From 5f46fda62155b7795be97ad0d4108a7b8560572a Mon Sep 17 00:00:00 2001
From: Albin Kerouanton
Date: Wed, 11 Jan 2023 01:58:19 +0100
Subject: [PATCH] libnetwork: Remove iptables nat rule when hairpin is disabled
When userland-proxy is turned off and on again, the iptables nat rule doing hairpinning isn't properly removed. This fix makes sure this nat rule is removed whenever the bridge is torn down or hairpinning is disabled (through setting userland-proxy to true). Unlike for ip masquerading and ICC, the `programChainRule()` call setting up the "MASQ LOCAL HOST" rule has to be called unconditionally because the hairpin parameter isn't restored from the driver store, but always comes from the driver config. Fixes #44721.
---
 libnetwork/drivers/bridge/setup_ip_tables.go | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/libnetwork/drivers/bridge/setup_ip_tables.go b/libnetwork/drivers/bridge/setup_ip_tables.go
index 0591a1243c15d..bd2822e39cab9 100644
--- a/libnetwork/drivers/bridge/setup_ip_tables.go
+++ b/libnetwork/drivers/bridge/setup_ip_tables.go
@@ -244,11 +244,10 @@ func setupIPTablesInternal(hostIP net.IP, bridgeIface string, addr *net.IPNet, i
 }
 }
- // In hairpin mode, masquerade traffic from localhost
- if hairpin {
- if err := programChainRule(ipVersion, hpNatRule, "MASQ LOCAL HOST", enable); err != nil {
- return err
- }
+ // In hairpin mode, masquerade traffic from localhost. If hairpin is disabled or if we're tearing down
+ // that bridge, make sure the iptables rule isn't lying around.
+ if err := programChainRule(ipVersion, hpNatRule, "MASQ LOCAL HOST", enable && hairpin); err != nil {
+ return err
 }
 // Set Inter Container Communication.
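Review bot: The new comment above the programChainRule call says what the unconditional call does but not why it must stay unconditional; the reason given in the commit message — `hairpin` comes from driver config rather than being restored from the driver store, unlike the masquerade and ICC flags — belongs next to the call, e.g. `// Always program or remove this rule: hairpin is not persisted in the driver store, so teardown cannot rely on a stored value.` With `enable && hairpin` the removal path now runs on every non-hairpin bridge setup and teardown, so it is worth confirming that programChainRule tolerates an absent rule on delete rather than returning an error that would fail bridge setup; that behaviour is not visible in this hunk. setupIPTablesInternal starts and ends outside the hunk.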