From 4861021797832efd6013daa0b3955ffe5afc9f4d Mon Sep 17 00:00:00 2001
From: Aaron U'Ren
Date: Sun, 11 Jun 2023 17:22:29 -0500
Subject: [PATCH] fix(NPC): update IPBlocks to be ipFamily specific

Previously, IPBlocks (like srcIPBlocks) only contained a single IP Family which meant that a len() > 0 would indicate that an IP block had been defined in the NetworkPolicy. However, now the IPBlocks structs are IP family specific which means that they will always contain 2 entries, one for the IPv4 family and one of the IPv6 family. Which means that this condition will evaluate to true for all NetworkPolicies and waste system resources creating empty ipsets and bad iptables rules.
---
 pkg/controllers/netpol/policy.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/pkg/controllers/netpol/policy.go b/pkg/controllers/netpol/policy.go
index 67c8095313..3ef83cb17b 100644
--- a/pkg/controllers/netpol/policy.go
+++ b/pkg/controllers/netpol/policy.go
@@ -262,7 +262,7 @@ func (npc *NetworkPolicyController) processIngressRules(policy networkPolicyInfo
 }
 }
- if len(ingressRule.srcIPBlocks) != 0 {
+ if len(ingressRule.srcIPBlocks[ipFamily]) != 0 {
 srcIPBlockIPSetName := policyIndexedSourceIPBlockIPSetName(policy.namespace, policy.name, ruleIdx, ipFamily)
 activePolicyIPSets[srcIPBlockIPSetName] = true
 npc.ipSetHandlers[ipFamily].RefreshSet(srcIPBlockIPSetName, ingressRule.srcIPBlocks[ipFamily], utils.TypeHashNet)
@@ -407,7 +407,7 @@ func (npc *NetworkPolicyController) processEgressRules(policy networkPolicyInfo,
 }
 }
- if len(egressRule.dstIPBlocks) != 0 {
+ if len(egressRule.dstIPBlocks[ipFamily]) != 0 {
 dstIPBlockIPSetName := policyIndexedDestinationIPBlockIPSetName(policy.namespace, policy.name, ruleIdx, ipFamily)
 activePolicyIPSets[dstIPBlockIPSetName] = true
 npc.ipSetHandlers[ipFamily].RefreshSet(dstIPBlockIPSetName, egressRule.dstIPBlocks[ipFamily], utils.TypeHashNet)
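Review bot: With the per-family guard on the `+` line of the first hunk, an ingress rule whose only peer is a single-family ipBlock now yields no ipset (and, presumably, no iptables match) for the other family, so please confirm that the rule-emission code after this hunk fails closed for that family instead of falling through to a branch that matches all sources — NetworkPolicy semantics require IPv6 traffic to stay denied when only an IPv4 block is listed. The skipped family's stale ipset is also no longer marked in `activePolicyIPSets`, which looks intended (it should then be garbage-collected), but that cleanup path is not visible here. A one-line comment above the check would keep the next reader from reverting it: `// srcIPBlocks is keyed by IP family; only build an ipset/rule for families that actually list a block`. processIngressRules starts and ends outside this hunk.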
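Review bot: The second hunk applies the same family-keyed guard to `dstIPBlocks`, but the diffstat shows no test accompanies the fix; a regression test that builds a policy with an IPv4-only egress ipBlock and asserts that an IPv4 ipset is refreshed while no IPv6 ipset or rule is produced would pin the behavior this commit restores. As on the ingress side, a short comment would document why the index is required: `// dstIPBlocks is keyed by IP family; skip families with no blocks`. processEgressRules continues outside this hunk.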