From bbcedc83911d3673820938a8d24d7118696e07c6 Mon Sep 17 00:00:00 2001
From: Brad Davidson <brad.davidson@rancher.com>
Date: Fri, 15 Sep 2023 16:43:28 +0000
Subject: [PATCH] Move ipset restore outside policy loop

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
---
 pkg/controllers/netpol/policy.go | 40 +++++++++++++++++---------------
 1 file changed, 21 insertions(+), 19 deletions(-)

diff --git a/pkg/controllers/netpol/policy.go b/pkg/controllers/netpol/policy.go
index 63b98807ce..118f7dbbf1 100644
--- a/pkg/controllers/netpol/policy.go
+++ b/pkg/controllers/netpol/policy.go
@@ -112,8 +112,7 @@ func (npc *NetworkPolicyController) syncNetworkPolicyChains(networkPoliciesInfo
 			}
 		}
 
-		for ipFamily, ipset := range npc.ipSetHandlers {
-			ipFamily := ipFamily
+		for ipFamily := range npc.ipSetHandlers {
 			// ensure there is a unique chain per network policy in filter table
 			policyChainName := networkPolicyChainName(policy.namespace, policy.name, version, ipFamily)
 
@@ -143,26 +142,29 @@ func (npc *NetworkPolicyController) syncNetworkPolicyChains(networkPoliciesInfo
 				}
 				activePolicyIPSets[targetSourcePodIPSetName] = true
 			}
+		}
+	}
 
-			restoreStart := time.Now()
-			err := ipset.Restore()
-			restoreEndTime := time.Since(restoreStart)
-
-			defer func() {
-				if npc.MetricsEnabled {
-					switch ipFamily {
-					case api.IPv4Protocol:
-						metrics.ControllerPolicyIpsetV4RestoreTime.Observe(restoreEndTime.Seconds())
-					case api.IPv6Protocol:
-						metrics.ControllerPolicyIpsetV6RestoreTime.Observe(restoreEndTime.Seconds())
-					}
+	for ipFamily, ipset := range npc.ipSetHandlers {
+		ipFamily := ipFamily
+		restoreStart := time.Now()
+		err := ipset.Restore()
+		restoreEndTime := time.Since(restoreStart)
+
+		defer func() {
+			if npc.MetricsEnabled {
+				switch ipFamily {
+				case api.IPv4Protocol:
+					metrics.ControllerPolicyIpsetV4RestoreTime.Observe(restoreEndTime.Seconds())
+				case api.IPv6Protocol:
+					metrics.ControllerPolicyIpsetV6RestoreTime.Observe(restoreEndTime.Seconds())
 				}
-				klog.V(2).Infof("Restoring %v ipset took %v", ipFamily, restoreEndTime)
-			}()
-
-			if err != nil {
-				return nil, nil, fmt.Errorf("failed to perform ipset restore: %w", err)
 			}
+			klog.V(2).Infof("Restoring %v ipset took %v", ipFamily, restoreEndTime)
+		}()
+
+		if err != nil {
+			return nil, nil, fmt.Errorf("failed to perform ipset restore: %w", err)
 		}
 	}