Fix dumping OVS flows of a NetworkPolicy

Fixes #3306.

This commit fixes the nil pointer dereference error while dumping
ovsflows of NetworkPolicy, and adds a test to validate the changes.

Signed-off-by: Pulkit Jain <jainpu@vmware.com>

pkg/agent/openflow/network_policy.go

@@ -525,7 +525,8 @@ type policyRuleConjunction struct {
 	serviceClause *clause
 	actionFlows   []binding.Flow
 	metricFlows   []binding.Flow
-	// NetworkPolicy reference information for debugging usage.
+	// NetworkPolicy reference information for debugging usage, its value can be nil
+	// for conjunctions that are not built for a specific NetworkPolicy, e.g. DNS packetin Conjunction.
 	npRef       *v1beta2.NetworkPolicyReference
 	ruleTableID uint8
 }

pkg/agent/openflow/network_policy_test.go

@@ -159,6 +159,12 @@ func TestInstallPolicyRuleFlows(t *testing.T) {
 	c.networkConfig = &config.NetworkConfig{IPv4Enabled: true}
 	c.ipProtocols = []binding.Protocol{binding.ProtocolIP}
 	defaultAction := crdv1alpha1.RuleActionAllow
+	// Create a policyRuleConjunction for the dns response interception flows 
+	// to ensure nil NetworkPolicyReference is handled correctly by GetNetworkPolicyFlowKeys.
+	dnsID := uint32(1)
+	err := c.NewDNSpacketInConjunction(dnsID)
+	require.Nil(t, err)
+
 	ruleID1 := uint32(101)
 	rule1 := &types.PolicyRule{
 		Direction: v1beta2.DirectionOut,
@@ -189,7 +195,7 @@ func TestInstallPolicyRuleFlows(t *testing.T) {
 	assert.Equal(t, len(rule1.From), getChangedFlowCount(dropFlows))
 	assert.Equal(t, 0, getChangedFlowCount(matchFlows))
 	assert.Equal(t, 2, getDenyAllRuleOPCount(matchFlows, insertion))
-	err := c.applyConjunctiveMatchFlows(ctxChanges)
+	err = c.applyConjunctiveMatchFlows(ctxChanges)
 	require.Nil(t, err)
 
 	ruleID2 := uint32(102)