Merge pull request #44811 from akerouanton/23.0-backport-44803

[23.0 backport] libnetwork: Remove iptables nat rule when hairpin is disabled
2023-01-12 10:42:01 -07:00 · 2023-01-12 10:42:01 -07:00 · 7e4f58d894
commit 7e4f58d894
parent 225551ddef c8262e912f
1 changed files with 4 additions and 5 deletions
--- a/libnetwork/drivers/bridge/setup_ip_tables.go
+++ b/libnetwork/drivers/bridge/setup_ip_tables.go
@ -244,11 +244,10 @@ func setupIPTablesInternal(hostIP net.IP, bridgeIface string, addr *net.IPNet, i
 		}
 	}

-	// In hairpin mode, masquerade traffic from localhost
-	if hairpin {
-		if err := programChainRule(ipVersion, hpNatRule, "MASQ LOCAL HOST", enable); err != nil {
-			return err
-		}
+	// In hairpin mode, masquerade traffic from localhost. If hairpin is disabled or if we're tearing down
+	// that bridge, make sure the iptables rule isn't lying around.
+	if err := programChainRule(ipVersion, hpNatRule, "MASQ LOCAL HOST", enable && hairpin); err != nil {
+		return err
 	}

 	// Set Inter Container Communication.