From 7dcd738d34e68a8ab3229c4e7f9ec5599abd00d6 Mon Sep 17 00:00:00 2001
From: Miguel Duarte Barroso
Date: Thu, 23 Mar 2023 17:35:19 +0100
Subject: [PATCH] bridge, spoofcheck: only read the prerouting chain on CNI delete

Signed-off-by: Miguel Duarte Barroso
---
 pkg/link/spoofcheck.go      | 12 ++++++++----
 pkg/link/spoofcheck_test.go |  2 +-
 2 files changed, 9 insertions(+), 5 deletions(-)

diff --git a/pkg/link/spoofcheck.go b/pkg/link/spoofcheck.go
index 6c1bd535..82487fe9 100644
--- a/pkg/link/spoofcheck.go
+++ b/pkg/link/spoofcheck.go
@@ -29,7 +29,7 @@ const (
 
 type NftConfigurer interface {
 	Apply(*nft.Config) error
-	Read() (*nft.Config, error)
+	Read(filterCommands ...string) (*nft.Config, error)
 }
 
 type SpoofChecker struct {
@@ -45,8 +45,8 @@ func (dnc defaultNftConfigurer) Apply(cfg *nft.Config) error {
 	return nft.ApplyConfig(cfg)
 }
 
-func (dnc defaultNftConfigurer) Read() (*nft.Config, error) {
-	return nft.ReadConfig()
+func (dnc defaultNftConfigurer) Read(filterCommands ...string) (*nft.Config, error) {
+	return nft.ReadConfig(filterCommands...)
 }
 
 func NewSpoofChecker(iface, macAddress, refID string) *SpoofChecker {
@@ -109,7 +109,7 @@ func (sc *SpoofChecker) Setup() error {
 // interface is removed.
 func (sc *SpoofChecker) Teardown() error {
 	ifaceChain := sc.ifaceChain()
-	currentConfig, ifaceMatchRuleErr := sc.configurer.Read()
+	currentConfig, ifaceMatchRuleErr := sc.configurer.Read(listChainBridgeNatPrerouting()...)
 	if ifaceMatchRuleErr == nil {
 		expectedRuleToFind := sc.matchIfaceJumpToChainRule(preRoutingBaseChainName, ifaceChain.Name)
 		// It is safer to exclude the statement matching, avoiding cases where a current statement includes
@@ -241,3 +241,7 @@ func ruleComment(id string) string {
 	const refIDPrefix = "macspoofchk-"
 	return refIDPrefix + id
 }
+
+func listChainBridgeNatPrerouting() []string {
+	return []string{"chain", "bridge", natTableName, preRoutingBaseChainName}
+}
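Review bot: The new variadic `filterCommands` parameter on `NftConfigurer.Read` carries no doc comment, and the name alone does not tell an implementer that the strings are nft list-command tokens (family, table, chain) rather than rule filters. I would add above the method: `// Read returns the current nft configuration. filterCommands, when given, are the` / `// "list ..." command tokens that narrow what is read (see listChainBridgeNatPrerouting).` Judging by the pass-through in defaultNftConfigurer.Read in the next hunk, an empty call still reads the whole ruleset, which is worth stating in the same comment so stubs and future implementations keep that contract.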
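Review bot: Narrowing the read in Teardown to the single `bridge nat PREROUTING` chain changes what a non-nil `ifaceMatchRuleErr` means: as far as I know, `nft list chain` reports an error when the named chain does not exist, whereas the previous full-ruleset read succeeded with an empty config on such a host, so the error branch is now taken whenever the base chain is absent (for example a delete after a partial or failed Setup). The rest of Teardown is outside the hunk, so I cannot see whether that branch still removes the per-interface chain or surfaces the error to the CNI delete. It would be worth a test driving the stub `Read` with an error for the chain-not-found case, and a comment on the call such as `// Read only the PREROUTING base chain; a read error here also covers "chain does not exist".`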
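Review bot: `listChainBridgeNatPrerouting` is undocumented and mixes the literal `"bridge"` family with the `natTableName` and `preRoutingBaseChainName` constants, so a reader needs to know nft's `list chain <family> <table> <chain>` syntax to see what the slice encodes. I would add `// listChainBridgeNatPrerouting returns the nft "list chain" tokens for the bridge-family nat PREROUTING base chain, so Read loads only that chain instead of the whole ruleset.` If the file already declares a constant for the bridge family (it is not visible in this hunk), using it here instead of the literal keeps the three tokens consistent with Setup.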
diff --git a/pkg/link/spoofcheck_test.go b/pkg/link/spoofcheck_test.go
index 0ed8dde8..f26aa6a6 100644
--- a/pkg/link/spoofcheck_test.go
+++ b/pkg/link/spoofcheck_test.go
@@ -288,7 +288,7 @@ func (a *configurerStub) Apply(c *nft.Config) error {
 	return nil
 }
 
-func (a *configurerStub) Read() (*nft.Config, error) {
+func (a *configurerStub) Read(_ ...string) (*nft.Config, error) {
 	if a.failReadConfig {
 		return nil, fmt.Errorf(errorReadText)
 	}