Fix a bug that created a random egress entry when deleting from ingress-centric policy group. Also added a check to add multiple default entries to prevent deletion of once policy to affect another. (#551)

jaer-tsun · web-flow · commit ef14c8d186ae · 2020-04-29T14:32:22.000-07:00
diff --git a/npm/iptm/iptm.go b/npm/iptm/iptm.go
@@ -283,15 +283,6 @@ func (iptMgr *IptablesManager) DeleteChain(chain string) error {
 func (iptMgr *IptablesManager) Add(entry *IptEntry) error {
 	log.Printf("Adding iptables entry: %+v.", entry)
 
-	exists, err := iptMgr.Exists(entry)
-	if err != nil {
-		return err
-	}
-
-	if exists {
-		return nil
-	}
-
 	if entry.IsJumpEntry {
 		iptMgr.OperationFlag = util.IptablesAppendFlag
 	} else {
diff --git a/npm/nwpolicy.go b/npm/nwpolicy.go
@@ -85,15 +85,14 @@ func (npMgr *NetworkPolicyManager) AddNetworkPolicy(npObj *networkingv1.NetworkP
 	}
 
 	if addedPolicy != nil {
-		sets, lists, iptEntries = translatePolicy(addedPolicy)
 		ns.processedNpMap[hashedSelector] = addedPolicy
 	} else {
-		sets, lists, iptEntries = translatePolicy(npObj)
 		ns.processedNpMap[hashedSelector] = npObj
 	}
 
 	ns.rawNpMap[npObj.ObjectMeta.Name] = npObj
 
+	sets, lists, iptEntries = translatePolicy(npObj)
 	ipsMgr := allNs.ipsMgr
 	for _, set := range sets {
 		log.Printf("Creating set: %v, hashedSet: %v", set, util.GetHashedName(set))
diff --git a/npm/parsePolicy.go b/npm/parsePolicy.go
@@ -54,9 +54,8 @@ func addPolicy(old, new *networkingv1.NetworkPolicy) (*networkingv1.NetworkPolic
 	}
 
 	spec := &(addedPolicy.Spec)
-	if len(old.Spec.PolicyTypes) == 1 && old.Spec.PolicyTypes[0] == networkingv1.PolicyTypeEgress &&
-		len(new.Spec.PolicyTypes) == 1 && new.Spec.PolicyTypes[0] == networkingv1.PolicyTypeEgress {
-		spec.PolicyTypes = []networkingv1.PolicyType{networkingv1.PolicyTypeEgress}
+	if len(old.Spec.PolicyTypes) == 1 && len(new.Spec.PolicyTypes) == 1 && old.Spec.PolicyTypes[0] == new.Spec.PolicyTypes[0] {
+		spec.PolicyTypes = []networkingv1.PolicyType{new.Spec.PolicyTypes[0]}
 	} else {
 		spec.PolicyTypes = []networkingv1.PolicyType{
 			networkingv1.PolicyTypeIngress,
@@ -126,10 +125,8 @@ func deductPolicy(old, new *networkingv1.NetworkPolicy) (*networkingv1.NetworkPo
 	deductedPolicy.Spec.Ingress = deductedIngress
 	deductedPolicy.Spec.Egress = deductedEgress
 
-	if len(old.Spec.PolicyTypes) == 1 && old.Spec.PolicyTypes[0] == networkingv1.PolicyTypeEgress &&
-		len(new.Spec.PolicyTypes) == 1 && new.Spec.PolicyTypes[0] == networkingv1.PolicyTypeEgress &&
-		len(deductedIngress) == 0 {
-		deductedPolicy.Spec.PolicyTypes = []networkingv1.PolicyType{networkingv1.PolicyTypeEgress}
+	if len(old.Spec.PolicyTypes) == 1 && len(new.Spec.PolicyTypes) == 1 && old.Spec.PolicyTypes[0] == new.Spec.PolicyTypes[0] {
+		deductedPolicy.Spec.PolicyTypes = []networkingv1.PolicyType{new.Spec.PolicyTypes[0]}
 	} else {
 		deductedPolicy.Spec.PolicyTypes = []networkingv1.PolicyType{
 			networkingv1.PolicyTypeIngress,

Original file line number	Diff line number	Diff line change
`@@ -85,15 +85,14 @@ func (npMgr NetworkPolicyManager) AddNetworkPolicy(npObj networkingv1.NetworkP`
`85`	`85`	`}`
`86`	`86`
`87`	`87`	`if addedPolicy != nil {`
`88`		`- sets, lists, iptEntries = translatePolicy(addedPolicy)`
`89`	`88`	`ns.processedNpMap[hashedSelector] = addedPolicy`
`90`	`89`	`} else {`
`91`		`- sets, lists, iptEntries = translatePolicy(npObj)`
`92`	`90`	`ns.processedNpMap[hashedSelector] = npObj`
`93`	`91`	`}`
`94`	`92`
`95`	`93`	`ns.rawNpMap[npObj.ObjectMeta.Name] = npObj`
`96`	`94`
	`95`	`+ sets, lists, iptEntries = translatePolicy(npObj)`
`97`	`96`	`ipsMgr := allNs.ipsMgr`
`98`	`97`	`for _, set := range sets {`
`99`	`98`	`log.Printf("Creating set: %v, hashedSet: %v", set, util.GetHashedName(set))`