Fix not mangle policy insertion priority

Signed-off-by: lou-lan <[email protected]>
spidernet-io · Mar 29, 2024 · d3f2474 · d3f2474
1 parent a900eaa
commit d3f2474
Showing 1 changed file with 15 additions and 17 deletions.
diff --git a/pkg/agent/police.go b/pkg/agent/police.go
@@ -476,7 +476,7 @@ func (r *policeReconciler) getPolicySrcIPs(policyNs, policyName string, filter f
 }
 
 func buildEipRule(policyName string, eip IP, version uint8, isIgnoreInternalCIDR bool) *iptables.Rule {
-	if eip.V4 == "" && eip.V6 == "" {
+	if (version == 4 && eip.V4 == "") || (version == 6 && eip.V6 == "") {
 		return nil
 	}
 
@@ -775,24 +775,22 @@ func buildMangleStaticRule(base uint32,
 	}}
 
 	prerouting := make([]iptables.Rule, 0)
+	prerouting = append(prerouting, iptables.Rule{
+		Match:  iptables.MatchCriteria{},
+		Action: iptables.JumpAction{Target: "EGRESSGATEWAY-MARK-REQUEST"},
+		Comment: []string{
+			"Checking for EgressPolicy matched traffic",
+		},
+	})
 
 	if isEgressNode && enableGatewayReplyRoute {
-		prerouting = []iptables.Rule{
-			{
-				Match:  iptables.MatchCriteria{},
-				Action: iptables.JumpAction{Target: "EGRESSGATEWAY-REPLY-ROUTING"},
-				Comment: []string{
-					"egressGateway Reply datapath rule, rule is from the EgressGateway",
-				},
-			},
-			{
-				Match:  iptables.MatchCriteria{},
-				Action: iptables.JumpAction{Target: "EGRESSGATEWAY-MARK-REQUEST"},
-				Comment: []string{
-					"Checking for EgressPolicy matched traffic",
-				},
+		prerouting = append(prerouting, iptables.Rule{
+			Match:  iptables.MatchCriteria{},
+			Action: iptables.JumpAction{Target: "EGRESSGATEWAY-REPLY-ROUTING"},
+			Comment: []string{
+				"egressGateway Reply datapath rule, rule is from the EgressGateway",
 			},
-		}
+		})
 		postrouting = append(postrouting, iptables.Rule{
 			Match:  iptables.MatchCriteria{}.MarkMatchesWithMask(replyMark, 0xffffffff),
 			Action: iptables.SetMaskedMarkAction{Mark: 0x00000000, Mask: 0xffffffff},
@@ -1113,7 +1111,7 @@ func newPolicyController(mgr manager.Manager, log logr.Logger, cfg *config.Confi
 		filterTables = append(filterTables, filterTable)
 	}
 	if cfg.FileConfig.EnableIPv6 {
-		mangle, err := iptables.NewTable("mangle", 6, "egw:-", opt, log)
+		mangle, err := iptables.NewTable("mangle", 6, "egw:", opt, log)
 		if err != nil {
 			return err
 		}