Only check or del ipv6 when an IPv6 is configured

Signed-off-by: Michael Cambria <mccv1r0@gmail.com>
containernetworking · Jan 27, 2023 · 6bb1fa2 · 6bb1fa2
1 parent c4d24e8
commit 6bb1fa2
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 3 deletions.
diff --git a/plugins/meta/portmap/main.go b/plugins/meta/portmap/main.go
@@ -127,12 +127,12 @@ func cmdDel(args *skel.CmdArgs) error {
 	}
 
 	netConf.ContainerID = args.ContainerID
-
 	// We don't need to parse out whether or not we're using v6 or snat,
 	// deletion is idempotent
 	if err := unforwardPorts(netConf); err != nil {
 		return err
 	}
+
 	return nil
 }
 

diff --git a/plugins/meta/portmap/portmap.go b/plugins/meta/portmap/portmap.go
@@ -117,11 +117,22 @@ func forwardPorts(config *PortMapConf, containerNet net.IPNet) error {
 }
 
 func checkPorts(config *PortMapConf, containerNet net.IPNet) error {
+	isV6 := (containerNet.IP.To4() == nil)
 	dnatChain := genDnatChain(config.Name, config.ContainerID)
 	fillDnatRules(&dnatChain, config, containerNet)
 
-	ip4t, err4 := maybeGetIptables(false)
-	ip6t, err6 := maybeGetIptables(true)
+	// check is called for each address, not once for all addresses
+	var ip4t *iptables.IPTables
+	var err4 error
+	var ip6t *iptables.IPTables
+	var err6 error
+
+	if isV6 {
+		ip6t, err6 = maybeGetIptables(true)
+	} else {
+		ip4t, err4 = maybeGetIptables(false)
+	}
+
 	if ip4t == nil && ip6t == nil {
 		err := fmt.Errorf("neither iptables nor ip6tables is usable")
 		err = fmt.Errorf("%v, (iptables) %v", err, err4)