networking: Ensure CNI iptables rules are appended to chain and not forced to be first

microadam · tgross · commit da27dafdf0f9 · 2021-04-15T10:11:15.000-04:00
diff --git a/client/allocrunner/networking_bridge_linux.go b/client/allocrunner/networking_bridge_linux.go
@@ -75,7 +75,7 @@ func (b *bridgeNetworkConfigurator) ensureForwardingRules() error {
 		return err
 	}
 
-	if err := ensureFirstChainRule(ipt, cniAdminChainName, b.generateAdminChainRule()); err != nil {
+	if err := appendChainRule(ipt, cniAdminChainName, b.generateAdminChainRule()); err != nil {
 		return err
 	}
 
@@ -105,12 +105,11 @@ func ensureChain(ipt *iptables.IPTables, table, chain string) error {
 	return err
 }
 
-// ensureFirstChainRule ensures the given rule exists as the first rule in the chain
-func ensureFirstChainRule(ipt *iptables.IPTables, chain string, rule []string) error {
+// appendChainRule adds the given rule to the chain
+func appendChainRule(ipt *iptables.IPTables, chain string, rule []string) error {
 	exists, err := ipt.Exists("filter", chain, rule...)
 	if !exists && err == nil {
-		// iptables rules are 1-indexed
-		err = ipt.Insert("filter", chain, 1, rule...)
+		err = ipt.Append("filter", chain, rule...)
 	}
 	return err
 }

Original file line number	Diff line number	Diff line change
`@@ -75,7 +75,7 @@ func (b *bridgeNetworkConfigurator) ensureForwardingRules() error {`
`75`	`75`	`return err`
`76`	`76`	`}`
`77`	`77`
`78`		`- if err := ensureFirstChainRule(ipt, cniAdminChainName, b.generateAdminChainRule()); err != nil {`
	`78`	`+ if err := appendChainRule(ipt, cniAdminChainName, b.generateAdminChainRule()); err != nil {`
`79`	`79`	`return err`
`80`	`80`	`}`
`81`	`81`
`@@ -105,12 +105,11 @@ func ensureChain(ipt *iptables.IPTables, table, chain string) error {`
`105`	`105`	`return err`
`106`	`106`	`}`
`107`	`107`
`108`		`-// ensureFirstChainRule ensures the given rule exists as the first rule in the chain`
`109`		`-func ensureFirstChainRule(ipt *iptables.IPTables, chain string, rule []string) error {`
	`108`	`+// appendChainRule adds the given rule to the chain`
	`109`	`+func appendChainRule(ipt *iptables.IPTables, chain string, rule []string) error {`
`110`	`110`	`exists, err := ipt.Exists("filter", chain, rule...)`
`111`	`111`	`if !exists && err == nil {`
`112`		`- // iptables rules are 1-indexed`
`113`		`- err = ipt.Insert("filter", chain, 1, rule...)`
	`112`	`+ err = ipt.Append("filter", chain, rule...)`
`114`	`113`	`}`
`115`	`114`	`return err`
`116`	`115`	`}`