networking: Ensure CNI iptables rules are appended to chain and not forced to be first

This commit is contained in:
Adam Duncan 2021-03-13 19:30:22 +00:00 committed by Tim Gross
parent a239224555
commit 7588cf0ec3
1 changed files with 4 additions and 5 deletions


@ -75,7 +75,7 @@ func (b *bridgeNetworkConfigurator) ensureForwardingRules() error {
return err
}
if err := ensureFirstChainRule(ipt, cniAdminChainName, b.generateAdminChainRule()); err != nil {
if err := appendChainRule(ipt, cniAdminChainName, b.generateAdminChainRule()); err != nil {
return err
}
@ -105,12 +105,11 @@ func ensureChain(ipt *iptables.IPTables, table, chain string) error {
return err
}
// ensureFirstChainRule ensures the given rule exists as the first rule in the chain
func ensureFirstChainRule(ipt *iptables.IPTables, chain string, rule []string) error {
// appendChainRule adds the given rule to the chain
func appendChainRule(ipt *iptables.IPTables, chain string, rule []string) error {
exists, err := ipt.Exists("filter", chain, rule...)
if !exists && err == nil {
// iptables rules are 1-indexed
err = ipt.Insert("filter", chain, 1, rule...)
err = ipt.Append("filter", chain, rule...)
}
return err
}
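Review bot: The new comment on appendChainRule does not state the function's actual contract, which is append-if-absent: because the Exists check runs first, a rule that an older build already inserted at position 1 via ensureFirstChainRule is left exactly where it is, so on a host upgraded in place the chain ordering this commit is after is not applied until that rule is removed or the chain is flushed (inferred from the visible Exists/Append sequence; worth confirming against the upgrade path). I would replace the comment with `// appendChainRule appends rule to chain in the filter table unless an identical rule already exists; an existing rule keeps its current position.` Since the new body is exactly the check-then-append pattern, it may be reducible to `return ipt.AppendUnique("filter", chain, rule...)` if the vendored go-iptables version provides that method, which would also collapse the error handling to one path. The caller in the first hunk sits inside ensureForwardingRules, whose body starts and ends outside the hunk.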