From 7b1413009fe96aa1b01fec1c79f3375ffdf3b20c Mon Sep 17 00:00:00 2001
From: Canwu Yao
Date: Tue, 23 May 2023 15:37:30 +0800
Subject: [PATCH] Disable iptables bridge forwarding on initialization

(cherry picked from commit 652162909d48f81d2759c49538e2ac42ecd75eb9)
---
 pkg/network/iface/bridge.go | 6 +-----
 pkg/network/vlan/vlan.go | 6 ++++++
 2 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/pkg/network/iface/bridge.go b/pkg/network/iface/bridge.go
index 6ff163d3..e54090fc 100644
--- a/pkg/network/iface/bridge.go
+++ b/pkg/network/iface/bridge.go
@@ -31,10 +31,6 @@ func NewBridge(name string) *Bridge {
 // Ensure bridge
 // set promiscuous mod default
 func (br *Bridge) Ensure() error {
-	if err := disableBridgeNF(); err != nil {
-		return fmt.Errorf("disable net.bridge.bridge-nf-call-iptables failed, error: %w", err)
-	}
-
 	if err := netlink.LinkAdd(br); err != nil && err != syscall.EEXIST {
 		return fmt.Errorf("add iface failed, error: %w, iface: %v", err, br)
 	}
@@ -67,7 +63,7 @@ func (br *Bridge) Ensure() error {
 	return br.Fetch()
 }
 
-func disableBridgeNF() error {
+func DisableBridgeNF() error {
 	return utils.EnsureSysctlValue(bridgeNFCallIptables, "0")
 }
 
diff --git a/pkg/network/vlan/vlan.go b/pkg/network/vlan/vlan.go
index 8687102b..e3534085 100644
--- a/pkg/network/vlan/vlan.go
+++ b/pkg/network/vlan/vlan.go
@@ -142,3 +142,9 @@ func (v *Vlan) Bridge() *iface.Bridge {
 func (v *Vlan) Uplink() *iface.Link {
 	return v.uplink
 }
+
+func init() {
+	if err := iface.DisableBridgeNF(); err != nil {
+		klog.Fatalf("disable net.bridge.bridge-nf-call-iptables failed, error: %v", err)
+	}
+}
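Review bot: After this hunk (*Bridge).Ensure no longer disables net.bridge.bridge-nf-call-iptables, so any caller of Ensure that does not also link pkg/network/vlan now gets a bridge whose forwarded traffic is still evaluated by iptables, and nothing in this package's documentation says the guarantee moved. The two-line comment above Ensure should state the new contract, e.g. `// Ensure creates the bridge if it does not already exist and applies its defaults; it no longer disables net.bridge.bridge-nf-call-iptables — callers that need that must call DisableBridgeNF themselves.` Ensure's body continues past the end of this hunk, so I cannot tell whether anything else in it depended on the sysctl being set first.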
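Review bot: DisableBridgeNF is now exported but has no doc comment, and a function that changes a host-wide sysctl deserves one stating what it changes and why. Suggested: `// DisableBridgeNF sets the net.bridge.bridge-nf-call-iptables sysctl to 0 so that frames forwarded across a bridge are not passed through the host's iptables chains. It requires write access to the sysctl tree and fails if the key is not present (presumably when br_netfilter is not loaded).` The "presumably" part is my inference from the error text in the next file, not from this hunk, so verify before committing it.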
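Review bot: The new init() in vlan.go makes every importer of this package write a host sysctl at process start and exit via klog.Fatalf when that write fails, which callers can neither opt out of nor recover from; a unit test or a tool that links the package only for its types would die on an unprivileged host or wherever the sysctl key does not exist. Disabling bridge-nf-call-iptables also means bridged frames bypass the host's iptables policy, so it is a firewall-relevant change that is better made explicitly from the component's startup path than implicitly by package initialisation. Consider replacing the init with an exported step the entry point calls and can log or retry on, e.g. `// Setup applies the host sysctl changes the VLAN network requires.` / `func Setup() error { return iface.DisableBridgeNF() }`, and if the init is kept, at least add a comment above it saying that importing this package alters net.bridge.bridge-nf-call-iptables and terminates the process on failure.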