bridge, spoof check: remove drop rule index

Rules are appendend by default, thus using an index is redundant. Using an index also requires the full NFT cache, which causes a CNI ADD to be extremely slow. Signed-off-by: Miguel Duarte Barroso <mdbarroso@redhat.com>
containernetworking · Apr 4, 2023 · cac8230 · cac8230
1 parent 63235a2
commit cac8230
Show file tree

Hide file tree

Showing 2 changed files with 0 additions and 3 deletions.
diff --git a/pkg/link/spoofcheck.go b/pkg/link/spoofcheck.go
@@ -195,12 +195,10 @@ func (sc *SpoofChecker) matchMacRule(chain string) *schema.Rule {
 }
 
 func (sc *SpoofChecker) dropRule(chain string) *schema.Rule {
-	macRulesIndex := nft.NewRuleIndex()
 	return &schema.Rule{
 		Family: schema.FamilyBridge,
 		Table:  natTableName,
 		Chain:  chain,
-		Index:  macRulesIndex.Next(),
 		Expr: []schema.Statement{
 			{Verdict: schema.Verdict{SimpleVerdict: schema.SimpleVerdict{Drop: true}}},
 		},

diff --git a/pkg/link/spoofcheck_test.go b/pkg/link/spoofcheck_test.go
@@ -254,7 +254,6 @@ func assertExpectedRulesInSetupConfig(c configurerStub) {
                     "comment":"macspoofchk-container99-net1"}},
                 {"rule":{"family":"bridge","table":"nat","chain":"cni-br-iface-container99-net1-mac",
                     "expr":[{"drop":null}],
-                    "index":0,
                     "comment":"macspoofchk-container99-net1"}}
             ]}`
 	ExpectWithOffset(1, string(jsonConfig)).To(MatchJSON(expectedConfig))