From 0f0b0bda139812ef7152185343baaab1e5c3facd Mon Sep 17 00:00:00 2001
From: Clive Jevons <clive@jevons-it.net>
Date: Wed, 29 Jun 2022 10:16:07 +0200
Subject: [PATCH] prepend encapsulation rules to reduce number of
 reconciliation thereof

because of the way the iptables rules are reconciled, having the encapsulation
rules at the end of the slice of rules results in them being deleted and re-added
many times, even though they are very static. Prepending them to the slice of
rules prevents this from happening, making that iptables chain more stable
and saving a bunch of roundtrips to iptables.
---
 pkg/mesh/mesh.go | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/pkg/mesh/mesh.go b/pkg/mesh/mesh.go
index 00f36c0..22c54e1 100644
--- a/pkg/mesh/mesh.go
+++ b/pkg/mesh/mesh.go
@@ -516,7 +516,9 @@ func (m *Mesh) applyTopology() {
 				break
 			}
 		}
-		ipRules = append(ipRules, m.enc.Rules(cidrs)...)
+
+		ipRules = append(m.enc.Rules(cidrs), ipRules...)
+
 		// If we are handling local routes, ensure the local
 		// tunnel has an IP address.
 		if err := m.enc.Set(oneAddressCIDR(newAllocator(*nodes[m.hostname].Subnet).next().IP)); err != nil {