fix_base_sg_rule (#2401)

袁又袁 · yuanliu · zbb88888 · commit 81b60ac84ef5 · 2023-04-27T07:19:16.000+08:00
Co-authored-by: yuanliu &lt;yuanliu@cmss.chinamobile.com&gt;
diff --git a/pkg/ovs/ovn-nbctl-legacy.go b/pkg/ovs/ovn-nbctl-legacy.go
@@ -2382,25 +2382,25 @@ func (c LegacyClient) CreateSgBaseEgressACL(sgName string) error {
 	klog.Infof("add base egress acl, sg: %s", portGroupName)
 	// allow arp
 	if _, err := c.ovnNbCommand(MayExist, "--type=port-group", "acl-add", portGroupName, string(SgAclEgressDirection), util.SecurityGroupBasePriority,
-		fmt.Sprintf("outport==@%s && arp", portGroupName), "allow-related"); err != nil {
+		fmt.Sprintf("inport==@%s && arp", portGroupName), "allow-related"); err != nil {
 		return err
 	}
 
 	// icmpv6
 	if _, err := c.ovnNbCommand(MayExist, "--type=port-group", "acl-add", portGroupName, string(SgAclEgressDirection), util.SecurityGroupBasePriority,
-		fmt.Sprintf("outport==@%s && icmp6.type=={130, 133, 135, 136} && icmp6.code == 0 && ip.ttl == 255", portGroupName), "allow-related"); err != nil {
+		fmt.Sprintf("inport==@%s && icmp6.type=={130, 133, 135, 136} && icmp6.code == 0 && ip.ttl == 255", portGroupName), "allow-related"); err != nil {
 		return err
 	}
 
 	// dhcpv4 res
 	if _, err := c.ovnNbCommand(MayExist, "--type=port-group", "acl-add", portGroupName, string(SgAclEgressDirection), util.SecurityGroupBasePriority,
-		fmt.Sprintf("outport==@%s && udp.src==68 && udp.dst==67 && ip4", portGroupName), "allow-related"); err != nil {
+		fmt.Sprintf("inport==@%s && udp.src==68 && udp.dst==67 && ip4", portGroupName), "allow-related"); err != nil {
 		return err
 	}
 
 	// dhcpv6 res
 	if _, err := c.ovnNbCommand(MayExist, "--type=port-group", "acl-add", portGroupName, string(SgAclEgressDirection), util.SecurityGroupBasePriority,
-		fmt.Sprintf("outport==@%s && udp.src==546 && udp.dst==547 && ip6", portGroupName), "allow-related"); err != nil {
+		fmt.Sprintf("inport==@%s && udp.src==546 && udp.dst==547 && ip6", portGroupName), "allow-related"); err != nil {
 		return err
 	}
 	return nil
@@ -2411,25 +2411,25 @@ func (c LegacyClient) CreateSgBaseIngressACL(sgName string) error {
 	klog.Infof("add base ingress acl, sg: %s", portGroupName)
 	// allow arp
 	if _, err := c.ovnNbCommand(MayExist, "--type=port-group", "acl-add", portGroupName, string(SgAclIngressDirection), util.SecurityGroupBasePriority,
-		fmt.Sprintf("inport==@%s && arp", portGroupName), "allow-related"); err != nil {
+		fmt.Sprintf("outport==@%s && arp", portGroupName), "allow-related"); err != nil {
 		return err
 	}
 
 	// icmpv6
 	if _, err := c.ovnNbCommand(MayExist, "--type=port-group", "acl-add", portGroupName, string(SgAclIngressDirection), util.SecurityGroupBasePriority,
-		fmt.Sprintf("inport==@%s && icmp6.type=={130, 134, 135, 136} && icmp6.code == 0 && ip.ttl == 255", portGroupName), "allow-related"); err != nil {
+		fmt.Sprintf("outport==@%s && icmp6.type=={130, 134, 135, 136} && icmp6.code == 0 && ip.ttl == 255", portGroupName), "allow-related"); err != nil {
 		return err
 	}
 
 	// dhcpv4 offer
 	if _, err := c.ovnNbCommand(MayExist, "--type=port-group", "acl-add", portGroupName, string(SgAclIngressDirection), util.SecurityGroupBasePriority,
-		fmt.Sprintf("inport==@%s && udp.src==67 && udp.dst==68 && ip4", portGroupName), "allow-related"); err != nil {
+		fmt.Sprintf("outport==@%s && udp.src==67 && udp.dst==68 && ip4", portGroupName), "allow-related"); err != nil {
 		return err
 	}
 
 	// dhcpv6 offer
 	if _, err := c.ovnNbCommand(MayExist, "--type=port-group", "acl-add", portGroupName, string(SgAclIngressDirection), util.SecurityGroupBasePriority,
-		fmt.Sprintf("inport==@%s && udp.src==547 && udp.dst==546 && ip6", portGroupName), "allow-related"); err != nil {
+		fmt.Sprintf("outport==@%s && udp.src==547 && udp.dst==546 && ip6", portGroupName), "allow-related"); err != nil {
 		return err
 	}
 
