ITQC/containernetworking-plugins
24
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 34 Wiki Activity

bridge, spoof check: remove drop rule index

Browse Source 
Rules are appendend by default, thus using an index is redundant.
Using an index also requires the full NFT cache, which causes a CNI ADD
to be extremely slow.

Signed-off-by: Miguel Duarte Barroso <mdbarroso@redhat.com>
This commit is contained in:
Miguel Duarte Barroso 2023-03-29 17:02:38 +02:00
parent 63235a2531
commit cac8230e7c
2 changed files with 0 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
pkg/link/spoofcheck.go
View File

@ -195,12 +195,10 @@ func (sc *SpoofChecker) matchMacRule(chain string) *schema.Rule {
} }
func (sc *SpoofChecker) dropRule(chain string) *schema.Rule { func (sc *SpoofChecker) dropRule(chain string) *schema.Rule {
macRulesIndex := nft.NewRuleIndex()
return &schema.Rule{ return &schema.Rule{
Family: schema.FamilyBridge, Family: schema.FamilyBridge,
Table: natTableName, Table: natTableName,
Chain: chain, Chain: chain,
Index: macRulesIndex.Next(),
Expr: []schema.Statement{ Expr: []schema.Statement{
{Verdict: schema.Verdict{SimpleVerdict: schema.SimpleVerdict{Drop: true}}}, {Verdict: schema.Verdict{SimpleVerdict: schema.SimpleVerdict{Drop: true}}},
}, },

1
pkg/link/spoofcheck_test.go
View File

@ -254,7 +254,6 @@ func assertExpectedRulesInSetupConfig(c configurerStub) {
"comment":"macspoofchk-container99-net1"}}, "comment":"macspoofchk-container99-net1"}},
{"rule":{"family":"bridge","table":"nat","chain":"cni-br-iface-container99-net1-mac", {"rule":{"family":"bridge","table":"nat","chain":"cni-br-iface-container99-net1-mac",
"expr":[{"drop":null}], "expr":[{"drop":null}],
"index":0,
"comment":"macspoofchk-container99-net1"}} "comment":"macspoofchk-container99-net1"}}
]}` ]}`
ExpectWithOffset(1, string(jsonConfig)).To(MatchJSON(expectedConfig)) ExpectWithOffset(1, string(jsonConfig)).To(MatchJSON(expectedConfig))