
Comparing changes

base repository: containernetworking/plugins
base: v1.8.0
head repository: containernetworking/plugins
compare: v1.9.0
  • 4 commits
  • 5 files changed
  • 3 contributors

Commits on Sep 29, 2025

  1. Fix file exists error in dummy cni

    When the root net ns has "eth0", dummy CNI returns error "failed to
    create dummy: file exists"
    
    The fix is to create the dummy interface directly in the pod net ns
    
    Signed-off-by: Yuan Liu <liuyuan@google.com>
    liuyuan10 authored and squeed committed Sep 29, 2025
    85daca7

Commits on Oct 2, 2025

  1. Ignore settling with down state since it will never settle

    Signed-off-by: Balazs Nemeth <bnemeth@redhat.com>
    bn222 authored and Marcelo Guerrero Viveros committed Oct 2, 2025
    372953d

Commits on Nov 13, 2025

  1. portmap: fix CHECK for nftables backend

    Fixes 01a94e1
    
    Signed-off-by: Etienne Champetier <e.champetier@ateme.com>
    champtar authored and Marcelo Guerrero Viveros committed Nov 13, 2025
    8ee59c6
  2. portmap: ensure nftables backend only intercept local traffic

    portmap iptables backend uses `-m addrtype --dst-type LOCAL`
    and a common chain (CNI-HOSTPORT-DNAT) for both hostPort and hostIP/hostPort.
    
    Before this commit, nftables backend was using 2 separate chains,
    `hostip_hostports` and `hostports`. The goal was to avoid using
    `fib daddr type local` before we jump to `hostip_hostports`,
    but this is a behavior change compared to iptables backend,
    and a security issue (hostIP: 1.1.1.1 / hostPort: 53).
    Also while switching from input to prerouting hook, we forgot to
    add the fib lookup for `hostports`, rendering the nftables backend half broken.
    
    To allow transparent upgrades and avoid running the fib lookup twice,
    we use an intermediate chain (`hostports_all`)
    ```
    chain hostports_all {
        jump hostip_hostports
        jump hostports
    }
    ```
    
    Long-term we want to remove `hostip_hostports`,
    so all new rules are created in the `hostports` chain.
    
    We can't use implicit chains (`jump { jump hostip_hostports; jump hostports }`)
    as it's not supported by knftables.Fake yet.
    
    Fixes 9296c5f
    Fixes 01a94e1
    
    Signed-off-by: Etienne Champetier <e.champetier@ateme.com>
    champtar authored and Marcelo Guerrero Viveros committed Nov 13, 2025
    9b3772e
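
The chain layout described in the last commit message, as a simplified Python model added here for illustration (it is not code from the plugin or from nftables). The addresses, mappings and function names are constructed assumptions; the membership test on `LOCAL_ADDRS` stands in for `fib daddr type local`.

```python
from ipaddress import ip_address

# Constructed sample data: addresses assigned to this host.
LOCAL_ADDRS = {ip_address("192.0.2.10"), ip_address("127.0.0.1")}
# Constructed mappings: (hostIP or None, hostPort, container target).
MAPPINGS = [
    ("1.1.1.1", 53, "10.88.0.5:53"),  # hostIP that this host does not own
    (None, 8080, "10.88.0.6:80"),     # plain hostPort
]

def hostip_hostports(daddr, dport):
    """Rules matching on destination address and port."""
    for host_ip, port, target in MAPPINGS:
        if host_ip and ip_address(host_ip) == daddr and port == dport:
            return target
    return None

def hostports(daddr, dport):
    """Rules matching on destination port only."""
    for host_ip, port, target in MAPPINGS:
        if host_ip is None and port == dport:
            return target
    return None

def hostports_all(daddr, dport):
    """Intermediate chain: jump hostip_hostports, then jump hostports."""
    return hostip_hostports(daddr, dport) or hostports(daddr, dport)

def prerouting_before(daddr, dport):
    """Earlier state as described: both chains reached with no fib lookup."""
    return hostip_hostports(daddr, dport) or hostports(daddr, dport)

def prerouting_after(daddr, dport):
    """After the fix: one locality check, then the intermediate chain."""
    if daddr not in LOCAL_ADDRS:  # stands in for `fib daddr type local`
        return None
    return hostports_all(daddr, dport)

def dnat(prerouting, dst, dport):
    """Return the DNAT target chosen for a packet, or None if untouched."""
    return prerouting(ip_address(dst), dport)
```

In this model, traffic to `1.1.1.1:53` or to port 8080 on another host is rewritten by `prerouting_before` and left alone by `prerouting_after`, while traffic to the host's own address on port 8080 is still mapped.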