[RFC] libnetwork/iptables: preserve existing forward rules instead of re-creation #43585
Closed
azat wants to merge 1 commit into moby:master from
Conversation
Forwarding to `DOCKER-USER` chain is racy, because it is always re-created:
time="2022-05-11T20:03:03.915890496Z" level=debug msg="/usr/sbin/iptables, [--wait -D FORWARD -j DOCKER-USER]"
time="2022-05-11T20:03:04.051254185Z" level=debug msg="/usr/sbin/iptables, [--wait -I FORWARD -j DOCKER-USER]"
This is not very convenient, since if you are using the `DOCKER-USER` chain
to limit network between containers, for a short period of time rules
from `DOCKER-USER` will not be applied.
So replace -D/-I with -C/-I; it seems that there should not be any issues
with this, although note that **after this change rules will not be
re-queued at the beginning of the FORWARD chain**.
P.S. I've also tried to overcome this issue by creating a separate
chain, but since docker uses -I, my chain will go after docker rules
and it will not receive any packets.
Signed-off-by: Azat Khuzhin <[email protected]>
1a9e00a to 0773f66
Author
Actually, this will not work, since it will place the DOCKER-USER chain after other rules: And so it will not receive those packets.
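As an added illustration (written for this page, not libnetwork code), a small Go model of a FORWARD chain in which some other component has inserted a rule above the Docker jump: `EnsureByRecreate` reproduces the -D/-I sequence and records the window in which the `DOCKER-USER` jump is absent, while `EnsureByCheck` reproduces the proposed -C/-I sequence, which has no window but leaves an already-present jump where it sits, the ordering concern raised in the description and in the follow-up comment above. Chain contents are constructed.

```go
package main

// Chain is a toy model of an iptables chain: rules in match order, index 0 first.
type Chain []string

// Position returns the index of rule in the chain, or -1 if it is absent.
func (c Chain) Position(rule string) int {
	for i, r := range c {
		if r == rule {
			return i
		}
	}
	return -1
}

// Check mimics `iptables -C`: report whether the rule is present anywhere.
func (c Chain) Check(rule string) bool { return c.Position(rule) >= 0 }

// Insert mimics `iptables -I CHAIN <rule>` with no position given: prepend.
func (c Chain) Insert(rule string) Chain { return append(Chain{rule}, c...) }

// Delete mimics `iptables -D`: drop the first matching rule, if any (copying, not mutating).
func (c Chain) Delete(rule string) Chain {
	out := make(Chain, 0, len(c))
	for i, r := range c {
		if r == rule {
			return append(out, c[i+1:]...)
		}
		out = append(out, r)
	}
	return out
}

// EnsureByRecreate is the pre-PR sequence (-D, then -I): the jump ends up on
// top again, but between the two calls it is absent, so DOCKER-USER rules are
// not applied to forwarded packets during that window.
func EnsureByRecreate(c Chain, rule string) (result Chain, absentWindow bool) {
	c = c.Delete(rule)
	absentWindow = !c.Check(rule)
	return c.Insert(rule), absentWindow
}

// EnsureByCheck is the proposed sequence (-C, then -I only if missing): no
// window, but a jump that is already present keeps whatever position it has.
func EnsureByCheck(c Chain, rule string) (result Chain, absentWindow bool) {
	if c.Check(rule) {
		return c, false
	}
	return c.Insert(rule), false
}
```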