make the comments of the iptables rules more accurate and reasonable (#…
jimmy-zh authored and murali-reddy committed Sep 10, 2018
1 parent 7496b00 commit 1b7ae13
Showing 1 changed file with 8 additions and 8 deletions.
16 changes: 8 additions & 8 deletions pkg/controllers/netpol/network_policy_controller.go
@@ -397,7 +397,7 @@ func (npc *NetworkPolicyController) processIngressRules(policy networkPolicyInfo
// so match on all sources, with specified port and protocol
if ingressRule.matchAllSource && !ingressRule.matchAllPorts {
for _, portProtocol := range ingressRule.ports {
comment := "rule to ACCEPT traffic from source pods to dest pods selected by policy name: " +
comment := "rule to ACCEPT traffic from all sources to dest pods selected by policy name: " +
policy.name + " namespace " + policy.namespace
args := []string{"-m", "comment", "--comment", comment,
"-m", "set", "--set", targetDestPodIpSetName, "dst",
@@ -414,7 +414,7 @@ func (npc *NetworkPolicyController) processIngressRules(policy networkPolicyInfo
// case where nether ports nor from details are speified in the ingress rule
// so match on all ports, protocol, source IP's
if ingressRule.matchAllSource && ingressRule.matchAllPorts {
comment := "rule to ACCEPT traffic from source pods to dest pods selected by policy name: " +
comment := "rule to ACCEPT traffic from all sources to dest pods selected by policy name: " +
policy.name + " namespace " + policy.namespace
args := []string{"-m", "comment", "--comment", comment,
"-m", "set", "--set", targetDestPodIpSetName, "dst",
@@ -428,7 +428,7 @@ func (npc *NetworkPolicyController) processIngressRules(policy networkPolicyInfo
for _, cidr := range ingressRule.cidrs {
if !ingressRule.matchAllPorts {
for _, portProtocol := range ingressRule.ports {
comment := "rule to ACCEPT traffic from specified CIDR's to dest pods selected by policy name: " +
comment := "rule to ACCEPT traffic from specified CIDR to dest pods selected by policy name: " +
policy.name + " namespace " + policy.namespace
args := []string{"-m", "comment", "--comment", comment,
"-m", "set", "--set", targetDestPodIpSetName, "dst",
@@ -443,7 +443,7 @@ func (npc *NetworkPolicyController) processIngressRules(policy networkPolicyInfo
}
}
if ingressRule.matchAllPorts {
comment := "rule to ACCEPT traffic from source pods to dest pods selected by policy name: " +
comment := "rule to ACCEPT traffic from specified CIDR to dest pods selected by policy name: " +
policy.name + " namespace " + policy.namespace
args := []string{"-m", "comment", "--comment", comment,
"-m", "set", "--set", targetDestPodIpSetName, "dst",
@@ -532,7 +532,7 @@ func (npc *NetworkPolicyController) processEgressRules(policy networkPolicyInfo,
// so match on all sources, with specified port and protocol
if egressRule.matchAllDestinations && !egressRule.matchAllPorts {
for _, portProtocol := range egressRule.ports {
comment := "rule to ACCEPT traffic from source pods to dest pods selected by policy name: " +
comment := "rule to ACCEPT traffic from source pods to all destinations selected by policy name: " +
policy.name + " namespace " + policy.namespace
args := []string{"-m", "comment", "--comment", comment,
"-m", "set", "--set", targetSourcePodIpSetName, "src",
@@ -549,7 +549,7 @@ func (npc *NetworkPolicyController) processEgressRules(policy networkPolicyInfo,
// case where nether ports nor from details are speified in the egress rule
// so match on all ports, protocol, source IP's
if egressRule.matchAllDestinations && egressRule.matchAllPorts {
comment := "rule to ACCEPT traffic from source pods to dest pods selected by policy name: " +
comment := "rule to ACCEPT traffic from source pods to all destinations selected by policy name: " +
policy.name + " namespace " + policy.namespace
args := []string{"-m", "comment", "--comment", comment,
"-m", "set", "--set", targetSourcePodIpSetName, "src",
@@ -563,7 +563,7 @@ func (npc *NetworkPolicyController) processEgressRules(policy networkPolicyInfo,
for _, cidr := range egressRule.cidrs {
if !egressRule.matchAllPorts {
for _, portProtocol := range egressRule.ports {
comment := "rule to ACCEPT traffic from specified CIDR's to dest pods selected by policy name: " +
comment := "rule to ACCEPT traffic from source pods to specified CIDR selected by policy name: " +
policy.name + " namespace " + policy.namespace
args := []string{"-m", "comment", "--comment", comment,
"-m", "set", "--set", targetSourcePodIpSetName, "src",
@@ -578,7 +578,7 @@ func (npc *NetworkPolicyController) processEgressRules(policy networkPolicyInfo,
}
}
if egressRule.matchAllPorts {
comment := "rule to ACCEPT traffic from source pods to dest pods selected by policy name: " +
comment := "rule to ACCEPT traffic from source pods to specified CIDR selected by policy name: " +
policy.name + " namespace " + policy.namespace
args := []string{"-m", "comment", "--comment", comment,
"-m", "set", "--set", targetSourcePodIpSetName, "src",
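Review bot: In the processEgressRules hunks the Go comments above the corrected strings still carry the ingress wording: `// so match on all sources, with specified port and protocol` and `// so match on all ports, protocol, source IP's` sit over branches guarded by `egressRule.matchAllDestinations`. I would change them to `// so match on all destinations, with specified port and protocol` and `// so match on all ports, protocols and destination IPs`, so the code comments agree with the rule text an operator reads in `iptables-save` when auditing which policy admitted a flow. The new egress text "to all destinations selected by policy name" also reads as if the policy selected the destinations, while the set match in these rules is `targetSourcePodIpSetName` with `src`; placing "selected by policy name" directly after "source pods" would remove that ambiguity. Separately, `policy.name` and `policy.namespace` are appended with no length bound, and the iptables comment match caps comment length (256 bytes, to my knowledge), so it is worth confirming that a long policy name cannot make rule insertion fail. Both functions begin and end outside the hunks shown.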
