networking: Ensure CNI iptables rules are appended to chain and not forced to be first

Adam Duncan 2021-03-13 19:30:22 +00:00 committed by Tim Gross
parent a239224555
commit 7588cf0ec3


@ -75,7 +75,7 @@ func (b *bridgeNetworkConfigurator) ensureForwardingRules() error {
return err return err
} }
if err := ensureFirstChainRule(ipt, cniAdminChainName, b.generateAdminChainRule()); err != nil { if err := appendChainRule(ipt, cniAdminChainName, b.generateAdminChainRule()); err != nil {
return err return err
} }
@ -105,12 +105,11 @@ func ensureChain(ipt *iptables.IPTables, table, chain string) error {
return err return err
} }
// ensureFirstChainRule ensures the given rule exists as the first rule in the chain // appendChainRule adds the given rule to the chain
func ensureFirstChainRule(ipt *iptables.IPTables, chain string, rule []string) error { func appendChainRule(ipt *iptables.IPTables, chain string, rule []string) error {
exists, err := ipt.Exists("filter", chain, rule...) exists, err := ipt.Exists("filter", chain, rule...)
if !exists && err == nil { if !exists && err == nil {
// iptables rules are 1-indexed err = ipt.Append("filter", chain, rule...)
err = ipt.Insert("filter", chain, 1, rule...)
} }
return err return err
} }
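Review bot: The new doc comment on `appendChainRule` says less than the function guarantees, and the ordering rationale that motivates this commit is not recorded anywhere in the code, which invites a future "fix" back to insert-at-1. The body only calls `Append` when `Exists` reports the rule absent, so the function is idempotent and append-only: an identical rule already in the chain keeps its current position, and a rule with a changed spec is never removed, so the old one lingers ahead of the new one. I would replace the one-liner with `// appendChainRule appends rule to the end of chain (filter table) unless an identical rule is already present. An existing match is left where it is, so rules an operator placed earlier in the chain keep precedence over this one; a stale rule with a different spec is not removed.` This also matches the first hunk, where `ensureForwardingRules` (whose body starts outside the hunk) now relies on that deference for the admin chain rule.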