
NetworkPolicy ipv6 doesn't work.  #1653

Closed
@xujunjie-cover

Description

What happened?
NetworkPolicy IPv6 doesn't work. The ipset name and the ip6tables rule are not equal.

What did you expect to happen?
NetworkPolicy works with IPv6.

How can we reproduce the behavior you experienced?
Steps to reproduce the behavior:

  1. Create a test pod.
  2. Create a NetworkPolicy:

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: nginx
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: test
    ports:
      - protocol: TCP
        port: 80
```

**Screenshots / Architecture Diagrams / Network Topologies**
If applicable, add those here to help explain your problem.

**System Information (please complete the following information):**

  • Kube-Router Version (kube-router --version): v2.1.0
  • Kube-Router Parameters: `--run-router=false --run-firewall=true --run-service-proxy=false --bgp-graceful-restart=true --enable-ipv6=true`
  • Kubernetes Version (kubectl version) : 1.24.17
  • Cloud Type: on premise
  • Kubernetes Deployment Type: Kubeadm
  • Kube-Router Deployment Type: DaemonSet
  • Cluster Size: 2

**Logs, other output, metrics**

```
Aborting sync. Failed to run iptables-restore: failed to call ip6tables-restore: exit status 2 (ip6tables-restore v1.8.7 (legacy): Set KUBE-SRC-YZGP7RC3Z53QX6UT doesn't exist.
```

The logs report that the ipset KUBE-SRC-YZGP7RC3Z53QX6UT does not exist, but inet6:KUBE-SRC-YZGP7RC3Z53QX6UT is correct. The ipset used by ip6tables has no inet6 prefix.

```go
if len(ingressRule.namedPorts) != 0 {
	for epIdx, endPoints := range ingressRule.namedPorts {
		// name of the per-rule named-port ipset for this IP family
		namedPortIPSetName := policyIndexedIngressNamedPortIPSetName(policy.namespace,
			policy.name, ruleIdx, epIdx, ipFamily)
		activePolicyIPSets[namedPortIPSetName] = true
		setEntries := make([][]string, 0)
		for _, ip := range endPoints.ips[ipFamily] {
			setEntries = append(setEntries, []string{ip, utils.OptionTimeout, "0"})
		}
		npc.ipSetHandlers[ipFamily].RefreshSet(namedPortIPSetName, setEntries, utils.TypeHashIP)
		//nolint:goconst // don't need to make error messages a constant
		comment := "rule to ACCEPT traffic from source pods to dest pods selected by policy name " +
			policy.name + " namespace " + policy.namespace
		// srcPodIPSetName is passed to the rule as-is
		if err := npc.appendRuleToPolicyChain(policyChainName, comment, srcPodIPSetName, namedPortIPSetName,
			endPoints.protocol, endPoints.port, endPoints.endport, ipFamily); err != nil {
			return err
		}
	}
}
```

L224 creates the ipset name srcPodIPSetName with the prefix "inet6".
L242 appendRuleToPolicyChain only uses srcPodIPSetName.

How to solve this? Add the prefix in appendRuleToPolicyChain?
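A quick way to confirm the mismatch this issue describes, before ip6tables-restore aborts the sync, is to compare the set names that the rules reference against the sets that actually exist. The Go program below is an added example, not kube-router's code: it parses the one-name-per-line output of `ipset list -n` and the `-m set --match-set NAME dir` clauses of `ip6tables-save` output, and reports every referenced set that is missing, noting when only a family-prefixed variant (here `inet6:`) exists. The sample outputs, the chain name `EXAMPLE-POLICY-CHAIN` and all set names other than the one from the log above are constructed for this example.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
)

// Constructed sample of `ipset list -n` output: the IPv6 sets carry the
// "inet6:" family prefix, as described in the issue.
const sampleIPSetList = `inet6:KUBE-SRC-YZGP7RC3Z53QX6UT
inet6:KUBE-DST-EXAMPLE0000000000
KUBE-SRC-LEGACYV4SET000000
`

// Constructed sample of ip6tables-save output. The chain name and the
// second and third set names are made up; the first rule references the
// source set WITHOUT the prefix, which is the mismatch from the issue.
const sampleIP6TablesSave = `*filter
:EXAMPLE-POLICY-CHAIN - [0:0]
-A EXAMPLE-POLICY-CHAIN -m comment --comment "rule to ACCEPT traffic from source pods to dest pods selected by policy name test-network-policy namespace default" -m set --match-set KUBE-SRC-YZGP7RC3Z53QX6UT src -m set --match-set inet6:KUBE-DST-EXAMPLE0000000000 dst -p tcp --dport 80 -j ACCEPT
-A EXAMPLE-POLICY-CHAIN -m set --match-set KUBE-SRC-NOTANYWHERE00000 src -j ACCEPT
COMMIT
`

// ipsetNames turns `ipset list -n` output (one set name per line) into a
// lookup table of existing set names.
func ipsetNames(listOutput string) map[string]bool {
	names := make(map[string]bool)
	sc := bufio.NewScanner(strings.NewReader(listOutput))
	for sc.Scan() {
		if line := strings.TrimSpace(sc.Text()); line != "" {
			names[line] = true
		}
	}
	return names
}

// referencedSets returns every set name that follows a --match-set option
// in iptables-save / ip6tables-save formatted rules, in order of appearance.
func referencedSets(saveOutput string) []string {
	var sets []string
	sc := bufio.NewScanner(strings.NewReader(saveOutput))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		for i := 0; i+1 < len(fields); i++ {
			if fields[i] == "--match-set" {
				sets = append(sets, fields[i+1])
			}
		}
	}
	return sets
}

// missingSets maps each referenced set that does not exist under its exact
// name to the family-prefixed variant that does exist (e.g. "inet6:NAME"),
// or to "" when no variant exists either.
func missingSets(listOutput, saveOutput, familyPrefix string) map[string]string {
	have := ipsetNames(listOutput)
	missing := make(map[string]string)
	for _, s := range referencedSets(saveOutput) {
		if have[s] {
			continue
		}
		if have[familyPrefix+s] {
			missing[s] = familyPrefix + s
		} else {
			missing[s] = ""
		}
	}
	return missing
}

func main() {
	missing := missingSets(sampleIPSetList, sampleIP6TablesSave, "inet6:")
	names := make([]string, 0, len(missing))
	for n := range missing {
		names = append(names, n)
	}
	sort.Strings(names)
	for _, n := range names {
		if alt := missing[n]; alt != "" {
			fmt.Printf("rule references %q, which does not exist; %q does (family prefix mismatch)\n", n, alt)
		} else {
			fmt.Printf("rule references %q, which does not exist under any name\n", n)
		}
	}
}
```

Replacing the two constants with the real output of `ipset list -n` and `ip6tables-save` on a node turns this into a pre-flight check: a non-empty result means the next restore will fail with exactly the "Set ... doesn't exist" error shown in the logs, and the prefixed-variant column tells you whether the cause is the missing family prefix rather than a set that was never created.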
