From 378dafffe8337b749a040de606d3f1bd699862da Mon Sep 17 00:00:00 2001
From: Alex Stockinger
Date: Tue, 26 Jul 2022 13:30:55 +0000
Subject: [PATCH] Reconcile prepend rules

---
 pkg/iptables/iptables.go | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)

diff --git a/pkg/iptables/iptables.go b/pkg/iptables/iptables.go
index faeaedc..e624fef 100644
--- a/pkg/iptables/iptables.go
+++ b/pkg/iptables/iptables.go
@@ -347,6 +347,13 @@ func (c *Controller) reconcile() error {
 c.Lock()
 defer c.Unlock()
 var rc ruleCache
+ if err := c.reconcileAppendRules(rc); err != nil {
+ return err
+ }
+ return c.reconcilePrependRules(rc)
+}
+
+func (c *Controller) reconcileAppendRules(rc ruleCache) error {
 for i, r := range c.appendRules {
 ok, err := rc.exists(c.client(r.Proto()), r)
 if err != nil {
@@ -363,6 +370,22 @@ func (c *Controller) reconcile() error {
 return nil
 }
 
+func (c *Controller) reconcilePrependRules(rc ruleCache) error {
+ for _, r := range c.prependRules {
+ ok, err := rc.exists(c.client(r.Proto()), r)
+ if err != nil {
+ return fmt.Errorf("failed to check if rule exists: %v", err)
+ }
+ if !ok {
+ level.Info(c.logger).Log("msg", "prepending iptables rule")
+ if err := r.Prepend(c.client(r.Proto())); err != nil {
+ return fmt.Errorf("failed to prepend rule: %v", err)
+ }
+ }
+ }
+ return nil
+}
+
 // resetFromIndex re-adds all rules starting from the given index.
 func (c *Controller) resetFromIndex(i int, rules []Rule) error {
 if i >= len(rules) {
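Review bot: `rc` is handed to reconcileAppendRules and then reconcilePrependRules by value; since it starts as the zero value (`var rc ruleCache`) and `rc.exists` evidently fills it lazily, if that state lives in the value itself rather than behind a pointer, the second helper receives a fresh copy and has to repopulate the cache from iptables again, discarding whatever the append pass learned — passing `&rc` and declaring `rc *ruleCache` in both helpers would avoid that (worth confirming against the ruleCache definition, which is outside this hunk). Neither new method has a doc comment; something like `// reconcileAppendRules ensures the rules in c.appendRules are present. The caller must hold c's lock.` here, and the matching comment on reconcilePrependRules in the second hunk, would also record that the helpers rely on reconcile already holding the lock, since neither takes it itself. The body of reconcileAppendRules continues outside the hunk.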
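Review bot: The prepend loop only verifies that each rule exists somewhere in its chain, not that it is still at the front; a prepended rule that has been displaced by a later insertion is left in place, which silently loses the precedence a prepended firewall rule is meant to carry. The append pass keeps its loop index (`for i, r := range c.appendRules`) and the file has resetFromIndex for re-adding rules from a position, whereas this loop discards the index with `for _, r := range c.prependRules` and never looks at position. If relative order matters for prependRules, the loop should check position (or re-prepend the set when any rule is out of place) rather than mere presence; if presence is all that is intended, say so explicitly, e.g. `// Prepend rules are only checked for presence; their position in the chain is not reconciled.`.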