run through all applicable network policies for a flow

[murali-reddy]

• change ACCEPT to RETURN with mark when a netpol is matched so that we run through
  all the applicable network policies for a flow

Fixes #916

[murali-reddy]

This PR fixes specific case where both source pod and destination pod are on the same node. An egress network policy applied on the source pod may permit traffic from the source pod to destination pod, but a seperate network policy applied to destination pod may reject it. So for the flow both the network policies to be applied to permit/deny traffic. Apart from verifying the fix address the above case ensure there are no regression.

Merging the PR based on testing.

[aauren]

I take it that you chose this value, because it's above this range:

kube-router/pkg/controllers/proxy/network_services_controller.go

Line 1676 in 4d6b0b8

return h.Sum32() & 0x3FFF, err

? Is there anything else in kube-router than deals with marks?

[murali-reddy]

No other use of Markings. Just choose random numbers.

[aauren]

Seems reasonable, and I can't think of a better approach, but it's a bummer that it essentially doubles the amount of iptables rules that we're going to have though. Overall LGTM.

[murali-reddy]

Seems reasonable, and I can't think of a better approach, but it's a bummer that it essentially doubles the amount of iptables rules that we're going to have though. Overall LGTM.

Thanks for the review. Actually its not bad. Or atleast it does not make any worse performance wise.

Since kube-router is stateful firewall, for the established sessions (i.e. "RELATED,ESTABLISHED") we still ACCEPT, its just for the first packet its run through all the chains.

[aauren]

Sorry I should have been more clear. I was referring to the time that it takes to perform the full sync on iptables, not the performance of the data path. You're correct, this doesn't have a huge impact on the data path.