func configureAclSettingHostNCApipaEndpoint()

in cns/hnsclient/hnsclient_windows.go [378:491]


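// configureAclSettingHostNCApipaEndpoint builds the HCN endpoint ACL policies for the
// host <-> network container APIPA endpoint.
//
// For every protocol in protocolList it emits a default-deny pair (block all outbound
// from and all inbound to networkContainerApipaIP at aclPriority2000) and, when the
// corresponding flag is set, a narrower allow rule at aclPriority1000 that permits
// traffic only between networkContainerApipaIP and hostApipaIP. Every entry of
// ncRequestedPolicies whose Type is aclPolicyType and EndpointType is apipaEndpointType
// is then decoded as an hcn.AclPolicySetting, has its {NetworkContainerIP} and
// {HostApipaIP} placeholders substituted, and is appended as-is.
//
// NOTE(review): requested policies are not validated here — Action, Priority and the
// address fields are taken verbatim from the goal state. Under the priority scheme this
// function itself relies on (the allow rules at 1000 take precedence over the blocks at
// 2000, i.e. a numerically lower Priority wins) a requested policy can widen the
// endpoint beyond the host-only allow rules; the goal-state producer is the trust
// boundary for that.
//
// It returns the accumulated policies, or the first error reported by
// addAclToEndpointPolicy or by decoding a requested policy's Settings.
func configureAclSettingHostNCApipaEndpoint(
	protocolList []string,
	networkContainerApipaIP string,
	hostApipaIP string,
	allowNCToHostCommunication bool,
	allowHostToNCCommunication bool,
	ncRequestedPolicies []cns.NetworkContainerRequestPolicies) ([]hcn.EndpointPolicy, error) {
	var endpointPolicies []hcn.EndpointPolicy

	if allowNCToHostCommunication {
		logger.Printf("[Azure CNS] Allowing NC (%s) to Host (%s) connectivity", networkContainerApipaIP, hostApipaIP)
	}
	if allowHostToNCCommunication {
		logger.Printf("[Azure CNS] Allowing Host (%s) to NC (%s) connectivity", hostApipaIP, networkContainerApipaIP)
	}

	// Default-deny plus optional host-only allow, per protocol.
	for _, protocol := range protocolList {
		if err := addDefaultHostNCApipaAcls(protocol, networkContainerApipaIP, hostApipaIP,
			allowNCToHostCommunication, allowHostToNCCommunication, &endpointPolicies); err != nil {
			return nil, err
		}
	}

	// Goal-state supplied ACLs are appended after the defaults.
	if err := addRequestedApipaAcls(ncRequestedPolicies, networkContainerApipaIP, hostApipaIP, &endpointPolicies); err != nil {
		return nil, err
	}

	return endpointPolicies, nil
}

// addDefaultHostNCApipaAcls appends, for a single protocol, the block-all rule for each
// direction and — where that direction is enabled — the host-only allow rule that takes
// precedence over it. Policies are appended in the order: out block, out allow,
// in block, in allow.
func addDefaultHostNCApipaAcls(
	protocol string,
	networkContainerApipaIP string,
	hostApipaIP string,
	allowNCToHostCommunication bool,
	allowHostToNCCommunication bool,
	endpointPolicies *[]hcn.EndpointPolicy) error {
	directions := []struct {
		direction hcn.DirectionType
		allowed   bool
	}{
		// Outbound = NC -> host; inbound = host -> NC.
		{hcn.DirectionTypeOut, allowNCToHostCommunication},
		{hcn.DirectionTypeIn, allowHostToNCCommunication},
	}

	for _, d := range directions {
		// Block all traffic for this protocol/direction from/to the container's APIPA IP.
		blockAll := hcn.AclPolicySetting{
			Protocols:      protocol,
			Action:         hcn.ActionTypeBlock,
			Direction:      d.direction,
			LocalAddresses: networkContainerApipaIP,
			RuleType:       hcn.RuleTypeSwitch,
			Priority:       aclPriority2000,
		}
		if err := addAclToEndpointPolicy(blockAll, endpointPolicies); err != nil {
			return err
		}

		if !d.allowed {
			continue
		}

		// Allow only container APIPA IP <-> host APIPA IP; the lower priority value
		// makes this rule win over the block-all rule above.
		allowHostOnly := hcn.AclPolicySetting{
			Protocols:       protocol,
			Action:          hcn.ActionTypeAllow,
			Direction:       d.direction,
			LocalAddresses:  networkContainerApipaIP,
			RemoteAddresses: hostApipaIP,
			RuleType:        hcn.RuleTypeSwitch,
			Priority:        aclPriority1000,
		}
		if err := addAclToEndpointPolicy(allowHostOnly, endpointPolicies); err != nil {
			return err
		}
	}
	return nil
}

// addRequestedApipaAcls appends the goal-state policies whose Type is aclPolicyType and
// EndpointType is apipaEndpointType, after substituting the {NetworkContainerIP} and
// {HostApipaIP} placeholders. Entries of any other type are skipped.
func addRequestedApipaAcls(
	ncRequestedPolicies []cns.NetworkContainerRequestPolicies,
	networkContainerApipaIP string,
	hostApipaIP string,
	endpointPolicies *[]hcn.EndpointPolicy) error {
	for _, requestedPolicy := range ncRequestedPolicies {
		if !strings.EqualFold(requestedPolicy.Type, aclPolicyType) ||
			!strings.EqualFold(requestedPolicy.EndpointType, apipaEndpointType) {
			continue
		}

		var requestedAclPolicy hcn.AclPolicySetting
		if err := json.Unmarshal(requestedPolicy.Settings, &requestedAclPolicy); err != nil {
			// %s renders the raw JSON text; %+v on the byte slice would print its numeric bytes.
			return fmt.Errorf("unmarshaling requested ACL policy %s: %v", requestedPolicy.Settings, err)
		}

		// Placeholders let the goal state refer to addresses that are only known here.
		if strings.EqualFold(requestedAclPolicy.LocalAddresses, "{NetworkContainerIP}") {
			requestedAclPolicy.LocalAddresses = networkContainerApipaIP
		}
		if strings.EqualFold(requestedAclPolicy.RemoteAddresses, "{HostApipaIP}") {
			requestedAclPolicy.RemoteAddresses = hostApipaIP
		}

		// Beyond placeholder substitution the rule is applied unchanged: no check of
		// Action, Priority or address scope is performed at this layer.
		logger.Printf("ACL Policy requested in NcGoalState %+v", requestedAclPolicy)
		if err := addAclToEndpointPolicy(requestedAclPolicy, endpointPolicies); err != nil {
			return err
		}
	}
	return nil
}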