This repository has been archived by the owner on Jun 20, 2024. It is now read-only.

Ingress NetworkPolicy accepts all traffic when specifying both IPBlock and port #3653

Closed
kitt1987 opened this issue Jun 25, 2019 · 2 comments · Fixed by #3654

Comments

@kitt1987
Contributor

What you expected to happen?

Only traffic with source IP in the specified IPBlock could be forwarded to the Pod.

What happened?

All traffic to the Pod is forwarded.

How to reproduce it?

  1. Run an Nginx Pod and expose port 80 via kubectl run nginx --image=nginx:alpine --port=80 and kubectl expose deploy nginx --port=80 --type=NodePort
  2. Apply the following NetworkPolicy
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: service-acl
spec:
  podSelector:
    matchLabels:
      run: nginx
  policyTypes:
  - Ingress
  ingress:
  - from:
    - ipBlock:
        cidr: 127.0.0.1/32
    ports:
    - protocol: TCP
      port: 80

Anything else we need to know?

After checking the code, I believe it is a bug in npc/analyser.go. The third argument of newRuleSpec should be srcRuleHost rather than srcSelector.

rule := newRuleSpec(policyTypeIngress, &proto, srcSelector, targetSelector, &port)

Versions:

$ weave version
INFO: 2019/06/25 04:31:33.620067 weave  2.5.1

$ docker version
Client:
 Version:           18.09.1
 API version:       1.39
 Go version:        go1.10.6
 Git commit:        4c52b90
 Built:             Wed Jan  9 19:35:23 2019
 OS/Arch:           linux/amd64
 Experimental:      false

Server: Docker Engine - Community
 Engine:
  Version:          18.09.1
  API version:      1.39 (minimum version 1.12)
  Go version:       go1.10.6
  Git commit:       4c52b90
  Built:            Wed Jan  9 19:02:44 2019
  OS/Arch:          linux/amd64
  Experimental:     false

$ uname -a
Linux m1.weave.env.lab.io 4.4.0-116-generic #140-Ubuntu SMP Mon Feb 12 21:23:04 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

$ kubectl version
Client Version: version.Info{Major:"1", Minor:"12", GitVersion:"v1.12.2", GitCommit:"17c77c7898218073f14c8d573582e8d2313dc740", GitTreeState:"clean", BuildDate:"2018-10-24T06:54:59Z", GoVersion:"go1.10.4", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"12", GitVersion:"v1.12.2", GitCommit:"17c77c7898218073f14c8d573582e8d2313dc740", GitTreeState:"clean", BuildDate:"2018-10-24T06:43:59Z", GoVersion:"go1.10.4", Compiler:"gc", Platform:"linux/amd64"}

Network:

# iptables -S | grep default
-A WEAVE-NPC-DEFAULT -m set --match-set weave-;rGqyMIl1HN^cfDki~Z$3]6!N dst -m comment --comment "DefaultAllow ingress isolation for namespace: default" -j ACCEPT
-A WEAVE-NPC-EGRESS-DEFAULT -m set --match-set weave-s_+ChJId4Uy_$}G;WdH|~TK)I src -m comment --comment "DefaultAllow egress isolation for namespace: default" -j WEAVE-NPC-EGRESS-ACCEPT
-A WEAVE-NPC-EGRESS-DEFAULT -m set --match-set weave-s_+ChJId4Uy_$}G;WdH|~TK)I src -m comment --comment "DefaultAllow egress isolation for namespace: default" -j RETURN
-A WEAVE-NPC-INGRESS -p tcp -m set --match-set weave-KN[_+Gl.dlb1q$;v4h!E_Sg)( dst -m tcp --dport 80 -m comment --comment "anywhere -> pods: namespace: default, selector: run=nginx (ingress)" -j ACCEPT
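A check an operator could run to catch this class of bug after applying a policy, added here as an example and not code from the issue or from weave-npc: it parses `iptables -S` output (the lines quoted above, embedded as constructed sample data) and flags ingress ACCEPT rules for the policy's pod set that carry no source match although every ingress entry in the policy names a `from` peer. The comment layout, and the assumption that an enforced ipBlock shows up as either `-s CIDR` or a `--match-set ... src`, are inferred from the quoted output rather than taken from the project's documentation.

```python
import re

# Constructed sample: the `iptables -S` lines quoted in this issue. The
# WEAVE-NPC-INGRESS rule accepts port 80 for the nginx pods with no source match.
IPTABLES_S = [
    '-A WEAVE-NPC-DEFAULT -m set --match-set weave-;rGqyMIl1HN^cfDki~Z$3]6!N dst '
    '-m comment --comment "DefaultAllow ingress isolation for namespace: default" -j ACCEPT',
    '-A WEAVE-NPC-INGRESS -p tcp -m set --match-set weave-KN[_+Gl.dlb1q$;v4h!E_Sg)( dst '
    '-m tcp --dport 80 -m comment --comment "anywhere -> pods: namespace: default, '
    'selector: run=nginx (ingress)" -j ACCEPT',
]

# The NetworkPolicy from the report, reduced to the fields the check needs.
POLICY = {
    "namespace": "default",
    "podSelector": {"run": "nginx"},
    "ingress": [{"from": [{"ipBlock": {"cidr": "127.0.0.1/32"}}],
                 "ports": [{"protocol": "TCP", "port": 80}]}],
}

COMMENT_RE = re.compile(r'--comment "([^"]*)"')
# Assumed source-restriction forms: a literal -s CIDR or an ipset matched on src.
SRC_RE = re.compile(r'(?:^| )-s \S+|--match-set \S+ src')

def selector_text(sel):
    """Render a podSelector the way the rule comments spell it (k=v, sorted)."""
    return ",".join(f"{k}={v}" for k, v in sorted(sel.items()))

def ingress_accepts_for(lines, namespace, selector):
    """Yield (line, comment) for WEAVE-NPC-INGRESS ACCEPTs that target this pod set."""
    needle = f"namespace: {namespace}, selector: {selector_text(selector)} (ingress)"
    for line in lines:
        if not line.startswith("-A WEAVE-NPC-INGRESS ") or " -j ACCEPT" not in line:
            continue
        m = COMMENT_RE.search(line)
        if m and needle in m.group(1):
            yield line, m.group(1)

def unrestricted_accepts(lines, policy):
    """Return comments of ingress ACCEPTs that lack a source match even though
    every ingress entry of the policy restricts its peers with `from`."""
    ingress = policy.get("ingress", [])
    if not ingress or not all(rule.get("from") for rule in ingress):
        return []  # an entry without `from` legitimately means "anywhere"
    return [comment for line, comment in
            ingress_accepts_for(lines, policy["namespace"], policy["podSelector"])
            if not SRC_RE.search(line)]

if __name__ == "__main__":
    for comment in unrestricted_accepts(IPTABLES_S, POLICY):
        print("ipBlock not enforced:", comment)
```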
@murali-reddy murali-reddy added this to the 2.6 milestone Jun 25, 2019
@murali-reddy
Contributor

@kitt1987 I can confirm the issue. Since you already figured the fix as well, would you mind raising a PR?

@kitt1987
Contributor Author

Of course not. I'll submit the PR.
Thanks for the quick reply.
