@@ -953,6 +953,7 @@ func cleanupStaleRules(activePolicyChains, activePodFwChains, activePolicyIPSets
953953 cleanupPolicyChains := make ([]string , 0 )
954954 cleanupPolicyIPSets := make ([]* utils.Set , 0 )
955955
956+ // initialize tool sets for working with iptables and ipset
956957 iptablesCmdHandler , err := iptables .New ()
957958 if err != nil {
958959 glog .Fatalf ("failed to initialize iptables command executor due to %s" , err .Error ())
@@ -966,7 +967,7 @@ func cleanupStaleRules(activePolicyChains, activePodFwChains, activePolicyIPSets
966967 glog .Fatalf ("failed to initialize ipsets command executor due to %s" , err .Error ())
967968 }
968969
969- // get the list of chains created for pod firewall and network policies
970+ // find iptables chains and ipsets that are no longer used by comparing current to the active maps we were passed
970971 chains , err := iptablesCmdHandler .ListChains ("filter" )
971972 for _ , chain := range chains {
972973 if strings .HasPrefix (chain , kubeNetworkPolicyChainPrefix ) {
@@ -989,37 +990,26 @@ func cleanupStaleRules(activePolicyChains, activePodFwChains, activePolicyIPSets
989990 }
990991 }
991992
992- // cleanup FORWARD chain rules to jump to pod firewall
993- for _ , chain := range cleanupPodFwChains {
993+ // remove stale iptables podFwChain references from the filter table chains
994+ for _ , podFwChain := range cleanupPodFwChains {
994995
995- forwardChainRules , err := iptablesCmdHandler .List ("filter" , "FORWARD" )
996- if err != nil {
997- return fmt .Errorf ("failed to list rules in filter table, FORWARD chain due to %s" , err .Error ())
998- }
999- outputChainRules , err := iptablesCmdHandler .List ("filter" , "OUTPUT" )
1000- if err != nil {
1001- return fmt .Errorf ("failed to list rules in filter table, OUTPUT chain due to %s" , err .Error ())
1002- }
1003-
1004- // TODO delete rule by spec, than rule number to avoid extra loop
1005- var realRuleNo int
1006- for i , rule := range forwardChainRules {
1007- if strings .Contains (rule , chain ) {
1008- err = iptablesCmdHandler .Delete ("filter" , "FORWARD" , strconv .Itoa (i - realRuleNo ))
1009- if err != nil {
1010- return fmt .Errorf ("failed to delete rule: %s from the FORWARD chain of filter table due to %s" , rule , err .Error ())
1011- }
1012- realRuleNo ++
996+ primaryChains := []string {"FORWARD" , "OUTPUT" , "INPUT" }
997+ for _ , egressChain := range primaryChains {
998+ forwardChainRules , err := iptablesCmdHandler .List ("filter" , egressChain )
999+ if err != nil {
1000+ return fmt .Errorf ("failed to list rules in filter table, %s podFwChain due to %s" , egressChain , err .Error ())
10131001 }
1014- }
1015- realRuleNo = 0
1016- for i , rule := range outputChainRules {
1017- if strings .Contains (rule , chain ) {
1018- err = iptablesCmdHandler .Delete ("filter" , "OUTPUT" , strconv .Itoa (i - realRuleNo ))
1019- if err != nil {
1020- return fmt .Errorf ("failed to delete rule: %s from the OUTPUT chain of filter table due to %s" , rule , err .Error ())
1002+
1003+ // TODO delete rule by spec, than rule number to avoid extra loop
1004+ var realRuleNo int
1005+ for i , rule := range forwardChainRules {
1006+ if strings .Contains (rule , podFwChain ) {
1007+ err = iptablesCmdHandler .Delete ("filter" , egressChain , strconv .Itoa (i - realRuleNo ))
1008+ if err != nil {
1009+ return fmt .Errorf ("failed to delete rule: %s from the %s podFwChain of filter table due to %s" , rule , egressChain , err .Error ())
1010+ }
1011+ realRuleNo ++
10211012 }
1022- realRuleNo ++
10231013 }
10241014 }
10251015 }
@@ -1042,7 +1032,7 @@ func cleanupStaleRules(activePolicyChains, activePodFwChains, activePolicyIPSets
10421032 for _ , policyChain := range cleanupPolicyChains {
10431033 glog .V (2 ).Infof ("Found policy chain to cleanup %s" , policyChain )
10441034
1045- // first clean up any references from pod firewall chain
1035+ // first clean up any references from active pod firewall chains
10461036 for podFwChain := range activePodFwChains {
10471037 podFwChainRules , err := iptablesCmdHandler .List ("filter" , podFwChain )
10481038 if err != nil {
@@ -1059,6 +1049,7 @@ func cleanupStaleRules(activePolicyChains, activePodFwChains, activePolicyIPSets
10591049 }
10601050 }
10611051
1052+ // now that all stale and active references to the network policy chain have been removed, delete the chain
10621053 err = iptablesCmdHandler .ClearChain ("filter" , policyChain )
10631054 if err != nil {
10641055 return fmt .Errorf ("Failed to flush the rules in chain %s due to %s" , policyChain , err )
0 commit comments