Store the relevant applied config part for later to extract the rule to
delete from there instead of having to list the ruleset. This is much
faster especially with large rulesets.
Signed-off-by: Phil Sutter <psutter@redhat.com>
This go-nft version allows its users to only read particular
tables/chains when invoking `ReadConfig`, instead of the entire ruleset.
This will make deleting rules from a large ruleset faster, thus speeding
up CNI DELs.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2175041
Signed-off-by: Miguel Duarte Barroso <mdbarroso@redhat.com>
The new macspoofchk field is added to the bridge plugin to support
anti-mac-spoofing.
When the parameter is enabled, traffic is limited to the mac addresses
of the container interface (the veth peer that is placed in the
container ns).
Any traffic that exits the pod is checked against the source mac address
that is expected. If the mac address is different, the frames are
dropped.
The implementation is using nftables and should only be used on nodes
that support it.
Signed-off-by: Edward Haas <edwardh@redhat.com>
