
Control Plane Filter


A ControlPlaneFilter is an ordered list of filter entries that match certain packets destined to the CPU and perform an action on those packets. In contrast to Filters, ControlPlaneFilters are often software-based filters that process packets before they reach the CPU. Packets can be matched by their source IP, destination IP, source port, destination port, and other header fields. There are two types of filters:

  • IP filters that match on the IP header of an IP packet
  • MAC filters that match on the layer 2 (Ethernet) header of an Ethernet frame

Note

A ControlPlaneFilter resource is deployed system-wide to the nodes specified in the nodes or nodeSelectors properties. To filter data-plane packets as they ingress / egress a particular sub-interface, check out the Filter resource.

The packet is evaluated against the filter entries in order. If an entry does not match, the packet is evaluated against the next entry, and so on. Once a packet matches an entry, evaluation of the chain stops and the action specified in that entry is applied to the packet.

flowchart TB
    packet --> e10[Entry 10]
    e10 --> e20[Entry 20]
    e20 --> e30[Entry 30]
    e30 -.-|stop evaluation| e40[Entry 40]
    e40 -.- e50[Entry 50]
    e10 -.- n10[No match]
    e20 -.- n20[No match]
    e30 --> n30[Match]
    n30 --> Drop

Dependencies

The ControlPlaneFilter resource has no dependency on other resources.

Referenced resources

TopoNode

The ControlPlaneFilter is deployed system-wide to nodes that are specified in the nodes property or whose labels match the nodeSelectors.

PrefixSet

In the ipEntry context, source and destination prefixes can be entered manually through the sourcePrefix and destinationPrefix properties. If the entry must execute the same action for source / destination IP addresses in multiple discontiguous subnets, consider using a PrefixSet to group those subnets together.

Examples

cat << 'EOF' | kubectl apply -f -
apiVersion: filters.eda.nokia.com/v1
kind: ControlPlaneFilter
metadata:
  namespace: eda
  name: my-cp-filter
spec:
  entries:
    - type: Auto
      description: Accept BGP traffic from 10.0.0.1/32 to system IP addresses
      ipEntry:
        sourcePrefix: 10.0.0.1/32
        destinationPrefixSets:
          - bgp-neighbor-system-ips
        destinationPortName: BGP
        destinationPortOperator: Equals
        protocolName: TCP
        action: Accept
    - type: IPv4
      description: Drop all other traffic
      ipEntry:
        action: Drop
        log: true
  nodeSelectors:
    - eda.nokia.com/security-profile = managed
EOF
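The first-match evaluation described above, applied to the example ControlPlaneFilter, as an added illustration that is not EDA code: the PrefixSet contents, the port-name table and the packets are constructed, and only the Equals port operator is modelled.

```python
import ipaddress

# Constructed stand-ins: the PrefixSet the example references and a port-name table.
PREFIX_SETS = {"bgp-neighbor-system-ips": ["192.0.2.1/32", "192.0.2.2/32"]}
PORT_NAMES = {"BGP": 179}

# The two entries from the example above, as dictionaries.
ENTRIES = [
    {"description": "Accept BGP traffic from 10.0.0.1/32 to system IP addresses",
     "ipEntry": {"sourcePrefix": "10.0.0.1/32",
                 "destinationPrefixSets": ["bgp-neighbor-system-ips"],
                 "destinationPortName": "BGP", "destinationPortOperator": "Equals",
                 "protocolName": "TCP", "action": "Accept"}},
    {"description": "Drop all other traffic", "ipEntry": {"action": "Drop", "log": True}},
]

def in_prefixes(ip, prefixes):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p) for p in prefixes)

def entry_matches(entry, pkt):
    """Every field present in the ipEntry must match; an absent field is a wildcard."""
    e = entry["ipEntry"]
    if "sourcePrefix" in e and not in_prefixes(pkt["src"], [e["sourcePrefix"]]):
        return False
    if "destinationPrefix" in e and not in_prefixes(pkt["dst"], [e["destinationPrefix"]]):
        return False
    if "destinationPrefixSets" in e:  # union of all listed sets, so discontiguous subnets work
        dsts = [p for s in e["destinationPrefixSets"] for p in PREFIX_SETS[s]]
        if not in_prefixes(pkt["dst"], dsts):
            return False
    if "protocolName" in e and e["protocolName"] != pkt["proto"]:
        return False
    if "destinationPortName" in e:  # only the Equals operator is modelled here (assumption)
        if e.get("destinationPortOperator", "Equals") != "Equals":
            raise NotImplementedError(e["destinationPortOperator"])
        if pkt["dport"] != PORT_NAMES[e["destinationPortName"]]:
            return False
    return True

def evaluate(entries, pkt):
    """Walk entries in order; the first match ends evaluation. Returns (action, log)."""
    for entry in entries:
        if entry_matches(entry, pkt):
            return entry["ipEntry"]["action"], entry["ipEntry"].get("log", False)
    return None  # no entry matched, so the chain makes no decision
```

evaluate(ENTRIES, pkt) returns ('Accept', False) for a TCP/179 packet from 10.0.0.1 to a listed system IP and ('Drop', True) for anything else; with the entries reversed, the catch-all Drop shadows the Accept, which is why entry order matters.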

Custom Resource Definition

To browse the Custom Resource Definition go to crd.eda.dev.

ControlPlaneFilter (filters.eda.nokia.com/v1)

SPEC

ControlPlaneFilter allows for specifying a list of Nodes or Node selectors where the filter should be applied and managing filter entries in order.


STATUS

ControlPlaneFilterStatus defines the observed state of a ControlPlaneFilter.