Signed-off-by: Onur Filiz <ofiliz@users.noreply.github.com>

loopback: Fix ipv6 address checks

Signed-off-by: Bruce Ma <brucema19901024@gmail.com>

Signed-off-by: Bruce Ma <brucema19901024@gmail.com>

Signed-off-by: Bruce Ma <brucema19901024@gmail.com>

pkg/ip: use type cast instead of untrusty error message

ptp: remove some redundant lines

pkg/utils: sysctl package should use black-box testing

In case pciBusID contains pci address of the virtio device,
then lookup the net directory under virtio<id> directory.

Issue: containernetworking/plugins#320

Signed-off-by: Periyasamy Palanisamy <periyasamy.palanisamy@est.tech>

Make host-device to work with virtio net device

Signed-off-by: Bruce Ma <brucema19901024@gmail.com>

Add Michael Cambria per containernetworking/cni#751
Remove Stefan Junker per personal request
Update Casey's email to @redhat.com

Signed-off-by: Dan Williams <dcbw@redhat.com>

owners: updates for maintainer changes

The current ns package code is very careful about not leaving the calling
thread with the overridden namespace set, for example when origns.Set() fails.
This is achieved by starting a new green thread, locking its OS thread, and
never unlocking it. Which makes golang runtime to scrap the OS thread backing
the green thread after the go routine exits.

While this works, it's probably not as optimal: stopping and starting a new OS
thread is expensive and may be avoided if we unlock the thread after resetting
network namespace to the original. On the other hand, if resetting fails, it's
better to leave the thread locked and die.

While it won't work in all cases, we can still make an attempt to reuse the OS
thread when resetting the namespace succeeds. This can be achieved by unlocking
the thread conditionally to the namespace reset success.

Signed-off-by: Ihar Hrachyshka <ihrachys@redhat.com>

Unlock OS thread after netns is restored

Signed-off-by: root <timyinshi>

Signed-off-by: Bruce Ma <brucema19901024@gmail.com>

Signed-off-by: Bruce Ma <brucema19901024@gmail.com>

replace juju/errors because of CNCF license scan

Signed-off-by: ahenan <ahenan00@gmail.com>

fix #463
link host veth pair to bridge, the Initial state
of port is BR_STATE_DISABLED and change to
BR_STATE_FORWARDING async.

Signed-off-by: honglichang <honglichang@tencent.com>

Reset the route flag before moving the rule

check bridge's port state

If the pluging receives portMappings in runtimeConfig, the pluing will add a NAT policy for each port mapping on the generated endpoints.
It enables HostPort usage on Windows with win-bridge.

Signed-off-by: Vincent Boulineau <vincent.boulineau@datadoghq.com>

* Add support for `deviceID` runtime config attribute

Signed-off-by: Adrian Chiris <adrianc@mellanox.com>

The DNAT hairpin rule only allow the container itself to access the
ports it is exposing thru the host IP. Other containers in the same
subnet might also want to access this service via the host IP, so
apply this rule to the whole subnet instead of just for the container.

This is particularly useful with setups using a reverse proxy for
https. With such a setup connections between containers (for ex.
oauth2) have to downgrade to http, or need complex dns setup to make
use of the internal IP of the reverse proxy. On the other hand going
thru the host IP is easy as that is probably what the service name
already resolve to.

Signed-off-by: Alban Bedel <albeu@free.fr>
--
v2: Fixed the tests
v3: Updated iptables rules documentation in README.md
v4: Fixed the network addresses in README.md to match iptables output

win-bridge: add support for portMappings capability

portmap: Apply the DNAT hairpin to the whole subnet

A /64 mask was used which routed an entire cidr based on source,
not only the bound address.

Fixes #478

Signed-off-by: Lars Ekman <lars.g.ekman@est.tech>

plugins/meta/sbr: Adjusted ipv6 address mask to /128

modify the error url of windowscontainer

The interface plugins should have absolute control over their addressing
and routing.

Signed-off-by: Casey Callendrello <cdc@redhat.com>

ptp, bridge: disable accept_ra on the host-side interface

When trying to move a master and slave interface into a container it is not
possible without first bringing the interfaces down. This change ensures
that the interface is set to down prior to trying to move the interface
into the container. This matches the behaviour on moving an interface out
of the container.

Signed-off-by: cns <christopher.swindle@metaswitch.com>

This change sets the mac address if specified during the creation of the
macvlan interface. This is superior to setting it via the tuning plugin
because this ensures the mac address is set before an IP is set,
allowing a container to get a reserved IP address from DHCP.

Related #450

Signed-off-by: Clint Armstrong <clint@clintarmstrong.net>

macvlan: set mac address from args

host-device: Bring interfaces down before moving.

It may happen that you want to map a port only in one IP family.
It can be achieved using the unspecified IP address of the
corresponding IP family as HostIP i.e.:

podman run --rm --name some-nginx -d -p 0.0.0.0:8080:80 nginx

The problem is that current implementation considers the
unspecified address valid and appends it to the iptables rule:

-A CNI-DN-60380cb3197c5457ed6ba -s 10.88.0.0/16
-d 0.0.0.0/32 -p tcp -m tcp --dport 8080 -j CNI-HOSTPORT-SETMARK

This rule is not forwarding the traffic to the mapped port.

We should use the unspecified address only to discriminate the IP
family of the port mapping, but not use it to filter the dst.

Signed-off-by: Antonio Ojea <antonio.ojea.garcia@gmail.com>

portmap: don't use unspecified address as iptables rule destination

Updated "Notes" for minor fixes.

Update README.md

Signed-off-by: Aneesh Puttur <aneeshputtur@gmail.com>

Signed-off-by: Dan Williams <dcbw@redhat.com>

Fix handling of delay in acquiring lease with stp turned on

firewall: fix generate of admin chain comment

if the runtime is not passing portMappings in the runtimeConfig,
then DEL is a noop.

This solves performance issues, when the portmap plugin is
executed multiple times, holding the iptables lock, despite
it does not have anything to delete.

Signed-off-by: Antonio Ojea <aojea@redhat.com>

Document `CNI-ADMIN` chain usage as well as `iptablesAdminChainName`

Signed-off-by: Sameer Vohra <vohra.sam@gmail.com>

portmap should not perform deletions if not portMapping config received

Signed-off-by: Bruce Ma <brucema19901024@gmail.com>

firewall: fix some typos in docs

Signed-off-by: Sameer Vohra <vohra.sam@gmail.com>

Update firewall README.md

Signed-off-by: Bryan Boreham <bjboreham@gmail.com>

Add contact info

Signed-off-by: Dan Williams <dcbw@redhat.com>

Signed-off-by: Dan Williams <dcbw@redhat.com>

{
    "code": 4,
    "msg": "interface name contains / or : or whitespace characters"
}

Signed-off-by: Dan Williams <dcbw@redhat.com>

Bump Go version to 1.13 and 1.14

In GetCurrentNS, If there is a context-switch between
getCurrentThreadNetNSPath and GetNS, another goroutine may execute in
the original thread and change its network namespace, then the original
goroutine would get the updated network namespace, which could lead to
unexpected behavior, especially when GetCurrentNS is used to get the
host network namespace in netNS.Do.

The added test has a chance to reproduce it with "-count=50".

The patch fixes it by locking the thread in GetCurrentNS.

Signed-off-by: Quan Tian <qtian@vmware.com>

Fix race condition in GetCurrentNS

flannel: remove net conf file after DEL succeed