containernetworking / plugins

Some reference and example networking plugins, maintained by the CNI team.
Apache License 2.0

bridge: read only required chain on cni del instead of the entire ruleset #880

Closed maiqueb closed 1 year ago

maiqueb commented 1 year ago

This PR changes the bridge-cni mac spoof protection to only read the required chain on CNI DELs (instead of the entire ruleset). This is required since without it we read the entire ruleset, which takes too long when there are plenty of provisioned rules.

It requires an updated version of go-nft, which also imposes a timeout when trying to read the NFT configuration.

These 2 features will hopefully reduce the time it takes to tear down pod networking on CNI DELs.

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2175041
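The scoping the PR describes, read one chain rather than the whole ruleset and bound the read with a timeout, shown as an added example. This is not the bridge plugin's or go-nft's code: it invokes the `nft` binary directly with `-j` for illustration, the family/table/chain names and the JSON sample are constructed, and the timeout value is an assumed one.

```go
package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os/exec"
	"time"
)

// nftListChainArgs builds the argv for a scoped read: one chain of one table,
// as JSON. Compare nftListRulesetArgs, which dumps every table and rule.
func nftListChainArgs(family, table, chain string) []string {
	return []string{"-j", "list", "chain", family, table, chain}
}

// nftListRulesetArgs is the unscoped form the PR moves away from for CNI DEL.
func nftListRulesetArgs() []string {
	return []string{"-j", "list", "ruleset"}
}

// nftObject is the minimal shape of one element of libnftables' JSON
// "nftables" array; only the fields needed to pick out rules are decoded.
type nftObject struct {
	Rule *struct {
		Family string `json:"family"`
		Table  string `json:"table"`
		Chain  string `json:"chain"`
		Handle int    `json:"handle"`
	} `json:"rule"`
}

type nftOutput struct {
	Nftables []nftObject `json:"nftables"`
}

// chainRuleHandles returns the handles of the rules belonging to the given
// chain, from JSON as emitted by `nft -j list ...`. Entries that are not
// rules (metainfo, table, chain headers) are skipped.
func chainRuleHandles(out []byte, family, table, chain string) ([]int, error) {
	var parsed nftOutput
	if err := json.Unmarshal(out, &parsed); err != nil {
		return nil, fmt.Errorf("decoding nft JSON: %w", err)
	}
	var handles []int
	for _, obj := range parsed.Nftables {
		r := obj.Rule
		if r == nil {
			continue
		}
		if r.Family == family && r.Table == table && r.Chain == chain {
			handles = append(handles, r.Handle)
		}
	}
	return handles, nil
}

// readChainWithTimeout runs nft scoped to one chain and gives up after
// timeout, so a slow dump cannot stall the CNI DEL indefinitely.
// Requires the nft binary and CAP_NET_ADMIN; not exercised by the sample below.
func readChainWithTimeout(family, table, chain string, timeout time.Duration) ([]int, error) {
	ctx, cancel := context.WithTimeout(context.Background(), timeout)
	defer cancel()
	out, err := exec.CommandContext(ctx, "nft", nftListChainArgs(family, table, chain)...).Output()
	if ctx.Err() == context.DeadlineExceeded {
		return nil, fmt.Errorf("nft list chain %s %s %s timed out after %s", family, table, chain, timeout)
	}
	if err != nil {
		return nil, fmt.Errorf("running nft: %w", err)
	}
	return chainRuleHandles(out, family, table, chain)
}

// sampleChainJSON is a constructed `nft -j list chain` output: a chain with
// a MAC-match rule followed by a drop, as a MAC spoof guard would look.
// Names and handles are invented for this example.
const sampleChainJSON = `{"nftables": [
  {"metainfo": {"version": "1.0.6", "json_schema_version": 1}},
  {"table": {"family": "bridge", "name": "nat", "handle": 1}},
  {"chain": {"family": "bridge", "table": "nat", "name": "cni_example_chain", "handle": 2}},
  {"rule": {"family": "bridge", "table": "nat", "chain": "cni_example_chain", "handle": 3,
            "expr": [{"match": {"op": "==", "left": {"payload": {"protocol": "ether", "field": "saddr"}},
                                "right": "02:00:00:00:00:01"}}, {"return": null}]}},
  {"rule": {"family": "bridge", "table": "nat", "chain": "cni_example_chain", "handle": 4,
            "expr": [{"drop": null}]}}
]}`

func main() {
	handles, err := chainRuleHandles([]byte(sampleChainJSON), "bridge", "nat", "cni_example_chain")
	if err != nil {
		panic(err)
	}
	fmt.Println("scoped read argv:   ", nftListChainArgs("bridge", "nat", "cni_example_chain"))
	fmt.Println("unscoped read argv: ", nftListRulesetArgs())
	fmt.Println("rule handles in chain:", handles)
}
```

The point for an operator is that teardown cost should scale with the pod being removed, not with every rule on the node: an unbounded `list ruleset` on a busy host turns each CNI DEL into a node-wide dump, and without a deadline one slow read can hold up pod deletion. The timeout duration to use is a deployment decision, not something this example prescribes.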

maiqueb commented 1 year ago

@squeed / @dcbw can you take a look?

squeed commented 1 year ago

Looks good, thanks for chasing these sorts of performance wins down!