libnetwork: Remove iptables nat rule when hairpin is disabled
When userland-proxy is turned off and on again, the iptables nat rule
doing hairpinning isn't properly removed. This fix makes sure this nat
rule is removed whenever the bridge is torn down or hairpinning is
disabled (through setting userland-proxy to true).
Unlike for ip masquerading and ICC, the `programChainRule()` call
setting up the "MASQ LOCAL HOST" rule has to be called unconditionally
because the hairpin parameter isn't restored from the driver store, but
always comes from the driver config.
For the "SKIP DNAT" rule, things are a bit different: this rule is
always deleted by `removeIPChains()` when the bridge driver is
initialized.
Fixes #44721.
Signed-off-by: Albin Kerouanton <albinker@gmail.com>
(cherry picked from commit 566a2e4)
Signed-off-by: Albin Kerouanton <albinker@gmail.com>
parent 225551ddef
commit c8262e912f
1 changed files with 4 additions and 5 deletions
|
@ -244,11 +244,10 @@ func setupIPTablesInternal(hostIP net.IP, bridgeIface string, addr *net.IPNet, i
|
|||
}
|
||||
}
|
||||
|
||||
// In hairpin mode, masquerade traffic from localhost
|
||||
if hairpin {
|
||||
if err := programChainRule(ipVersion, hpNatRule, "MASQ LOCAL HOST", enable); err != nil {
|
||||
return err
|
||||
}
|
||||
// In hairpin mode, masquerade traffic from localhost. If hairpin is disabled or if we're tearing down
|
||||
// that bridge, make sure the iptables rule isn't lying around.
|
||||
if err := programChainRule(ipVersion, hpNatRule, "MASQ LOCAL HOST", enable && hairpin); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
// Set Inter Container Communication.
|
||||
|
|
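Review bot: the now-unconditional `programChainRule(ipVersion, hpNatRule, "MASQ LOCAL HOST", enable && hairpin)` call takes the removal path on every setup where hairpin is false, including hosts where the rule was never installed, and any error from that path is returned and aborts `setupIPTablesInternal`. Please confirm that removing an absent rule is a no-op rather than an error, and say so in the comment above the call. The commit also touches a single file and adds no test; a regression test that programs the rule with hairpin enabled, reruns with hairpin disabled, and asserts the "MASQ LOCAL HOST" nat rule is gone would pin the behavior described in #44721, since a leftover masquerade rule is exactly the kind of stale firewall state that goes unnoticed.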