From f986369c7b9758701bc373c82346ef522cd10f6a Mon Sep 17 00:00:00 2001
From: Albin Kerouanton
Date: Wed, 11 Jan 2023 01:58:19 +0100
Subject: [PATCH] libnetwork: Remove iptables nat rule when hairpin is disabled

When userland-proxy was turned off and on again, the iptables nat rule doing hairpinning wasn't properly removed. This fix makes sure that nat rule is removed whenever the bridge is torn down or hairpinning is disabled (through setting userland-proxy to true).

Fixes #44721.
---
 libnetwork/drivers/bridge/setup_ip_tables.go | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/libnetwork/drivers/bridge/setup_ip_tables.go b/libnetwork/drivers/bridge/setup_ip_tables.go
index 0591a1243c15d..bd2822e39cab9 100644
--- a/libnetwork/drivers/bridge/setup_ip_tables.go
+++ b/libnetwork/drivers/bridge/setup_ip_tables.go
@@ -244,11 +244,10 @@ func setupIPTablesInternal(hostIP net.IP, bridgeIface string, addr *net.IPNet, i
 }
 }
 
- // In hairpin mode, masquerade traffic from localhost
- if hairpin {
- if err := programChainRule(ipVersion, hpNatRule, "MASQ LOCAL HOST", enable); err != nil {
- return err
- }
+ // In hairpin mode, masquerade traffic from localhost. If hairpin is disabled or if we're tearing down
+ // that bridge, make sure the iptables rule isn't lying around.
+ if err := programChainRule(ipVersion, hpNatRule, "MASQ LOCAL HOST", enable && hairpin); err != nil {
+ return err
 }
 
 // Set Inter Container Communication.
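Review bot: With `enable && hairpin` the delete path of programChainRule now runs on every bridge setup where hairpin is off, not only on teardown, so it must be a no-op when the MASQ LOCAL HOST rule is absent; programChainRule is outside this hunk, so I cannot confirm it checks for the rule's existence before deleting, and if it does not, deleting a missing rule would fail and break setup with userland-proxy enabled. A comment on the call stating that dependency, e.g. `// relies on programChainRule being idempotent: removing an absent rule must not error`, would make the assumption visible to the next maintainer. A regression test that toggles hairpin on, off and on again and asserts the nat rule is gone after the off step would pin the fix for #44721. setupIPTablesInternal starts and ends outside this hunk.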