Description of problem: Version-Release number of selected component (if applicable): 4.8.0-0.nightly-2021-04-15-030836 How reproducible: Sometimes Steps to Reproduce: 1. In CNO set useMultiNetworkPolicy: true 2. Configure NAD and pods 3. Configure multinetwork policy with ipblock spec: ingress: - from: - ipBlock: cidr: 192.168.10.8/29 ports: - port: 8080 protocol: TCP podSelector: matchLabels: name: blue-openshift policyTypes: - Ingress Actual results: *filter :MULTI-INGRESS - [0:0] :MULTI-EGRESS - [0:0] :MULTI-0-INGRESS - [0:0] :MULTI-0-INGRESS-0-PORTS - [0:0] :MULTI-0-INGRESS-0-FROM - [0:0] :MULTI-1-INGRESS - [0:0] :MULTI-1-INGRESS-0-PORTS - [0:0] :MULTI-1-INGRESS-0-FROM - [0:0] -A MULTI-0-INGRESS -j MARK --set-xmark 0x0/0x30000 -A MULTI-0-INGRESS -j MULTI-0-INGRESS-0-PORTS -A MULTI-0-INGRESS -j MULTI-0-INGRESS-0-FROM -A MULTI-0-INGRESS -m mark --mark 0x30000/0x30000 -j RETURN -A MULTI-0-INGRESS -j DROP -A MULTI-INGRESS -m comment --comment "policy:ingress-allow-same-podselector-with-same-namespaceselector net-attach-def:project-c/macvlan-net4" -i net1 -j MULTI-1-INGRESS -A MULTI-1-INGRESS -j MARK --set-xmark 0x0/0x30000 -A MULTI-1-INGRESS -j MULTI-1-INGRESS-0-PORTS -A MULTI-1-INGRESS -j MULTI-1-INGRESS-0-FROM -A MULTI-1-INGRESS -m mark --mark 0x30000/0x30000 -j RETURN -A MULTI-1-INGRESS -j DROP -A MULTI-0-INGRESS-0-PORTS -m comment --comment "no ingress ports, skipped" -j MARK --set-xmark 0x10000/0x10000 -A MULTI-1-INGRESS-0-PORTS -i net1 -m tcp -p tcp --dport 8080 -j MARK --set-xmark 0x10000/0x10000 -A MULTI-1-INGRESS-0-FROM -i net1 -s 192.168.10.8/29 -j MARK --set-xmark 0x20000/0x20000 Expected results: multiNetworkpolicy should filter based on configured ipblock Additional info: Tomofumi Hayashi knew the issue and is working on his upstream PR
Upstream PR: https://github.com/k8snetworkplumbingwg/multi-networkpolicy-iptables/pull/10
Tested and verified in 4.8.0-0.nightly-2021-04-30-201824
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.8.2 bug fix and security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2021:2438