Dan Winship
> looks like it is the first part of a bigger change? If so, can you explain the steps of this plan?

Yes, the plan is to eventually remove all...
@npinaeva updated
@npinaeva OK, big rewrite. With the removal of the unnecessary looping around the nftables calls, it made a lot less sense to keep the iptables and nftables rules grouped together...
Test failure is real. (Well, one of them is failing because it's counting iptables rules and I didn't update the test to count nftables rules instead, but the other one...
(just rebased and updated to latest knftables; still expected to fail `e2e (control-plane, noHA, local, ipv4, noSnatGW, 1br, ic-single-node-zones)` as above)
/sig network /sig api-machinery
@salaxander sorry, the initial description hadn't been updated in a while. This did not go alpha in 1.22 and thus is not scheduled to go beta in 1.23 (but should...
> and we error out

oh, you can't do that. Customers will complain. We tried it with a few things in openshift-sdn (like "you can't have more than one EgressNetworkPolicy...
> Or is the problem more so that there's no mechanism for us to actually stop users from creating two ANPs at the same priority?

This. We can't prevent it...
We don't want people to depend on any specific behavior; if there is any situation where someone _needs_ to depend on the relative ordering of two policies with the same...