prepend encapsulation rules to reduce number of reconciliation thereof

because of the way the iptables rules are reconciled, having the encapsulation rules at the end of the slice of rules results in them being deleted and re-added many times, even though they are very static. Prepending them to the slice of rules prevents this from happening, making that iptables chain more stable and saving a bunch of roundtrips to iptables.
squat · Jul 12, 2022 · 0f0b0bd · 0f0b0bd
1 parent 37b3cf1
commit 0f0b0bd
Showing 1 changed file with 3 additions and 1 deletion.
diff --git a/pkg/mesh/mesh.go b/pkg/mesh/mesh.go
@@ -516,7 +516,9 @@ func (m *Mesh) applyTopology() {
 				break
 			}
 		}
-		ipRules = append(ipRules, m.enc.Rules(cidrs)...)
+
+		ipRules = append(m.enc.Rules(cidrs), ipRules...)
+
 		// If we are handling local routes, ensure the local
 		// tunnel has an IP address.
 		if err := m.enc.Set(oneAddressCIDR(newAllocator(*nodes[m.hostname].Subnet).next().IP)); err != nil {