From cac8230e7c1f60ea420345157371bf7cdbd42045 Mon Sep 17 00:00:00 2001
From: Miguel Duarte Barroso
Date: Wed, 29 Mar 2023 17:02:38 +0200
Subject: [PATCH] bridge, spoof check: remove drop rule index

Rules are appendend by default, thus using an index is redundant. Using an index also requires the full NFT cache, which causes a CNI ADD to be extremely slow.

Signed-off-by: Miguel Duarte Barroso
---
 pkg/link/spoofcheck.go | 2 --
 pkg/link/spoofcheck_test.go | 1 -
 2 files changed, 3 deletions(-)

diff --git a/pkg/link/spoofcheck.go b/pkg/link/spoofcheck.go
index 7ff4ad3c..6c1bd535 100644
--- a/pkg/link/spoofcheck.go
+++ b/pkg/link/spoofcheck.go
@@ -195,12 +195,10 @@ func (sc *SpoofChecker) matchMacRule(chain string) *schema.Rule {
 }
 
 func (sc *SpoofChecker) dropRule(chain string) *schema.Rule {
- macRulesIndex := nft.NewRuleIndex()
 return &schema.Rule{
 Family: schema.FamilyBridge,
 Table: natTableName,
 Chain: chain,
- Index: macRulesIndex.Next(),
 Expr: []schema.Statement{
 {Verdict: schema.Verdict{SimpleVerdict: schema.SimpleVerdict{Drop: true}}},
 },
diff --git a/pkg/link/spoofcheck_test.go b/pkg/link/spoofcheck_test.go
index a7ed7ee5..0ed8dde8 100644
--- a/pkg/link/spoofcheck_test.go
+++ b/pkg/link/spoofcheck_test.go
@@ -254,7 +254,6 @@ func assertExpectedRulesInSetupConfig(c configurerStub) {
 "comment":"macspoofchk-container99-net1"}},
 {"rule":{"family":"bridge","table":"nat","chain":"cni-br-iface-container99-net1-mac",
 "expr":[{"drop":null}],
- "index":0,
 "comment":"macspoofchk-container99-net1"}}
 ]}`
 ExpectWithOffset(1, string(jsonConfig)).To(MatchJSON(expectedConfig))