
fix(netpol): don't check if rules already exist in lax mode#5802

Merged
oilbeater merged 1 commit into kubeovn:master from SkalaNetworks:fix-lax on Oct 20, 2025

Conversation

@SkalaNetworks (Member)

In some cases, Lax mode can generate faulty DHCP rules due to the ACLs not being generated.

This is the result of a check that doesn't generate an ACL if it already exists. Except we wipe every ACL when creating the Netpol, so we don't care if it already exists.

Note: this is unrelated to the issue I brought up on Slack.
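The ordering problem the description points at, modelled in Go as an added example (hypothetical types and helper names, not Kube-OVN's code): a reconcile that wipes every ACL on the port group and then recreates the desired rules. An existence check that consults the pre-wipe state, which is how this example reads the old `newACL` path, skips a rule that the wipe is about to delete, so a DHCP allow rule that was already present disappears; the unconditional path keeps it. The match strings and the wipe-then-add sequencing are constructed for illustration.

```go
package main

import "fmt"

// ACL is a simplified stand-in for an OVN ACL row (hypothetical type, not Kube-OVN's).
type ACL struct {
	Direction, Match, Action string
}

func aclKey(a ACL) string { return a.Direction + "|" + a.Match }

// planAdds mirrors the rule-generation step described in the PR. With checkExisting
// set it behaves like the old newACL path: a rule already present in the pre-wipe
// state is skipped. Without it (the newACLWithoutCheck path) every desired rule is queued.
func planAdds(current map[string]ACL, desired []ACL, checkExisting bool) []ACL {
	var adds []ACL
	for _, a := range desired {
		if _, exists := current[aclKey(a)]; checkExisting && exists {
			continue // bug: the wipe in Reconcile removes this rule and nothing re-adds it
		}
		adds = append(adds, a)
	}
	return adds
}

// Reconcile applies the netpol update as the PR describes it: wipe every ACL on the
// port group, then create the planned rules. It returns the resulting ACL set.
func Reconcile(current map[string]ACL, desired []ACL, checkExisting bool) map[string]ACL {
	adds := planAdds(current, desired, checkExisting)
	state := map[string]ACL{} // the unconditional wipe
	for _, a := range adds {
		state[aclKey(a)] = a
	}
	return state
}

func main() {
	// Constructed sample: the DHCP allow rule was already attached by an earlier reconcile.
	dhcp := ACL{"to-lport", "udp.dst == 67", "allow"}
	current := map[string]ACL{aclKey(dhcp): dhcp}
	desired := []ACL{dhcp, {"from-lport", "ip4.src == 10.16.0.0/16", "drop"}}
	for _, check := range []bool{true, false} {
		_, kept := Reconcile(current, desired, check)[aclKey(dhcp)]
		fmt.Printf("checkExisting=%v dhcpRuleKept=%v\n", check, kept)
	}
}
```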

@gemini-code-assist (Contributor)

Summary of Changes

Hello @SkalaNetworks, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request resolves an issue within the network policy's 'Lax mode' that led to the generation of incorrect DHCP rules. The problem was caused by a redundant check that prevented the creation of Access Control Lists (ACLs) under the mistaken assumption they already existed, despite the system clearing all ACLs during network policy initialization. By modifying the code to bypass this unnecessary check, the change ensures that ACLs are correctly generated, thereby preventing the occurrence of faulty DHCP rules and improving network policy reliability.

Highlights

  • Fix for faulty DHCP rules in Lax mode: This pull request addresses a bug where the network policy's 'Lax mode' could inadvertently generate faulty DHCP rules, impacting network stability and functionality.
  • Removal of redundant ACL existence check: The core of the fix involves bypassing an unnecessary check that prevented the generation of Access Control Lists (ACLs) if they were perceived to already exist. This check was problematic because all ACLs are explicitly wiped when a new network policy is created, making the existence check redundant and counterproductive.
  • Switch to newACLWithoutCheck function: The change replaces the call to c.newACL with c.newACLWithoutCheck within the UpdateDefaultBlockExceptionsACLOps function. This ensures that ACLs are consistently generated as intended, resolving the underlying cause of the faulty DHCP rules.

dosubot added the labels size:XS (This PR changes 0-9 lines, ignoring generated files), bug (Something isn't working) and network policy on Oct 17, 2025

@gemini-code-assist (Contributor) left a comment

Code Review

The change to use newACLWithoutCheck is correct for the described scenario, as it avoids checking for pre-existing ACLs when they are expected to have been wiped. This should resolve the issue with faulty DHCP rule generation. I've added one suggestion to improve the code's correctness and maintainability by using the appropriate priority constant based on the traffic direction.

Signed-off-by: SkalaNetworks <contact@skala.network>
dosubot added the lgtm label (This PR has been approved by a maintainer) on Oct 20, 2025
oilbeater merged commit dd79c77 into kubeovn:master on Oct 20, 2025
148 of 160 checks passed