presztak (Collaborator)

This change adds support for prioritizing allow rules when the default policy for a network or interface is set to allow. By default, the policy is reject, so reject rules have higher priority.
To implement this, the original single port group was replaced with four separate port groups:

  • Ingress (allow-first)
  • Ingress (reject-first)
  • Egress (allow-first)
  • Egress (reject-first)

These groups store rules in the required order, allowing correct rule evaluation based on the default policy.

Fixes: #1833
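As an added illustration of the ordering described above (example code written for this page, not the project's own implementation, and using hypothetical simplified types), the snippet below models the four groups and shows how the same rule set yields different verdicts depending on whether the default policy is allow or reject. Grouping "drop" with "reject" for ordering is an assumption made here.

```go
package main

import (
	"fmt"
	"sort"
)

// Action is an ACL rule verdict. "drop" is grouped with reject for ordering
// purposes in this example (an assumption, not taken from the PR).
type Action string

const (
	ActionAllow  Action = "allow"
	ActionReject Action = "reject"
	ActionDrop   Action = "drop"
)

// Direction selects one of the two traffic directions the PR splits groups by.
type Direction string

const (
	Ingress Direction = "ingress"
	Egress  Direction = "egress"
)

// Rule is a simplified ACL rule (hypothetical type). Port 0 means "any port".
type Rule struct {
	Name   string
	Action Action
	Port   int
}

// Packet is the minimal flow key this toy evaluator matches on.
type Packet struct{ Port int }

func (r Rule) matches(p Packet) bool {
	return r.Port == 0 || r.Port == p.Port
}

// PortGroupName picks which of the four groups a rule set belongs in:
// allow-first only when the default policy is allow, reject-first otherwise.
func PortGroupName(dir Direction, defaultAction Action) string {
	if defaultAction == ActionAllow {
		return string(dir) + "-allow-first"
	}
	return string(dir) + "-reject-first"
}

// OrderRules returns a copy of rules in evaluation order for the given default
// policy. The stable sort keeps the author's relative order inside each bucket.
func OrderRules(rules []Rule, defaultAction Action) []Rule {
	out := make([]Rule, len(rules))
	copy(out, rules)
	allowFirst := defaultAction == ActionAllow
	isFirstBucket := func(r Rule) bool { return (r.Action == ActionAllow) == allowFirst }
	sort.SliceStable(out, func(i, j int) bool {
		return isFirstBucket(out[i]) && !isFirstBucket(out[j])
	})
	return out
}

// Evaluate applies first-match semantics over the ordered rules and falls
// back to the default policy; it also reports which rule decided.
func Evaluate(rules []Rule, defaultAction Action, p Packet) (Action, string) {
	for _, r := range OrderRules(rules, defaultAction) {
		if r.matches(p) {
			return r.Action, r.Name
		}
	}
	return defaultAction, "default"
}

func main() {
	// Constructed rule set: an allow for SSH plus a catch-all reject.
	rules := []Rule{
		{Name: "reject-all", Action: ActionReject, Port: 0},
		{Name: "allow-ssh", Action: ActionAllow, Port: 22},
	}
	for _, def := range []Action{ActionReject, ActionAllow} {
		verdict, by := Evaluate(rules, def, Packet{Port: 22})
		fmt.Printf("group=%s default=%s ssh -> %s (by %s)\n",
			PortGroupName(Ingress, def), def, verdict, by)
	}
}
```

The point the toy makes is that the rule text is identical in both runs; only the bucket order changes, so a reject-first evaluation lets the catch-all reject win over the SSH allow, while allow-first lets the allow win.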

@presztak presztak force-pushed the acl_allow_order branch 3 times, most recently from f4e0506 to d2316b7 August 11, 2025 09:15
@presztak presztak force-pushed the acl_allow_order branch 4 times, most recently from fd3a6dc to 03ca464 August 22, 2025 13:58
Signed-off-by: Piotr Resztak <piotr.resztak@futurfusion.io>
@presztak presztak marked this pull request as ready for review August 22, 2025 15:59
@presztak presztak requested a review from stgraber as a code owner August 22, 2025 15:59
Comment on lines 1386 to 1389

    ovnnb, _, err := s.OVN()
    if err != nil {
        return err
    }
Member

What happens when this runs on a system without configured OVS/OVN?

Collaborator Author

Yeah, it will fail with an error saying that it's unable to connect to OVN. So as a solution I'm instantiating ovnnb only if we find an OVN network.
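The failure mode raised in this thread, a host with no OVS/OVN configured, is worth seeing in code. The example below is added here and is not the project's code; it uses a hypothetical Network record, a stand-in OVNClient and an injected connector so it runs offline. It walks the networks and dials OVN at most once, and only if an OVN-typed network actually exists, so a bridge-only host never touches the northbound database.

```go
package main

import (
	"errors"
	"fmt"
)

// Network is a minimal stand-in for a managed network record (hypothetical).
type Network struct {
	Name string
	Type string // e.g. "bridge" or "ovn"
}

// OVNClient is a stand-in for the northbound client (hypothetical).
type OVNClient struct{ Connected bool }

// ErrOVNUnavailable models the connection failure seen on hosts without OVN.
var ErrOVNUnavailable = errors.New("unable to connect to OVN northbound database")

// Connector dials OVN; it is injected so the example can run without OVN.
type Connector func() (*OVNClient, error)

// ApplyACLs walks the networks and connects to OVN lazily: the client is
// created only when the first OVN network is encountered, and reused after.
// It returns how many OVN networks were processed.
func ApplyACLs(networks []Network, connect Connector) (int, error) {
	var ovnnb *OVNClient
	processed := 0
	for _, n := range networks {
		if n.Type != "ovn" {
			continue // non-OVN networks never need the OVN client
		}
		if ovnnb == nil {
			c, err := connect()
			if err != nil {
				return processed, fmt.Errorf("network %q: %w", n.Name, err)
			}
			ovnnb = c
		}
		// ACL programming for this network would go here.
		processed++
	}
	return processed, nil
}

func main() {
	// Constructed inventory: one bridge network and one OVN network.
	nets := []Network{{Name: "br0", Type: "bridge"}, {Name: "ovn0", Type: "ovn"}}
	failing := func() (*OVNClient, error) { return nil, ErrOVNUnavailable }

	n, err := ApplyACLs(nets[:1], failing)
	fmt.Println("bridge-only host:", n, err)
	n, err = ApplyACLs(nets, failing)
	fmt.Println("host with OVN network but no OVN service:", n, err)
}
```

The eager version (connect before looping) would fail on the bridge-only host even though no rule ever needed OVN; the lazy version only surfaces the connection error when an OVN network really has to be programmed.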

Signed-off-by: Piotr Resztak <piotr.resztak@futurfusion.io>
@stgraber stgraber merged commit acad839 into lxc:main Aug 28, 2025
36 checks passed
Successfully merging this pull request may close these issues.

ACL should apply allow first when default action is allow