
Commit 7ae0a74

[CNI][Fix] Make iptable calls idempotent for swift podsubnet scenario (#1795)
* cns cilium
* make swift iptable calls idempotent
1 parent 04a3d29 commit 7ae0a74


1 file changed

+22
-8
lines changed


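--- a/cni/network/invoker_cns.go
+++ b/cni/network/invoker_cns.go
@@ -183,16 +183,30 @@ func setHostOptions(ncSubnetPrefix *net.IPNet, options map[string]interface{}, i
 snatPrimaryIPJump := fmt.Sprintf("%s --to %s", iptables.Snat, info.ncPrimaryIP)
 // we need to snat IMDS traffic to node IP, this sets up snat '--to'
 snatHostIPJump := fmt.Sprintf("%s --to %s", iptables.Snat, info.hostPrimaryIP)
-options[network.IPTablesKey] = []iptables.IPTableEntry{
-iptables.GetCreateChainCmd(iptables.V4, iptables.Nat, iptables.Swift),
-iptables.GetAppendIptableRuleCmd(iptables.V4, iptables.Nat, iptables.Postrouting, "", iptables.Swift),
-// add a snat rules to primary NC IP for DNS
-iptables.GetInsertIptableRuleCmd(iptables.V4, iptables.Nat, iptables.Swift, azureDNSUDPMatch, snatPrimaryIPJump),
-iptables.GetInsertIptableRuleCmd(iptables.V4, iptables.Nat, iptables.Swift, azureDNSTCPMatch, snatPrimaryIPJump),
-// add a snat rule to node IP for IMDS http traffic
-iptables.GetInsertIptableRuleCmd(iptables.V4, iptables.Nat, iptables.Swift, azureIMDSMatch, snatHostIPJump),
+
+var iptableCmds []iptables.IPTableEntry
+if !iptables.ChainExists(iptables.V4, iptables.Nat, iptables.Swift) {
+iptableCmds = append(iptableCmds, iptables.GetCreateChainCmd(iptables.V4, iptables.Nat, iptables.Swift))
+}
+
+if !iptables.RuleExists(iptables.V4, iptables.Nat, iptables.Postrouting, "", iptables.Swift) {
+iptableCmds = append(iptableCmds, iptables.GetAppendIptableRuleCmd(iptables.V4, iptables.Nat, iptables.Postrouting, "", iptables.Swift))
+}
+
+if !iptables.RuleExists(iptables.V4, iptables.Nat, iptables.Swift, azureDNSUDPMatch, snatPrimaryIPJump) {
+iptableCmds = append(iptableCmds, iptables.GetInsertIptableRuleCmd(iptables.V4, iptables.Nat, iptables.Swift, azureDNSUDPMatch, snatPrimaryIPJump))
 }
 
+if !iptables.RuleExists(iptables.V4, iptables.Nat, iptables.Swift, azureDNSTCPMatch, snatPrimaryIPJump) {
+iptableCmds = append(iptableCmds, iptables.GetInsertIptableRuleCmd(iptables.V4, iptables.Nat, iptables.Swift, azureDNSTCPMatch, snatPrimaryIPJump))
+}
+
+if !iptables.RuleExists(iptables.V4, iptables.Nat, iptables.Swift, azureIMDSMatch, snatHostIPJump) {
+iptableCmds = append(iptableCmds, iptables.GetInsertIptableRuleCmd(iptables.V4, iptables.Nat, iptables.Swift, azureIMDSMatch, snatHostIPJump))
+}
+
+options[network.IPTablesKey] = iptableCmds
+
 return nil
 }
 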