libnetwork: Remove iptables nat rule when hairpin is disabled

When userland-proxy was turned off and on again, the iptables nat rule doing hairpinning wasn't properly removed. This fix makes sure that nat rule is removed whenever the bridge is torn down or hairpinning is disabled (through setting userland-proxy to true). Fixes moby#44721.
akerouanton · Jan 11, 2023 · f986369 · f986369
1 parent eaa7b49
commit f986369
Showing 1 changed file with 4 additions and 5 deletions.
diff --git a/libnetwork/drivers/bridge/setup_ip_tables.go b/libnetwork/drivers/bridge/setup_ip_tables.go
@@ -244,11 +244,10 @@ func setupIPTablesInternal(hostIP net.IP, bridgeIface string, addr *net.IPNet, i
 		}
 	}
 
-	// In hairpin mode, masquerade traffic from localhost
-	if hairpin {
-		if err := programChainRule(ipVersion, hpNatRule, "MASQ LOCAL HOST", enable); err != nil {
-			return err
-		}
+	// In hairpin mode, masquerade traffic from localhost. If hairpin is disabled or if we're tearing down
+	// that bridge, make sure the iptables rule isn't lying around.
+	if err := programChainRule(ipVersion, hpNatRule, "MASQ LOCAL HOST", enable && hairpin); err != nil {
+		return err
 	}
 
 	// Set Inter Container Communication.