Closed vrischmann closed 3 years ago
Hi,

I believe there's a bug in `execDelete` which prevents it from removing the filter-forward chain for the container id.

With v1.0.9 after removing a pod with podman, the chains are still in my ruleset:

```
table ip _filter {
	chain _forward {
		type filter hook forward priority 0; policy accept;
		jump cni-ffw-8726fd92cb82f541940f26a
		jump cni-ffw-469fc695dc03346d8d7865c
	}

	chain cni-ffw-469fc695dc03346d8d7865c {
		oifname "cni-podman0" ip daddr 20.88.0.20 ct state established,related counter packets 0 bytes 0 accept
		iifname "cni-podman0" ip saddr 20.88.0.20 counter packets 0 bytes 0 accept
		iifname "cni-podman0" oifname "cni-podman0" counter packets 0 bytes 0 accept
	}

	chain cni-ffw-8726fd92cb82f541940f26a {
		oifname "cni-podman0" ip daddr 20.88.0.21 ct state established,related counter packets 0 bytes 0 accept
		iifname "cni-podman0" ip saddr 20.88.0.21 counter packets 0 bytes 0 accept
		iifname "cni-podman0" oifname "cni-podman0" counter packets 0 bytes 0 accept
	}
}
```

but the rules under the nat table, postrouting chain are correctly removed.

As far as I can tell, this check is wrong, the `ffwChain` is in the filter table, not the nat table. This PR fixes this.

I've verified on my server that it works correctly now, but let me know if I'm misunderstanding something
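The leftover chains above are the kind of thing an operator wants to detect on a host, since a per-container forward chain that outlives its pod keeps accepting traffic for an address the next container may be assigned. The following is an added example, not code from this PR or from the plugin: a small Go parser for `nft list ruleset` output that lists chains by the table that declares them, so a lookup for the forward chain in the `nat` table (the mistake the PR describes) visibly returns nothing while the same lookup in `filter` succeeds. The sample ruleset is constructed after the report above; the table and chain names `filter`/`forward` are assumed to be the standard nftables names, and the `cni-ffw-` prefix is taken from the report.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Sample ruleset constructed after the v1.0.9 report: the pod is gone but both
// per-container forward chains are still declared in the filter table.
const leftoverRuleset = `table ip filter { chain forward { type filter hook forward priority 0; policy accept; jump cni-ffw-8726fd92cb82f541940f26a jump cni-ffw-469fc695dc03346d8d7865c } chain cni-ffw-469fc695dc03346d8d7865c { oifname "cni-podman0" ip daddr 20.88.0.20 ct state established,related counter packets 0 bytes 0 accept iifname "cni-podman0" ip saddr 20.88.0.20 counter packets 0 bytes 0 accept } chain cni-ffw-8726fd92cb82f541940f26a { oifname "cni-podman0" ip daddr 20.88.0.21 ct state established,related counter packets 0 bytes 0 accept iifname "cni-podman0" ip saddr 20.88.0.21 counter packets 0 bytes 0 accept } }`

// Chain identifies a chain by the family and table that declare it.
type Chain struct {
	Family, Table, Name string
}

// ParseChains walks nft output token by token and returns every
// (family, table, chain) it declares. Only brace depth is tracked, so
// one-line and pretty-printed output parse the same way; rule bodies are
// not interpreted (anonymous sets with braces inside rules are not handled).
func ParseChains(ruleset string) []Chain {
	tokens := strings.Fields(ruleset)
	var out []Chain
	depth := 0
	var family, table string
	for i := 0; i < len(tokens); i++ {
		switch tokens[i] {
		case "{":
			depth++
		case "}":
			depth--
		case "table":
			if depth == 0 && i+2 < len(tokens) {
				family, table = tokens[i+1], tokens[i+2]
				i += 2
			}
		case "chain":
			if depth == 1 && i+1 < len(tokens) {
				out = append(out, Chain{family, table, tokens[i+1]})
				i++
			}
		}
	}
	return out
}

// ChainExists reports whether family/table declares a chain called name.
// A delete path that asks for the forward chain in the wrong table gets
// false here and therefore never removes it.
func ChainExists(ruleset, family, table, name string) bool {
	for _, c := range ParseChains(ruleset) {
		if c.Family == family && c.Table == table && c.Name == name {
			return true
		}
	}
	return false
}

// LeftoverChains returns chains whose name starts with prefix, keyed by
// "family table", so stale per-container chains can be listed per table.
func LeftoverChains(ruleset, prefix string) map[string][]string {
	found := map[string][]string{}
	for _, c := range ParseChains(ruleset) {
		if strings.HasPrefix(c.Name, prefix) {
			key := c.Family + " " + c.Table
			found[key] = append(found[key], c.Name)
		}
	}
	for k := range found {
		sort.Strings(found[k])
	}
	return found
}

func main() {
	for table, chains := range LeftoverChains(leftoverRuleset, "cni-ffw-") {
		fmt.Printf("%s: %d leftover chain(s): %v\n", table, len(chains), chains)
	}
	id := "cni-ffw-8726fd92cb82f541940f26a"
	fmt.Println("forward chain found in nat:   ", ChainExists(leftoverRuleset, "ip", "nat", id))
	fmt.Println("forward chain found in filter:", ChainExists(leftoverRuleset, "ip", "filter", id))
}
```

On a real host, feed `nft list ruleset` output into `LeftoverChains` after the last pod has been removed; any `cni-ffw-` chain still listed under `ip filter` is a chain the delete path did not clean up.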
@vrischmann , thank you for the contribution 👍
:+1: thank you for the software !
@vrischmann , released v1.0.10