libnetwork: Remove iptables nat rule when hairpin is disabled

When userland-proxy is turned off and on again, the iptables nat rule doing hairpinning isn't properly removed. This fix makes sure this nat rule is removed whenever the bridge is torn down or hairpinning is disabled (through setting userland-proxy to true). Unlike for ip masquerading and ICC, the `programChainRule()` call setting up the "MASQ LOCAL HOST" rule has to be called unconditionally because the hairpin parameter isn't restored from the driver store, but always comes from the driver config. Fixes moby#44721.
akerouanton · Jan 11, 2023 · 5f46fda · 5f46fda
1 parent eaa7b49
commit 5f46fda
Showing 1 changed file with 4 additions and 5 deletions.
diff --git a/libnetwork/drivers/bridge/setup_ip_tables.go b/libnetwork/drivers/bridge/setup_ip_tables.go
@@ -244,11 +244,10 @@ func setupIPTablesInternal(hostIP net.IP, bridgeIface string, addr *net.IPNet, i
 		}
 	}
 
-	// In hairpin mode, masquerade traffic from localhost
-	if hairpin {
-		if err := programChainRule(ipVersion, hpNatRule, "MASQ LOCAL HOST", enable); err != nil {
-			return err
-		}
+	// In hairpin mode, masquerade traffic from localhost. If hairpin is disabled or if we're tearing down
+	// that bridge, make sure the iptables rule isn't lying around.
+	if err := programChainRule(ipVersion, hpNatRule, "MASQ LOCAL HOST", enable && hairpin); err != nil {
+		return err
 	}
 
 	// Set Inter Container Communication.