fix(netpol): use parenthesis around ipblock expressions

SkalaNetworks · zbb88888 · commit 52d952453d58 · 2026-04-07T21:21:32.000+08:00
Signed-off-by: SkalaNetworks <contact@skala.network> (cherry picked from commit eeafcfd)
diff --git a/pkg/ovs/util.go b/pkg/ovs/util.go
@@ -225,6 +225,7 @@ func (m AndACLMatch) Match() (string, error) {
 			klog.Error(err)
 			return "", fmt.Errorf("generate match %s: %w", match, err)
 		}
+
 		matches = append(matches, match)
 	}
 
@@ -256,8 +257,8 @@ func (m OrACLMatch) Match() (string, error) {
 			return "", fmt.Errorf("generate match %s: %w", match, err)
 		}
 
-		// has more then one rule
-		if strings.Contains(match, "&&") {
+		// has more than one rule
+		if strings.Contains(match, "&&") || strings.Contains(match, "||") {
 			match = "(" + match + ")"
 		}
 
@@ -272,27 +273,6 @@ func (m OrACLMatch) String() string {
 	return match
 }
 
-type groupACLMatch struct {
-	match ACLMatch
-}
-
-func NewGroupACLMatch(match ACLMatch) ACLMatch {
-	return groupACLMatch{match: match}
-}
-
-func (m groupACLMatch) Match() (string, error) {
-	s, err := m.match.Match()
-	if err != nil {
-		return "", err
-	}
-	return "(" + s + ")", nil
-}
-
-func (m groupACLMatch) String() string {
-	match, _ := m.Match()
-	return match
-}
-
 type aclMatch struct {
 	key      string
 	value    string
@@ -340,6 +320,29 @@ func (m aclMatch) String() string {
 	return rule
 }
 
+type groupACLMatch struct {
+	match ACLMatch
+}
+
+func NewGroupACLMatch(match ACLMatch) ACLMatch {
+	return groupACLMatch{
+		match: match,
+	}
+}
+
+func (m groupACLMatch) Match() (string, error) {
+	match, err := m.match.Match()
+	if err != nil {
+		return "", err
+	}
+	return "(" + match + ")", nil
+}
+
+func (m groupACLMatch) String() string {
+	match, _ := m.Match()
+	return match
+}
+
 type Limiter struct {
 	limit   int32
 	current int32
diff --git a/pkg/ovs/util_test.go b/pkg/ovs/util_test.go
@@ -254,6 +254,25 @@ func Test_OrAclMatch_Match(t *testing.T) {
 	})
 }
 
+func Test_GroupAclMatch_Match(t *testing.T) {
+	t.Parallel()
+
+	t.Run("generate grouped match", func(t *testing.T) {
+		t.Parallel()
+		match := NewGroupACLMatch(NewACLMatch("ip4.dst", "==", "10.0.0.0/8", ""))
+		rule, err := match.Match()
+		require.NoError(t, err)
+		require.Equal(t, "(ip4.dst == 10.0.0.0/8)", rule)
+	})
+
+	t.Run("error propagation", func(t *testing.T) {
+		t.Parallel()
+		match := NewGroupACLMatch(NewACLMatch("", "", "", ""))
+		_, err := match.Match()
+		require.Error(t, err)
+	})
+}
+
 func Test_Limiter(t *testing.T) {
 	t.Parallel()
 
