beenull/moby
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

bridge: also flush conntrack entries when setting up endpoints

Browse source 
There is a race condition between the local proxy and iptables rule
setting. When we have a lot of UDP traffic, the kernel will create
conntrack entries to the local proxy and will ignore the iptables
rules set after that.

Related to PR #32505. Fix #8795.

Signed-off-by: Vincent Bernat <vincent@bernat.ch>
This commit is contained in:
Vincent Bernat 2022-03-23 08:34:26 +01:00
parent 6b9b445af6
commit e5812117a5
1 changed files with 5 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
libnetwork/drivers/bridge/bridge.go
View file

@ -1352,6 +1352,11 @@ func (d *driver) ProgramExternalConnectivity(nid, eid string, options map[string
}
}()
// Clean the connection tracker state of the host for the
// specific endpoint. This is needed because some flows may be
// bound to the local proxy and won't bre redirect to the new endpoints.
clearEndpointConnections(d.nlh, endpoint)
if err = d.storeUpdate(endpoint); err != nil {
return fmt.Errorf("failed to update bridge endpoint %.7s to store: %v", endpoint.id, err)
}