mirrors/kube-router
1
0
Fork 0
mirror of https://github.com/cloudnativelabs/kube-router.git synced 2025-11-19 12:01:17 +01:00
Code Issues Packages Projects Releases Wiki Activity

fix: wrong ipset name used by ip6tables.

Browse Source 
ipset name has prefix "inet6:" for ipv6. so ip6tables rule also need to
convert ipset name.

Signed-off-by: xujunjie-cover <xujunjie37@jd.com>
This commit is contained in:
xujunjie-cover 2024-04-26 17:49:24 +08:00 committed by Aaron U'Ren
parent b423b1feb1
commit ada3179c39
2 changed files with 19 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
pkg/controllers/netpol/network_policy_controller.go
View File

@ -684,17 +684,28 @@ func (npc *NetworkPolicyController) cleanupStaleIPSets(activePolicyIPSets map[st
}()
}
for _, ipsets := range npc.ipSetHandlers {
for ipFamily, ipsets := range npc.ipSetHandlers {
cleanupPolicyIPSets := make([]*utils.Set, 0)
if err := ipsets.Save(); err != nil {
klog.Fatalf("failed to initialize ipsets command executor due to %s", err.Error())
}
for _, set := range ipsets.Sets() {
if strings.HasPrefix(set.Name, kubeSourceIPSetPrefix) ||
strings.HasPrefix(set.Name, kubeDestinationIPSetPrefix) {
if _, ok := activePolicyIPSets[set.Name]; !ok {
cleanupPolicyIPSets = append(cleanupPolicyIPSets, set)
if ipFamily == v1core.IPv6Protocol {
for _, set := range ipsets.Sets() {
if strings.HasPrefix(set.Name, fmt.Sprintf("%s:%s", utils.FamillyInet6, kubeSourceIPSetPrefix)) ||
strings.HasPrefix(set.Name, fmt.Sprintf("%s:%s", utils.FamillyInet6, kubeDestinationIPSetPrefix)) {
if _, ok := activePolicyIPSets[set.Name]; !ok {
cleanupPolicyIPSets = append(cleanupPolicyIPSets, set)
}
}
}
} else {
for _, set := range ipsets.Sets() {
if strings.HasPrefix(set.Name, kubeSourceIPSetPrefix) ||
strings.HasPrefix(set.Name, kubeDestinationIPSetPrefix) {
if _, ok := activePolicyIPSets[set.Name]; !ok {
cleanupPolicyIPSets = append(cleanupPolicyIPSets, set)
}
}
}
}

4
pkg/controllers/netpol/policy.go
View File

@ -474,10 +474,10 @@ func (npc *NetworkPolicyController) appendRuleToPolicyChain(policyChainName, com
args = append(args, "-m", "comment", "--comment", "\""+comment+"\"")
}
if srcIPSetName != "" {
args = append(args, "-m", "set", "--match-set", srcIPSetName, "src")
args = append(args, "-m", "set", "--match-set", npc.ipSetHandlers[ipFamily].Name(srcIPSetName), "src")
}
if dstIPSetName != "" {
args = append(args, "-m", "set", "--match-set", dstIPSetName, "dst")
args = append(args, "-m", "set", "--match-set", npc.ipSetHandlers[ipFamily].Name(dstIPSetName), "dst")
}
if protocol != "" {
args = append(args, "-p", protocol)