kubeovn / kube-ovn / 23678567073

26%

Build Type

push

github

Committed by web-flow

Commit Message

fix(controller): prevent invalid ACL generation for named ports and IPBlock except CIDRs (#6536)

* fix(controller): prevent invalid ACL generation for named ports and IPBlock except CIDRs

Fix three security-relevant bugs in NetworkPolicy ACL generation:

1. Named port not found in namedPortMap generates tcp.dst == 0 ACL instead
   of skipping (deny-all). This could allow unintended traffic on port 0.
2. Named port with EndPort range generates 0 <= tcp.dst <= N ACL due to
   IntVal being 0 for string-type ports. Now skipped with error log.
3. IPBlock except CIDRs not contained within the main CIDR are accepted
   without validation, producing semantically incorrect ACL rules. Now
   validated using util.CIDRContainsCIDR() and invalid excepts are skipped.

Signed-off-by: Mengxin Liu <liumengxinfly@gmail.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Signed-off-by: Mengxin Liu <liumengxinfly@gmail.com>

* fix(controller): improve log context for named port and IPBlock except warnings

Address Copilot review feedback: add pgName/direction context to named
port error logs for easier troubleshooting in multi-policy environments,
and separate CIDRContainsCIDR error from non-containment warning to
preserve the actual error message.

Signed-off-by: Mengxin Liu <liumengxinfly@gmail.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Signed-off-by: Mengxin Liu <liumengxinfly@gmail.com>

---------

Signed-off-by: Mengxin Liu <liumengxinfly@gmail.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Coverage Stats

28 of 36 new or added lines in 1 file covered. (77.78%)

2 existing lines in 1 file now uncovered.

13489 of 55696 relevant lines covered (24.22%)

0.28 hits per line