<fix>(np) fix mulit np rule and gateway bug

kubeovn · Dec 23, 2020 · 03ff96e · 03ff96e
1 parent f299aa7
commit 03ff96e
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 4 deletions.
diff --git a/pkg/controller/network_policy.go b/pkg/controller/network_policy.go
@@ -219,7 +219,6 @@ func (c *Controller) handleUpdateNp(key string) error {
 			if len(npr.From) == 0 {
 				allows = []string{"0.0.0.0/0"}
 				excepts = []string{}
-				break
 			} else {
 				for _, npp := range npr.From {
 					allow, except, err := c.fetchPolicySelectedAddresses(np.Namespace, npp)
@@ -302,7 +301,6 @@ func (c *Controller) handleUpdateNp(key string) error {
 			if len(npr.To) == 0 {
 				allows = []string{"0.0.0.0/0"}
 				excepts = []string{}
-				break
 			} else {
 				for _, npp := range npr.To {
 					allow, except, err := c.fetchPolicySelectedAddresses(np.Namespace, npp)

diff --git a/pkg/ovs/ovn-nbctl.go b/pkg/ovs/ovn-nbctl.go
@@ -924,8 +924,8 @@ func (c Client) CreateGatewayACL(pgName, gateway, protocol string) error {
 	if protocol == kubeovnv1.ProtocolIPv6 {
 		ipSuffix = "ip6"
 	}
-	ingressArgs := []string{MayExist, "--type=port-group", "acl-add", pgName, "to-lport", util.IngressAllowPriority, fmt.Sprintf("%s.src == $%s && icmp", ipSuffix, gateway), "allow-related"}
-	egressArgs := []string{"--", MayExist, "--type=port-group", "acl-add", pgName, "from-lport", util.EgressAllowPriority, fmt.Sprintf("%s.dst == $%s && icmp", ipSuffix, gateway), "allow-related"}
+	ingressArgs := []string{MayExist, "--type=port-group", "acl-add", pgName, "to-lport", util.IngressAllowPriority, fmt.Sprintf("%s.src == %s && icmp", ipSuffix, gateway), "allow-related"}
+	egressArgs := []string{"--", MayExist, "--type=port-group", "acl-add", pgName, "from-lport", util.EgressAllowPriority, fmt.Sprintf("%s.dst == %s && icmp", ipSuffix, gateway), "allow-related"}
 	ovnArgs := append(ingressArgs, egressArgs...)
 	_, err := c.ovnNbCommand(ovnArgs...)
 	return err