Merge pull request #44803 from akerouanton/fix-44721

libnetwork: Remove iptables nat rule when hairpin is disabled
2023-01-12 08:36:10 -07:00 · 2023-01-12 08:36:10 -07:00 · dae48a8064
commit dae48a8064
parent 4c02882f8a 566a2e4c79
1 changed files with 4 additions and 5 deletions
--- a/libnetwork/drivers/bridge/setup_ip_tables.go
+++ b/libnetwork/drivers/bridge/setup_ip_tables.go
@ -244,11 +244,10 @@ func setupIPTablesInternal(hostIP net.IP, bridgeIface string, addr *net.IPNet, i
 		}
 	}

-	// In hairpin mode, masquerade traffic from localhost
-	if hairpin {
-		if err := programChainRule(ipVersion, hpNatRule, "MASQ LOCAL HOST", enable); err != nil {
-			return err
-		}
+	// In hairpin mode, masquerade traffic from localhost. If hairpin is disabled or if we're tearing down
+	// that bridge, make sure the iptables rule isn't lying around.
+	if err := programChainRule(ipVersion, hpNatRule, "MASQ LOCAL HOST", enable && hairpin); err != nil {
+		return err
 	}

 	// Set Inter Container Communication.