ipmasq: fix nftables backend

Rename
SetupIPMasqForNetwork -> SetupIPMasqForNetworks
TeardownIPMasqForNetwork -> TeardownIPMasqForNetworks
and have them take []*net.IPNet instead of *net.IPNet.

This allows the nftables backend to clean up stale rules and recreate all
needed rules in a single transaction, where previously the stale-rule
cleanup was breaking all but the last IPNet.

Fixes 61d078645a

Signed-off-by: Etienne Champetier <e.champetier@ateme.com>
Etienne Champetier
2024-11-11 15:48:35 -05:00
committed by Casey Callendrello
parent 9296c5f80a
commit 6de8a9853c
6 changed files with 120 additions and 70 deletions


@@ -24,11 +24,11 @@ import (
"github.com/containernetworking/plugins/pkg/utils"
)
// SetupIPMasqForNetwork installs rules to masquerade traffic coming from ip of ipn and
// going outside of ipn, using a chain name based on network, ifname, and containerID. The
// SetupIPMasqForNetworks installs rules to masquerade traffic coming from ips of ipns and
// going outside of ipns, using a chain name based on network, ifname, and containerID. The
// backend can be either "iptables" or "nftables"; if it is nil, then a suitable default
// implementation will be used.
func SetupIPMasqForNetwork(backend *string, ipn *net.IPNet, network, ifname, containerID string) error {
func SetupIPMasqForNetworks(backend *string, ipns []*net.IPNet, network, ifname, containerID string) error {
if backend == nil {
// Prefer iptables, unless only nftables is available
defaultBackend := "iptables"
@@ -40,27 +40,27 @@ func SetupIPMasqForNetwork(backend *string, ipn *net.IPNet, network, ifname, con
switch *backend {
case "iptables":
return setupIPMasqIPTables(ipn, network, ifname, containerID)
return setupIPMasqIPTables(ipns, network, ifname, containerID)
case "nftables":
return setupIPMasqNFTables(ipn, network, ifname, containerID)
return setupIPMasqNFTables(ipns, network, ifname, containerID)
default:
return fmt.Errorf("unknown ipmasq backend %q", *backend)
}
}
// TeardownIPMasqForNetwork undoes the effects of SetupIPMasqForNetwork
func TeardownIPMasqForNetwork(ipn *net.IPNet, network, ifname, containerID string) error {
// TeardownIPMasqForNetworks undoes the effects of SetupIPMasqForNetworks
func TeardownIPMasqForNetworks(ipns []*net.IPNet, network, ifname, containerID string) error {
var errs []string
// Do both the iptables and the nftables cleanup, since the pod may have been
// created with a different version of this plugin or a different configuration.
err := teardownIPMasqIPTables(ipn, network, ifname, containerID)
err := teardownIPMasqIPTables(ipns, network, ifname, containerID)
if err != nil && utils.SupportsIPTables() {
errs = append(errs, err.Error())
}
err = teardownIPMasqNFTables(ipn, network, ifname, containerID)
err = teardownIPMasqNFTables(ipns, network, ifname, containerID)
if err != nil && utils.SupportsNFTables() {
errs = append(errs, err.Error())
}