
Results 1 - 10 of 16 for rules (0.2 sec)

  1. cni/pkg/nodeagent/net.go

    	}
    	// pod is removed from the mesh, but is still running. remove iptables rules
    	log.Debugf("calling DeleteInpodRules.")
    	if err := s.netnsRunner(openNetns, func() error { return s.iptablesConfigurator.DeleteInpodRules() }); err != nil {
    		log.Errorf("failed to delete inpod rules %v", err)
    		return fmt.Errorf("failed to delete inpod rules %w", err)
    	}
    
    Go
    - Registered: Wed May 08 22:53:08 GMT 2024
    - Last Modified: Tue Apr 30 22:24:38 GMT 2024
    - 12.2K bytes
    - Viewed (1)
  2. cni/pkg/nodeagent/server.go

    	}
    
    	// Create hostprobe rules now, in the host netns
    	// Later we will reuse this same configurator inside the pod netns for adding other rules
    	iptablesConfigurator.DeleteHostRules()
    
    	if err := iptablesConfigurator.CreateHostRulesForHealthChecks(&HostProbeSNATIP, &HostProbeSNATIPV6); err != nil {
    		return nil, fmt.Errorf("error initializing the host rules for health checks: %w", err)
    	}
    
    Go
    - Registered: Wed May 08 22:53:08 GMT 2024
    - Last Modified: Tue Apr 30 22:24:38 GMT 2024
    - 7.2K bytes
    - Viewed (0)
  3. cni/pkg/iptables/iptables.go

    	// Append our rules here
    	builder := cfg.appendHostRules(hostSNATIP, hostSNATIPV6)
    
    	log.Info("Adding host netnamespace iptables rules")
    
    	if err := cfg.executeCommands(builder); err != nil {
    		log.Errorf("failed to add host netnamespace iptables rules: %v", err)
    		return err
    	}
    	return nil
    }
    
    Go
    - Registered: Wed May 08 22:53:08 GMT 2024
    - Last Modified: Tue May 07 19:54:50 GMT 2024
    - 19.7K bytes
    - Viewed (0)
  4. cni/pkg/repair/netns.go

    // in a pod, we cannot just access any arbitrary file they happen to bind mount in, as we don't know ahead of time where
    // it might be.
    //
    // Instead, we rely directly on the procfs.
    // This rules out two possible methods:
    // * use crictl to inspect the pod; this returns the bind-mounted network namespace file.
    // * /var/lib/cni/results shows the outputs of CNI plugins; this contains the bind-mounted network namespace file.
    Go
    - Registered: Wed May 08 22:53:08 GMT 2024
    - Last Modified: Wed Dec 20 22:14:13 GMT 2023
    - 4.8K bytes
    - Viewed (0)
  5. cni/pkg/iptables/iptables_linux.go

    		inpodMarkRule.Mark = InpodTProxyMark
    		inpodMarkRule.Mask = InpodTProxyMask
    		inpodMarkRule.Priority = 32764
    		rules = append(rules, inpodMarkRule)
    	}
    
    	for _, rule := range rules {
    		log.Debugf("Iterating netlink rule : %+v", rule)
    		if err := f(rule); err != nil {
    			return fmt.Errorf("failed to configure netlink rule: %w", err)
    		}
    	}
    
    	return nil
    }
    
    func AddLoopbackRoutes(cfg *Config) error {
    Go
    - Registered: Wed May 08 22:53:08 GMT 2024
    - Last Modified: Tue Apr 30 22:24:38 GMT 2024
    - 3.3K bytes
    - Viewed (0)
  6. cni/pkg/nodeagent/net_test.go

    	err := netServer.DelPodFromMesh(ctx, pod)
    	assert.NoError(t, err)
    	assert.Equal(t, ztunnelServer.deletedPods.Load(), 1)
    	// with delete iptables is not called, as there is no need to delete the iptables rules
    	// from a pod that's gone from the cluster.
    	assert.Equal(t, nlDeps.DelInpodMarkIPRuleCnt.Load(), 0)
    	assert.Equal(t, nlDeps.DelLoopbackRoutesCnt.Load(), 0)
    	// make sure the uid was taken from cache and netns closed
    Go
    - Registered: Wed May 08 22:53:08 GMT 2024
    - Last Modified: Tue Apr 30 22:24:38 GMT 2024
    - 16.4K bytes
    - Viewed (0)
  7. istioctl/pkg/authz/analyzer_test.go

    				},
    				ClientStatus: 453,
    			},
    		},
    	}
    	for _, tt := range tests {
    		t.Run(tt.name, func(t *testing.T) {
    			var buf bytes.Buffer
    			a.Print(&buf)
    			expectedOutput := "ACTION   AuthorizationPolicy   RULES\n"
    			actualOutput := buf.String()
    			if !reflect.DeepEqual(expectedOutput, actualOutput) {
    				t.Errorf("Found %v, wanted %v", actualOutput, expectedOutput)
    			}
    		})
    	}
    Go
    - Registered: Wed May 08 22:53:08 GMT 2024
    - Last Modified: Sun Apr 21 17:42:54 GMT 2024
    - 2.8K bytes
    - Viewed (0)
  8. cni/pkg/plugin/sidecar_intercept_rule_mgr.go

    Ben Leggett <******@****.***> 1707525115 -0500
    Go
    - Registered: Wed May 08 22:53:08 GMT 2024
    - Last Modified: Sat Feb 10 00:31:55 GMT 2024
    - 940 bytes
    - Viewed (0)
  9. cni/pkg/repair/repaircontroller.go

    	} else if c.cfg.LabelPods {
    		return c.labelBrokenPod(pod)
    	}
    	return nil
    }
    
    // repairPod actually dynamically repairs a pod. This is done by entering the pod's network namespace and setting up rules.
    // This differs from the general CNI plugin flow, which triggers before the pod fully starts.
    // Additionally, we need to jump through hoops to find the network namespace.
    func (c *Controller) repairPod(pod *corev1.Pod) error {
    Go
    - Registered: Wed May 08 22:53:08 GMT 2024
    - Last Modified: Sat Feb 10 00:31:55 GMT 2024
    - 10.4K bytes
    - Viewed (0)
  10. cni/pkg/plugin/plugin_dryrun_test.go

    			if err != nil {
    				log.Fatalf("Cannot read generated IPTables rule file: %v", err)
    			}
    			generatedRules := getRules(generated)
    
    			refreshGoldens(t, tt.golden, generatedRules)
    
    			// Compare generated iptables rule with golden files.
    			golden, err := os.ReadFile(tt.golden)
    			if err != nil {
    				log.Fatalf("Cannot read golden rule file: %v", err)
    			}
    			goldenRules := getRules(golden)
    
    Go
    - Registered: Wed May 08 22:53:08 GMT 2024
    - Last Modified: Sat Feb 10 00:31:55 GMT 2024
    - 8.4K bytes
    - Viewed (0)