in cns/hnsclient/hnsclient_windows.go [378:491]
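// configureAclSettingHostNCApipaEndpoint builds the HNS endpoint ACL policies for the
// APIPA endpoint that links a network container (NC) to its host.
//
// Baseline rules: for every protocol in protocolList a default-deny pair is installed
// (outbound and inbound, priority aclPriority2000) scoped to networkContainerApipaIP.
// Only when the matching allow flag is set is a narrower allow rule (priority
// aclPriority1000) added that permits traffic between networkContainerApipaIP and
// hostApipaIP in that direction. The allow rules are intended to win over the deny
// rules; this relies on HNS giving precedence to the lower priority value (not
// verified here). An empty protocolList therefore produces no baseline rules at all,
// leaving the endpoint with only whatever ncRequestedPolicies supplies — callers are
// expected never to pass an empty list.
//
// Requested rules: every entry of ncRequestedPolicies whose Type equals aclPolicyType
// and whose EndpointType equals apipaEndpointType (both compared case-insensitively)
// has its raw JSON Settings decoded into an hcn.AclPolicySetting and appended after
// the baseline rules. The whole-field placeholders "{NetworkContainerIP}"
// (LocalAddresses) and "{HostApipaIP}" (RemoteAddresses) are replaced with the
// corresponding APIPA IPs; no substitution happens inside comma-separated lists.
// NOTE(review): requested policies are applied verbatim — Action, Direction, Priority
// and literal addresses are not validated — so a requested allow rule can widen the
// host-only baseline. This assumes the NC goal state is a trusted control-plane input.
//
// Returns the accumulated policies in insertion order. On any error from
// addAclToEndpointPolicy, or when a requested policy's Settings cannot be decoded,
// it returns a nil slice and the error.
func configureAclSettingHostNCApipaEndpoint(
	protocolList []string,
	networkContainerApipaIP string,
	hostApipaIP string,
	allowNCToHostCommunication bool,
	allowHostToNCCommunication bool,
	ncRequestedPolicies []cns.NetworkContainerRequestPolicies) ([]hcn.EndpointPolicy, error) {
	var endpointPolicies []hcn.EndpointPolicy

	if allowNCToHostCommunication {
		logger.Printf("[Azure CNS] Allowing NC (%s) to Host (%s) connectivity", networkContainerApipaIP, hostApipaIP)
	}
	if allowHostToNCCommunication {
		logger.Printf("[Azure CNS] Allowing Host (%s) to NC (%s) connectivity", hostApipaIP, networkContainerApipaIP)
	}

	// Default-deny plus host-only allow, once per protocol.
	for _, protocol := range protocolList {
		if err := appendBaselineApipaAcls(protocol, networkContainerApipaIP, hostApipaIP,
			allowNCToHostCommunication, allowHostToNCCommunication, &endpointPolicies); err != nil {
			return nil, err
		}
	}

	// Ranging over a nil slice is a no-op, so no explicit nil check is needed.
	for _, requestedPolicy := range ncRequestedPolicies {
		// Only ACL policies targeted at the APIPA endpoint are honored here.
		if !strings.EqualFold(requestedPolicy.Type, aclPolicyType) ||
			!strings.EqualFold(requestedPolicy.EndpointType, apipaEndpointType) {
			continue
		}
		if err := appendRequestedApipaAcl(requestedPolicy, networkContainerApipaIP, hostApipaIP, &endpointPolicies); err != nil {
			return nil, err
		}
	}

	return endpointPolicies, nil
}

// appendBaselineApipaAcls appends, for a single protocol, the outbound deny rule, the
// optional outbound host-only allow, the inbound deny rule and the optional inbound
// host-only allow — in that order — to endpointPolicies. Deny rules use
// aclPriority2000 and allow rules aclPriority1000 so the allow is meant to take
// precedence. Returns the first error from addAclToEndpointPolicy.
func appendBaselineApipaAcls(
	protocol string,
	networkContainerApipaIP string,
	hostApipaIP string,
	allowNCToHostCommunication bool,
	allowHostToNCCommunication bool,
	endpointPolicies *[]hcn.EndpointPolicy) error {
	// Block all outbound traffic from the container's APIPA IP.
	outBlockAll := hcn.AclPolicySetting{
		Protocols:      protocol,
		Action:         hcn.ActionTypeBlock,
		Direction:      hcn.DirectionTypeOut,
		LocalAddresses: networkContainerApipaIP,
		RuleType:       hcn.RuleTypeSwitch,
		Priority:       aclPriority2000,
	}
	if err := addAclToEndpointPolicy(outBlockAll, endpointPolicies); err != nil {
		return err
	}

	if allowNCToHostCommunication {
		// Permit outbound traffic from the container's APIPA IP to the host's APIPA IP only.
		outAllowToHostOnly := hcn.AclPolicySetting{
			Protocols:       protocol,
			Action:          hcn.ActionTypeAllow,
			Direction:       hcn.DirectionTypeOut,
			LocalAddresses:  networkContainerApipaIP,
			RemoteAddresses: hostApipaIP,
			RuleType:        hcn.RuleTypeSwitch,
			Priority:        aclPriority1000,
		}
		if err := addAclToEndpointPolicy(outAllowToHostOnly, endpointPolicies); err != nil {
			return err
		}
	}

	// Block all inbound traffic to the container's APIPA IP.
	inBlockAll := hcn.AclPolicySetting{
		Protocols:      protocol,
		Action:         hcn.ActionTypeBlock,
		Direction:      hcn.DirectionTypeIn,
		LocalAddresses: networkContainerApipaIP,
		RuleType:       hcn.RuleTypeSwitch,
		Priority:       aclPriority2000,
	}
	if err := addAclToEndpointPolicy(inBlockAll, endpointPolicies); err != nil {
		return err
	}

	if allowHostToNCCommunication {
		// Permit inbound traffic from the host's APIPA IP to the container's APIPA IP only.
		inAllowFromHostOnly := hcn.AclPolicySetting{
			Protocols:       protocol,
			Action:          hcn.ActionTypeAllow,
			Direction:       hcn.DirectionTypeIn,
			LocalAddresses:  networkContainerApipaIP,
			RemoteAddresses: hostApipaIP,
			RuleType:        hcn.RuleTypeSwitch,
			Priority:        aclPriority1000,
		}
		if err := addAclToEndpointPolicy(inAllowFromHostOnly, endpointPolicies); err != nil {
			return err
		}
	}
	return nil
}

// appendRequestedApipaAcl decodes one goal-state ACL policy's raw JSON Settings,
// resolves the "{NetworkContainerIP}" / "{HostApipaIP}" placeholders (whole-field,
// case-insensitive match) and appends the result to endpointPolicies. The decoded
// policy is logged before it is applied. No further validation of the rule's
// Action, Direction, Priority or addresses is performed.
func appendRequestedApipaAcl(
	requestedPolicy cns.NetworkContainerRequestPolicies,
	networkContainerApipaIP string,
	hostApipaIP string,
	endpointPolicies *[]hcn.EndpointPolicy) error {
	var requestedAclPolicy hcn.AclPolicySetting
	if err := json.Unmarshal(requestedPolicy.Settings, &requestedAclPolicy); err != nil {
		// %s renders the raw JSON legibly (the original %+v of the byte slice printed
		// a list of numbers); %w keeps the decode error inspectable with errors.Is/As.
		return fmt.Errorf("failed to unmarshal requested ACL policy %s: %w", requestedPolicy.Settings, err)
	}

	// "{NetworkContainerIP}" stands for the container's APIPA IP.
	if strings.EqualFold(requestedAclPolicy.LocalAddresses, "{NetworkContainerIP}") {
		requestedAclPolicy.LocalAddresses = networkContainerApipaIP
	}
	// "{HostApipaIP}" stands for the host's APIPA IP.
	if strings.EqualFold(requestedAclPolicy.RemoteAddresses, "{HostApipaIP}") {
		requestedAclPolicy.RemoteAddresses = hostApipaIP
	}

	logger.Printf("ACL Policy requested in NcGoalState %+v", requestedAclPolicy)
	return addAclToEndpointPolicy(requestedAclPolicy, endpointPolicies)
}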