Improve patching ovs flow rules in UpdateEgressNetworkPolicyRules

Old behavior:
1. Drop outgoing traffic
2. Examine egress np, generate and add ovs flows
3. Enable traffic
Step (2) could be slow when egress np has many DNS entries.

New behavior:
(1) Examine egress np, generate ovs flows (not added)
(2) Drop outgoing traffic
(3) Add generated ovs flows in (1)
(4) Enable traffic

Author: Ravi Sankar Penta

pkg/network/node/ovscontroller.go

@@ -445,10 +445,7 @@ func (oc *ovsController) UpdateEgressNetworkPolicyRules(policies []networkapi.Eg
 		otx.DeleteFlows("table=101, reg0=%d", vnid)
 		otx.AddFlow("table=101, reg0=%d, priority=1, actions=drop", vnid)
 	} else /* vnid != 0 && len(policies) == 1 */ {
-		// Temporarily drop all outgoing traffic, to avoid race conditions while modifying the other rules
-		otx.AddFlow("table=101, reg0=%d, cookie=1, priority=65535, actions=drop", vnid)
-		otx.DeleteFlows("table=101, reg0=%d, cookie=0/1", vnid)
-
+		var flows []string
 		dnsFound := false
 		for i, rule := range policies[0].Spec.Egress {
 			priority := len(policies[0].Spec.Egress) - i
@@ -482,10 +479,17 @@ func (oc *ovsController) UpdateEgressNetworkPolicyRules(policies []networkapi.Eg
 					dst = fmt.Sprintf(", nw_dst=%s", selector)
 				}
 
-				otx.AddFlow("table=101, reg0=%d, priority=%d, ip%s, actions=%s", vnid, priority, dst, action)
+				flows = append(flows, fmt.Sprintf("table=101, reg0=%d, priority=%d, ip%s, actions=%s", vnid, priority, dst, action))
 			}
 		}
 
+		// Temporarily drop all outgoing traffic, to avoid race conditions while modifying the other rules
+		otx.AddFlow("table=101, reg0=%d, cookie=1, priority=65535, actions=drop", vnid)
+		otx.DeleteFlows("table=101, reg0=%d, cookie=0/1", vnid)
+		for _, f := range flows {
+			otx.AddFlow(f)
+		}
+
 		if dnsFound {
 			if err := common.CheckDNSResolver(); err != nil {
 				inputErr = fmt.Errorf("DNS resolver failed: %v, dropping all traffic for namespace: %q", err, namespaces[0])