mirror of
https://github.com/docker/cli.git
synced 2026-01-13 18:22:35 +03:00
529c0891e7569945d4306c96f5b436dafe0d3471
When a container was being destroyed it was possible to have flows in conntrack left behind on the host. If a flow is present in the conntrack table, the packet processing will skip the POSTROUTING table of iptables and will use the information in conntrack to do the translation. For this reason it is possible that long-lived flows created towards a container that is destroyed will actually affect new flows incoming to the host, creating erroneous conditions where traffic cannot reach new containers.

The fix takes care of cleaning them up when a container is destroyed. The test of this commit is actually reproducing the condition where a UDP flow is established towards a container that is then destroyed. The test verifies that the flow established is gone after the container is destroyed.

Signed-off-by: Flavio Crisciani <flavio.crisciani@docker.com>
Upstream-commit: 1c4286bcffcdc6668f84570a2754c78cccbbf7e1
Component: engine
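The leftover-flow condition described in the commit message can be checked from the host. The following is an added example, not code from this commit or from Docker: it scans `conntrack -L` style lines for entries whose reply-side source is a bridge-subnet address that no running container holds. The sample lines, the 172.17.0.0/16 subnet and the function names are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Constructed sample in `conntrack -L` format, not captured from a real host.
// Assumption: 172.17.0.2 belonged to a destroyed container, 172.17.0.3 is live.
var sample = []string{
	"udp      17 170 src=192.0.2.10 dst=198.51.100.5 sport=40000 dport=8080 src=172.17.0.2 dst=192.0.2.10 sport=8080 dport=40000 [ASSURED] mark=0 use=1",
	"udp      17 25 src=192.0.2.11 dst=198.51.100.5 sport=40001 dport=8081 src=172.17.0.3 dst=192.0.2.11 sport=8081 dport=40001 mark=0 use=1",
	"tcp      6 431999 ESTABLISHED src=192.0.2.12 dst=198.51.100.5 sport=50000 dport=22 src=198.51.100.5 dst=192.0.2.12 sport=22 dport=50000 [ASSURED] mark=0 use=1",
}

// replySrc returns the protocol and the second src= field: the reply tuple's source, i.e. the translated backend.
func replySrc(line string) (proto, addr string, ok bool) {
	fields, seen := strings.Fields(line), 0
	for _, f := range fields {
		if strings.HasPrefix(f, "src=") {
			if seen++; seen == 2 {
				return fields[0], strings.TrimPrefix(f, "src="), true
			}
		}
	}
	return "", "", false
}

// StaleFlows lists flows that still translate to a bridge address with no live container behind it.
func StaleFlows(lines []string, bridgeCIDR string, live map[string]bool) ([]string, error) {
	_, bridge, err := net.ParseCIDR(bridgeCIDR)
	if err != nil {
		return nil, err
	}
	var stale []string
	for _, l := range lines {
		proto, addr, ok := replySrc(l)
		ip := net.ParseIP(addr)
		if !ok || ip == nil || !bridge.Contains(ip) || live[addr] {
			continue // unparsable, not a container flow, or container still running
		}
		stale = append(stale, proto+" "+addr)
	}
	return stale, nil
}

func main() {
	fmt.Println(StaleFlows(sample, "172.17.0.0/16", map[string]bool{"172.17.0.3": true}))
}
```

On a real host the input would come from `conntrack -L` and the live set from the addresses of the running containers.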
Description
The Docker command-line interface
Languages
Go: 92%
Shell: 5.5%
Dockerfile: 1.1%
Go-Checksums: 0.9%
Makefile: 0.3%
Other: 0.2%