Serialize overlay filter plumbing
When plumbing overlay filter rules serialize this to make sure that multiple sandbox join or leave is not causing erroneous behavior while moving the RETURN rule in the predefined chains. Signed-off-by: Jana Radhakrishnan <mrjana@docker.com>
This commit is contained in:
Jana Radhakrishnan
parent
cfe5b1467e
commit
d6e596b3a0
|
|
@ -12,6 +12,13 @@ const globalChain = "DOCKER-OVERLAY"
|
|||
|
||||
var filterOnce sync.Once
|
||||
|
||||
var filterChan = make(chan struct{}, 1)
|
||||
|
||||
func filterWait() func() {
|
||||
filterChan <- struct{}{}
|
||||
return func() { <-filterChan }
|
||||
}
|
||||
|
||||
func chainExists(cname string) bool {
|
||||
if _, err := iptables.Raw("-L", cname); err != nil {
|
||||
return false
|
||||
|
|
@ -69,10 +76,14 @@ func setNetworkChain(cname string, remove bool) error {
|
|||
}
|
||||
|
||||
func addNetworkChain(cname string) error {
|
||||
defer filterWait()()
|
||||
|
||||
return setNetworkChain(cname, false)
|
||||
}
|
||||
|
||||
func removeNetworkChain(cname string) error {
|
||||
defer filterWait()()
|
||||
|
||||
return setNetworkChain(cname, true)
|
||||
}
|
||||
|
||||
|
|
@ -119,9 +130,13 @@ func setFilters(cname, brName string, remove bool) error {
|
|||
}
|
||||
|
||||
func addFilters(cname, brName string) error {
|
||||
defer filterWait()()
|
||||
|
||||
return setFilters(cname, brName, false)
|
||||
}
|
||||
|
||||
func removeFilters(cname, brName string) error {
|
||||
defer filterWait()()
|
||||
|
||||
return setFilters(cname, brName, true)
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in New Issue