fix: clean up unused iptables chains not being deleted on container r…#4835
Merged
AkihiroSuda merged 1 commit intocontainerd:mainfrom Apr 22, 2026
Merged
Conversation
Member
Author
|
Checking the CI Logs, It appears that this fix has prevented builds when haytok@lima-haytok:/Users/haytok/workspace/github.com/haytok/nerdctl$ GOOS=freebsd go build ./...
# github.com/containernetworking/plugins/pkg/netlinksafe
/home/haytok.linux/go/pkg/mod/github.com/containernetworking/plugins@v1.9.1/pkg/netlinksafe/netlink.go:58:42: undefined: netlink.ErrDumpInterrupted
/home/haytok.linux/go/pkg/mod/github.com/containernetworking/plugins@v1.9.1/pkg/netlinksafe/netlink.go:66:28: undefined: netlink.ErrDumpInterrupted
/home/haytok.linux/go/pkg/mod/github.com/containernetworking/plugins@v1.9.1/pkg/netlinksafe/netlink.go:159:40: undefined: nl.BridgeVlanInfo
/home/haytok.linux/go/pkg/mod/github.com/containernetworking/plugins@v1.9.1/pkg/netlinksafe/netlink.go:161:27: undefined: nl.BridgeVlanInfo
/home/haytok.linux/go/pkg/mod/github.com/containernetworking/plugins@v1.9.1/pkg/netlinksafe/netlink.go:163:23: undefined: netlink.BridgeVlanList
/home/haytok.linux/go/pkg/mod/github.com/containernetworking/plugins@v1.9.1/pkg/netlinksafe/netlink.go:196:24: undefined: netlink.QdiscList
/home/haytok.linux/go/pkg/mod/github.com/containernetworking/plugins@v1.9.1/pkg/netlinksafe/netlink.go:207:25: h.Handle.QdiscList undefined (type *netlink.Handle has no field or method QdiscList)
/home/haytok.linux/go/pkg/mod/github.com/containernetworking/plugins@v1.9.1/pkg/netlinksafe/netlink.go:218:27: undefined: netlink.LinkGetProtinfo
/home/haytok.linux/go/pkg/mod/github.com/containernetworking/plugins@v1.9.1/pkg/netlinksafe/netlink.go:229:28: h.Handle.LinkGetProtinfo undefined (type *netlink.Handle has no field or method LinkGetProtinfo)
/home/haytok.linux/go/pkg/mod/github.com/containernetworking/plugins@v1.9.1/pkg/netlinksafe/netlink.go:240:24: undefined: netlink.RuleListFiltered
/home/haytok.linux/go/pkg/mod/github.com/containernetworking/plugins@v1.9.1/pkg/netlinksafe/netlink.go:240:24: too many errorsSo, I'm investigating workarounds. |
haytok
force-pushed
the
delete-chains-on-nat-table
branch
2 times, most recently
from
ca25d3a to
9982816
Compare
sathiraumesh
approved these changes
Apr 10, 2026
Member
|
Failing https://github.com/containerd/nerdctl/actions/runs/24197307638/job/71240723501?pr=4835 |
Member
Author
|
Thanks for checking and retrying CI. Oh ... I tried running the process performed in CI locally as shown below, but I couldn't reproduce the issue. Since this fix and the failing test ( $ sudo nerdctl build \
-t test-integration-rootless \
--target test-integration-rootless .
$ sudo nerdctl run -t --rm --privileged test-integration-rootless \
/test-integration-rootless.sh ./hack/test-integration.sh \
-test.only-flaky=false \
-test.target=nerdctl.gomodjail \
'-test.run=TestLogsFollowNoExtraneousLineFeed\|TestLogsWithoutNewlineOrEOF'
$ sudo nerdctl run -t --rm --privileged test-integration-rootless \
/test-integration-rootless.sh ./hack/test-integration.sh \
-test.only-flaky=false \
-test.target=nerdctl.gomodjailI'll look into it further. |
Member
|
Can you try rebasing to see if it works? |
…emoval
When publishing a container's port(s) to the host and removeing the
container, there are some iptables chains that are not deleted, as shown
below:
```bash
$ sudo nerdctl run -d --name nginx -p 8080:80 nginx
81cc6b08527975ef8bf151b1460ead6a3d767310a7513d306a4bbe19f61fe6a8
$ ID=$(echo -n "bridgedefault-$(sudo nerdctl ps -q --no-trunc --filter=name=nginx)" | sha512sum | awk '{print substr($1, 1, 24)}')
$ sudo iptables -t nat -S | grep $ID
-N CNI-5e9207ffbe238a4b386cd5bd
-A POSTROUTING -s 10.4.0.156/32 -m comment --comment "name: \"bridge\" id: \"default-81cc6b08527975ef8bf151b1460ead6a3d767310a7513d306a4bbe19f61fe6a8\"" -j CNI-5e9207ffbe238a4b386cd5bd
-A CNI-5e9207ffbe238a4b386cd5bd -d 10.4.0.0/24 -m comment --comment "name: \"bridge\" id: \"default-81cc6b08527975ef8bf151b1460ead6a3d767310a7513d306a4bbe19f61fe6a8\"" -j ACCEPT
-A CNI-5e9207ffbe238a4b386cd5bd ! -d 224.0.0.0/4 -m comment --comment "name: \"bridge\" id: \"default-81cc6b08527975ef8bf151b1460ead6a3d767310a7513d306a4bbe19f61fe6a8\"" -j MASQUERADE
$ sudo nerdctl rm -f nginx
nginx
$ sudo iptables -t nat -S | grep $ID
-N CNI-5e9207ffbe238a4b386cd5bd
$ sudo iptables -L -nv -t nat | grep $ID -3
Chain CNI-5cd4851e431cb9d7ef1a143b (0 references)
pkts bytes target prot opt in out source destination
Chain CNI-5e9207ffbe238a4b386cd5bd (0 references)
pkts bytes target prot opt in out source destination
Chain CNI-5fa88ae608b5a4cfbe76c33d (0 references)
```
Unused iptables chains should be deleted. Therefore, this PR makes a
change so that the relevant iptables chains are deleted when a container
is removed.
Signed-off-by: Hayato Kiwata <dev@haytok.jp>
haytok
force-pushed
the
delete-chains-on-nat-table
branch
from
9982816 to
4f71951
Compare
Member
Author
|
Thansk for checking, I rebased and force-pushed. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
…emoval
When publishing a container's port(s) to the host and removeing the container, there are some iptables chains that are not deleted, as shown below:
Unused iptables chains should be deleted. Therefore, this PR makes a change so that the relevant iptables chains are deleted when a container is removed.