From 93fe004ce6ea66b9fe12e267e24af4efe94b01b9 Mon Sep 17 00:00:00 2001
From: Murali Reddy
Date: Fri, 25 Jun 2021 02:51:19 +0530
Subject: [PATCH] bug fixes
---
 pkg/controllers/netpol/network_policy_controller.go | 5 ++++-
 pkg/controllers/netpol/pod.go | 12 ++++++------
 2 files changed, 10 insertions(+), 7 deletions(-)
diff --git a/pkg/controllers/netpol/network_policy_controller.go b/pkg/controllers/netpol/network_policy_controller.go
index fc88bdce..5b547221 100644
--- a/pkg/controllers/netpol/network_policy_controller.go
+++ b/pkg/controllers/netpol/network_policy_controller.go
@@ -255,7 +255,7 @@ func (npc *NetworkPolicyController) fullPolicySync() {
 }
 if err := utils.Restore("filter", npc.filterTableRules.Bytes()); err != nil {
- klog.Errorf("Aborting sync. Failed to run iptables-restore: %v" + err.Error())
+ klog.Errorf("Aborting sync. Failed to run iptables-restore: %v\n%s", err.Error(), npc.filterTableRules.String())
 return
 }
@@ -433,6 +433,9 @@ func (npc *NetworkPolicyController) cleanupStaleRules(activePolicyChains, active
 }
 for _, chain := range chains {
 if strings.HasPrefix(chain, kubeNetworkPolicyChainPrefix) {
+ if chain == kubeDefaultNetpolChain {
+ continue
+ }
 if _, ok := activePolicyChains[chain]; !ok {
 cleanupPolicyChains = append(cleanupPolicyChains, chain)
 }
diff --git a/pkg/controllers/netpol/pod.go b/pkg/controllers/netpol/pod.go
index 5e10f79b..15a01c57 100644
--- a/pkg/controllers/netpol/pod.go
+++ b/pkg/controllers/netpol/pod.go
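Review bot: The rewritten Errorf on the `+` line appends the entire filter-table ruleset to the error log on every failed restore, and that buffer holds one line per pod rule with every pod IP and policy chain on the node, so a persistently failing restore both floods the log and copies the node's network map into whatever collects it. I would keep the one-line error and put the dump behind a verbosity gate: `klog.Errorf("Aborting sync. Failed to run iptables-restore: %v", err)` followed by `klog.V(3).Infof("filter table rules that failed to restore:\n%s", npc.filterTableRules.String())`. Passing `err` itself to `%v` is also the idiomatic form. fullPolicySync starts before the hunk.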
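Review bot: The added `if chain == kubeDefaultNetpolChain { continue }` carries no comment saying why the default chain is exempt from the stale sweep, and this loop is the only place a later reader will meet the exemption; I would add above it: `// kubeDefaultNetpolChain is not derived from any NetworkPolicy, so it presumably never appears in activePolicyChains and must not be treated as stale.` An alternative that keeps a single source of truth is to add the default chain to activePolicyChains where that map is built, so any other sweep keyed on that map exempts it as well. cleanupStaleRules continues past the hunk; if it also removes rules that jump to stale chains, confirm the same exemption applies there.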
@@ -142,8 +142,8 @@ func (npc *NetworkPolicyController) syncPodFirewallChains(networkPoliciesInfo []
 // set mark to indicate traffic from/to the pod passed network policies.
 // Mark will be checked to explictly ACCEPT the traffic
- comment := "set mark to ACCEPT traffic that comply to network policies"
- args := []string{"-A", podFwChainName, "-m", "comment", "--comment", comment, "-j", "MARK", "--set-mark", "0x20000/0x20000"}
+ comment := "\"set mark to ACCEPT traffic that comply to network policies\""
+ args := []string{"-A", podFwChainName, "-m", "comment", "--comment", comment, "-j", "MARK", "--set-mark", "0x20000/0x20000", "\n"}
 npc.filterTableRules.WriteString(strings.Join(args, " "))
 }
@@ -171,8 +171,8 @@ func (npc *NetworkPolicyController) setupPodIngressRules(pod *podInfo, podFwChai
 // if pod does not have any network policy which applies rules for pod's ingress traffic
 // then apply default network policy
 if !npc.isIngressNetworkPolicyEnabledPod(networkPoliciesInfo, pod) {
- comment := "run through default ingress policy chain"
- args := []string{"-I", podFwChainName, "1", "-d", pod.ip, "-m", "comment", "--comment", comment, "-j", kubeDefaultNetpolChain}
+ comment := "\"run through default ingress policy chain\""
+ args := []string{"-I", podFwChainName, "1", "-d", pod.ip, "-m", "comment", "--comment", comment, "-j", kubeDefaultNetpolChain, "\n"}
 npc.filterTableRules.WriteString(strings.Join(args, " "))
 }
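Review bot: The newline on the `+ args` line is smuggled in as a final element of args, so the joined rule ends in `0x20000/0x20000 \n` with a stray space before the newline, and the same trick plus the hand-written `\"…\"` quoting of the comment is repeated in the two hunks below. I would write `npc.filterTableRules.WriteString(strings.Join(args, " ") + "\n")` and leave the comment literal unquoted, doing the quoting in one small helper that every rule writer goes through, so the call sites cannot drift (a single site forgetting the `\n` fuses two rules into one line, which is the restore failure the other file's hunk now logs). Wrapping in quotes is safe only while every comment stays a constant literal with no embedded `"`; a comment built from pod or policy names would need escaping, not wrapping. syncPodFirewallChains starts before the hunk.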
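Review bot: The `+ args` line splices `pod.ip` straight into the iptables-restore input; if `pod.ip` is ever empty (a pod not yet assigned an address) the rule becomes `-I … -d -m comment …`, which iptables-restore would reject, and because the whole filter table is restored in one shot that aborts the sync for every pod on the node rather than just this one, leaving newly scheduled pods without their policy rules until a later sync succeeds. I cannot see the caller from this hunk, so if it does not already filter pods without an IP, skip the rule when `pod.ip == ""` before building args. The `"\n"` appended to args also leaves a trailing space before the newline; `WriteString(strings.Join(args, " ") + "\n")` is the cleaner form. setupPodIngressRules starts before the hunk.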
@@ -229,8 +229,8 @@ func (npc *NetworkPolicyController) setupPodEgressRules(pod *podInfo, podFwChain
 // if pod does not have any network policy which applies rules for pod's egress traffic
 // then apply default network policy
 if !npc.isEgressNetworkPolicyEnabledPod(networkPoliciesInfo, pod) {
- comment := "run through default network policy chain"
- args := []string{"-I", podFwChainName, "1", "-s", pod.ip, "-m", "comment", "--comment", comment, "-j", kubeDefaultNetpolChain}
+ comment := "\"run through default network policy chain\""
+ args := []string{"-I", podFwChainName, "1", "-s", pod.ip, "-m", "comment", "--comment", comment, "-j", kubeDefaultNetpolChain, "\n"}
 npc.filterTableRules.WriteString(strings.Join(args, " "))
 }
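Review bot: The egress comment on the `+ comment` line says `"run through default network policy chain"` while its ingress twin in the hunk above says `"run through default ingress policy chain"`; these strings are what an operator sees in `iptables -S` when tracing a dropped packet, so naming the direction helps — `comment := "\"run through default egress policy chain\""`. As in the other hunks, `"\n"` as the last args element leaves a trailing space before the newline; `WriteString(strings.Join(args, " ") + "\n")` avoids it. The same empty-`pod.ip` concern raised on the ingress hunk applies to the `-s` argument here. setupPodEgressRules starts before the hunk.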