Fix panic bug in Antrea Policy

[wenyingd]

Check if the clause pointer is nil before looping the matches.
Fixes #2729

Signed-off-by: wenyingd wenyingd@vmware.com

[codecov-commenter]

Codecov Report

Merging #2730 (de43b1e) into main (dded211) will increase coverage by 6.32%.
The diff coverage is 50.00%.

@@            Coverage Diff             @@
##             main    #2730      +/-   ##
==========================================
+ Coverage   59.50%   65.82%   +6.32%     
==========================================
  Files         285      285              
  Lines       23020    26389    +3369     
==========================================
+ Hits        13697    17371    +3674     
+ Misses       7865     7394     -471     
- Partials     1458     1624     +166     

Flag	Coverage Δ
e2e-tests	56.73% <0.00%> (?)
kind-e2e-tests	48.38% <0.00%> (+1.63%)	⬆️
unit-tests	41.33% <70.00%> (+0.28%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files	Coverage Δ
pkg/agent/openflow/network_policy.go	82.42% <50.00%> (+6.84%)	⬆️
pkg/controller/egress/ipallocator/allocator.go	65.00% <0.00%> (-15.42%)	⬇️
pkg/controller/networkpolicy/endpoint_querier.go	77.64% <0.00%> (-13.79%)	⬇️
pkg/agent/flowexporter/flowrecords/flow_records.go	69.73% <0.00%> (-11.81%)	⬇️
pkg/legacyapis/core/v1alpha2/register.go	69.23% <0.00%> (-10.77%)	⬇️
pkg/apis/stats/register.go	71.42% <0.00%> (-10.39%)	⬇️
pkg/legacyapis/stats/register.go	71.42% <0.00%> (-10.39%)	⬇️
pkg/ovs/openflow/ofctrl_meter.go	33.84% <0.00%> (-10.16%)	⬇️
pkg/legacyapis/security/v1alpha1/register.go	73.33% <0.00%> (-10.00%)	⬇️
.../registry/networkpolicy/clustergroupmember/rest.go	78.26% <0.00%> (-9.98%)	⬇️
... and 270 more

[wenyingd]

/test-all
/test-ipv6-all
/test-ipv6-only-all

[abhiraut]

minor nits

[abhiraut]

not introduced by your change; but the var clause is used for the struct and for the looping var

[wenyingd]

Updated.

[qiyueyao]

LGTM, not related just a quick question do we need to check nil before getting flow priority?

func (c *client) GetPolicyInfoFromConjunction(ruleID uint32) (string, string) {
	conjunction := c.getPolicyRuleConjunction(ruleID)
	priorities := conjunction.ActionFlowPriorities()
	if conjunction == nil || len(priorities) == 0 {
		return "", ""
	}
	return conjunction.npRef.ToString(), priorities[0]
}

Thanks!

[GraysonWu]

Just same nits as Abhishek.

[wenyingd]

LGTM, not related just a quick question do we need to check nil before getting flow priority?

func (c *client) GetPolicyInfoFromConjunction(ruleID uint32) (string, string) {
	conjunction := c.getPolicyRuleConjunction(ruleID)
	priorities := conjunction.ActionFlowPriorities()
	if conjunction == nil || len(priorities) == 0 {
		return "", ""
	}
	return conjunction.npRef.ToString(), priorities[0]
}

Thanks!

Greate catch, I would change it together.

[wenyingd]

/test-all
/test-ipv6-all
/test-ipv6-only-all

[tnqn]

LGTM, typo in commit message: nill

[wenyingd]

/test-all
/test-ipv6-all
/test-ipv6-only-all

[tnqn]

LGTM

[wenyingd]

@tnqn Shall I backport this PR to original releases?

[antoninbas]

@wenyingd please backport to any release which has this bug, starting with v0.13