dual stack setup
{
  "type": "ptp",
  "ipMasq": true,
  "ipMasqBackend": "nftables",
  "ipam": {
    "type": "host-local",
    "ranges": [
      [{"subnet": "198.18.0.0/17"}],
      [{"subnet": "fd61:7465:6d65:1000::/112"}]
    ],
    "routes": [
      { "dst": "0.0.0.0/0" },
      { "dst": "::/0" }
    ]
  }
}
Looking at nft list ruleset, only the ip6 rules are present in the cni_plugins_masquerade table.
Looking at nft monitor rules, we see that the ip rules are added and then deleted.
plugins/pkg/ip/ipmasq_nftables_linux.go
Lines 84 to 85 in fec2d62

func setupIPMasqNFTablesWithInterface(nft knftables.Interface, ipn *net.IPNet, network, ifname, containerID string) error {

	staleRules, err := findRules(nft, hashForInstance(network, ifname, containerID))

In setupIPMasqNFTablesWithInterface the stale rule logic is incorrect.
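The following is an added model of the failure mode the symptom suggests; it is not code from the plugins repository and it does not use knftables. The assumption it encodes is that the excerpt's stale-rule lookup keys only on hashForInstance(network, ifname, containerID), which carries no address family, so in a dual-stack run the ip6 pass treats the rule the ip pass just added as stale and removes it. ruleStore, instanceHash, setupMasq and the familyAware switch are all hypothetical stand-ins; the family-aware match shown as the alternative is one possible remedy, not the project's fix.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"net"
)

// rule is a minimal stand-in for one rule in a single inet-family table:
// the family the match applies to, the match text, and the comment that
// carries the per-instance hash. Model only, not knftables.Rule.
type rule struct {
	family  string // "ip" or "ip6"
	match   string
	comment string
}

// ruleStore stands in for the table the masquerade rules live in.
type ruleStore struct {
	rules []rule
}

// instanceHash is a hypothetical stand-in for hashForInstance: a short,
// deterministic tag derived from (network, ifname, containerID). As in the
// excerpt quoted above, the address family is not part of the input.
func instanceHash(network, ifname, containerID string) string {
	sum := sha256.Sum256([]byte(network + "\x00" + ifname + "\x00" + containerID))
	return hex.EncodeToString(sum[:8])
}

// findRules returns the rules whose comment carries hash. With a non-empty
// family the match is additionally restricted to that family.
func (s *ruleStore) findRules(hash, family string) []rule {
	var out []rule
	for _, r := range s.rules {
		if r.comment == hash && (family == "" || r.family == family) {
			out = append(out, r)
		}
	}
	return out
}

// delete removes every rule that appears in stale.
func (s *ruleStore) delete(stale []rule) {
	var kept []rule
	for _, r := range s.rules {
		drop := false
		for _, st := range stale {
			if r == st {
				drop = true
				break
			}
		}
		if !drop {
			kept = append(kept, r)
		}
	}
	s.rules = kept
}

// setupMasq models one per-family call of setupIPMasqNFTablesWithInterface.
// familyAware=false keys the stale lookup on the hash alone (the assumed
// buggy behaviour); familyAware=true also keys it on the family.
func setupMasq(s *ruleStore, ipn *net.IPNet, network, ifname, containerID string, familyAware bool) {
	family := "ip"
	if ipn.IP.To4() == nil {
		family = "ip6"
	}
	hash := instanceHash(network, ifname, containerID)

	lookupFamily := ""
	if familyAware {
		lookupFamily = family
	}
	s.delete(s.findRules(hash, lookupFamily)) // stale rules for this instance
	s.rules = append(s.rules, rule{
		family:  family,
		match:   fmt.Sprintf("%s saddr %s masquerade", family, ipn.String()),
		comment: hash,
	})
}

// families lists the families that still hold a rule for the instance hash.
func families(s *ruleStore, hash string) []string {
	var out []string
	for _, r := range s.findRules(hash, "") {
		out = append(out, r.family)
	}
	return out
}

// dualStack runs the ip pass and then the ip6 pass, as a dual-stack
// allocation would, using constructed subnets from the report's config.
func dualStack(familyAware bool) []string {
	_, v4, _ := net.ParseCIDR("198.18.0.5/17")
	_, v6, _ := net.ParseCIDR("fd61:7465:6d65:1000::5/112")
	s := &ruleStore{}
	setupMasq(s, v4, "mynet", "eth0", "ctr-1", familyAware)
	setupMasq(s, v6, "mynet", "eth0", "ctr-1", familyAware)
	return families(s, instanceHash("mynet", "eth0", "ctr-1"))
}

func main() {
	fmt.Println("hash-only stale match:   ", dualStack(false)) // [ip6]
	fmt.Println("family-aware stale match:", dualStack(true))  // [ip ip6]
}
```

Running it with the hash-only lookup leaves just the ip6 rule, which is the state the report describes from nft list ruleset; the family-aware lookup keeps one rule per family while still replacing a rule when the same family is set up again for the same instance.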