From 400459130d8fbc44a8630ca5111e0da7c16f98e1 Mon Sep 17 00:00:00 2001
From: Jaeryn
Date: Mon, 1 Jun 2020 21:18:59 +0000
Subject: [PATCH 1/2] Move AZURE-NPM chain under KUBE-SERVICES chain; Move default allow CONNECTED/RELATED entry to the end of AZURE-NPM chain.

---
 npm/iptm/iptm.go | 88 +++++++++++++++++++++++++++++++++++-------------
 1 file changed, 65 insertions(+), 23 deletions(-)

diff --git a/npm/iptm/iptm.go b/npm/iptm/iptm.go
index 18fa4b6baa..403f4abed1 100644
--- a/npm/iptm/iptm.go
+++ b/npm/iptm/iptm.go
@@ -18,6 +18,7 @@ import (
 	"github.com/Azure/azure-container-networking/log"
 	"github.com/Azure/azure-container-networking/npm/util"
 	"k8s.io/apimachinery/pkg/util/wait"
+	// utiliptables "k8s.io/kubernetes/pkg/util/iptables"
 )
 
 const (
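Review bot: The commented-out `// utiliptables "k8s.io/kubernetes/pkg/util/iptables"` line inside the import block is dead text that goimports will keep reshuffling and that explains nothing on its own; the same applies to the commented-out `SyncIptables` sketch appended at the end of the file in the last hunk of this patch. If the intent is to keep a pointer to future work, a single TODO reads better than commented code, e.g. `// TODO: replace per-rule iptables calls with an iptables-restore based sync (see k8s.io/kubernetes/pkg/util/iptables).` placed above the import block rather than inside it.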
@@ -72,32 +73,24 @@ func (iptMgr *IptablesManager) InitNpmChains() error {
 	}
 
 	if !exists {
-		iptMgr.OperationFlag = util.IptablesInsertionFlag
-		if _, err = iptMgr.Run(entry); err != nil {
-			log.Errorf("Error: failed to add AZURE-NPM chain to FORWARD chain.")
-			return err
+		iptMgr.OperationFlag = "-t"
+		index := "3"
+		ksEntry := &IptEntry{
+			Chain: "filter",
+			Specs: []string{
+				"-n",
+				"--list",
+				"KUBE-SERVICES",
+			},
 		}
-	}
-
-	// Add default allow CONNECTED/RELATED rule to AZURE-NPM chain.
-	entry.Chain = util.IptablesAzureChain
-	entry.Specs = []string{
-		util.IptablesModuleFlag,
-		util.IptablesStateModuleFlag,
-		util.IptablesStateFlag,
-		util.IptablesRelatedState + "," + util.IptablesEstablishedState,
-		util.IptablesJumpFlag,
-		util.IptablesAccept,
-	}
-	exists, err = iptMgr.Exists(entry)
-	if err != nil {
-		return err
-	}
-
-	if !exists {
+		if _, err = iptMgr.Run(ksEntry); err != nil {
+			index = "1"
+		}
+		// position Azure-NPM chain after Kube-Forward and Kube-Service chains if it exists
 		iptMgr.OperationFlag = util.IptablesInsertionFlag
+		entry.Specs = append([]string{index}, entry.Specs...)
 		if _, err = iptMgr.Run(entry); err != nil {
-			log.Printf("Error: failed to add default allow CONNECTED/RELATED rule to AZURE-NPM chain.")
+			log.Errorf("Error: failed to add AZURE-NPM chain to FORWARD chain.")
 			return err
 		}
 	}
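Review bot: `index := "3"` hard-codes where the AZURE-NPM jump lands in FORWARD, while the preceding `Run(ksEntry)` only establishes that a KUBE-SERVICES chain exists in the filter table, not that its jump sits at position 2 of FORWARD; on a node where kube-proxy laid out FORWARD differently, AZURE-NPM ends up ahead of or behind rules it was meant to follow, which is exactly the ordering this commit is trying to fix. Setting `iptMgr.OperationFlag = "-t"` so that a `--list` can be pushed through `Run` also repurposes a field that otherwise carries the rule operation, so a reader has to trace `Run` to see what command line is actually built. The second patch in this series replaces this block with a lookup of the real line number; the remarks on that lookup are on its hunk. `InitNpmChains` starts before this hunk.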
@@ -175,6 +168,29 @@ func (iptMgr *IptablesManager) InitNpmChains() error {
 		}
 	}
 
+	// Add default allow CONNECTED/RELATED rule to AZURE-NPM chain.
+	entry.Chain = util.IptablesAzureChain
+	entry.Specs = []string{
+		util.IptablesModuleFlag,
+		util.IptablesStateModuleFlag,
+		util.IptablesStateFlag,
+		util.IptablesRelatedState + "," + util.IptablesEstablishedState,
+		util.IptablesJumpFlag,
+		util.IptablesAccept,
+	}
+	exists, err = iptMgr.Exists(entry)
+	if err != nil {
+		return err
+	}
+
+	if !exists {
+		iptMgr.OperationFlag = util.IptablesAppendFlag
+		if _, err = iptMgr.Run(entry); err != nil {
+			log.Printf("Error: failed to add default allow CONNECTED/RELATED rule to AZURE-NPM chain.")
+			return err
+		}
+	}
+
 	return nil
 }
 
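Review bot: `iptMgr.Exists(entry)` checks that the RELATED,ESTABLISHED accept rule is present, not where it sits, so a node upgraded from the previous build (which inserted this rule at the top of AZURE-NPM) keeps it there: `exists` is true, the `-A` branch is skipped, and the move to the end of the chain that this commit describes never happens on that node, leaving policy evaluation order different between fresh and upgraded nodes. If the ordering is load-bearing, delete the rule before appending it (a deletion counterpart to `util.IptablesAppendFlag`, if util provides one), or at least record the limitation: `// NOTE: only positions the rule on fresh installs; an already-present rule is left where it is.` The comment and log message say "CONNECTED/RELATED" while the rule matches `util.IptablesRelatedState + "," + util.IptablesEstablishedState`; "RELATED/ESTABLISHED" would match the code. The failure path here uses `log.Printf` where the sibling error path earlier in the function uses `log.Errorf`. `InitNpmChains` starts before this hunk.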
@@ -457,3 +473,29 @@ func grabIptablesLocks() (*os.File, error) {
 func grabIptablesFileLock(f *os.File) error {
 	return unix.Flock(int(f.Fd()), unix.LOCK_EX|unix.LOCK_NB)
 }
+
+// TO-DO :- Use iptables-restore to update iptables.
+// func SyncIptables(entries []*IptEntry) error {
+// // Ensure main chains and rules are installed.
+// tablesNeedServicesChain := []utiliptables.Table{utiliptables.TableFilter, utiliptables.TableNAT}
+// for _, table := range tablesNeedServicesChain {
+// if _, err := proxier.iptables.EnsureChain(table, iptablesServicesChain); err != nil {
+// glog.Errorf("Failed to ensure that %s chain %s exists: %v", table, iptablesServicesChain, err)
+// return
+// }
+// }
+
+// // Get iptables-save output so we can check for existing chains and rules.
+// // This will be a map of chain name to chain with rules as stored in iptables-save/iptables-restore
+// existingFilterChains := make(map[utiliptables.Chain]string)
+// iptablesSaveRaw, err := proxier.iptables.Save(utiliptables.TableFilter)
+// if err != nil { // if we failed to get any rules
+// glog.Errorf("Failed to execute iptables-save, syncing all rules. %s", err.Error())
+// } else { // otherwise parse the output
+// existingFilterChains = getChainLines(utiliptables.TableFilter, iptablesSaveRaw)
+// }
+
+// // Write table headers.
+// writeLine(filterChains, "*filter")
+
+// }
From baaad63f5bf107da4c8fd9e3bfa3dff0875e7f3f Mon Sep 17 00:00:00 2001
From: Jaeryn
Date: Tue, 2 Jun 2020 18:16:14 +0000
Subject: [PATCH 2/2] Find index of KUBE-SERVICES chain.

---
 npm/iptm/iptm.go | 25 +++++++++++++------------
 1 file changed, 13 insertions(+), 12 deletions(-)

diff --git a/npm/iptm/iptm.go b/npm/iptm/iptm.go
index 403f4abed1..7ce0f2557a 100644
--- a/npm/iptm/iptm.go
+++ b/npm/iptm/iptm.go
@@ -9,6 +9,7 @@ package iptm
 import (
 	"os"
 	"os/exec"
+	"strconv"
 	"strings"
 	"syscall"
 	"time"
@@ -73,19 +74,19 @@ func (iptMgr *IptablesManager) InitNpmChains() error {
 	}
 
 	if !exists {
-		iptMgr.OperationFlag = "-t"
-		index := "3"
-		ksEntry := &IptEntry{
-			Chain: "filter",
-			Specs: []string{
-				"-n",
-				"--list",
-				"KUBE-SERVICES",
-			},
-		}
-		if _, err = iptMgr.Run(ksEntry); err != nil {
-			index = "1"
+		// retrieve KUBE-SERVICES index
+		index := "1"
+		iptFilterEntries := exec.Command(util.Iptables, "-t", "filter", "-n", "--list", "FORWARD", "--line-numbers")
+		grep := exec.Command("grep", "KUBE-SERVICES")
+		pipe, _ := iptFilterEntries.StdoutPipe()
+		grep.Stdin = pipe
+		iptFilterEntries.Start()
+		output, err := grep.CombinedOutput()
+		if err == nil && len(output) > 2 {
+			tmpIndex, _ := strconv.Atoi(string(output[0]))
+			index = strconv.Itoa(tmpIndex + 1)
 		}
+		pipe.Close()
 		// position Azure-NPM chain after Kube-Forward and Kube-Service chains if it exists
 		iptMgr.OperationFlag = util.IptablesInsertionFlag
 		entry.Specs = append([]string{index}, entry.Specs...)
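Review bot: `strconv.Atoi(string(output[0]))` parses only the first byte of the grep output, so a KUBE-SERVICES rule at line 10 or later yields index 2 instead of 11 and the AZURE-NPM jump is inserted ahead of rules it was meant to follow — the ordering bug this patch sets out to fix. The pipeline also never calls `iptFilterEntries.Wait()`, which leaves the iptables child as a zombie on every run, discards the `StdoutPipe` and `Start` errors (a nil `pipe` would panic at `pipe.Close()`), and makes chain setup depend on a `grep` binary being present in the image. Running the listing with `Output()` and scanning it in Go removes the pipe, the second process and the one-digit parse; `output, err :=` additionally shadows the function's `err` inside the `if !exists` block, which the rewrite below avoids by naming its errors separately. The field layout assumed below (`num target prot opt source destination …`) is the usual `--line-numbers` format and is worth confirming against a real listing. `InitNpmChains` starts before this hunk and the insertion of the jump continues after it.
```go
		// retrieve KUBE-SERVICES index
		index := "1"
		listCmd := exec.Command(util.Iptables, "-t", "filter", "-n", "--list", "FORWARD", "--line-numbers")
		// Output waits for the child, so there is no pipe to close and no zombie; grep is not needed.
		if listOut, listErr := listCmd.Output(); listErr == nil {
			for _, line := range strings.Split(string(listOut), "\n") {
				fields := strings.Fields(line)
				// --line-numbers prints "num target prot opt source destination ..." per rule
				if len(fields) < 2 || fields[1] != "KUBE-SERVICES" {
					continue
				}
				if ksIndex, convErr := strconv.Atoi(fields[0]); convErr == nil {
					index = strconv.Itoa(ksIndex + 1)
				}
				break
			}
		}
		// … unchanged: insertion of the AZURE-NPM jump at index …
```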