Bug 1952527 - [Multus] multi-networkpolicy does wrong filtering
Summary: [Multus] multi-networkpolicy does wrong filtering
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 4.8
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: ---
: 4.8.0
Assignee: Tomofumi Hayashi
QA Contact: Weibin Liang
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2021-04-22 13:40 UTC by Weibin Liang
Modified: 2021-07-27 23:03 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-07-27 23:02:56 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github openshift multus-networkpolicy pull 10 0 None open Bug 1952527: Add namespace check between pod and multi-networkpolicy 2021-04-27 13:55:17 UTC
Red Hat Product Errata RHSA-2021:2438 0 None None None 2021-07-27 23:03:12 UTC

Description Weibin Liang 2021-04-22 13:40:14 UTC 
Description of problem:


Version-Release number of selected component (if applicable):
4.8.0-0.nightly-2021-04-15-030836

How reproducible:
Sometimes

Steps to Reproduce:
1. In CNO set useMultiNetworkPolicy: true
2. Configure NAD and pods
3. Configure multinetwork policy with ipblock

spec:
    ingress:
    - from:
      - ipBlock:
          cidr: 192.168.10.8/29
      ports:
      - port: 8080
        protocol: TCP
    podSelector:
      matchLabels:
        name: blue-openshift
    policyTypes:
    - Ingress

Actual results:
*filter
:MULTI-INGRESS - [0:0]
:MULTI-EGRESS - [0:0]
:MULTI-0-INGRESS - [0:0]
:MULTI-0-INGRESS-0-PORTS - [0:0]
:MULTI-0-INGRESS-0-FROM - [0:0]
:MULTI-1-INGRESS - [0:0]
:MULTI-1-INGRESS-0-PORTS - [0:0]
:MULTI-1-INGRESS-0-FROM - [0:0]
-A MULTI-0-INGRESS -j MARK --set-xmark 0x0/0x30000
-A MULTI-0-INGRESS -j MULTI-0-INGRESS-0-PORTS
-A MULTI-0-INGRESS -j MULTI-0-INGRESS-0-FROM
-A MULTI-0-INGRESS -m mark --mark 0x30000/0x30000 -j RETURN
-A MULTI-0-INGRESS -j DROP
-A MULTI-INGRESS -m comment --comment "policy:ingress-allow-same-podselector-with-same-namespaceselector net-attach-def:project-c/macvlan-net4" -i net1 -j MULTI-1-INGRESS
-A MULTI-1-INGRESS -j MARK --set-xmark 0x0/0x30000
-A MULTI-1-INGRESS -j MULTI-1-INGRESS-0-PORTS
-A MULTI-1-INGRESS -j MULTI-1-INGRESS-0-FROM
-A MULTI-1-INGRESS -m mark --mark 0x30000/0x30000 -j RETURN
-A MULTI-1-INGRESS -j DROP
-A MULTI-0-INGRESS-0-PORTS -m comment --comment "no ingress ports, skipped" -j MARK --set-xmark 0x10000/0x10000
-A MULTI-1-INGRESS-0-PORTS -i net1 -m tcp -p tcp --dport 8080 -j MARK --set-xmark 0x10000/0x10000
-A MULTI-1-INGRESS-0-FROM -i net1 -s 192.168.10.8/29 -j MARK --set-xmark 0x20000/0x20000

Expected results:
multiNetworkpolicy should filter based on configured ipblock

Additional info:

Tomofumi Hayashi knew the issue and is working on his upstream PR
Comment 2 Tomofumi Hayashi 2021-04-24 14:18:36 UTC 
Upstream PR: https://github.com/k8snetworkplumbingwg/multi-networkpolicy-iptables/pull/10
Comment 4 Weibin Liang 2021-05-05 20:17:05 UTC 
Tested and verified in 4.8.0-0.nightly-2021-04-30-201824
Comment 7 errata-xmlrpc 2021-07-27 23:02:56 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.8.2 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:2438
Note You need to log in before you can comment on or make changes to this bug.