From 84d2dcb62462e85f5d89933c2dd45fd68347d88f Mon Sep 17 00:00:00 2001
From: Ole Markus With
Date: Fri, 7 Aug 2020 09:26:31 +0200
Subject: [PATCH] Use SG to SG rule for cni tcp/udp rules
---
 pkg/model/openstackmodel/firewall.go | 43 +++++++++++++++-------------
 1 file changed, 23 insertions(+), 20 deletions(-)
diff --git a/pkg/model/openstackmodel/firewall.go b/pkg/model/openstackmodel/firewall.go
index 1021d59e5ee0f..de7e1139eb5d3 100644
--- a/pkg/model/openstackmodel/firewall.go
+++ b/pkg/model/openstackmodel/firewall.go
@@ -369,8 +369,8 @@ func (b *FirewallModelBuilder) addCNIRules(c *fi.ModelBuilderContext, sgMap map[
 	}
 	if b.Cluster.Spec.Networking.Cilium != nil {
-		udpPorts = append(udpPorts, 4789)
-		tcpPorts = append(udpPorts, 4240)
+		udpPorts = append(udpPorts, 8472)
+		tcpPorts = append(tcpPorts, 4240)
 	}
 	if b.Cluster.Spec.Networking.Weave != nil {
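Review bot: The new literal 8472 on the Cilium branch needs a comment, because it replaces 4789 — the IANA-assigned VXLAN port — and a later reader is likely to read it as a typo and "fix" it back; suggest `// Cilium's VXLAN overlay uses UDP 8472 by default (not IANA's 4789); TCP 4240 is cilium-health.` above the two appends. With the comment in place the pair of magic numbers becomes self-explanatory, and the same treatment would help the other CNI branches of this function if they also use bare port literals. The body of addCNIRules begins and continues outside this hunk.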
@@ -407,30 +407,33 @@ func (b *FirewallModelBuilder) addCNIRules(c *fi.ModelBuilderContext, sgMap map[
 	for _, udpPort := range udpPorts {
 		udpRule := &openstacktasks.SecurityGroupRule{
-			Lifecycle:      b.Lifecycle,
-			Direction:      s(string(rules.DirIngress)),
-			Protocol:       s(string(rules.ProtocolUDP)),
-			EtherType:      s(string(rules.EtherType4)),
-			PortRangeMin:   i(udpPort),
-			PortRangeMax:   i(udpPort),
-			RemoteIPPrefix: s(b.Cluster.Spec.NetworkCIDR),
+			Lifecycle:    b.Lifecycle,
+			Direction:    s(string(rules.DirIngress)),
+			Protocol:     s(string(rules.ProtocolUDP)),
+			EtherType:    s(string(rules.EtherType4)),
+			PortRangeMin: i(udpPort),
+			PortRangeMax: i(udpPort),
 		}
-		addDirectionalGroupRule(c, masterSG, nil, udpRule)
-		addDirectionalGroupRule(c, nodeSG, nil, udpRule)
+		addDirectionalGroupRule(c, masterSG, masterSG, udpRule)
+		addDirectionalGroupRule(c, nodeSG, masterSG, udpRule)
+		addDirectionalGroupRule(c, masterSG, nodeSG, udpRule)
+		addDirectionalGroupRule(c, nodeSG, nodeSG, udpRule)
 	}
 	for _, tcpPort := range tcpPorts {
 		tcpRule := &openstacktasks.SecurityGroupRule{
-			Lifecycle:      b.Lifecycle,
-			Direction:      s(string(rules.DirIngress)),
-			Protocol:       s(string(rules.ProtocolTCP)),
-			EtherType:      s(string(rules.EtherType4)),
-			PortRangeMin:   i(tcpPort),
-			PortRangeMax:   i(tcpPort),
-			RemoteIPPrefix: s(b.Cluster.Spec.NetworkCIDR),
+			Lifecycle:    b.Lifecycle,
+			Direction:    s(string(rules.DirIngress)),
+			Protocol:     s(string(rules.ProtocolTCP)),
+			EtherType:    s(string(rules.EtherType4)),
+			PortRangeMin: i(tcpPort),
+			PortRangeMax: i(tcpPort),
 		}
-		addDirectionalGroupRule(c, masterSG, nil, tcpRule)
-		addDirectionalGroupRule(c, nodeSG, nil, tcpRule)
+		addDirectionalGroupRule(c, masterSG, masterSG, tcpRule)
+		addDirectionalGroupRule(c, nodeSG, masterSG, tcpRule)
+		addDirectionalGroupRule(c, masterSG, nodeSG, tcpRule)
+		addDirectionalGroupRule(c, nodeSG, nodeSG, tcpRule)
 	}
+
 	for _, protocol := range protocols {
 		protocolRule := &openstacktasks.SecurityGroupRule{
 			Lifecycle: b.Lifecycle,
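Review bot: The four addDirectionalGroupRule calls per port all hand in the same `udpRule` (and `tcpRule`) pointer, so the result is only right if the helper copies the rule before attaching the security group and remote group; the old two-call version already leaned on that, but the new four-way fan-out makes it worth stating at the first call site, e.g. `// addDirectionalGroupRule is expected to copy udpRule per (sg, remote) pair; the pointer is shared across the four calls below.` — assuming that is how the helper behaves, which is defined outside this hunk. Dropping RemoteIPPrefix tightens the CNI rules from "anything in NetworkCIDR" to "members of masterSG or nodeSG", which is the right direction, but if sgMap carries further groups their instances would lose the overlay reachability the CIDR rule used to grant, so that assumption should be confirmed against how sgMap is populated. The identical four-line blocks in the UDP and TCP loops could be folded into one loop over the (group, remote) pairs so the two lists cannot drift apart. addCNIRules starts and ends outside the hunk.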