
How to allow icmp and tcp/udp/sctp at same template #68

Open
BurlyLuo opened this issue Sep 27, 2024 · 3 comments
@BurlyLuo

template details:

[root@rowan> 15-kind-multi-networkpolicy-macvlan]# cat 3-multi-networkpolicy-tcp-srcPort81-dstPort81-.yaml 
apiVersion: k8s.cni.cncf.io/v1beta1
kind: MultiNetworkPolicy
metadata:
  name: test-network-policy
  namespace: default
  annotations:
    k8s.v1.cni.cncf.io/policy-for: macvlan-conf-1
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - ipBlock:
        cidr: 10.10.0.0/16
        except:
        - 10.10.100.0/24
    ports:
    - protocol: TCP
      port: 80
    - protocol: TCP
      port: 81
  egress:
  - to:
    - ipBlock:
        cidr: 10.10.0.0/16
    ports:
    - protocol: TCP
      port: 80
    - protocol: TCP
      port: 81
---
apiVersion: "k8s.cni.cncf.io/v1"
kind: NetworkAttachmentDefinition
metadata:
  name: macvlan-conf-1
spec:
  config: '{
            "cniVersion": "0.3.0",
            "type": "macvlan",
            "master": "eth0",
            "mode": "bridge",
            "ipam": {
                "type": "whereabouts",
                "range": "10.10.0.20-10.10.0.50/16"
            }
        }'
---
apiVersion: v1
kind: Pod
metadata:
  name: mp1
  namespace: default
  annotations:
    k8s.v1.cni.cncf.io/networks: macvlan-conf-1
spec:
  containers:
  - image: 192.168.2.100:5000/nettool
    imagePullPolicy: IfNotPresent
    name: nettool
    securityContext:
      capabilities:
        add: ["NET_RAW", "NET_ADMIN"]
  nodeName: cni-multus-worker
---
apiVersion: v1
kind: Pod
metadata:
  name: mp2
  namespace: default
  annotations:
    k8s.v1.cni.cncf.io/networks: macvlan-conf-1
spec:
  containers:
  - image: 192.168.2.100:5000/nettool
    imagePullPolicy: IfNotPresent
    name: nettool
    securityContext:
      capabilities:
        add: ["NET_RAW", "NET_ADMIN"]
  nodeName: cni-multus-worker
[root@rowan> 15-kind-multi-networkpolicy-macvlan]# 

^C[root@rowan> 15-kind-multi-networkpolicy-macvlan]# k exec -it mp1 bash 
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
mp1~$ping 10.10.0.21
PING 10.10.0.21 (10.10.0.21): 56 data bytes
ping: sendto: Operation not permitted
mp1~$curl --local-port 81 10.10.0.21
PodName: mp2 | PodIP: eth0 10.244.171.23/32 net1 10.10.0.21/16
mp1~$curl --local-port 82 10.10.0.21
^C
mp1~$exit
exit
command terminated with exit code 130
[root@rowan> 15-kind-multi-networkpolicy-macvlan]# 

If we specify TCP/UDP/SCTP ports, ICMP is blocked.
With the following, it works as expected:

[root@rowan> 15-kind-multi-networkpolicy-macvlan]# cat 2-icmp-multi-networkpolicy.yaml 
apiVersion: k8s.cni.cncf.io/v1beta1
kind: MultiNetworkPolicy
metadata:
  name: test-network-policy
  namespace: default
  annotations:
    k8s.v1.cni.cncf.io/policy-for: macvlan-conf-1
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - ipBlock:
        cidr: 10.10.0.0/16
        except:
        - 10.10.1.0/24
  egress:
  - to:
    - ipBlock:
        cidr: 10.10.0.0/16
---
apiVersion: "k8s.cni.cncf.io/v1"
kind: NetworkAttachmentDefinition
metadata:
  name: macvlan-conf-1
spec:
  config: '{
            "cniVersion": "0.3.0",
            "type": "macvlan",
            "master": "eth0",
            "mode": "bridge",
            "ipam": {
                "type": "host-local",
                "ranges": [
                    [ {
                         "subnet": "10.10.0.0/16",
                         "rangeStart": "10.10.1.20",
                         "rangeEnd": "10.10.3.50",
                         "gateway": "10.10.0.254"
                    } ]
                ]
            }
        }'
---
apiVersion: v1
kind: Pod
metadata:
  name: mpicmp
  namespace: default
  annotations:
    k8s.v1.cni.cncf.io/networks: macvlan-conf-1
spec:
  containers:
  - image: 192.168.2.100:5000/nettool
    imagePullPolicy: IfNotPresent
    name: alpine
    securityContext:
      capabilities:
        add: ["NET_RAW", "NET_ADMIN"]
  restartPolicy: Always
[root@rowan> 15-kind-multi-networkpolicy-macvlan]# 

So my question is how to allow both ICMP and the L4 protocols.

@BurlyLuo BurlyLuo changed the title How to allow and tcp/udp/sctp at same template How to allow icmp and tcp/udp/sctp at same template Sep 27, 2024
@zeeke
Member

zeeke commented Sep 30, 2024

Hi @BurlyLuo, AFAIK, there is currently no way to control ICMP traffic with MultiNetworkPolicies, as they implement the same semantics as NetworkPolicies. From https://kubernetes.io/docs/concepts/services-networking/network-policies/ :

When a deny all network policy is defined, it is only guaranteed to deny TCP, UDP and SCTP connections. For other protocols, such as ARP or ICMP, the behaviour is undefined. The same applies to allow rules: when a specific pod is allowed as ingress source or egress destination, it is undefined what happens with (for example) ICMP packets. Protocols such as ICMP may be allowed by some network plugins and denied by others.

What is the specific use case you're trying to achieve? Your application needs to receive both TCP/80 packets and all ICMP traffic?

@BurlyLuo
Author

BurlyLuo commented Sep 30, 2024

@zeeke thanks for your reply.
Yes. We always want to use the ping tool to check whether the network is reachable or not. If we apply the policy and it blocks ICMP, it makes the ping test difficult, so I raised this requirement. As you know, for a multi-interface pod, which is like a VM, the ping tool is very common.

This is iptables-related logic. So can we add ICMP as a default rule, and provide a parameter to enable or disable it?


@zeeke
Member

zeeke commented Sep 30, 2024

Have you tried --accept-icmp?

fs.BoolVar(&o.acceptICMP, "accept-icmp", false, "accept all ICMP traffic")

It should do the job you're asking for.
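To make the behaviour in this thread concrete, here is an added model (written for this page, not code from multi-networkpolicy-iptables) of how a first-match, default-deny ingress chain treats the two policies above. The chain name MULTI-INGRESS, the exact rule text, and the representation of an "accept all ICMP" switch as a protocol-only ACCEPT rule placed ahead of the policy rules are assumptions of the model, not the project's real chains; the policy dicts are transcribed from the YAML in the issue.

```python
"""Model of how a MultiNetworkPolicy ingress section becomes iptables-style
rules, and why ICMP is dropped as soon as the rule lists L4 ports.

Added illustration: not code from multi-networkpolicy-iptables. The chain
name MULTI-INGRESS and the rule text are assumptions made for the model.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# The only protocols a NetworkPolicy "ports" entry may name.
L4_PROTOCOLS = ("TCP", "UDP", "SCTP")


@dataclass
class Rule:
    """One first-match rule: every non-None field must match the packet."""
    target: str                                   # "ACCEPT" or "DROP"
    src: Optional[ipaddress.IPv4Network] = None   # -s <cidr>
    proto: Optional[str] = None                   # -p <proto>
    dport: Optional[int] = None                   # --dport <n>, the destination port

    def matches(self, proto: str, src: str, dport: Optional[int]) -> bool:
        if self.src is not None and ipaddress.ip_address(src) not in self.src:
            return False
        if self.proto is not None and self.proto != proto:
            return False
        if self.dport is not None and self.dport != dport:
            return False
        return True

    def render(self) -> str:
        """iptables-save style text for the rule (assumed chain name)."""
        parts = ["-A MULTI-INGRESS"]
        if self.src is not None:
            parts.append(f"-s {self.src}")
        if self.proto is not None:
            parts.append(f"-p {self.proto.lower()}")
        if self.dport is not None:
            parts.append(f"--dport {self.dport}")
        parts.append(f"-j {self.target}")
        return " ".join(parts)


def compile_ingress(spec: dict, accept_icmp: bool = False) -> List[Rule]:
    """Render spec["ingress"] into an ordered rule list ending in DROP."""
    rules: List[Rule] = []
    if accept_icmp:
        # Model of a global "accept all ICMP" switch: a protocol-only ACCEPT
        # ahead of the policy rules, independent of ipBlock and ports.
        rules.append(Rule("ACCEPT", proto="ICMP"))
    for entry in spec.get("ingress", []):
        ports = entry.get("ports", [])
        for peer in entry.get("from", []):
            block = peer["ipBlock"]
            cidr = ipaddress.ip_network(block["cidr"])
            # "except" ranges are carved out with DROP rules placed first
            # (simplified: with several peers they would need their own chain).
            for exc in block.get("except", []):
                rules.append(Rule("DROP", src=ipaddress.ip_network(exc)))
            if not ports:
                # No ports: the CIDR is accepted for any protocol, which is
                # why the port-less policy in the issue lets ping through.
                rules.append(Rule("ACCEPT", src=cidr))
            for p in ports:
                proto = p.get("protocol", "TCP").upper()
                if proto not in L4_PROTOCOLS:
                    raise ValueError(f"ports cannot name protocol {proto}")
                # A port rule carries "-p tcp --dport N": ICMP can never match it.
                rules.append(Rule("ACCEPT", src=cidr, proto=proto, dport=p["port"]))
    rules.append(Rule("DROP"))  # policyTypes includes Ingress -> default deny
    return rules


def verdict(rules: List[Rule], proto: str, src: str, dport: Optional[int] = None) -> str:
    """First-match evaluation, as iptables does it."""
    for r in rules:
        if r.matches(proto.upper(), src, dport):
            return r.target
    return "DROP"


# The two ingress sections from the issue, transcribed as dicts.
PORTS_POLICY = {"ingress": [{
    "from": [{"ipBlock": {"cidr": "10.10.0.0/16", "except": ["10.10.100.0/24"]}}],
    "ports": [{"protocol": "TCP", "port": 80}, {"protocol": "TCP", "port": 81}],
}]}
ICMP_POLICY = {"ingress": [{
    "from": [{"ipBlock": {"cidr": "10.10.0.0/16", "except": ["10.10.1.0/24"]}}],
}]}

if __name__ == "__main__":
    for r in compile_ingress(PORTS_POLICY):
        print(r.render())
    print("ICMP from 10.10.0.21:", verdict(compile_ingress(PORTS_POLICY), "ICMP", "10.10.0.21"))
    print("ICMP with accept_icmp:",
          verdict(compile_ingress(PORTS_POLICY, accept_icmp=True), "ICMP", "10.10.0.21"))
```

Two points the model makes visible: a `ports` entry always compiles to a protocol-plus-destination-port match, so a packet with no L4 port (ICMP) falls through to the trailing DROP no matter which `ipBlock` it came from, while a rule with no `ports` accepts the CIDR for any protocol, which is the difference between the two policies in the issue. The `ports` match is on the destination port, as in Kubernetes NetworkPolicy, so the source port chosen with `curl --local-port` does not enter into it. Since `--accept-icmp` is a command-line flag of the multi-networkpolicy-iptables daemon rather than a field of the policy, it is turned on by adding it to the arguments of the DaemonSet container that runs the daemon.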
