| author | Paul Holzinger <pholzing@redhat.com> | 2024-09-20 18:19:02 +0200 |
|---|---|---|
| committer | Paul Holzinger <pholzing@redhat.com> | 2024-09-25 11:36:12 +0200 |
| commit | b497d6bfa6b37d21aa08fb2f9c396bf22b52a8f5 | |
| tree | 156873f11557d36e7ee42422ed4aecc2601118cf /test | |
| parent | 22b5110fbe2ee70331ffc8753a6338df2011439c | |
nftables: add dns dnat rule first
When a container has port 53 forwarded as well we also add dnat rules
for it. This means depending on the order the container dns traffic
might go to another container not aardvark-dns breaking container name
resolution.
The fix is to make sure to always insert the rule first.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Diffstat (limited to 'test')
-rw-r--r-- | test/250-bridge-nftables.bats | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/test/250-bridge-nftables.bats b/test/250-bridge-nftables.bats index 31e1091..02ea2f0 100644 --- a/test/250-bridge-nftables.bats +++ b/test/250-bridge-nftables.bats @@ -317,7 +317,8 @@ export NETAVARK_FW=nftables # check nftables run_in_host_netns nft list chain inet netavark NETAVARK-HOSTPORT-DNAT - assert "${lines[2]}" =~ "ip daddr 10.89.3.1 meta l4proto \{ tcp, udp \} th dport 53 dnat ip to 10.89.3.1:$dns_port" "DNS forward rule" + assert "${lines[2]}" =~ "ip6 daddr fd10:88:a::1 meta l4proto \{ tcp, udp \} th dport 53 dnat ip6 to \[fd10:88:a::1\]:$dns_port" "DNS forward rule ip6" + assert "${lines[3]}" =~ "ip daddr 10.89.3.1 meta l4proto \{ tcp, udp \} th dport 53 dnat ip to 10.89.3.1:$dns_port" "DNS forward rule ip4" # check aardvark config and running run_helper cat "$NETAVARK_TMPDIR/config/aardvark-dns/podman1" |
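Review bot: the new assertions pin the ip6 DNS DNAT rule to `${lines[2]}` and the ip4 rule to `${lines[3]}`, which is what makes the ordering fix testable, but nothing in the visible context says why those indices matter, so a later change that reorders the chain could "repair" the test by swapping indices without noticing the regression. Suggest a one-line comment above the two `assert` lines stating that the DNS dnat rules must stay at the top of NETAVARK-HOSTPORT-DNAT so that port-53 traffic to the gateway reaches aardvark-dns before any container port-forward rule can match. The commit message also describes the failure case as a container that itself forwards port 53, yet this hunk does not add such a container to the test; consider adding a case that publishes port 53 and repeats the same index checks, so the chain order is verified under the condition that originally broke name resolution.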