From ec27b781d3ce8216e1fee3998d41ad43e61de3f5 Mon Sep 17 00:00:00 2001
From: Adam Duncan
Date: Sat, 13 Mar 2021 19:30:22 +0000
Subject: [PATCH] networking: Ensure CNI iptables rules are appended to chain and not forced to be first
---
 client/allocrunner/networking_bridge_linux.go | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/client/allocrunner/networking_bridge_linux.go b/client/allocrunner/networking_bridge_linux.go
index 37c504e4141..1c331bddd22 100644
--- a/client/allocrunner/networking_bridge_linux.go
+++ b/client/allocrunner/networking_bridge_linux.go
@@ -75,7 +75,7 @@ func (b *bridgeNetworkConfigurator) ensureForwardingRules() error {
 		return err
 	}
 
-	if err := ensureFirstChainRule(ipt, cniAdminChainName, b.generateAdminChainRule()); err != nil {
+	if err := appendChainRule(ipt, cniAdminChainName, b.generateAdminChainRule()); err != nil {
 		return err
 	}
 
@@ -105,12 +105,11 @@ func ensureChain(ipt *iptables.IPTables, table, chain string) error {
 	return err
 }
 
-// ensureFirstChainRule ensures the given rule exists as the first rule in the chain
-func ensureFirstChainRule(ipt *iptables.IPTables, chain string, rule []string) error {
+// appendChainRule adds the given rule to the chain
+func appendChainRule(ipt *iptables.IPTables, chain string, rule []string) error {
 	exists, err := ipt.Exists("filter", chain, rule...)
 	if !exists && err == nil {
-		// iptables rules are 1-indexed
-		err = ipt.Insert("filter", chain, 1, rule...)
+		err = ipt.Append("filter", chain, rule...)
 	}
 	return err
 }
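Review bot: The new doc comment on appendChainRule in the second hunk understates what the function guarantees: the rule is appended only when ipt.Exists reports it absent, and a rule that is already present is left wherever it currently sits, so a host that previously ran ensureFirstChainRule keeps the rule at position 1 while a fresh host gets it at the end of the chain. Suggest `// appendChainRule appends the rule to the end of the chain unless it is already present; an existing rule is left at its current position, so the rule only takes effect if no earlier rule in the chain matches first.` The caller in the first hunk (ensureForwardingRules, whose body begins and ends outside the hunk) now depends on that ordering, which is presumably intended given the commit title but is worth stating there as well. As a point of style, appendChainRule hardcodes the "filter" table while ensureChain in the same file takes `table` as a parameter; since the signature is changing anyway, accepting `table` would keep the two helpers parallel.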