in cmd/egress-cni-plugin/egressContext.go [285:342]
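// cmdDelEgress removes the egress SNAT iptables chain/rules that were
// installed for this container's egress IP, for a single IP family.
//
// ipv4 selects the family: true uses iptables and AF_INET, false uses
// ip6tables and AF_INET6.
//
// This is a CNI DEL path, so it is best-effort: once an iptables handle is
// available the function always returns nil and every later failure is only
// logged. The sole returned error is the inability to create the
// iptables/ip6tables handle, because without it nothing can be removed.
//
// The container's addresses are listed from inside the container network
// namespace (ec.NsPath). If the namespace cannot be entered, the link is
// missing, or listing fails, no SNAT entries are removed; each of those
// conditions is logged so a chain left behind on the host can be traced
// back to this call rather than disappearing silently.
func (ec *egressContext) cmdDelEgress(ipv4 bool) (err error) {
	protocol := iptables.ProtocolIPv4
	ipFamily := netlink.FAMILY_V4
	if !ipv4 {
		protocol = iptables.ProtocolIPv6
		ipFamily = netlink.FAMILY_V6
	}

	if ec.IPTablesIface == nil {
		if ec.IPTablesIface, err = ec.IptCreator(protocol); err != nil {
			ec.Log.Error("command iptables not found")
			// without iptables or ip6tables, chain/rules could not be removed
			return err
		}
	}

	var contIPAddrs []netlink.Addr
	if ec.NsPath != "" {
		// DelLinkByNameAddr would delete the link and hand back its IPs, but it
		// skips addresses that are not global unicast / private, which excludes
		// the 169.254.0.0/16 range used for the v4 egress IP. List manually.
		nsErr := ec.Ns.WithNetNSPath(ec.NsPath, func(_ ns.NetNS) error {
			link, linkErr := ec.Link.LinkByName(ec.NetConf.IfName)
			if linkErr != nil {
				// A missing link is expected on a repeated DEL; anything else
				// deserves a log line, but neither aborts the cleanup.
				if !cniutils.IsLinkNotFoundError(linkErr) {
					ec.Log.Errorf("failed to get container link by name %s: %v", ec.NetConf.IfName, linkErr)
				}
				return nil
			}
			var listErr error
			contIPAddrs, listErr = ec.Link.AddrList(link, ipFamily)
			if listErr != nil {
				ec.Log.Errorf("failed to get IP addresses for link %s: %v", ec.NetConf.IfName, listErr)
			}
			// Failures in here are already logged; returning nil keeps nsErr
			// reserved for failures to enter the namespace itself.
			return nil
		})
		if nsErr != nil {
			// Typically the netns is already gone. Nothing could be listed, so
			// any SNAT chain for this container stays in place; make that
			// visible instead of dropping the error.
			ec.Log.Errorf("failed to enter network namespace %s: %v", ec.NsPath, nsErr)
		}
	}

	for _, ipAddr := range contIPAddrs {
		// v4 egress uses a link-local IPv4 address; v6 egress uses a
		// unique-local IPv6 address, which net.IP.IsGlobalUnicast reports as
		// global unicast, hence that check for the v6 side.
		isV4Egress := ipv4 && ipAddr.IP.To4() != nil && ipAddr.IP.IsLinkLocalUnicast()
		isV6Egress := !ipv4 && ipAddr.IP.To4() == nil && ipAddr.IP.IsGlobalUnicast()
		if !isV4Egress && !isV6Egress {
			continue
		}
		if delErr := snat.Del(ec.IPTablesIface, ipAddr.IP, ec.SnatChain, ec.SnatComment); delErr != nil {
			ec.Log.Errorf("failed to remove iptables chain %s: %v", ec.SnatChain, delErr)
			continue
		}
		ec.Log.Infof("successfully removed iptables chain %s", ec.SnatChain)
	}

	// Best-effort teardown: individual removal failures were logged above and
	// must not fail the CNI DEL.
	return nil
}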