
Commit 1b7ae13

jimmy-zhmurali-reddy
authored andcommitted
make the comments of the iptables rules more accurate and reasonable (#527)
1 parent 7496b00 commit 1b7ae13


1 file changed

+8
-8
lines changed


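--- a/pkg/controllers/netpol/network_policy_controller.go
+++ b/pkg/controllers/netpol/network_policy_controller.go
@@ -397,7 +397,7 @@ func (npc *NetworkPolicyController) processIngressRules(policy networkPolicyInfo
 // so match on all sources, with specified port and protocol
 if ingressRule.matchAllSource && !ingressRule.matchAllPorts {
 for _, portProtocol := range ingressRule.ports {
-comment := "rule to ACCEPT traffic from source pods to dest pods selected by policy name: " +
+comment := "rule to ACCEPT traffic from all sources to dest pods selected by policy name: " +
 policy.name + " namespace " + policy.namespace
 args := []string{"-m", "comment", "--comment", comment,
 "-m", "set", "--set", targetDestPodIpSetName, "dst",
@@ -414,7 +414,7 @@ func (npc *NetworkPolicyController) processIngressRules(policy networkPolicyInfo
 // case where nether ports nor from details are speified in the ingress rule
 // so match on all ports, protocol, source IP's
 if ingressRule.matchAllSource && ingressRule.matchAllPorts {
-comment := "rule to ACCEPT traffic from source pods to dest pods selected by policy name: " +
+comment := "rule to ACCEPT traffic from all sources to dest pods selected by policy name: " +
 policy.name + " namespace " + policy.namespace
 args := []string{"-m", "comment", "--comment", comment,
 "-m", "set", "--set", targetDestPodIpSetName, "dst",
@@ -428,7 +428,7 @@ func (npc *NetworkPolicyController) processIngressRules(policy networkPolicyInfo
 for _, cidr := range ingressRule.cidrs {
 if !ingressRule.matchAllPorts {
 for _, portProtocol := range ingressRule.ports {
-comment := "rule to ACCEPT traffic from specified CIDR's to dest pods selected by policy name: " +
+comment := "rule to ACCEPT traffic from specified CIDR to dest pods selected by policy name: " +
 policy.name + " namespace " + policy.namespace
 args := []string{"-m", "comment", "--comment", comment,
 "-m", "set", "--set", targetDestPodIpSetName, "dst",
@@ -443,7 +443,7 @@ func (npc *NetworkPolicyController) processIngressRules(policy networkPolicyInfo
 }
 }
 if ingressRule.matchAllPorts {
-comment := "rule to ACCEPT traffic from source pods to dest pods selected by policy name: " +
+comment := "rule to ACCEPT traffic from specified CIDR to dest pods selected by policy name: " +
 policy.name + " namespace " + policy.namespace
 args := []string{"-m", "comment", "--comment", comment,
 "-m", "set", "--set", targetDestPodIpSetName, "dst",
@@ -532,7 +532,7 @@ func (npc *NetworkPolicyController) processEgressRules(policy networkPolicyInfo,
 // so match on all sources, with specified port and protocol
 if egressRule.matchAllDestinations && !egressRule.matchAllPorts {
 for _, portProtocol := range egressRule.ports {
-comment := "rule to ACCEPT traffic from source pods to dest pods selected by policy name: " +
+comment := "rule to ACCEPT traffic from source pods to all destinations selected by policy name: " +
 policy.name + " namespace " + policy.namespace
 args := []string{"-m", "comment", "--comment", comment,
 "-m", "set", "--set", targetSourcePodIpSetName, "src",
@@ -549,7 +549,7 @@ func (npc *NetworkPolicyController) processEgressRules(policy networkPolicyInfo,
 // case where nether ports nor from details are speified in the egress rule
 // so match on all ports, protocol, source IP's
 if egressRule.matchAllDestinations && egressRule.matchAllPorts {
-comment := "rule to ACCEPT traffic from source pods to dest pods selected by policy name: " +
+comment := "rule to ACCEPT traffic from source pods to all destinations selected by policy name: " +
 policy.name + " namespace " + policy.namespace
 args := []string{"-m", "comment", "--comment", comment,
 "-m", "set", "--set", targetSourcePodIpSetName, "src",
@@ -563,7 +563,7 @@ func (npc *NetworkPolicyController) processEgressRules(policy networkPolicyInfo,
 for _, cidr := range egressRule.cidrs {
 if !egressRule.matchAllPorts {
 for _, portProtocol := range egressRule.ports {
-comment := "rule to ACCEPT traffic from specified CIDR's to dest pods selected by policy name: " +
+comment := "rule to ACCEPT traffic from source pods to specified CIDR selected by policy name: " +
 policy.name + " namespace " + policy.namespace
 args := []string{"-m", "comment", "--comment", comment,
 "-m", "set", "--set", targetSourcePodIpSetName, "src",
@@ -578,7 +578,7 @@ func (npc *NetworkPolicyController) processEgressRules(policy networkPolicyInfo,
 }
 }
 if egressRule.matchAllPorts {
-comment := "rule to ACCEPT traffic from source pods to dest pods selected by policy name: " +
+comment := "rule to ACCEPT traffic from source pods to specified CIDR selected by policy name: " +
 policy.name + " namespace " + policy.namespace
 args := []string{"-m", "comment", "--comment", comment,
 "-m", "set", "--set", targetSourcePodIpSetName, "src",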
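Review bot: The Go comments above the two `matchAllDestinations` branches in processEgressRules (new lines 532 and 549-550) still carry the ingress wording, `// so match on all sources, with specified port and protocol` and `// so match on all ports, protocol, source IP's` after "nether ports nor from details are speified", although the conditions and the corrected rule strings are about destinations. I would fix them in this same change, e.g. `// so match on all destinations, with specified port and protocol` and `// case where neither ports nor to details are specified in the egress rule`. In the four new egress strings the phrase "selected by policy name" now follows "all destinations" or "specified CIDR", so someone auditing `iptables -S` output can read it as the policy selecting the destination instead of the source pods. A wording such as `"rule to ACCEPT traffic to all destinations from source pods selected by policy name: " +` (and the same shape for the CIDR case) keeps the phrase attached to the pods. Both functions begin and end outside the visible hunks, so any other stale comments in them are not covered here.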
