[IPv6] Bug fix in adding iptable rules #2469
Conversation
|
/test-e2e /test-conformance /test-networkpolicy /test-ipv6-e2e |
Codecov Report
@@ Coverage Diff @@
## main #2469 +/- ##
==========================================
+ Coverage 59.82% 64.95% +5.12%
==========================================
Files 284 281 -3
Lines 22168 25534 +3366
==========================================
+ Hits 13263 16586 +3323
+ Misses 7483 7403 -80
- Partials 1422 1545 +123
Flags with carried forward coverage won't be shown. Click here to find out more.
|
lzhecheng
force-pushed
the
e2e-fix-ds-upgrade
branch
6 times, most recently
from
b6105a8
to
789e384
Compare
|
/test-e2e /test-conformance /test-networkpolicy /test-ipv6-e2e /test-ipv6-only-e2e |
|
@antoninbas @tnqn I refactored some iptables methods. PTAL. |
lzhecheng
force-pushed
the
e2e-fix-ds-upgrade
branch
8 times, most recently
from
9cb186a
to
a2b8df9
Compare
|
/test-e2e /test-conformance /test-networkpolicy /test-ipv6-e2e /test-ipv6-only-e2e |
lzhecheng
force-pushed
the
e2e-fix-ds-upgrade
branch
3 times, most recently
from
b0c0e9b
to
cc394bb
Compare
|
/test-all /test-ipv6-all /test-ipv6-only-all |
|
@tnqn PTAL @lzhecheng please cherry-pick this as needed (at least v1.2, but potentially all the way back to v0.13 if appropriate) |
pkg/agent/util/iptables/iptables.go
Outdated
| for idx := range c.ipts { | ||
| err := c.ipts[idx].ClearChain(table, chain) | ||
| // DeleteMatchingChains deletes all rules from chains in all tables and then delete the chains. | ||
| func (c *Client) DeleteMatchingChains(table string, chain string) error { |
There was a problem hiding this comment.
ditto.
The comment about "delete all rules from chains in all tables" is incorrect.
I think if we specify "protocol" like EnsureChain, AppendRule and InsertRule, it will make same to name the delete method DeleteChain and DeleteRule? @antoninbas
There was a problem hiding this comment.
Comment is updated.
There was a problem hiding this comment.
@antoninbas please take a look at @tnqn 's suggestion.
There was a problem hiding this comment.
yes if we pass the protocol like for the insertion functions, we can use the same naming scheme I think
lzhecheng
force-pushed
the
e2e-fix-ds-upgrade
branch
3 times, most recently
from
e3cb226
to
ef30704
Compare
|
/test-e2e /test-conformance /test-networkpolicy /test-ipv6-all /test-ipv6-only-all |
lzhecheng
force-pushed
the
e2e-fix-ds-upgrade
branch
from
ef30704
to
cc9130c
Compare
|
/test-all /test-ipv6-all /test-ipv6-only-all |
pkg/agent/route/route_linux.go
Outdated
| @@ -771,5 +772,5 @@ func (c *Client) DeleteSNATRule(mark uint32) error { | |||
| } | |||
| c.markToSNATIP.Delete(mark) | |||
| snatIP := value.(net.IP) | |||
| return c.ipt.DeleteRule(iptables.NATTable, antreaPostRoutingChain, c.snatRuleSpec(snatIP, mark)) | |||
| return c.ipt.DeleteRules(iptables.ProtocolDual, iptables.NATTable, antreaPostRoutingChain, c.snatRuleSpec(snatIP, mark)) | |||
There was a problem hiding this comment.
this should still be DeleteRule?
There was a problem hiding this comment.
Thank you for catching this. Updated.
* bug fix in EnsureRule() * refactor iptables methods Signed-off-by: Zhecheng Li <lzhecheng@vmware.com>
lzhecheng
force-pushed
the
e2e-fix-ds-upgrade
branch
from
cc9130c
to
a4e7873
Compare
|
/test-all /test-ipv6-all /test-ipv6-only-all |
| if !exists { | ||
| return nil | ||
| if err := ipt.table.DeleteChain(iptables.ProtocolIPv4, iptables.NATTable, NodePortLocalChain); err != nil { | ||
| return err |
There was a problem hiding this comment.
I did a test, deleting a chain which was still referenced by another rule always fails with "Too many links" error, so this would introduce a regression. Is this method covered by any test?
There was a problem hiding this comment.
Did you do it manually? "Too many links" is expected in this way.
There was a problem hiding this comment.
Anyway, it seems DeleteChain is only used in DeleteAllRules and DeleteAllRules is used by no one. I am going to delete them.
There was a problem hiding this comment.
I don't think it's expected. The original code deletes the chain at last so it ensures the chain is not referenced by any rule when deleting it. This patch changes to delete the chain in the beginning so it would introduce a regression. I'm not why there there is an orphaned method here, maybe it's left for historical reason, or maybe it's planed for future usage. Anyway it's beyond the scope of this PR. I would sugges to keep it as is if you want to merge this earlier. Otherwise I would invite the feature owner to comment whether deleting it is expected. If you keep the method, I would expect it wouldn't introduce a bug by this PR.
There was a problem hiding this comment.
DeleteAllRules and ChainExists are reverted.
lzhecheng
force-pushed
the
e2e-fix-ds-upgrade
branch
2 times, most recently
from
8a9aabf
to
896c590
Compare
Signed-off-by: Zhecheng Li <lzhecheng@vmware.com>
lzhecheng
force-pushed
the
e2e-fix-ds-upgrade
branch
from
896c590
to
15437d1
Compare
|
/test-all |
* [IPv6] Bug fix in adding iptable rules * bug fix in EnsureRule() * refactor iptables methods Signed-off-by: Zhecheng Li <lzhecheng@vmware.com>
* Bug fix in adding iptable rules * bug fix in EnsureRule() * refactor iptables methods Signed-off-by: Zhecheng Li <lzhecheng@vmware.com> * Revert ChainExists() and DeleteAllRules() Signed-off-by: Zhecheng Li <lzhecheng@vmware.com>
Signed-off-by: Zhecheng Li lzhecheng@vmware.com