.org/id"="default-network-controller:NetworkPolicy:default:default-deny-egress:Egress:0:0:0", "k8s.ovn.org/name"="default:default-deny-egress", "k8s.ovn.org/owner-controller"=default-network-controller, "k8s.ovn.org/owner-type"=NetworkPolicy, port-policy-index="0"}
label : 0
log : false
match : "ip4.dst == 10.244.0.0/16 && tcp && 2000<=tcp.dst<=2005 && inport == @a4596619555129805579"
meter : acl-logging
name : "NP:default:default-deny-egress:Egress:0"
options : {apply-after-lb="true"}
priority : 1001
severity : []
# Logical flows in SBDB (2)
table=17(ls_in_acl_after_lb ), priority=2001 , match=(reg0[7] == 1 && (ip4.dst == 10.244.0.0/16 && tcp && 2000<=tcp.dst<=2005 && inport == @a4596619555129805579)), action=(reg0[1] = 1; next;)
table=17(ls_in_acl_after_lb ), priority=2001 , match=(reg0[8] == 1 && (ip4.dst == 10.244.0.0/16 && tcp && 2000<=tcp.dst<=2005 && inport == @a4596619555129805579)), action=(next;)
_uuid : f5924248-11e5-4945-8c50-0c0579f054b9
actions : "reg0[1] = 1; next;"
controller_meter : []
external_ids : {source="northd.c:6429", stage-hint="05eeee1f", stage-name=ls_in_acl_after_lb}
logical_datapath : e233833e-52d0-4126-bb95-a8860a233a63
logical_dp_group : []
match : "reg0[7] == 1 && (ip4.dst == 10.244.0.0/16 && tcp && 2000<=tcp.dst<=2005 && inport == @a4596619555129805579)"
pipeline : ingress
priority : 2001
table_id : 17
tags : {}
hash : 0
_uuid : 89cbd0b3-b3d6-4d97-b6f6-353f474d5c47
actions : "next;"
controller_meter : []
external_ids : {source="northd.c:6454", stage-hint="05eeee1f", stage-name=ls_in_acl_after_lb}
logical_datapath : e233833e-52d0-4126-bb95-a8860a233a63
logical_dp_group : []
match : "reg0[8] == 1 && (ip4.dst == 10.244.0.0/16 && tcp && 2000<=tcp.dst<=2005 && inport == @a4596619555129805579)"
pipeline : ingress
priority : 2001
table_id : 17
tags : {}
hash : 0
# OpenFlow Flows (10)
[root@ovn-worker ~]# ovs-ofctl dump-flows br-int | grep f5924248
cookie=0xf5924248, duration=203.806s, table=25, n_packets=0, n_bytes=0, idle_age=203, priority=2001,tcp,reg0=0x80/0x80,reg14=0x6,metadata=0x4,nw_dst=10.244.0.0/16,tp_dst=0x7d2/0xfffe actions=load:0x1->NXM_NX_XXREG0[97],resubmit(,26)
cookie=0xf5924248, duration=203.806s, table=25, n_packets=0, n_bytes=0, idle_age=203, priority=2001,tcp,reg0=0x80/0x80,reg14=0x6,metadata=0x4,nw_dst=10.244.0.0/16,tp_dst=2005 actions=load:0x1->NXM_NX_XXREG0[97],resubmit(,26)
cookie=0xf5924248, duration=203.806s, table=25, n_packets=0, n_bytes=0, idle_age=203, priority=2001,tcp,reg0=0x80/0x80,reg14=0x6,metadata=0x4,nw_dst=10.244.0.0/16,tp_dst=2000 actions=load:0x1->NXM_NX_XXREG0[97],resubmit(,26)
cookie=0xf5924248, duration=203.805s, table=25, n_packets=0, n_bytes=0, idle_age=203, priority=2001,tcp,reg0=0x80/0x80,reg14=0x6,metadata=0x4,nw_dst=10.244.0.0/16,tp_dst=2004 actions=load:0x1->NXM_NX_XXREG0[97],resubmit(,26)
cookie=0xf5924248, duration=203.805s, table=25, n_packets=0, n_bytes=0, idle_age=203, priority=2001,tcp,reg0=0x80/0x80,reg14=0x6,metadata=0x4,nw_dst=10.244.0.0/16,tp_dst=2001 actions=load:0x1->NXM_NX_XXREG0[97],resubmit(,26)
[root@ovn-worker ~]# ovs-ofctl dump-flows br-int | grep 89cbd0b3
cookie=0x89cbd0b3, duration=268.971s, table=25, n_packets=0, n_bytes=0, idle_age=268, priority=2001,tcp,reg0=0x100/0x100,reg14=0x6,metadata=0x4,nw_dst=10.244.0.0/16,tp_dst=2004 actions=resubmit(,26)
cookie=0x89cbd0b3, duration=268.971s, table=25, n_packets=0, n_bytes=0, idle_age=268, priority=2001,tcp,reg0=0x100/0x100,reg14=0x6,metadata=0x4,nw_dst=10.244.0.0/16,tp_dst=2000 actions=resubmit(,26)
cookie=0x89cbd0b3, duration=268.971s, table=25, n_packets=0, n_bytes=0, idle_age=268, priority=2001,tcp,reg0=0x100/0x100,reg14=0x6,metadata=0x4,nw_dst=10.244.0.0/16,tp_dst=2001 actions=resubmit(,26)
cookie=0x89cbd0b3, duration=268.971s, table=25, n_packets=0, n_bytes=0, idle_age=268, priority=2001,tcp,reg0=0x100/0x100,reg14=0x6,metadata=0x4,nw_dst=10.244.0.0/16,tp_dst=2005 actions=resubmit(,26)
cookie=0x89cbd0b3, duration=268.971s, table=25, n_packets=0, n_bytes=0, idle_age=268, priority=2001,tcp,reg0=0x100/0x100,reg14=0x6,metadata=0x4,nw_dst=10.244.0.0/16,tp_dst=0x7d2/0xfffe actions=resubmit(,26)
## NP with individual ports
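---
# Same port-range policy as in the section above (repeated here for
# comparison); the per-port variant is the `cat network_policy_many_ports.yml`
# output that follows. Every pod in the namespace may only open TCP 2000-2005
# towards 10.244.0.0/16 (presumably the cluster's pod CIDR — confirm); all
# other egress, DNS included, is dropped unless another policy permits it.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-egress
spec:
  # {} selects every pod in the namespace; a bare `podSelector:` parses to
  # YAML null. The explicit empty selector states the intent.
  podSelector: {}
  policyTypes:
    - Egress
  egress:
    - to:
        - ipBlock:
            cidr: 10.244.0.0/16
      ports:
        - protocol: TCP
          # Inclusive range 2000-2005. endPort needs a CNI that supports it —
          # one that does not may honour only `port`.
          port: 2000
          endPort: 2005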
[trozet@fedora ~]$ cat network_policy_many_ports.yml
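---
# Per-port spelling of the same rule: TCP 2000 through 2005 towards
# 10.244.0.0/16 (presumably the cluster's pod CIDR — confirm) from every pod
# in the namespace, listed as six individual ports instead of one endPort
# range. Semantically equivalent to the range form, but OVN-Kubernetes
# produces six ACLs (one `tcp.dst==N` match each) instead of one — see the
# NBDB/SBDB dumps below. All other egress, DNS included, is dropped unless
# another policy in the namespace permits it. Ingress is untouched.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-egress
spec:
  # {} selects every pod in the namespace; a bare `podSelector:` parses to
  # YAML null. The explicit empty selector states the intent.
  podSelector: {}
  policyTypes:
    - Egress
  egress:
    - to:
        - ipBlock:
            cidr: 10.244.0.0/16
      ports:
        - protocol: TCP
          port: 2000
        - protocol: TCP
          port: 2001
        - protocol: TCP
          port: 2002
        - protocol: TCP
          port: 2003
        - protocol: TCP
          port: 2004
        - protocol: TCP
          port: 2005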
# Created 6 NP ACLs in NBDB (only showing 2 in the output below)
_uuid : 5fa02ca1-2925-44ac-bf8e-bd5785b75b99
action : allow-related
direction : from-lport
external_ids : {direction=Egress, gress-index="0", ip-block-index="0", "k8s.ovn.org/id"="default-network-controller:NetworkPolicy:default:default-deny-egress:Egress:0:5:0", "k8s.ovn.org/name"="default:default-deny-egress", "k8s.ovn.org/owner-controller"=default-network-controller, "k8s.ovn.org/owner-type"=NetworkPolicy, port-policy-index="5"}
label : 0
log : false
match : "ip4.dst == 10.244.0.0/16 && tcp && tcp.dst==2005 && inport == @a4596619555129805579"
meter : acl-logging
name : "NP:default:default-deny-egress:Egress:0"
options : {apply-after-lb="true"}
priority : 1001
severity : []
_uuid : 923069ba-e8cc-4c9c-bc47-06ac0dc0c945
action : allow-related
direction : from-lport
external_ids : {direction=Egress, gress-index="0", ip-block-index="0", "k8s.ovn.org/id"="default-network-controller:NetworkPolicy:default:default-deny-egress:Egress:0:1:0", "k8s.ovn.org/name"="default:default-deny-egress", "k8s.ovn.org/owner-controller"=default-network-controller, "k8s.ovn.org/owner-type"=NetworkPolicy, port-policy-index="1"}
label : 0
log : false
match : "ip4.dst == 10.244.0.0/16 && tcp && tcp.dst==2001 && inport == @a4596619555129805579"
meter : acl-logging
name : "NP:default:default-deny-egress:Egress:0"
options : {apply-after-lb="true"}
priority : 1001
severity : []
# logical flows (SBDB) (12)
table=17(ls_in_acl_after_lb ), priority=2001 , match=(reg0[7] == 1 && (ip4.dst == 10.244.0.0/16 && tcp && tcp.dst==2000 && inport == @a4596619555129805579)), action=(reg0[1] = 1; next;)
table=17(ls_in_acl_after_lb ), priority=2001 , match=(reg0[7] == 1 && (ip4.dst == 10.244.0.0/16 && tcp && tcp.dst==2001 && inport == @a4596619555129805579)), action=(reg0[1] = 1; next;)
table=17(ls_in_acl_after_lb ), priority=2001 , match=(reg0[7] == 1 && (ip4.dst == 10.244.0.0/16 && tcp && tcp.dst==2002 && inport == @a4596619555129805579)), action=(reg0[1] = 1; next;)
table=17(ls_in_acl_after_lb ), priority=2001 , match=(reg0[7] == 1 && (ip4.dst == 10.244.0.0/16 && tcp && tcp.dst==2003 && inport == @a4596619555129805579)), action=(reg0[1] = 1; next;)
table=17(ls_in_acl_after_lb ), priority=2001 , match=(reg0[7] == 1 && (ip4.dst == 10.244.0.0/16 && tcp && tcp.dst==2004 && inport == @a4596619555129805579)), action=(reg0[1] = 1; next;)
table=17(ls_in_acl_after_lb ), priority=2001 , match=(reg0[7] == 1 && (ip4.dst == 10.244.0.0/16 && tcp && tcp.dst==2005 && inport == @a4596619555129805579)), action=(reg0[1] = 1; next;)
table=17(ls_in_acl_after_lb ), priority=2001 , match=(reg0[8] == 1 && (ip4.dst == 10.244.0.0/16 && tcp && tcp.dst==2000 && inport == @a4596619555129805579)), action=(next;)
table=17(ls_in_acl_after_lb ), priority=2001 , match=(reg0[8] == 1 && (ip4.dst == 10.244.0.0/16 && tcp && tcp.dst==2001 && inport == @a4596619555129805579)), action=(next;)
table=17(ls_in_acl_after_lb ), priority=2001 , match=(reg0[8] == 1 && (ip4.dst == 10.244.0.0/16 && tcp && tcp.dst==2002 && inport == @a4596619555129805579)), action=(next;)
table=17(ls_in_acl_after_lb ), priority=2001 , match=(reg0[8] == 1 && (ip4.dst == 10.244.0.0/16 && tcp && tcp.dst==2003 && inport == @a4596619555129805579)), action=(next;)
table=17(ls_in_acl_after_lb ), priority=2001 , match=(reg0[8] == 1 && (ip4.dst == 10.244.0.0/16 && tcp && tcp.dst==2004 && inport == @a4596619555129805579)), action=(next;)
table=17(ls_in_acl_after_lb ), priority=2001 , match=(reg0[8] == 1 && (ip4.dst == 10.244.0.0/16 && tcp && tcp.dst==2005 && inport == @a4596619555129805579)), action=(next;)
# OpenFlow Flows (12)
cookie=0xa8d875f0, duration=139.678s, table=25, n_packets=0, n_bytes=0, priority=2001,tcp,reg0=0x100/0x100,reg14=0x6,metadata=0x4,nw_dst=10.244.0.0/16,tp_dst=2000 actions=resubmit(,26)
cookie=0xb2ff3b50, duration=139.677s, table=25, n_packets=0, n_bytes=0, priority=2001,tcp,reg0=0x100/0x100,reg14=0x6,metadata=0x4,nw_dst=10.244.0.0/16,tp_dst=2003 actions=resubmit(,26)
cookie=0x770402da, duration=139.677s, table=25, n_packets=0, n_bytes=0, priority=2001,tcp,reg0=0x100/0x100,reg14=0x6,metadata=0x4,nw_dst=10.244.0.0/16,tp_dst=2005 actions=resubmit(,26)
cookie=0x2ac5696c, duration=139.677s, table=25, n_packets=0, n_bytes=0, priority=2001,tcp,reg0=0x100/0x100,reg14=0x6,metadata=0x4,nw_dst=10.244.0.0/16,tp_dst=2004 actions=resubmit(,26)
cookie=0x8c10f68f, duration=139.677s, table=25, n_packets=0, n_bytes=0, priority=2001,tcp,reg0=0x100/0x100,reg14=0x6,metadata=0x4,nw_dst=10.244.0.0/16,tp_dst=2001 actions=resubmit(,26)
cookie=0x458b5a7f, duration=139.677s, table=25, n_packets=0, n_bytes=0, priority=2001,tcp,reg0=0x100/0x100,reg14=0x6,metadata=0x4,nw_dst=10.244.0.0/16,tp_dst=2002 actions=resubmit(,26)
priority=2001,tcp,reg0=0x80/0x80,reg14=0x6,metadata=0x4,nw_dst=10.244.0.0/16,tp_dst=2001 actions=load:0x1->NXM_NX_XXREG0[97],resubmit(,26)
cookie=0x2dfe89d3, duration=139.677s, table=25, n_packets=0, n_bytes=0, priority=2001,tcp,reg0=0x80/0x80,reg14=0x6,metadata=0x4,nw_dst=10.244.0.0/16,tp_dst=2002 actions=load:0x1->NXM_NX_XXREG0[97],resubmit(,26)
cookie=0x3dfcbff7, duration=139.677s, table=25, n_packets=0, n_bytes=0, priority=2001,tcp,reg0=0x80/0x80,reg14=0x6,metadata=0x4,nw_dst=10.244.0.0/16,tp_dst=2000 actions=load:0x1->NXM_NX_XXREG0[97],resubmit(,26)
cookie=0xb23703a9, duration=139.677s, table=25, n_packets=0, n_bytes=0, priority=2001,tcp,reg0=0x80/0x80,reg14=0x6,metadata=0x4,nw_dst=10.244.0.0/16,tp_dst=2004 actions=load:0x1->NXM_NX_XXREG0[97],resubmit(,26)
cookie=0xc976141b, duration=139.677s, table=25, n_packets=0, n_bytes=0, priority=2001,tcp,reg0=0x80/0x80,reg14=0x6,metadata=0x4,nw_dst=10.244.0.0/16,tp_dst=2003 actions=load:0x1->NXM_NX_XXREG0[97],resubmit(,26)
cookie=0xae75df8f, duration=139.677s, table=25, n_packets=0, n_bytes=0, priority=2001,tcp,reg0=0x80/0x80,reg14=0x6,metadata=0x4,nw_dst=10.244.0.0/16,tp_dst=2005 actions=load:0x1->NXM_NX_XXREG0[97],resubmit(,26)