[NPM] Clearing NPM MARKs on packets before accepting them (#823)

vakalapa · web-flow · commit 37993588e4fe · 2021-03-18T16:16:00.000-07:00
* First pass at creating a new chain to accept and clear marks npm added

* Adding rules to defualt chains
diff --git a/npm/iptm/helper.go b/npm/iptm/helper.go
@@ -10,6 +10,7 @@ import (
 func getAllChainsAndRules() [][]string {
 	funcList := []func() [][]string{
 		getAzureNPMChainRules,
+		getAzureNPMAcceptChainRules,
 		getAzureNPMIngressChainRules,
 		getAzureNPMIngressPortChainRules,
 		getAzureNPMIngressFromChainRules,
@@ -44,7 +45,7 @@ func getAzureNPMChainRules() [][]string {
 		{
 			util.IptablesAzureChain,
 			util.IptablesJumpFlag,
-			util.IptablesAccept,
+			util.IptablesAzureAcceptChain,
 			util.IptablesModuleFlag,
 			util.IptablesMarkVerb,
 			util.IptablesMarkFlag,
@@ -57,7 +58,7 @@ func getAzureNPMChainRules() [][]string {
 		{
 			util.IptablesAzureChain,
 			util.IptablesJumpFlag,
-			util.IptablesAccept,
+			util.IptablesAzureAcceptChain,
 			util.IptablesModuleFlag,
 			util.IptablesMarkVerb,
 			util.IptablesMarkFlag,
@@ -70,7 +71,7 @@ func getAzureNPMChainRules() [][]string {
 		{
 			util.IptablesAzureChain,
 			util.IptablesJumpFlag,
-			util.IptablesAccept,
+			util.IptablesAzureAcceptChain,
 			util.IptablesModuleFlag,
 			util.IptablesMarkVerb,
 			util.IptablesMarkFlag,
@@ -96,6 +97,32 @@ func getAzureNPMChainRules() [][]string {
 	}
 }
 
+// getAzureNPMAcceptChainRules clears all marks and accepts packets
+func getAzureNPMAcceptChainRules() [][]string {
+	return [][]string{
+		{
+			util.IptablesAzureAcceptChain,
+			util.IptablesJumpFlag,
+			util.IptablesMark,
+			util.IptablesSetMarkFlag,
+			util.IptablesAzureClearMarkHex,
+			util.IptablesModuleFlag,
+			util.IptablesCommentModuleFlag,
+			util.IptablesCommentFlag,
+			fmt.Sprintf("Clear-AZURE-NPM-MARKS"),
+		},
+		{
+			util.IptablesAzureAcceptChain,
+			util.IptablesJumpFlag,
+			util.IptablesAccept,
+			util.IptablesModuleFlag,
+			util.IptablesCommentModuleFlag,
+			util.IptablesCommentFlag,
+			fmt.Sprintf("ACCEPT-All-packets"),
+		},
+	}
+}
+
 // getAzureNPMIngressChainRules returns rules for AZURE-NPM-INGRESS-PORT
 func getAzureNPMIngressChainRules() [][]string {
 	return [][]string{
diff --git a/npm/iptm/iptm.go b/npm/iptm/iptm.go
@@ -28,6 +28,7 @@ var (
 	// IptablesAzureChainList contains list of all NPM chains
 	IptablesAzureChainList = []string{
 		util.IptablesAzureChain,
+		util.IptablesAzureAcceptChain,
 		util.IptablesAzureIngressChain,
 		util.IptablesAzureEgressChain,
 		util.IptablesAzureIngressPortChain,
@@ -182,8 +183,15 @@ func (iptMgr *IptablesManager) UninitNpmChains() error {
 		return err
 	}
 
+	// For backward compatibility, we should be cleaning older chains
+	allAzureChains := append(
+		IptablesAzureChainList,
+		util.IptablesAzureTargetSetsChain,
+		util.IptablesAzureIngressWrongDropsChain,
+	)
+
 	iptMgr.OperationFlag = util.IptablesFlushFlag
-	for _, chain := range IptablesAzureChainList {
+	for _, chain := range allAzureChains {
 		entry := &IptEntry{
 			Chain: chain,
 		}
@@ -193,7 +201,7 @@ func (iptMgr *IptablesManager) UninitNpmChains() error {
 		}
 	}
 
-	for _, chain := range IptablesAzureChainList {
+	for _, chain := range allAzureChains {
 		if err := iptMgr.DeleteChain(chain); err != nil {
 			return err
 		}
diff --git a/npm/namespace.go b/npm/namespace.go
@@ -131,6 +131,7 @@ func (npMgr *NetworkPolicyManager) AddNamespace(nsObj *corev1.Namespace) error {
 	ns, err := newNs(nsName)
 	if err != nil {
 		metrics.SendErrorLogAndMetric(util.NSID, "[AddNamespace] Error: failed to create namespace %s with err: %v", nsName, err)
+		return err
 	}
 	setResourceVersion(ns, nsObj.GetObjectMeta().GetResourceVersion())
 
diff --git a/npm/nwpolicy.go b/npm/nwpolicy.go
@@ -103,6 +103,7 @@ func (npMgr *NetworkPolicyManager) AddNetworkPolicy(npObj *networkingv1.NetworkP
 		ns, err = newNs(npNs)
 		if err != nil {
 			metrics.SendErrorLogAndMetric(util.NetpolID, "[AddNetworkPolicy] Error: creating namespace %s with err: %v", npNs, err)
+			return err
 		}
 		npMgr.NsMap[npNs] = ns
 	}
@@ -145,6 +146,7 @@ func (npMgr *NetworkPolicyManager) AddNetworkPolicy(npObj *networkingv1.NetworkP
 		addedPolicy, err = addPolicy(oldPolicy, npObj)
 		if err != nil {
 			metrics.SendErrorLogAndMetric(util.NetpolID, "[AddNetworkPolicy] Error: adding policy %s to %s with err: %v", npName, oldPolicy.ObjectMeta.Name, err)
+			return err
 		}
 	}
 
@@ -161,28 +163,33 @@ func (npMgr *NetworkPolicyManager) AddNetworkPolicy(npObj *networkingv1.NetworkP
 		log.Logf("Creating set: %v, hashedSet: %v", set, util.GetHashedName(set))
 		if err = ipsMgr.CreateSet(set, append([]string{util.IpsetNetHashFlag})); err != nil {
 			metrics.SendErrorLogAndMetric(util.NetpolID, "[AddNetworkPolicy] Error: creating ipset %s with err: %v", set, err)
+			return err
 		}
 	}
 	for _, set := range namedPorts {
 		log.Logf("Creating set: %v, hashedSet: %v", set, util.GetHashedName(set))
 		if err = ipsMgr.CreateSet(set, append([]string{util.IpsetIPPortHashFlag})); err != nil {
 			metrics.SendErrorLogAndMetric(util.NetpolID, "[AddNetworkPolicy] Error: creating ipset named port %s with err: %v", set, err)
+			return err
 		}
 	}
 	for _, list := range lists {
 		if err = ipsMgr.CreateList(list); err != nil {
 			metrics.SendErrorLogAndMetric(util.NetpolID, "[AddNetworkPolicy] Error: creating ipset list %s with err: %v", list, err)
+			return err
 		}
 	}
 	if err = npMgr.InitAllNsList(); err != nil {
 		metrics.SendErrorLogAndMetric(util.NetpolID, "[AddNetworkPolicy] Error: initializing all-namespace ipset list with err: %v", err)
+		return err
 	}
 	createCidrsRule("in", npObj.ObjectMeta.Name, npObj.ObjectMeta.Namespace, ingressIPCidrs, ipsMgr)
 	createCidrsRule("out", npObj.ObjectMeta.Name, npObj.ObjectMeta.Namespace, egressIPCidrs, ipsMgr)
 	iptMgr := allNs.iptMgr
 	for _, iptEntry := range iptEntries {
 		if err = iptMgr.Add(iptEntry); err != nil {
 			metrics.SendErrorLogAndMetric(util.NetpolID, "[AddNetworkPolicy] Error: failed to apply iptables rule. Rule: %+v with err: %v", iptEntry, err)
+			return err
 		}
 	}
 
@@ -227,6 +234,7 @@ func (npMgr *NetworkPolicyManager) DeleteNetworkPolicy(npObj *networkingv1.Netwo
 	for _, iptEntry := range iptEntries {
 		if err = iptMgr.Delete(iptEntry); err != nil {
 			metrics.SendErrorLogAndMetric(util.NetpolID, "[DeleteNetworkPolicy] Error: failed to apply iptables rule. Rule: %+v with err: %v", iptEntry, err)
+			return err
 		}
 	}
 
@@ -239,6 +247,7 @@ func (npMgr *NetworkPolicyManager) DeleteNetworkPolicy(npObj *networkingv1.Netwo
 		deductedPolicy, err := deductPolicy(oldPolicy, npObj)
 		if err != nil {
 			metrics.SendErrorLogAndMetric(util.NetpolID, "[DeleteNetworkPolicy] Error: deducting policy %s from %s with err: %v", npName, oldPolicy.ObjectMeta.Name, err)
+			return err
 		}
 
 		if deductedPolicy == nil {
diff --git a/npm/pod.go b/npm/pod.go
@@ -215,36 +215,42 @@ func (npMgr *NetworkPolicyManager) AddPod(podObj *corev1.Pod) error {
 		npMgr.NsMap[podNs], err = newNs(podNs)
 		if err != nil {
 			metrics.SendErrorLogAndMetric(util.PodID, "[AddPod] Error: failed to create namespace %s with err: %v", podNs, err)
+			return err
 		}
 		log.Logf("Creating set: %v, hashedSet: %v", podNs, util.GetHashedName(podNs))
 		if err = ipsMgr.CreateSet(podNs, append([]string{util.IpsetNetHashFlag})); err != nil {
 			metrics.SendErrorLogAndMetric(util.PodID, "[AddPod] Error: creating ipset %s with err: %v", podNs, err)
+			return err
 		}
 	}
 
 	// Add the pod to its namespace's ipset.
 	log.Logf("Adding pod %s to ipset %s", podIP, podNs)
 	if err = ipsMgr.AddToSet(podNs, podIP, util.IpsetNetHashFlag, podUID); err != nil {
 		metrics.SendErrorLogAndMetric(util.PodID, "[AddPod] Error: failed to add pod to namespace ipset with err: %v", err)
+		return err
 	}
 
 	// Add the pod to its label's ipset.
 	for podLabelKey, podLabelVal := range podLabels {
 		log.Logf("Adding pod %s to ipset %s", podIP, podLabelKey)
 		if err = ipsMgr.AddToSet(podLabelKey, podIP, util.IpsetNetHashFlag, podUID); err != nil {
 			metrics.SendErrorLogAndMetric(util.PodID, "[AddPod] Error: failed to add pod to label ipset with err: %v", err)
+			return err
 		}
 
 		label := podLabelKey + ":" + podLabelVal
 		log.Logf("Adding pod %s to ipset %s", podIP, label)
 		if err = ipsMgr.AddToSet(label, podIP, util.IpsetNetHashFlag, podUID); err != nil {
 			metrics.SendErrorLogAndMetric(util.PodID, "[AddPod] Error: failed to add pod to label ipset with err: %v", err)
+			return err
 		}
 	}
 
 	// Add pod's named ports from its ipset.
 	if err = appendNamedPortIpsets(ipsMgr, podContainerPorts, podUID, podIP, false); err != nil {
 		metrics.SendErrorLogAndMetric(util.PodID, "[AddPod] Error: failed to add pod to namespace ipset with err: %v", err)
+		return err
 	}
 
 	// add the Pod info to the podMap
@@ -291,17 +297,20 @@ func (npMgr *NetworkPolicyManager) UpdatePod(newPodObj *corev1.Pod) error {
 		npMgr.NsMap[newPodObjNs], err = newNs(newPodObjNs)
 		if err != nil {
 			metrics.SendErrorLogAndMetric(util.PodID, "[UpdatePod] Error: failed to create namespace %s with err: %v", newPodObjNs, err)
+			return err
 		}
 		log.Logf("Creating set: %v, hashedSet: %v", newPodObjNs, util.GetHashedName(newPodObjNs))
 		if err = ipsMgr.CreateSet(newPodObjNs, append([]string{util.IpsetNetHashFlag})); err != nil {
 			metrics.SendErrorLogAndMetric(util.PodID, "[UpdatePod] Error creating ipset %s with err: %v", newPodObjNs, err)
+			return err
 		}
 	}
 
 	cachedPodObj, exists := npMgr.PodMap[podKey]
 	if !exists {
 		if addErr := npMgr.AddPod(newPodObj); addErr != nil {
 			metrics.SendErrorLogAndMetric(util.PodID, "[UpdatePod] Error: failed to add pod during update with error %+v", addErr)
+			return addErr
 		}
 		return nil
 	}
@@ -328,6 +337,7 @@ func (npMgr *NetworkPolicyManager) UpdatePod(newPodObj *corev1.Pod) error {
 	if newPodObj.Status.Phase == v1.PodSucceeded || newPodObj.Status.Phase == v1.PodFailed {
 		if delErr := npMgr.DeletePod(newPodObj); delErr != nil {
 			metrics.SendErrorLogAndMetric(util.PodID, "[UpdatePod] Error: failed to add pod during update with error %+v", delErr)
+			return delErr
 		}
 
 		return nil
@@ -369,10 +379,12 @@ func (npMgr *NetworkPolicyManager) UpdatePod(newPodObj *corev1.Pod) error {
 		)
 		if err = ipsMgr.DeleteFromSet(cachedPodObj.Namespace, cachedPodIP, cachedPodObj.PodUID); err != nil {
 			metrics.SendErrorLogAndMetric(util.PodID, "[UpdatePod] Error: failed to delete pod from namespace ipset with err: %v", err)
+			return err
 		}
 		// Add the pod to its namespace's ipset.
 		if err = ipsMgr.AddToSet(newPodObjNs, newPodObjIP, util.IpsetNetHashFlag, cachedPodObj.PodUID); err != nil {
 			metrics.SendErrorLogAndMetric(util.PodID, "[UpdatePod] Error: failed to add pod to namespace ipset with err: %v", err)
+			return err
 		}
 	} else {
 		//if no change in labels then return
@@ -392,6 +404,7 @@ func (npMgr *NetworkPolicyManager) UpdatePod(newPodObj *corev1.Pod) error {
 		log.Logf("Deleting pod %s from ipset %s", cachedPodIP, podIPSetName)
 		if err = ipsMgr.DeleteFromSet(podIPSetName, cachedPodIP, cachedPodObj.PodUID); err != nil {
 			metrics.SendErrorLogAndMetric(util.PodID, "[UpdatePod] Error: failed to delete pod from label ipset with err: %v", err)
+			return err
 		}
 	}
 
@@ -400,6 +413,7 @@ func (npMgr *NetworkPolicyManager) UpdatePod(newPodObj *corev1.Pod) error {
 		log.Logf("Adding pod %s to ipset %s", newPodObjIP, addIPSetName)
 		if err = ipsMgr.AddToSet(addIPSetName, newPodObjIP, util.IpsetNetHashFlag, cachedPodObj.PodUID); err != nil {
 			metrics.SendErrorLogAndMetric(util.PodID, "[UpdatePod] Error: failed to add pod to label ipset with err: %v", err)
+			return err
 		}
 	}
 
@@ -411,10 +425,12 @@ func (npMgr *NetworkPolicyManager) UpdatePod(newPodObj *corev1.Pod) error {
 		// Delete cached pod's named ports from its ipset.
 		if err = appendNamedPortIpsets(ipsMgr, cachedPodObj.ContainerPorts, cachedPodObj.PodUID, cachedPodIP, true); err != nil {
 			metrics.SendErrorLogAndMetric(util.PodID, "[UpdatePod] Error: failed to delete pod from namespace ipset with err: %v", err)
+			return err
 		}
 		// Add new pod's named ports from its ipset.
 		if err = appendNamedPortIpsets(ipsMgr, newPodPorts, cachedPodObj.PodUID, newPodObjIP, false); err != nil {
 			metrics.SendErrorLogAndMetric(util.PodID, "[UpdatePod] Error: failed to add pod to namespace ipset with err: %v", err)
+			return err
 		}
 	}
 
@@ -470,25 +486,29 @@ func (npMgr *NetworkPolicyManager) DeletePod(podObj *corev1.Pod) error {
 	// Delete the pod from its namespace's ipset.
 	if err = ipsMgr.DeleteFromSet(podNs, cachedPodIP, podUID); err != nil {
 		metrics.SendErrorLogAndMetric(util.PodID, "[DeletePod] Error: failed to delete pod from namespace ipset with err: %v", err)
+		return err
 	}
 
 	// Delete the pod from its label's ipset.
 	for podLabelKey, podLabelVal := range podLabels {
 		log.Logf("Deleting pod %s from ipset %s", cachedPodIP, podLabelKey)
 		if err = ipsMgr.DeleteFromSet(podLabelKey, cachedPodIP, podUID); err != nil {
 			metrics.SendErrorLogAndMetric(util.PodID, "[DeletePod] Error: failed to delete pod from label ipset with err: %v", err)
+			return err
 		}
 
 		label := podLabelKey + ":" + podLabelVal
 		log.Logf("Deleting pod %s from ipset %s", cachedPodIP, label)
 		if err = ipsMgr.DeleteFromSet(label, cachedPodIP, podUID); err != nil {
 			metrics.SendErrorLogAndMetric(util.PodID, "[DeletePod] Error: failed to delete pod from label ipset with err: %v", err)
+			return err
 		}
 	}
 
 	// Delete pod's named ports from its ipset. Delete is TRUE
 	if err = appendNamedPortIpsets(ipsMgr, containerPorts, podUID, cachedPodIP, true); err != nil {
 		metrics.SendErrorLogAndMetric(util.PodID, "[DeletePod] Error: failed to delete pod from namespace ipset with err: %v", err)
+		return err
 	}
 
 	delete(npMgr.PodMap, podKey)
diff --git a/npm/util/const.go b/npm/util/const.go
@@ -66,6 +66,7 @@ const (
 	IptablesCommentFlag       string = "--comment"
 	IptablesAddCommentFlag
 	IptablesAzureChain             string = "AZURE-NPM"
+	IptablesAzureAcceptChain       string = "AZURE-NPM-ACCEPT"
 	IptablesAzureKubeSystemChain   string = "AZURE-NPM-KUBE-SYSTEM"
 	IptablesAzureIngressChain      string = "AZURE-NPM-INGRESS"
 	IptablesAzureIngressPortChain  string = "AZURE-NPM-INGRESS-PORT"
@@ -76,10 +77,13 @@ const (
 	IptablesKubeServicesChain      string = "KUBE-SERVICES"
 	IptablesForwardChain           string = "FORWARD"
 	IptablesInputChain             string = "INPUT"
-	IptablesAzureIngressDropsChain string = "AZURE-NPM-INRGESS-DROPS"
+	IptablesAzureIngressDropsChain string = "AZURE-NPM-INGRESS-DROPS"
 	IptablesAzureEgressDropsChain  string = "AZURE-NPM-EGRESS-DROPS"
 	// Below chain exists only in NPM before v1.2.6
+	// TODO delete this below set while cleaning up
 	IptablesAzureTargetSetsChain string = "AZURE-NPM-TARGET-SETS"
+	// Below chain existing only in NPM before v1.2.7
+	IptablesAzureIngressWrongDropsChain string = "AZURE-NPM-INRGESS-DROPS"
 	// Below chains exists only for before Azure-NPM:v1.0.27
 	// and should be removed after a baking period.
 	IptablesAzureIngressFromNsChain  string = "AZURE-NPM-INGRESS-FROM-NS"
@@ -95,6 +99,7 @@ const (
 	// IptablesAzureEgressMarkHex is for checking the absolute value of the mark
 	IptablesAzureEgressMarkHex string = "0x1000"
 	IptablesAzureAcceptMarkHex string = "0x3000"
+	IptablesAzureClearMarkHex  string = "0x0"
 )
 
 //ipset related constants.

Original file line number	Diff line number	Diff line change
`@@ -131,6 +131,7 @@ func (npMgr NetworkPolicyManager) AddNamespace(nsObj corev1.Namespace) error {`
`131`	`131`	`ns, err := newNs(nsName)`
`132`	`132`	`if err != nil {`
`133`	`133`	`metrics.SendErrorLogAndMetric(util.NSID, "[AddNamespace] Error: failed to create namespace %s with err: %v", nsName, err)`
	`134`	`+ return err`
`134`	`135`	`}`
`135`	`136`	`setResourceVersion(ns, nsObj.GetObjectMeta().GetResourceVersion())`
`136`	`137`
Original file line number	Diff line number	Diff line change
`@@ -103,6 +103,7 @@ func (npMgr NetworkPolicyManager) AddNetworkPolicy(npObj networkingv1.NetworkP`
`103`	`103`	`ns, err = newNs(npNs)`
`104`	`104`	`if err != nil {`
`105`	`105`	`metrics.SendErrorLogAndMetric(util.NetpolID, "[AddNetworkPolicy] Error: creating namespace %s with err: %v", npNs, err)`
	`106`	`+ return err`
`106`	`107`	`}`
`107`	`108`	`npMgr.NsMap[npNs] = ns`
`108`	`109`	`}`
`@@ -145,6 +146,7 @@ func (npMgr NetworkPolicyManager) AddNetworkPolicy(npObj networkingv1.NetworkP`
`145`	`146`	`addedPolicy, err = addPolicy(oldPolicy, npObj)`
`146`	`147`	`if err != nil {`
`147`	`148`	`metrics.SendErrorLogAndMetric(util.NetpolID, "[AddNetworkPolicy] Error: adding policy %s to %s with err: %v", npName, oldPolicy.ObjectMeta.Name, err)`
	`149`	`+ return err`
`148`	`150`	`}`
`149`	`151`	`}`
`150`	`152`
`@@ -161,28 +163,33 @@ func (npMgr NetworkPolicyManager) AddNetworkPolicy(npObj networkingv1.NetworkP`
`161`	`163`	`log.Logf("Creating set: %v, hashedSet: %v", set, util.GetHashedName(set))`
`162`	`164`	`if err = ipsMgr.CreateSet(set, append([]string{util.IpsetNetHashFlag})); err != nil {`
`163`	`165`	`metrics.SendErrorLogAndMetric(util.NetpolID, "[AddNetworkPolicy] Error: creating ipset %s with err: %v", set, err)`
	`166`	`+ return err`
`164`	`167`	`}`
`165`	`168`	`}`
`166`	`169`	`for _, set := range namedPorts {`
`167`	`170`	`log.Logf("Creating set: %v, hashedSet: %v", set, util.GetHashedName(set))`
`168`	`171`	`if err = ipsMgr.CreateSet(set, append([]string{util.IpsetIPPortHashFlag})); err != nil {`
`169`	`172`	`metrics.SendErrorLogAndMetric(util.NetpolID, "[AddNetworkPolicy] Error: creating ipset named port %s with err: %v", set, err)`
	`173`	`+ return err`
`170`	`174`	`}`
`171`	`175`	`}`
`172`	`176`	`for _, list := range lists {`
`173`	`177`	`if err = ipsMgr.CreateList(list); err != nil {`
`174`	`178`	`metrics.SendErrorLogAndMetric(util.NetpolID, "[AddNetworkPolicy] Error: creating ipset list %s with err: %v", list, err)`
	`179`	`+ return err`
`175`	`180`	`}`
`176`	`181`	`}`
`177`	`182`	`if err = npMgr.InitAllNsList(); err != nil {`
`178`	`183`	`metrics.SendErrorLogAndMetric(util.NetpolID, "[AddNetworkPolicy] Error: initializing all-namespace ipset list with err: %v", err)`
	`184`	`+ return err`
`179`	`185`	`}`
`180`	`186`	`createCidrsRule("in", npObj.ObjectMeta.Name, npObj.ObjectMeta.Namespace, ingressIPCidrs, ipsMgr)`
`181`	`187`	`createCidrsRule("out", npObj.ObjectMeta.Name, npObj.ObjectMeta.Namespace, egressIPCidrs, ipsMgr)`
`182`	`188`	`iptMgr := allNs.iptMgr`
`183`	`189`	`for _, iptEntry := range iptEntries {`
`184`	`190`	`if err = iptMgr.Add(iptEntry); err != nil {`
`185`	`191`	`metrics.SendErrorLogAndMetric(util.NetpolID, "[AddNetworkPolicy] Error: failed to apply iptables rule. Rule: %+v with err: %v", iptEntry, err)`
	`192`	`+ return err`
`186`	`193`	`}`
`187`	`194`	`}`
`188`	`195`
`@@ -227,6 +234,7 @@ func (npMgr NetworkPolicyManager) DeleteNetworkPolicy(npObj networkingv1.Netwo`
`227`	`234`	`for _, iptEntry := range iptEntries {`
`228`	`235`	`if err = iptMgr.Delete(iptEntry); err != nil {`
`229`	`236`	`metrics.SendErrorLogAndMetric(util.NetpolID, "[DeleteNetworkPolicy] Error: failed to apply iptables rule. Rule: %+v with err: %v", iptEntry, err)`
	`237`	`+ return err`
`230`	`238`	`}`
`231`	`239`	`}`
`232`	`240`
`@@ -239,6 +247,7 @@ func (npMgr NetworkPolicyManager) DeleteNetworkPolicy(npObj networkingv1.Netwo`
`239`	`247`	`deductedPolicy, err := deductPolicy(oldPolicy, npObj)`
`240`	`248`	`if err != nil {`
`241`	`249`	`metrics.SendErrorLogAndMetric(util.NetpolID, "[DeleteNetworkPolicy] Error: deducting policy %s from %s with err: %v", npName, oldPolicy.ObjectMeta.Name, err)`
	`250`	`+ return err`
`242`	`251`	`}`
`243`	`252`
`244`	`253`	`if deductedPolicy == nil {`
Original file line number	Diff line number	Diff line change
`@@ -215,36 +215,42 @@ func (npMgr NetworkPolicyManager) AddPod(podObj corev1.Pod) error {`
`215`	`215`	`npMgr.NsMap[podNs], err = newNs(podNs)`
`216`	`216`	`if err != nil {`
`217`	`217`	`metrics.SendErrorLogAndMetric(util.PodID, "[AddPod] Error: failed to create namespace %s with err: %v", podNs, err)`
	`218`	`+ return err`
`218`	`219`	`}`
`219`	`220`	`log.Logf("Creating set: %v, hashedSet: %v", podNs, util.GetHashedName(podNs))`
`220`	`221`	`if err = ipsMgr.CreateSet(podNs, append([]string{util.IpsetNetHashFlag})); err != nil {`
`221`	`222`	`metrics.SendErrorLogAndMetric(util.PodID, "[AddPod] Error: creating ipset %s with err: %v", podNs, err)`
	`223`	`+ return err`
`222`	`224`	`}`
`223`	`225`	`}`
`224`	`226`
`225`	`227`	`// Add the pod to its namespace's ipset.`
`226`	`228`	`log.Logf("Adding pod %s to ipset %s", podIP, podNs)`
`227`	`229`	`if err = ipsMgr.AddToSet(podNs, podIP, util.IpsetNetHashFlag, podUID); err != nil {`
`228`	`230`	`metrics.SendErrorLogAndMetric(util.PodID, "[AddPod] Error: failed to add pod to namespace ipset with err: %v", err)`
	`231`	`+ return err`
`229`	`232`	`}`
`230`	`233`
`231`	`234`	`// Add the pod to its label's ipset.`
`232`	`235`	`for podLabelKey, podLabelVal := range podLabels {`
`233`	`236`	`log.Logf("Adding pod %s to ipset %s", podIP, podLabelKey)`
`234`	`237`	`if err = ipsMgr.AddToSet(podLabelKey, podIP, util.IpsetNetHashFlag, podUID); err != nil {`
`235`	`238`	`metrics.SendErrorLogAndMetric(util.PodID, "[AddPod] Error: failed to add pod to label ipset with err: %v", err)`
	`239`	`+ return err`
`236`	`240`	`}`
`237`	`241`
`238`	`242`	`label := podLabelKey + ":" + podLabelVal`
`239`	`243`	`log.Logf("Adding pod %s to ipset %s", podIP, label)`
`240`	`244`	`if err = ipsMgr.AddToSet(label, podIP, util.IpsetNetHashFlag, podUID); err != nil {`
`241`	`245`	`metrics.SendErrorLogAndMetric(util.PodID, "[AddPod] Error: failed to add pod to label ipset with err: %v", err)`
	`246`	`+ return err`
`242`	`247`	`}`
`243`	`248`	`}`
`244`	`249`
`245`	`250`	`// Add pod's named ports from its ipset.`
`246`	`251`	`if err = appendNamedPortIpsets(ipsMgr, podContainerPorts, podUID, podIP, false); err != nil {`
`247`	`252`	`metrics.SendErrorLogAndMetric(util.PodID, "[AddPod] Error: failed to add pod to namespace ipset with err: %v", err)`
	`253`	`+ return err`
`248`	`254`	`}`
`249`	`255`
`250`	`256`	`// add the Pod info to the podMap`
`@@ -291,17 +297,20 @@ func (npMgr NetworkPolicyManager) UpdatePod(newPodObj corev1.Pod) error {`
`291`	`297`	`npMgr.NsMap[newPodObjNs], err = newNs(newPodObjNs)`
`292`	`298`	`if err != nil {`
`293`	`299`	`metrics.SendErrorLogAndMetric(util.PodID, "[UpdatePod] Error: failed to create namespace %s with err: %v", newPodObjNs, err)`
	`300`	`+ return err`
`294`	`301`	`}`
`295`	`302`	`log.Logf("Creating set: %v, hashedSet: %v", newPodObjNs, util.GetHashedName(newPodObjNs))`
`296`	`303`	`if err = ipsMgr.CreateSet(newPodObjNs, append([]string{util.IpsetNetHashFlag})); err != nil {`
`297`	`304`	`metrics.SendErrorLogAndMetric(util.PodID, "[UpdatePod] Error creating ipset %s with err: %v", newPodObjNs, err)`
	`305`	`+ return err`
`298`	`306`	`}`
`299`	`307`	`}`
`300`	`308`
`301`	`309`	`cachedPodObj, exists := npMgr.PodMap[podKey]`
`302`	`310`	`if !exists {`
`303`	`311`	`if addErr := npMgr.AddPod(newPodObj); addErr != nil {`
`304`	`312`	`metrics.SendErrorLogAndMetric(util.PodID, "[UpdatePod] Error: failed to add pod during update with error %+v", addErr)`
	`313`	`+ return addErr`
`305`	`314`	`}`
`306`	`315`	`return nil`
`307`	`316`	`}`
`@@ -328,6 +337,7 @@ func (npMgr NetworkPolicyManager) UpdatePod(newPodObj corev1.Pod) error {`
`328`	`337`	`if newPodObj.Status.Phase == v1.PodSucceeded \|\| newPodObj.Status.Phase == v1.PodFailed {`
`329`	`338`	`if delErr := npMgr.DeletePod(newPodObj); delErr != nil {`
`330`	`339`	`metrics.SendErrorLogAndMetric(util.PodID, "[UpdatePod] Error: failed to add pod during update with error %+v", delErr)`
	`340`	`+ return delErr`
`331`	`341`	`}`
`332`	`342`
`333`	`343`	`return nil`
`@@ -369,10 +379,12 @@ func (npMgr NetworkPolicyManager) UpdatePod(newPodObj corev1.Pod) error {`
`369`	`379`	`)`
`370`	`380`	`if err = ipsMgr.DeleteFromSet(cachedPodObj.Namespace, cachedPodIP, cachedPodObj.PodUID); err != nil {`
`371`	`381`	`metrics.SendErrorLogAndMetric(util.PodID, "[UpdatePod] Error: failed to delete pod from namespace ipset with err: %v", err)`
	`382`	`+ return err`
`372`	`383`	`}`
`373`	`384`	`// Add the pod to its namespace's ipset.`
`374`	`385`	`if err = ipsMgr.AddToSet(newPodObjNs, newPodObjIP, util.IpsetNetHashFlag, cachedPodObj.PodUID); err != nil {`
`375`	`386`	`metrics.SendErrorLogAndMetric(util.PodID, "[UpdatePod] Error: failed to add pod to namespace ipset with err: %v", err)`
	`387`	`+ return err`
`376`	`388`	`}`
`377`	`389`	`} else {`
`378`	`390`	`//if no change in labels then return`
`@@ -392,6 +404,7 @@ func (npMgr NetworkPolicyManager) UpdatePod(newPodObj corev1.Pod) error {`
`392`	`404`	`log.Logf("Deleting pod %s from ipset %s", cachedPodIP, podIPSetName)`
`393`	`405`	`if err = ipsMgr.DeleteFromSet(podIPSetName, cachedPodIP, cachedPodObj.PodUID); err != nil {`
`394`	`406`	`metrics.SendErrorLogAndMetric(util.PodID, "[UpdatePod] Error: failed to delete pod from label ipset with err: %v", err)`
	`407`	`+ return err`
`395`	`408`	`}`
`396`	`409`	`}`
`397`	`410`
`@@ -400,6 +413,7 @@ func (npMgr NetworkPolicyManager) UpdatePod(newPodObj corev1.Pod) error {`
`400`	`413`	`log.Logf("Adding pod %s to ipset %s", newPodObjIP, addIPSetName)`
`401`	`414`	`if err = ipsMgr.AddToSet(addIPSetName, newPodObjIP, util.IpsetNetHashFlag, cachedPodObj.PodUID); err != nil {`
`402`	`415`	`metrics.SendErrorLogAndMetric(util.PodID, "[UpdatePod] Error: failed to add pod to label ipset with err: %v", err)`
	`416`	`+ return err`
`403`	`417`	`}`
`404`	`418`	`}`
`405`	`419`
`@@ -411,10 +425,12 @@ func (npMgr NetworkPolicyManager) UpdatePod(newPodObj corev1.Pod) error {`
`411`	`425`	`// Delete cached pod's named ports from its ipset.`
`412`	`426`	`if err = appendNamedPortIpsets(ipsMgr, cachedPodObj.ContainerPorts, cachedPodObj.PodUID, cachedPodIP, true); err != nil {`
`413`	`427`	`metrics.SendErrorLogAndMetric(util.PodID, "[UpdatePod] Error: failed to delete pod from namespace ipset with err: %v", err)`
	`428`	`+ return err`
`414`	`429`	`}`
`415`	`430`	`// Add new pod's named ports from its ipset.`
`416`	`431`	`if err = appendNamedPortIpsets(ipsMgr, newPodPorts, cachedPodObj.PodUID, newPodObjIP, false); err != nil {`
`417`	`432`	`metrics.SendErrorLogAndMetric(util.PodID, "[UpdatePod] Error: failed to add pod to namespace ipset with err: %v", err)`
	`433`	`+ return err`
`418`	`434`	`}`
`419`	`435`	`}`
`420`	`436`
`@@ -470,25 +486,29 @@ func (npMgr NetworkPolicyManager) DeletePod(podObj corev1.Pod) error {`
`470`	`486`	`// Delete the pod from its namespace's ipset.`
`471`	`487`	`if err = ipsMgr.DeleteFromSet(podNs, cachedPodIP, podUID); err != nil {`
`472`	`488`	`metrics.SendErrorLogAndMetric(util.PodID, "[DeletePod] Error: failed to delete pod from namespace ipset with err: %v", err)`
	`489`	`+ return err`
`473`	`490`	`}`
`474`	`491`
`475`	`492`	`// Delete the pod from its label's ipset.`
`476`	`493`	`for podLabelKey, podLabelVal := range podLabels {`
`477`	`494`	`log.Logf("Deleting pod %s from ipset %s", cachedPodIP, podLabelKey)`
`478`	`495`	`if err = ipsMgr.DeleteFromSet(podLabelKey, cachedPodIP, podUID); err != nil {`
`479`	`496`	`metrics.SendErrorLogAndMetric(util.PodID, "[DeletePod] Error: failed to delete pod from label ipset with err: %v", err)`
	`497`	`+ return err`
`480`	`498`	`}`
`481`	`499`
`482`	`500`	`label := podLabelKey + ":" + podLabelVal`
`483`	`501`	`log.Logf("Deleting pod %s from ipset %s", cachedPodIP, label)`
`484`	`502`	`if err = ipsMgr.DeleteFromSet(label, cachedPodIP, podUID); err != nil {`
`485`	`503`	`metrics.SendErrorLogAndMetric(util.PodID, "[DeletePod] Error: failed to delete pod from label ipset with err: %v", err)`
	`504`	`+ return err`
`486`	`505`	`}`
`487`	`506`	`}`
`488`	`507`
`489`	`508`	`// Delete pod's named ports from its ipset. Delete is TRUE`
`490`	`509`	`if err = appendNamedPortIpsets(ipsMgr, containerPorts, podUID, cachedPodIP, true); err != nil {`
`491`	`510`	`metrics.SendErrorLogAndMetric(util.PodID, "[DeletePod] Error: failed to delete pod from namespace ipset with err: %v", err)`
	`511`	`+ return err`
`492`	`512`	`}`
`493`	`513`
`494`	`514`	`delete(npMgr.PodMap, podKey)`