Teardown IPMasq rules for all actual configured bridges instead of us…
…ing the hardcoded default string
stealthybox committed Sep 26, 2019
1 parent 292dd05 commit dba82ba
Showing 1 changed file with 26 additions and 9 deletions.
35 changes: 26 additions & 9 deletions pkg/network/cni/cni.go
Expand Up @@ -83,9 +83,10 @@ var defaultCNIConf = fmt.Sprintf(`{
`, defaultNetworkName, defaultBridgeName, defaultSubnet)

type cniNetworkPlugin struct {
cni gocni.CNI
runtime runtime.Interface
once *sync.Once
cni gocni.CNI
cniConfig *gocni.ConfigResult
runtime runtime.Interface
once *sync.Once
}

func GetCNINetworkPlugin(runtime runtime.Interface) (network.Plugin, error) {
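Review bot: The new `cniConfig *gocni.ConfigResult` field in cniNetworkPlugin carries no comment saying when it is populated, which matters because, as a pointer, it is nil on a freshly constructed plugin until something assigns it. A one-line field comment such as `// cniConfig caches cni.GetConfig(); nil until initialize() has run.` would make the lifecycle explicit for readers of RemoveContainerNetwork, which reads it. Whether GetConfig can itself return nil is not visible from this file, so the comment should not promise a non-nil value after initialize.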
Expand Down Expand Up @@ -168,6 +169,9 @@ func (plugin *cniNetworkPlugin) initialize() (err error) {
log.Errorf("failed to load cni configuration: %v", err)
}
})

plugin.cniConfig = plugin.cni.GetConfig()

return
}

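Review bot: `plugin.cniConfig = plugin.cni.GetConfig()` is placed after the `once.Do` block rather than inside it, so it re-runs on every initialize() call and is executed even when the configuration load inside the once.Do only logged its error at `log.Errorf("failed to load cni configuration: %v", err)`. If GetConfig reports an unloaded configuration as nil (I cannot confirm gocni's behaviour from here), cniConfig stays nil while initialize appears to succeed, and later users of the field will dereference it. Consider moving the assignment inside the once.Do after a successful load, or adding `if plugin.cniConfig == nil { return fmt.Errorf("cni configuration not loaded") }` before the `return`. initialize's body begins outside the hunk.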
Expand Down Expand Up @@ -203,17 +207,30 @@ func (plugin *cniNetworkPlugin) RemoveContainerNetwork(containerID string) error
return nil
}

// get the amount of combinations between an IP mask, and an iptables chain, with the specified container ID
// this makes the defaultNetworkName CNI network config not leak iptables rules
// Get the amount of combinations between an IP mask, and an iptables chain, with the specified container ID
// This makes the defaultNetworkName CNI network config not leak iptables rules
// It could possibly help with rule cleanup for other CNI network configs as well
result, err := getIPChains(c.ID)
if err != nil {
return err
}
comment := utils.FormatComment(defaultNetworkName, c.ID)

for _, t := range result {
if err = ip.TeardownIPMasq(t.ip, t.chain, comment); err != nil {
return err
for _, net := range plugin.cniConfig.Networks {
var hasBridge bool
for _, plugin := range net.Config.Plugins {
if plugin.Network.Type == "bridge" {
hasBridge = true
}
}

if hasBridge {
log.Debugf("TeardownIPMasq for container %q on CNI network %q which contains a bridge", containerID, net.Config.Name)
comment := utils.FormatComment(net.Config.Name, c.ID)
for _, t := range result {
if err = ip.TeardownIPMasq(t.ip, t.chain, comment); err != nil {
return err
}
}
}
}

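Review bot: `plugin.cniConfig.Networks` on the `for _, net := range` line is dereferenced without a nil check, and when no configured network has a plugin of type "bridge" the loop tears down nothing, whereas the removed code always ran TeardownIPMasq with the defaultNetworkName comment; in both cases the container's MASQUERADE rules outlive the container, and the nil case panics inside a cleanup path. Guarding with `if plugin.cniConfig == nil { return fmt.Errorf("cni configuration not loaded, cannot tear down IPMasq rules for container %q", containerID) }` before the loop and emitting a warn-level log when no bridge network was found would make a leaked rule set visible rather than silent. The inner `for _, plugin := range net.Config.Plugins` shadows the method receiver `plugin`, and `net` shadows the standard library package of that name if this file imports it; `for _, p := range network.Config.Plugins` avoids both. RemoveContainerNetwork's body begins outside the hunk.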
