From 74f0bafa0351a08e45bdb735302032ecb2494c9d Mon Sep 17 00:00:00 2001
From: Jacob Tanenbaum
Date: Tue, 27 Jun 2017 15:15:54 -0400
Subject: [PATCH] add the nodes local IP address to OVS rules
this change adds the nodes local IP address to the ovs rules when using egressnetworkpolicies to limit egress from the cluster. Adding the nodes local IP allows for dns resolution when dns is accessable on the node.
bug 1458849
changelog:
- changed the rules creation to SetupOVS()
- made both udp and tcp rules the same priority
---
 pkg/sdn/plugin/ovscontroller.go | 4 +++-
 pkg/sdn/plugin/ovscontroller_test.go | 2 +-
 pkg/sdn/plugin/sdn_controller.go | 2 +-
 3 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/pkg/sdn/plugin/ovscontroller.go b/pkg/sdn/plugin/ovscontroller.go
index 737b71119aa8..8ebd4e0adb41 100644
--- a/pkg/sdn/plugin/ovscontroller.go
+++ b/pkg/sdn/plugin/ovscontroller.go
@@ -60,7 +60,7 @@ func (oc *ovsController) AlreadySetUp() bool {
 return false
 }
 
-func (oc *ovsController) SetupOVS(clusterNetworkCIDR, serviceNetworkCIDR, localSubnetCIDR, localSubnetGateway string) error {
+func (oc *ovsController) SetupOVS(clusterNetworkCIDR, serviceNetworkCIDR, localSubnetCIDR, localSubnetGateway, nodeIP string) error {
 err := oc.ovs.AddBridge("fail-mode=secure", "protocols=OpenFlow13")
 if err != nil {
 return err
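Review bot: The new nodeIP parameter is spliced straight into OpenFlow match strings later in SetupOVS, yet the signature change adds no check that it is a non-empty, parseable address; an empty or malformed value yields a `nw_dst=` match that either fails at AddFlow time or matches nothing, so node-local DNS stays blocked without an obvious error. A guard at the top of the function, `if net.ParseIP(nodeIP) == nil { return fmt.Errorf("SetupOVS: invalid node IP %q", nodeIP) }`, keeps the failure explicit and next to its cause (this assumes `net` and `fmt` are already imported, which the hunk does not show). The parameter also deserves a line in the function's doc comment, e.g. `// nodeIP is this node's own address; DNS (tcp/udp 53) to it is always allowed from the egress-policy table.` SetupOVS's body continues past the end of this hunk.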
@@ -177,6 +177,8 @@ func (oc *ovsController) SetupOVS(clusterNetworkCIDR, serviceNetworkCIDR, localS
 // Table 100: egress network policy dispatch; edited by UpdateEgressNetworkPolicy()
 // eg, "table=100, reg0=${tenant_id}, priority=2, ip, nw_dst=${external_cidr}, actions=drop
 otx.AddFlow("table=100, priority=0, actions=output:2")
+ otx.AddFlow("table=100, priority=%d,tcp,tcp_dst=53,nw_dst=%s,actions=output:2", osapi.EgressNetworkPolicyMaxRules+1, nodeIP)
+ otx.AddFlow("table=100, priority=%d,udp,udp_dst=53,nw_dst=%s,actions=output:2", osapi.EgressNetworkPolicyMaxRules+1, nodeIP)
 
 // Table 110: outbound multicast filtering, updated by UpdateLocalMulticastFlows()
 // eg, "table=110, priority=100, reg0=${tenant_id}, actions=goto_table:111
diff --git a/pkg/sdn/plugin/ovscontroller_test.go b/pkg/sdn/plugin/ovscontroller_test.go
index a24c4a0037eb..2c17264ba78e 100644
--- a/pkg/sdn/plugin/ovscontroller_test.go
+++ b/pkg/sdn/plugin/ovscontroller_test.go
@@ -17,7 +17,7 @@ import (
 func setup(t *testing.T) (ovs.Interface, *ovsController, []string) {
 ovsif := ovs.NewFake(BR)
 oc := NewOVSController(ovsif, 0, true)
- err := oc.SetupOVS("10.128.0.0/14", "172.30.0.0/16", "10.128.0.0/23", "10.128.0.1")
+ err := oc.SetupOVS("10.128.0.0/14", "172.30.0.0/16", "10.128.0.0/23", "10.128.0.1", "172.17.0.4")
 if err != nil {
 t.Fatalf("Unexpected error setting up OVS: %v", err)
 }
diff --git a/pkg/sdn/plugin/sdn_controller.go b/pkg/sdn/plugin/sdn_controller.go
index 10a90aa42283..47c61018f87f 100644
--- a/pkg/sdn/plugin/sdn_controller.go
+++ b/pkg/sdn/plugin/sdn_controller.go
@@ -155,7 +155,7 @@ func (plugin *OsdnNode) SetupSDN() (bool, error) {
 }
 
 glog.V(5).Infof("[SDN setup] full SDN setup required")
- err = plugin.oc.SetupOVS(clusterNetworkCIDR, serviceNetworkCIDR, localSubnetCIDR, localSubnetGateway)
+ err = plugin.oc.SetupOVS(clusterNetworkCIDR, serviceNetworkCIDR, localSubnetCIDR, localSubnetGateway, plugin.localIP)
 if err != nil {
 return false, err
 }
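Review bot: The two added table-100 flows carry no `reg0` (tenant) match, so every pod on the node may reach TCP and UDP port 53 at nodeIP at a priority above any EgressNetworkPolicy rule; the bypass is unconditional, cannot be narrowed by policy, and applies to whatever is bound on port 53 at that address, not only a resolver. That is presumably the intent for node-local DNS, but it is a policy exception and should be stated beside the rules, e.g. `// Always allow DNS (tcp/udp 53) to the node IP, for every tenant, ahead of any egress policy rule so pods can use the node-local resolver.` Worth confirming (not visible in this hunk) that UpdateEgressNetworkPolicy() deletes only the flows matching a tenant's reg0 rather than flushing table 100, since a full flush would remove these flows on the first policy update.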
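Review bot: setup() still only asserts that SetupOVS returned no error; nothing in this hunk checks that the two DNS flows were actually installed in table 100 with `nw_dst=172.17.0.4` and the expected priority, so a typo in either flow string would only surface on a real switch (unless a later test in this file inspects the fake bridge's flows, which the hunk does not show). A test that dumps the fake's flows after setup and looks for the `tcp_dst=53` and `udp_dst=53` rules would pin the new behaviour. The rest of setup() and its callers lie outside this hunk.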
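Review bot: Passing plugin.localIP means the DNS carve-out covers exactly one node address; on a multi-homed node, or where the resolver pods actually use is reachable only via another node address, that traffic remains subject to egress policy, and the commit message's "when dns is accessible on the node" is broader than what is implemented. Where plugin.localIP is set and whether it can be empty at this point is not visible in the hunk; if it can be, SetupOVS receives an unusable value with no error here. A short comment at the call site, e.g. `// localIP is the only node address exempted from egress policy for DNS.`, would make the limitation explicit. SetupSDN continues outside this hunk.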