If the pluging receives portMappings in runtimeConfig, the pluing will add a NAT policy for each port mapping on the generated endpoints.
It enables HostPort usage on Windows with win-bridge.
Signed-off-by: Vincent Boulineau <vincent.boulineau@datadoghq.com>
fix #463
link host veth pair to bridge, the Initial state
of port is BR_STATE_DISABLED and change to
BR_STATE_FORWARDING async.
Signed-off-by: honglichang <honglichang@tencent.com>
DEL can be called multiple times, a plugin should return no error if
the device is already removed, and other errors should be returned. It
was the opposite for vlan plugin. This PR fixes it.
Signed-off-by: Quan Tian <qtian@vmware.com>
If the Linux kernel is not built with the parameter
CONFIG_BRIDGE_VLAN_FILTERING, passing vlanFiltering in
the Bridge struct returns an error creating the bridge interface.
This happens even when no parameter is set on Vlan in the CNI config.
This change fixes the case where no Vlan parameter is configured on
CNI config file so the flag doesn't need to be included in the struct.
Signed-off-by: Carlos de Paula <me@carlosedp.com>
Add the following idempotent functions to iptables utils:
DeleteRule: idempotently delete an iptables rule
DeleteChain: idempotently delete an iptables chain
ClearChain: idempotently flush an iptables chain
Signed-off-by: Antonio Ojea <antonio.ojea.garcia@gmail.com>
It turns out that the portmap plugin is not idempotent if its
executed in parallel.
The errors are caused due to a race of different instantiations
deleting the chains.
This patch does that the portmap plugin doesn't fail if the
errors are because the chain doesn't exist on teardown.
Signed-off-by: Antonio Ojea <antonio.ojea.garcia@gmail.com>
Use a Describe container for the It code block of the
portmap port forward integration test.
Signed-off-by: Antonio Ojea <antonio.ojea.garcia@gmail.com>
Concurrent use of the `portmap` and `firewall` plugins can result in
errors during iptables chain creation:
- The `portmap` plugin has a time-of-check-time-of-use race where it
checks for existence of the chain but the operation isn't atomic.
- The `firewall` plugin doesn't check for existing chains and just
returns an error.
This commit makes both operations idempotent by creating the chain and
then discarding the error if it's caused by the chain already
existing. It also factors the chain creation out into `pkg/utils` as a
site for future refactoring work.
Signed-off-by: Tim Gross <tim@0x74696d.com>
This change sends gratuitous ARP when MAC address is changed to
let other devices to know the MAC address update.
Signed-off-by: Tomofumi Hayashi <tohayash@redhat.com>
This change introduce priorities for IPs input among CNI_ARGS,
'args' and runtimeConfig. Fix #399.
Signed-off-by: Tomofumi Hayashi <tohayash@redhat.com>
The CNI spec states that for DEL implementations, "when CNI_NETNS and/or
prevResult are not provided, the plugin should clean up as many resources as
possible (e.g. releasing IPAM allocations) and return a successful response".
This change results in the firewall plugin conforming to the spec by not
returning an error whenever the del method is not provided a prevResult.
Signed-off-by: Erik Sipsma <sipsma@amazon.com>
Previously, if an IPAM plugin provided DNS settings in the result to the PTP
plugin, those settings were always lost because the PTP plugin would always
provide its own DNS settings in the result even if the PTP plugin was not
configured with any DNS settings.
This was especially problematic when trying to use, for example, the host-local
IPAM plugin's support for retrieving DNS settings from a resolv.conf file on
the host. Before this change, those DNS settings were always lost when using the
PTP plugin and couldn't be specified as part of PTP instead because PTP does not
support parsing a resolv.conf file.
This change checks to see if any fields were actually set in the PTP plugin's
DNS settings and only overrides any previous DNS results from an IPAM plugin in
the case that settings actually were provided to PTP. In the case where no
DNS settings are provided to PTP, the DNS results of the IPAM plugin (if any)
are used instead.
Signed-off-by: Erik Sipsma <sipsma@amazon.com>
