From 7c21e8fbe0bbedc46ecc32953b63b4433b0001d7 Mon Sep 17 00:00:00 2001
From: Nadia Pinaeva
Date: Fri, 23 Jun 2023 22:06:07 +0200
Subject: [PATCH] Fix acl sync to properly filter default deny acls.

ExternalIDs[defaultDenyPolicyTypeACLExtIdKey] is also used by multicast acls (despite the name), but multicast acl have different priorities. It was not a bug, because multicast acls are updated before default deny, therefore only default deny acls will match the criteria. This commit just makes the filtering more specific.

Signed-off-by: Nadia Pinaeva
---
 go-controller/pkg/ovn/external_ids_syncer/acl/acl_sync.go | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/go-controller/pkg/ovn/external_ids_syncer/acl/acl_sync.go b/go-controller/pkg/ovn/external_ids_syncer/acl/acl_sync.go
index 95053869ed9..ede4295e09f 100644
--- a/go-controller/pkg/ovn/external_ids_syncer/acl/acl_sync.go
+++ b/go-controller/pkg/ovn/external_ids_syncer/acl/acl_sync.go
@@ -91,7 +91,7 @@ func (syncer *aclSyncer) SyncACLs(existingNodes *v1.NodeList) error {
 	if err != nil {
 		return fmt.Errorf("failed to update stale default deny netpol ACLs: %w", err)
 	}
-	klog.Infof("Found %d stale default deny netpol ACLs", len(gressPolicyACLs))
+	klog.Infof("Found %d stale default deny netpol ACLs", len(defaultDenyACLs))
 	updatedACLs = append(updatedACLs, defaultDenyACLs...)
 	egressFirewallACLs := syncer.updateStaleEgressFirewallACLs(legacyACLs)
@@ -363,7 +363,10 @@ func (syncer *aclSyncer) updateStaleDefaultDenyNetpolACLs(legacyACLs []*nbdb.ACL
 	deleteOps []libovsdb.Operation, err error) {
 	for _, acl := range legacyACLs {
 		// sync default Deny policies
-		if acl.ExternalIDs[defaultDenyPolicyTypeACLExtIdKey] == "" {
+		// defaultDenyPolicyTypeACLExtIdKey ExternalID was used by default deny and multicast acls,
+		// but multicast acls have specific DefaultMcast priority, filter them out.
+		if acl.ExternalIDs[defaultDenyPolicyTypeACLExtIdKey] == "" || acl.Priority == types.DefaultMcastDenyPriority ||
+			acl.Priority == types.DefaultMcastAllowPriority {
 			// not default deny policy
 			continue
 		}
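Review bot: The new `if` excludes multicast ACLs purely by comparing against two priority constants rather than by anything that marks the ACL as multicast, so the filter silently depends on default-deny ACLs never being created with `DefaultMcastDenyPriority` or `DefaultMcastAllowPriority`; if that invariant holds it should be stated where the check lives, e.g. extend the added comment with `// default deny acls never use the DefaultMcast* priorities, so priority alone distinguishes them`. The comment also says "specific DefaultMcast priority" in the singular while the code checks two priorities, which is worth aligning. As a point of style, the condition is split across two lines in the middle of an `||` chain; a named predicate before the `if`, `isMcastPriority := acl.Priority == types.DefaultMcastDenyPriority || acl.Priority == types.DefaultMcastAllowPriority`, would keep the `if` on one line and make the intent readable without the comment. The enclosing function's signature starts before the hunk and its body continues after it.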