Skip to content

Commit c93a403

Browse files
honglianglhongliangl
committed
Fix default reject rule to correctly handle packets that should be reassembled
When using an L7 NetworkPolicy that allows egress HTTP requests, the corresponding Suricata rules may look like the following example: ``` reject ip any any -> any any (msg: "Reject by AntreaNetworkPolicy:default/egress-allow-http"; flow: to_server, established; sid: 1;) pass http any any -> any any (msg: "Allow http by AntreaNetworkPolicy:default/egress-allow-http"; http.method; content:"GET"; sid: 2;)` ``` If an HTTP request exceeds the MTU, it will be split into multiple packets. The packets should be reassembled and allowed by the corresponding Suricata rule for the L7 NetworkPolicy. However, there is a default reject rule which is to reject packets which are not matched by the `pass` rule, which will take effect before packets are reassembled and matched by the `pass` rule, causing the connection to fail. To address the issue, the keyword `only_stream` is added to the default reject rule. This ensures that only reassembled packets are matched, preventing premature rejection of packets that should be allowed after reassembly. Signed-off-by: Hongliang Liu <hongliang.liu@broadcom.com>
1 parent e404ccc commit c93a403

File tree

1 file changed

+4
-2
lines changed

1 file changed

+4
-2
lines changed

pkg/agent/controller/networkpolicy/l7engine/reconciler.go

+4-2
Original file line numberDiff line numberDiff line change
@@ -173,8 +173,10 @@ func generateTenantRulesData(policyName string, protoKeywords map[string]sets.Se
173173
rulesData := bytes.NewBuffer(nil)
174174
sid := 1
175175

176-
// Generate default reject rule.
177-
allKeywords := fmt.Sprintf(`msg: "Reject by %s"; flow: to_server, established; sid: %d;`, policyName, sid)
176+
// Generate default reject rule. The keyword `only_stream` is used to match on packets that have been reassembled by
177+
// the Suricata stream engine. Without this keyword, reassembled packets, such as those from HTTP requests split
178+
// across multiple packets, would be rejected by the default rule, causing an otherwise allowed connection to fail.
179+
allKeywords := fmt.Sprintf(`msg: "Reject by %s"; flow: to_server, established, only_stream; sid: %d;`, policyName, sid)
178180
rule := fmt.Sprintf("reject ip any any -> any any (%s)\n", allKeywords)
179181
rulesData.WriteString(rule)
180182
sid++

0 commit comments

Comments
 (0)