From 928deedf79564fafe1a8b88a880d0d141291acf6 Mon Sep 17 00:00:00 2001
From: Murali Reddy <muralimmreddy@gmail.com>
Date: Thu, 12 Oct 2017 12:54:17 +0530
Subject: [PATCH] Support CIDR in network policy ingress and egress rules

Fixes #144
---
 app/controllers/network_policy_controller.go | 70 ++++++++++++++++++++
 1 file changed, 70 insertions(+)

diff --git a/app/controllers/network_policy_controller.go b/app/controllers/network_policy_controller.go
index 8475a0a6..0dcd0a06 100644
--- a/app/controllers/network_policy_controller.go
+++ b/app/controllers/network_policy_controller.go
@@ -80,6 +80,7 @@ type ingressRule struct {
 	ports          []protocolAndPort
 	matchAllSource bool
 	srcPods        []podInfo
+	cidrs          []string
 }
 
 // internal structure to represent NetworkPolicyEgressRule in the spec
@@ -88,6 +89,7 @@ type egressRule struct {
 	ports                []protocolAndPort
 	matchAllDestinations bool
 	dstPods              []podInfo
+	cidrs                []string
 }
 
 type protocolAndPort struct {
@@ -399,6 +401,37 @@ func (npc *NetworkPolicyController) processIngressRules(policy networkPolicyInfo
 				return fmt.Errorf("Failed to run iptables command: %s", err.Error())
 			}
 		}
+
+		for _, cidr := range ingressRule.cidrs {
+			if !ingressRule.matchAllPorts {
+				for _, portProtocol := range ingressRule.ports {
+					comment := "rule to ACCEPT traffic from specified CIDR's to dest pods selected by policy name: " +
+						policy.name + " namespace " + policy.namespace
+					args := []string{"-m", "comment", "--comment", comment,
+						"-m", "set", "--set", targetDestPodIpSetName, "dst",
+						"-p", portProtocol.protocol,
+						"--dport", portProtocol.port,
+						"-s", cidr,
+						"-j", "ACCEPT"}
+					err := iptablesCmdHandler.AppendUnique("filter", policyChainName, args...)
+					if err != nil {
+						return fmt.Errorf("Failed to run iptables command: %s", err.Error())
+					}
+				}
+			}
+			if ingressRule.matchAllPorts {
+				comment := "rule to ACCEPT traffic from source pods to dest pods selected by policy name: " +
+					policy.name + " namespace " + policy.namespace
+				args := []string{"-m", "comment", "--comment", comment,
+					"-m", "set", "--set", targetDestPodIpSetName, "dst",
+					"-s", cidr,
+					"-j", "ACCEPT"}
+				err := iptablesCmdHandler.AppendUnique("filter", policyChainName, args...)
+				if err != nil {
+					return fmt.Errorf("Failed to run iptables command: %s", err.Error())
+				}
+			}
+		}
 	}
 
 	return nil
@@ -505,6 +538,37 @@ func (npc *NetworkPolicyController) processEgressRules(policy networkPolicyInfo,
 				return fmt.Errorf("Failed to run iptables command: %s", err.Error())
 			}
 		}
+
+		for _, cidr := range egressRule.cidrs {
+			if !egressRule.matchAllPorts {
+				for _, portProtocol := range egressRule.ports {
+					comment := "rule to ACCEPT traffic from specified CIDR's to dest pods selected by policy name: " +
+						policy.name + " namespace " + policy.namespace
+					args := []string{"-m", "comment", "--comment", comment,
+						"-m", "set", "--set", targetSourcePodIpSetName, "src",
+						"-p", portProtocol.protocol,
+						"--dport", portProtocol.port,
+						"-d", cidr,
+						"-j", "ACCEPT"}
+					err := iptablesCmdHandler.AppendUnique("filter", policyChainName, args...)
+					if err != nil {
+						return fmt.Errorf("Failed to run iptables command: %s", err.Error())
+					}
+				}
+			}
+			if egressRule.matchAllPorts {
+				comment := "rule to ACCEPT traffic from source pods to dest pods selected by policy name: " +
+					policy.name + " namespace " + policy.namespace
+				args := []string{"-m", "comment", "--comment", comment,
+					"-m", "set", "--set", targetSourcePodIpSetName, "src",
+					"-d", cidr,
+					"-j", "ACCEPT"}
+				err := iptablesCmdHandler.AppendUnique("filter", policyChainName, args...)
+				if err != nil {
+					return fmt.Errorf("Failed to run iptables command: %s", err.Error())
+				}
+			}
+		}
 	}
 
 	return nil
@@ -1001,6 +1065,7 @@ func buildNetworkPoliciesInfo() (*[]networkPolicyInfo, error) {
 			}
 
 			ingressRule.srcPods = make([]podInfo, 0)
+			ingressRule.cidrs = make([]string, 0)
 
 			// If this field is empty or missing in the spec, this rule matches all sources
 			if len(specIngressRule.From) == 0 {
@@ -1026,6 +1091,8 @@ func buildNetworkPoliciesInfo() (*[]networkPolicyInfo, error) {
 							}
 							matchingPods = append(matchingPods, namespacePods...)
 						}
+					} else if peer.IPBlock != nil {
+						ingressRule.cidrs = append(ingressRule.cidrs, peer.IPBlock.CIDR)
 					}
 					if err == nil {
 						for _, matchingPod := range matchingPods {
@@ -1059,6 +1126,7 @@ func buildNetworkPoliciesInfo() (*[]networkPolicyInfo, error) {
 			}
 
 			egressRule.dstPods = make([]podInfo, 0)
+			egressRule.cidrs = make([]string, 0)
 
 			// If this field is empty or missing in the spec, this rule matches all sources
 			if len(specEgressRule.To) == 0 {
@@ -1084,6 +1152,8 @@ func buildNetworkPoliciesInfo() (*[]networkPolicyInfo, error) {
 							}
 							matchingPods = append(matchingPods, namespacePods...)
 						}
+					} else if peer.IPBlock != nil {
+						egressRule.cidrs = append(egressRule.cidrs, peer.IPBlock.CIDR)
 					}
 					if err == nil {
 						for _, matchingPod := range matchingPods {