fix(ipset): don't strip inet6 prefixing of ipsets

The problem here stems from the fact that when netpol generates its list of expected ipsets, it includes the inet6:
prefix, however, when the proxy and routing controller sent their list of expected ipsets, they did not do so. This
meant that no matter how we handled it in ipset.go it was wrong for one or the other use-cases.

I decided to standardize on the netpol way of sending the list of expected ipset names so that BuildIPSetRestore() can
function in the same way for all invocations.

Author: aauren

pkg/controllers/proxy/network_services_controller.go

@@ -710,7 +710,10 @@ func (nsc *NetworkServicesController) syncIpvsFirewall() error {
 
 		setHandler.RefreshSet(serviceIPPortsSetName, serviceIPPortsIPSets[family], utils.TypeHashIPPort)
 
-		err := setHandler.RestoreSets([]string{localIPsIPSetName, serviceIPsIPSetName, serviceIPPortsSetName})
+		multiFamilySetNames := utils.GenerateMultiFamilySetNames(
+			[]string{localIPsIPSetName, serviceIPsIPSetName, serviceIPPortsSetName},
+		)
+		err := setHandler.RestoreSets(multiFamilySetNames)
 		if err != nil {
 			return fmt.Errorf("could not save ipset for service firewall: %v", err)
 		}

pkg/controllers/routing/network_routes_controller.go

@@ -864,7 +864,8 @@ func (nrc *NetworkRoutingController) syncNodeIPSets() error {
 
 		ipSetHandler.RefreshSet(nodeAddrsIPSetName, currentNodeIPs[family], utils.TypeHashIP)
 
-		err = ipSetHandler.RestoreSets([]string{podSubnetsIPSetName, nodeAddrsIPSetName})
+		multiFamilySetNames := utils.GenerateMultiFamilySetNames([]string{podSubnetsIPSetName, nodeAddrsIPSetName})
+		err = ipSetHandler.RestoreSets(multiFamilySetNames)
 		if err != nil {
 			return fmt.Errorf("failed to sync pod subnets / node addresses ipsets: %v", err)
 		}

pkg/utils/ipset.go

@@ -529,15 +529,11 @@ func scrubInitValFromOptions(options []string) []string {
 // add KUBE-DST-3YNVZWWGX3UQQ4VQ 100.96.1.6 timeout 0
 func BuildIPSetRestore(ipset *IPSet, setIncludeNames []string) string {
 	setNames := make([]string, 0, len(ipset.sets))
-	for setName, set := range ipset.sets {
+	for setName := range ipset.sets {
 		// If we've been passed a set of filter names, check to see if this set is contained within that set before
 		// adding it to the restore to ensure that we don't impact other unrelated sets
 		if setIncludeNames != nil {
-			origName := setName
-			if set.Parent.isIpv6 {
-				origName = strings.Replace(setName, fmt.Sprintf("%s:", IPv6SetPrefix), "", 1)
-			}
-			if !slices.Contains(setIncludeNames, origName) {
+			if !slices.Contains(setIncludeNames, setName) {
 				continue
 			}
 		}
@@ -655,3 +651,12 @@ func (ipset *IPSet) Get(setName string) *Set {
 func (ipset *IPSet) Sets() map[string]*Set {
 	return ipset.sets
 }
+
+func GenerateMultiFamilySetNames(setNames []string) []string {
+	multiFamilySetNames := make([]string, 0, len(setNames))
+	for _, setName := range setNames {
+		multiFamilySetNames = append(multiFamilySetNames, setName)
+		multiFamilySetNames = append(multiFamilySetNames, IPSetName(setName, true))
+	}
+	return multiFamilySetNames
+}

pkg/utils/ipset_test.go

@@ -198,7 +198,7 @@ func Test_buildIPSetRestore_setIncludeNames(t *testing.T) {
 					Parent:  &IPSet{isIpv6: false},
 				},
 			}},
-			setIncludeNames: []string{"set1", "set2"},
+			setIncludeNames: []string{"inet6:set1", "inet6:set2"},
 			expectedSets:    []string{"inet6:set1", "inet6:set2"},
 			excludedSets:    []string{"regular-set"},
 		},
@@ -218,7 +218,7 @@ func Test_buildIPSetRestore_setIncludeNames(t *testing.T) {
 					Parent:  &IPSet{isIpv6: true},
 				},
 			}},
-			setIncludeNames: []string{"set1"},
+			setIncludeNames: []string{"inet6:set1"},
 			expectedSets:    []string{"inet6:set1"},
 			excludedSets:    []string{"inet6:set2"},
 		},
@@ -575,7 +575,7 @@ func Test_buildIPSetRestore_integrationRealWorldSets(t *testing.T) {
 					Parent:  &IPSet{isIpv6: true},
 				},
 			}},
-			setIncludeNames: []string{"kube-router-svip", "kube-router-svip-prt"},
+			setIncludeNames: []string{"inet6:kube-router-svip", "inet6:kube-router-svip-prt"},
 			description:     "Should match IPv6 sets by removing inet6: prefix",
 		},
 		{
@@ -610,15 +610,11 @@ func Test_buildIPSetRestore_integrationRealWorldSets(t *testing.T) {
 			result := BuildIPSetRestore(tt.ipset, tt.setIncludeNames)
 
 			// Verify that only the specified sets are included
-			for setName, set := range tt.ipset.sets {
+			for setName := range tt.ipset.sets {
 				shouldBeIncluded := false
 				for _, includeName := range tt.setIncludeNames {
 					// Check if this set should be included based on the filtering logic
-					origName := setName
-					if set.Parent != nil && set.Parent.isIpv6 {
-						origName = strings.Replace(setName, fmt.Sprintf("%s:", IPv6SetPrefix), "", 1)
-					}
-					if origName == includeName {
+					if setName == includeName {
 						shouldBeIncluded = true
 						break
 					}