From c71c500d1b6eca24db85f4b3b8a2d411e72d2d98 Mon Sep 17 00:00:00 2001
From: Francois Prowse
Date: Wed, 2 Apr 2025 08:15:25 +1000
Subject: [PATCH] Update bridge.go

Port Isolation of an interface in the Linux bridge is only supported by a subset of interfaces. This code change checks that the interface is of type veth, vnet or tap before attempting to isolate the interface to the bridge. The existing code would try to isolate any interface type with no checking and would easily cause an error.
---
 plugins/main/bridge/bridge.go | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/plugins/main/bridge/bridge.go b/plugins/main/bridge/bridge.go
index 056a6983f..ba2ba7618 100644
--- a/plugins/main/bridge/bridge.go
+++ b/plugins/main/bridge/bridge.go
@@ -24,6 +24,7 @@ import (
 "sort"
 "syscall"
 "time"
+ "strings"

 "github.com/vishvananda/netlink"

@@ -456,9 +457,15 @@ func setupVeth(
 return nil, nil, fmt.Errorf("failed to setup hairpin mode for %v: %v", hostVeth.Attrs().Name, err)
 }

- // set isolation mode
- if err = netlink.LinkSetIsolated(hostVeth, portIsolation); err != nil {
- return nil, nil, fmt.Errorf("failed to set isolated on for %v: %v", hostVeth.Attrs().Name, err)
+ if portIsolation {
+ name := hostVeth.Attrs().Name
+ if strings.HasPrefix(name, "veth") || strings.HasPrefix(name, "vnet") || strings.HasPrefix(name, "tap") {
+ if err = netlink.LinkSetIsolated(hostVeth, true); err != nil {
+ fmt.Fprintf(os.Stderr, "[WARN] Failed to set isolated on %s: %v\n", name, err)
+ } else {
+ fmt.Fprintf(os.Stderr, "[DEBUG] Isolation set on %s\n", name)
+ }
+ }
 }

 if (vlanID != 0 || len(vlans) > 0) && !preserveDefaultVlan {
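Review bot: The new `"strings"` import in the first hunk is placed after `"time"`, which breaks the sorted order gofmt keeps within an import group; it belongs between `"sort"` and `"syscall"`. Running gofmt (or goimports) on the file before committing fixes the ordering.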
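Review bot: With `portIsolation` set, the new block in setupVeth can report success while the port is left un-isolated: a `LinkSetIsolated` failure is only printed to stderr, and a host interface whose name does not start with `veth`, `vnet` or `tap` skips the call with no message at all. Port isolation is a containment setting an operator turns on deliberately, so when it cannot be applied the ADD should fail as it did before, rather than attach the port and leave a warning in a log that may never be read. The name prefix is also only a proxy for the link type; if a gate is really needed, `hostVeth.Type()` reports the actual kind, and an unsupported kind should be rejected rather than skipped. The `[DEBUG]` line on every successful ADD is stderr noise and can be dropped. setupVeth's body starts and ends outside the hunk.

```go
	if portIsolation {
		// Isolation was explicitly requested: fail the ADD rather than
		// attach a port that is not isolated.
		if err = netlink.LinkSetIsolated(hostVeth, true); err != nil {
			return nil, nil, fmt.Errorf("failed to set isolated on for %v: %v", hostVeth.Attrs().Name, err)
		}
	}
```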