Skip to content

Re-order NPM IpTable Chains/Rules #572

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 2 commits into from
Jun 2, 2020
Merged

Re-order NPM IpTable Chains/Rules #572

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
4004591
Move AZURE-NPM chain under KUBE-SERVICES chain; Move default allow CO…
jaer-tsun Jun 1, 2020
baaad63
Find index of KUBE-SERVICES chain.
jaer-tsun Jun 2, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
89 changes: 66 additions & 23 deletions npm/iptm/iptm.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,7 @@ package iptm
import (
"os"
"os/exec"
"strconv"
"strings"
"syscall"
"time"
Expand All @@ -18,6 +19,7 @@ import (
"github.com/Azure/azure-container-networking/log"
"github.com/Azure/azure-container-networking/npm/util"
"k8s.io/apimachinery/pkg/util/wait"
// utiliptables "k8s.io/kubernetes/pkg/util/iptables"
)

const (
Expand Down Expand Up @@ -72,32 +74,24 @@ func (iptMgr *IptablesManager) InitNpmChains() error {
}

if !exists {
iptMgr.OperationFlag = util.IptablesInsertionFlag
if _, err = iptMgr.Run(entry); err != nil {
log.Errorf("Error: failed to add AZURE-NPM chain to FORWARD chain.")
return err
// retrieve KUBE-SERVICES index
index := "1"
iptFilterEntries := exec.Command(util.Iptables, "-t", "filter", "-n", "--list", "FORWARD", "--line-numbers")
grep := exec.Command("grep", "KUBE-SERVICES")
pipe, _ := iptFilterEntries.StdoutPipe()
grep.Stdin = pipe
iptFilterEntries.Start()
output, err := grep.CombinedOutput()
if err == nil && len(output) > 2 {
tmpIndex, _ := strconv.Atoi(string(output[0]))
index = strconv.Itoa(tmpIndex + 1)
}
}

// Add default allow CONNECTED/RELATED rule to AZURE-NPM chain.
entry.Chain = util.IptablesAzureChain
entry.Specs = []string{
util.IptablesModuleFlag,
util.IptablesStateModuleFlag,
util.IptablesStateFlag,
util.IptablesRelatedState + "," + util.IptablesEstablishedState,
util.IptablesJumpFlag,
util.IptablesAccept,
}
exists, err = iptMgr.Exists(entry)
if err != nil {
return err
}

if !exists {
pipe.Close()
// position Azure-NPM chain after Kube-Forward and Kube-Service chains if it exists
iptMgr.OperationFlag = util.IptablesInsertionFlag
entry.Specs = append([]string{index}, entry.Specs...)
if _, err = iptMgr.Run(entry); err != nil {
log.Printf("Error: failed to add default allow CONNECTED/RELATED rule to AZURE-NPM chain.")
log.Errorf("Error: failed to add AZURE-NPM chain to FORWARD chain.")
return err
}
}
Expand Down Expand Up @@ -175,6 +169,29 @@ func (iptMgr *IptablesManager) InitNpmChains() error {
}
}

// Add default allow CONNECTED/RELATED rule to AZURE-NPM chain.
entry.Chain = util.IptablesAzureChain
entry.Specs = []string{
util.IptablesModuleFlag,
util.IptablesStateModuleFlag,
util.IptablesStateFlag,
util.IptablesRelatedState + "," + util.IptablesEstablishedState,
util.IptablesJumpFlag,
util.IptablesAccept,
}
exists, err = iptMgr.Exists(entry)
if err != nil {
return err
}

if !exists {
iptMgr.OperationFlag = util.IptablesAppendFlag
if _, err = iptMgr.Run(entry); err != nil {
log.Printf("Error: failed to add default allow CONNECTED/RELATED rule to AZURE-NPM chain.")
return err
}
}

return nil
}

Expand Down Expand Up @@ -457,3 +474,29 @@ func grabIptablesLocks() (*os.File, error) {
func grabIptablesFileLock(f *os.File) error {
return unix.Flock(int(f.Fd()), unix.LOCK_EX|unix.LOCK_NB)
}

// TO-DO :- Use iptables-restore to update iptables.
// func SyncIptables(entries []*IptEntry) error {
// // Ensure main chains and rules are installed.
// tablesNeedServicesChain := []utiliptables.Table{utiliptables.TableFilter, utiliptables.TableNAT}
// for _, table := range tablesNeedServicesChain {
// if _, err := proxier.iptables.EnsureChain(table, iptablesServicesChain); err != nil {
// glog.Errorf("Failed to ensure that %s chain %s exists: %v", table, iptablesServicesChain, err)
// return
// }
// }

// // Get iptables-save output so we can check for existing chains and rules.
// // This will be a map of chain name to chain with rules as stored in iptables-save/iptables-restore
// existingFilterChains := make(map[utiliptables.Chain]string)
// iptablesSaveRaw, err := proxier.iptables.Save(utiliptables.TableFilter)
// if err != nil { // if we failed to get any rules
// glog.Errorf("Failed to execute iptables-save, syncing all rules. %s", err.Error())
// } else { // otherwise parse the output
// existingFilterChains = getChainLines(utiliptables.TableFilter, iptablesSaveRaw)
// }

// // Write table headers.
// writeLine(filterChains, "*filter")

// }