microsoft · dcantah · Jun 10, 2021 · Jun 10, 2021
diff --git a/hcn/hcn.go b/hcn/hcn.go
@@ -249,6 +249,25 @@ func TierAclPolicySupported() error {
 	return platformDoesNotSupportError("TierAcl")
 }
 
+// NetworkACLPolicySupported returns an error if the HCN version does not support NetworkACLPolicy
+func NetworkACLPolicySupported() error {
+	supported := GetSupportedFeatures()
+	if supported.NetworkACL {
+		return nil
+	}
+	return platformDoesNotSupportError("NetworkACL")
+}
+
+// NestedIpSetSupported returns an error if the HCN version does not support NestedIpSet
+func NestedIpSetSupported() error {
+	supported := GetSupportedFeatures()
+	if supported.NestedIpSet {
+		return nil
+	}
+	return platformDoesNotSupportError("NestedIpSet")
+}
+
+
 // RequestType are the different operations performed to settings.
 // Used to update the settings of Endpoint/Namespace objects.
 type RequestType string

diff --git a/hcn/hcnglobals.go b/hcn/hcnglobals.go
@@ -76,6 +76,12 @@ var (
 
 	//HNS 14.0 allows for TierAcl Policy support
 	TierAclPolicyVersion = VersionRanges{VersionRange{MinVersion: Version{Major: 14, Minor: 0}, MaxVersion: Version{Major: math.MaxInt32, Minor: math.MaxInt32}}}
+
+	//HNS 15.0 allows for NetworkACL Policy support
+	NetworkACLPolicyVersion = VersionRanges{VersionRange{MinVersion: Version{Major: 15, Minor: 0}, MaxVersion: Version{Major: math.MaxInt32, Minor: math.MaxInt32}}}
+
+	//HNS 15.0 allows for NestedIpSet support
+	NestedIpSetVersion = VersionRanges{VersionRange{MinVersion: Version{Major: 15, Minor: 0}, MaxVersion: Version{Major: math.MaxInt32, Minor: math.MaxInt32}}}
 )
 
 // GetGlobals returns the global properties of the HCN Service.

diff --git a/hcn/hcnnetwork_test.go b/hcn/hcnnetwork_test.go
@@ -169,6 +169,17 @@ func TestAddRemoveHostRoutePolicy(t *testing.T) {
 	testNetworkPolicy(t, hostRoutePolicy)
 }
 
+func TestAddRemoveNetworACLPolicy(t *testing.T){
+
+	networkACLPolicy, err := HcnCreateNetworkACLs()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	testNetworkPolicy(t, networkACLPolicy)
+
+}
+
 func TestNetworkFlags(t *testing.T) {
 
 	network, err := CreateTestOverlayNetwork()

diff --git a/hcn/hcnpolicy.go b/hcn/hcnpolicy.go
@@ -50,6 +50,7 @@ const (
 	SetPolicy           NetworkPolicyType = "SetPolicy"
 	NetworkL4Proxy      NetworkPolicyType = "L4Proxy"
 	LayerConstraint     NetworkPolicyType = "LayerConstraint"
+	NetworkACL          NetworkPolicyType = "NetworkACL"
 )
 
 // NetworkPolicy is a collection of Policy settings for a Network.
@@ -132,7 +133,7 @@ type AclPolicySetting struct {
 	RemotePorts     string        `json:",omitempty"`
 	RuleType        RuleType      `json:",omitempty"`
 	Priority        uint16        `json:",omitempty"`
-}
+} 
 
 // QosPolicySetting sets Quality of Service bandwidth caps on an Endpoint.
 type QosPolicySetting struct {
@@ -154,6 +155,19 @@ type SDNRoutePolicySetting struct {
 	NeedEncap         bool   `json:",omitempty"`
 }
 
+// NetworkACLPolicySetting creates ACL rules on a network
+type NetworkACLPolicySetting struct {
+	Protocols       string        `json:",omitempty"` // EX: 6 (TCP), 17 (UDP), 1 (ICMPv4), 58 (ICMPv6), 2 (IGMP)
+	Action          ActionType    `json:","`
+	Direction       DirectionType `json:","`
+	LocalAddresses  string        `json:",omitempty"`
+	RemoteAddresses string        `json:",omitempty"`
+	LocalPorts      string        `json:",omitempty"`
+	RemotePorts     string        `json:",omitempty"`
+	RuleType        RuleType      `json:",omitempty"`
+	Priority        uint16        `json:",omitempty"`
+} 
+
 // FiveTuple is nested in L4ProxyPolicySetting  for WFP support.
 type FiveTuple struct {
 	Protocols       string `json:",omitempty"`
@@ -271,6 +285,7 @@ type SetPolicyType string
 
 const (
 	SetPolicyTypeIpSet SetPolicyType = "IPSET"
+	SetPolicyTypeNestedIpSet SetPolicyType = "NESTEDIPSET"
 )
 
 // SetPolicySetting creates IPSets on network

diff --git a/hcn/hcnsupport.go b/hcn/hcnsupport.go
@@ -20,6 +20,8 @@ type SupportedFeatures struct {
 	L4Proxy                  bool        `json:"L4Proxy"`    // network policy that applies VFP rules to all endpoints on the network to redirect traffic
 	L4WfpProxy               bool        `json:"L4WfpProxy"` // endpoint policy that applies WFP filters to redirect traffic to/from that endpoint
 	TierAcl                  bool        `json:"TierAcl"`
+	NetworkACL               bool        `json:"NetworkACL"`
+	NestedIpSet              bool        `json:"NestedIpSet"`
 }
 
 // AclFeatures are the supported ACL possibilities.
@@ -71,6 +73,8 @@ func GetSupportedFeatures() SupportedFeatures {
 	features.L4Proxy = isFeatureSupported(globals.Version, L4ProxyPolicyVersion)
 	features.L4WfpProxy = isFeatureSupported(globals.Version, L4WfpProxyPolicyVersion)
 	features.TierAcl = isFeatureSupported(globals.Version, TierAclPolicyVersion)
+	features.NetworkACL = isFeatureSupported(globals.Version, NetworkACLPolicyVersion)
+	features.NestedIpSet = isFeatureSupported(globals.Version, NestedIpSetVersion)
 
 	return features
 }

diff --git a/hcn/hcnsupport_test.go b/hcn/hcnsupport_test.go
@@ -116,6 +116,28 @@ func TestSetPolicySupport(t *testing.T) {
 	}
 }
 
+func TestNestedIpSetSupport(t *testing.T) {
+	supportedFeatures := GetSupportedFeatures()
+	err := NestedIpSetSupported()
+	if supportedFeatures.NestedIpSet && err != nil {
+		t.Fatal(err)
+	}
+	if !supportedFeatures.NestedIpSet && err == nil {
+		t.Fatal(err)
+	}
+}
+
+func TestNetworkACLPolicySupport(t *testing.T){
+	supportedFeatures := GetSupportedFeatures()
+	err := NetworkACLPolicySupported()
+	if supportedFeatures.NetworkACL && err != nil {
+		t.Fatal(err)
+	}
+	if !supportedFeatures.NetworkACL && err == nil {
+		t.Fatal(err)
+	}
+}
+
 func TestVxlanPortSupport(t *testing.T) {
 	supportedFeatures := GetSupportedFeatures()
 	err := VxlanPortSupported()

diff --git a/hcn/hcnutils_test.go b/hcn/hcnutils_test.go
@@ -233,6 +233,35 @@ func HcnCreateAcls() (*PolicyEndpointRequest, error) {
 	return &endpointRequest, nil
 }
 
+func HcnCreateNetworkACLs() (*PolicyNetworkRequest, error) {
+	in := NetworkACLPolicySetting{
+		Protocols:       "6",
+		Action:          ActionTypeAllow,
+		Direction:       DirectionTypeIn,
+		LocalAddresses:  "192.168.100.0/24,10.0.0.21",
+		RemoteAddresses: "192.168.100.0/24,10.0.0.21",
+		LocalPorts:      "80,8080",
+		RemotePorts:     "80,8080",
+		RuleType:        RuleTypeSwitch,
+		Priority:        200,
+	}
+
+	rawJSON, err := json.Marshal(in)
+	if err != nil {
+		return nil, err
+	}
+	inPolicy := NetworkPolicy{
+		Type:     NetworkACL,
+		Settings: rawJSON,
+	}
+
+	networkRequest := PolicyNetworkRequest{
+		Policies: []NetworkPolicy{inPolicy},
+	}
+
+	return &networkRequest, nil
+}
+
 func HcnCreateWfpProxyPolicyRequest() (*PolicyEndpointRequest, error) {
 	policySetting := L4WfpProxyPolicySetting{
 		InboundProxyPort:  "80",