Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

daemon: Enable configuration of iptables --random-fully #13383

Merged
merged 2 commits into from
Oct 14, 2020
Merged

daemon: Enable configuration of iptables --random-fully #13383

merged 2 commits into from
Oct 14, 2020

Conversation

kh34
Copy link
Contributor

@kh34 kh34 commented Oct 2, 2020
edited by joestringer

Please ensure your pull request adheres to the following guidelines:

  • For first time contributors, read Submitting a pull request
  • All code is covered by unit and/or runtime tests where feasible.
  • All commits contain a well written commit description including a title,
    description and a Fixes: #XXX line if the commit addresses a particular
    GitHub issue.
  • All commits are signed off. See the section Developer’s Certificate of Origin
  • Provide a title or release-note blurb suitable for the release notes.
  • Thanks for contributing!

Fixes: #13037

Add a new daemon CLI argument, "--iptables-random-fully" to specify the
iptables "--random-fully" argument when invoking the iptables CLI binary
directly from cilium-agent.

@kh34 kh34 requested review from a team October 2, 2020 02:47
@kh34 kh34 requested review from a team as code owners October 2, 2020 02:47
@kh34 kh34 requested a review from a team October 2, 2020 02:47
@kh34 kh34 requested a review from a team as a code owner October 2, 2020 02:47
@maintainer-s-little-helper

This comment has been minimized.

Sign in to view
@maintainer-s-little-helper maintainer-s-little-helper bot added dont-merge/needs-sign-off The author needs to add signoff to their commits before merge. dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. labels Oct 2, 2020
@maintainer-s-little-helper maintainer-s-little-helper bot removed the dont-merge/needs-sign-off The author needs to add signoff to their commits before merge. label Oct 2, 2020
@kh34 kh34 force-pushed the ipt-random-fully-cfg branch 3 times, most recently from 988ce2b to 3a29b62 Compare October 2, 2020 03:02
@pchaigno pchaigno removed the request for review from a team October 2, 2020 06:38
@pchaigno pchaigno added sig/datapath Impacts bpf/ or low-level forwarding details, including map management and monitor messages. release-note/minor This PR changes functionality that users may find relevant to operating Cilium. labels Oct 2, 2020
@maintainer-s-little-helper maintainer-s-little-helper bot removed the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Oct 2, 2020
brb
brb reviewed Oct 2, 2020
View reviewed changes
Copy link
Member

@brb brb left a comment
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks!

Have you considered setting --random-fully if iptables supports it instead of controlling with the flag? The former approach is implemented by k8s: https://github.com/kubernetes/kubernetes/blob/112dbd55860e600af525cedc255f2664e3f286aa/pkg/util/iptables/iptables.go#L228. Please ignore my comment.

joestringer
joestringer requested changes Oct 2, 2020
View reviewed changes
Copy link
Member

@joestringer joestringer left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good overall, just one minor request on the Helm side.

install/kubernetes/cilium/charts/config/templates/configmap.yaml Outdated Show resolved Hide resolved
@pchaigno pchaigno self-assigned this Oct 2, 2020
@pchaigno pchaigno added the needs/e2e-test This issue is not covered by existing CI tests, but should be. label Oct 2, 2020
@joestringer
Copy link
Member

test-me-please

@pchaigno pchaigno added the dont-merge/blocked Another PR must be merged before this one. label Oct 6, 2020
@pchaigno
Copy link
Member

pchaigno commented Oct 6, 2020

As discussed with @kh34 offline, I will add another commit on top of this branch to test the new flag (probably tomorrow). We will likely need to update the iptables version during backports somehow so I'd prefer if we have a test that fails when that is needed.

@maintainer-s-little-helper maintainer-s-little-helper bot added this to Needs backport from master in 1.8.5 Oct 15, 2020
@aanm aanm mentioned this pull request Oct 19, 2020
Merged
@rolinh rolinh mentioned this pull request Oct 19, 2020
Merged
@tklauser tklauser mentioned this pull request Oct 19, 2020
Merged
tklauser added a commit that referenced this pull request Oct 19, 2020
@tklauser
contrib: match commit subject exactly when searching for upstream commit
c8495d3 
In generate_commit_list_for_pr, the commit subject is used to determine
the upstream commit ID from $REMOTE/master. However, if in the meantime
another commit with e.g. a Fixes tag that mentions this commit subject,
it appears first and leads to the original commit not being found. This
can be demonstrated using #13383:

```
 * PR: 13383 -- daemon: Enable configuration of iptables --random-fully (@kh34) -- #13383
   Merge with 2 commit(s) merged at: Wed, 14 Oct 2020 11:41:51 +0200!
     Branch:     master (!)                          refs/pull/13383/head
                 ----------                          -------------------
     v (start)
     |  Warning: No commit correlation found!    via dbac86c ("daemon: Enable configuration of iptables --random-fully")
     |  350f0b3 via 22d4554 ("test: Test iptables masquerading with --random-fully")
     v (end)

$ # this is the git log command (with the subject added) from
$ # contrib/backporting/check-stable that should extract a single
$ # upstream commit
$ git log -F --since="1year" --pretty="%H %s" --no-merges --grep "daemon: Enable configuration of iptables --random-fully" origin/master
078ec54 install/kubernetes: consistent case spelling of iptables related values
4e39def daemon: Enable configuration of iptables --random-fully
$ git show 078ec54
commit 078ec54
Author: Tobias Klauser <tklauser@distanz.ch>
Date:   Wed Oct 14 11:58:29 2020 +0200

    install/kubernetes: consistent case spelling of iptables related values

    Make the case spelling of the newly introduced "ipTablesRandomFully"
    value consistent with other iptables option values which use the
    "iptables" spelling.

    Fixes: 4e39def ("daemon: Enable configuration of iptables --random-fully")
    Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
```

Note the `Fixes: ...` line in commit 078ec54 above.

Fix this behavior by grepping for the subject line from start of line:

```
$ git log -F --since="1year" --pretty="%H %s" --no-merges --extended-regexp --grep "^daemon: Enable configuration of iptables --random-fully" origin/master
4e39def daemon: Enable configuration of iptables --random-fully

 * PR: 13383 -- daemon: Enable configuration of iptables --random-fully (@kh34) -- #13383
   Merge with 2 commit(s) merged at: Wed, 14 Oct 2020 11:41:51 +0200!
     Branch:     master (!)                          refs/pull/13383/head
                 ----------                          -------------------
     v (start)
     |  4e39def via dbac86c ("daemon: Enable configuration of iptables --random-fully")
     |  350f0b3 via 22d4554 ("test: Test iptables masquerading with --random-fully")
     v (end)
```

Reported-by: Robin Hahling <robin.hahling@gw-computing.net>
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
aanm pushed a commit that referenced this pull request Oct 19, 2020
@tklauser @aanm
contrib: match commit subject exactly when searching for upstream commit
6557f75 
In generate_commit_list_for_pr, the commit subject is used to determine
the upstream commit ID from $REMOTE/master. However, if in the meantime
another commit with e.g. a Fixes tag that mentions this commit subject,
it appears first and leads to the original commit not being found. This
can be demonstrated using #13383:

```
 * PR: 13383 -- daemon: Enable configuration of iptables --random-fully (@kh34) -- #13383
   Merge with 2 commit(s) merged at: Wed, 14 Oct 2020 11:41:51 +0200!
     Branch:     master (!)                          refs/pull/13383/head
                 ----------                          -------------------
     v (start)
     |  Warning: No commit correlation found!    via dbac86c ("daemon: Enable configuration of iptables --random-fully")
     |  350f0b3 via 22d4554 ("test: Test iptables masquerading with --random-fully")
     v (end)

$ # this is the git log command (with the subject added) from
$ # contrib/backporting/check-stable that should extract a single
$ # upstream commit
$ git log -F --since="1year" --pretty="%H %s" --no-merges --grep "daemon: Enable configuration of iptables --random-fully" origin/master
078ec54 install/kubernetes: consistent case spelling of iptables related values
4e39def daemon: Enable configuration of iptables --random-fully
$ git show 078ec54
commit 078ec54
Author: Tobias Klauser <tklauser@distanz.ch>
Date:   Wed Oct 14 11:58:29 2020 +0200

    install/kubernetes: consistent case spelling of iptables related values

    Make the case spelling of the newly introduced "ipTablesRandomFully"
    value consistent with other iptables option values which use the
    "iptables" spelling.

    Fixes: 4e39def ("daemon: Enable configuration of iptables --random-fully")
    Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
```

Note the `Fixes: ...` line in commit 078ec54 above.

Fix this behavior by grepping for the subject line from start of line:

```
$ git log -F --since="1year" --pretty="%H %s" --no-merges --extended-regexp --grep "^daemon: Enable configuration of iptables --random-fully" origin/master
4e39def daemon: Enable configuration of iptables --random-fully

 * PR: 13383 -- daemon: Enable configuration of iptables --random-fully (@kh34) -- #13383
   Merge with 2 commit(s) merged at: Wed, 14 Oct 2020 11:41:51 +0200!
     Branch:     master (!)                          refs/pull/13383/head
                 ----------                          -------------------
     v (start)
     |  4e39def via dbac86c ("daemon: Enable configuration of iptables --random-fully")
     |  350f0b3 via 22d4554 ("test: Test iptables masquerading with --random-fully")
     v (end)
```

Reported-by: Robin Hahling <robin.hahling@gw-computing.net>
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
nathanjsweet pushed a commit that referenced this pull request Oct 19, 2020
@tklauser @nathanjsweet
contrib: match commit subject exactly when searching for upstream commit
96bf3d6 
[ upstream commit 6557f75 ]

In generate_commit_list_for_pr, the commit subject is used to determine
the upstream commit ID from $REMOTE/master. However, if in the meantime
another commit with e.g. a Fixes tag that mentions this commit subject,
it appears first and leads to the original commit not being found. This
can be demonstrated using #13383:

```
 * PR: 13383 -- daemon: Enable configuration of iptables --random-fully (@kh34) -- #13383
   Merge with 2 commit(s) merged at: Wed, 14 Oct 2020 11:41:51 +0200!
     Branch:     master (!)                          refs/pull/13383/head
                 ----------                          -------------------
     v (start)
     |  Warning: No commit correlation found!    via dbac86c ("daemon: Enable configuration of iptables --random-fully")
     |  350f0b3 via 22d4554 ("test: Test iptables masquerading with --random-fully")
     v (end)

$ # this is the git log command (with the subject added) from
$ # contrib/backporting/check-stable that should extract a single
$ # upstream commit
$ git log -F --since="1year" --pretty="%H %s" --no-merges --grep "daemon: Enable configuration of iptables --random-fully" origin/master
078ec54 install/kubernetes: consistent case spelling of iptables related values
4e39def daemon: Enable configuration of iptables --random-fully
$ git show 078ec54
commit 078ec54
Author: Tobias Klauser <tklauser@distanz.ch>
Date:   Wed Oct 14 11:58:29 2020 +0200

    install/kubernetes: consistent case spelling of iptables related values

    Make the case spelling of the newly introduced "ipTablesRandomFully"
    value consistent with other iptables option values which use the
    "iptables" spelling.

    Fixes: 4e39def ("daemon: Enable configuration of iptables --random-fully")
    Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
```

Note the `Fixes: ...` line in commit 078ec54 above.

Fix this behavior by grepping for the subject line from start of line:

```
$ git log -F --since="1year" --pretty="%H %s" --no-merges --extended-regexp --grep "^daemon: Enable configuration of iptables --random-fully" origin/master
4e39def daemon: Enable configuration of iptables --random-fully

 * PR: 13383 -- daemon: Enable configuration of iptables --random-fully (@kh34) -- #13383
   Merge with 2 commit(s) merged at: Wed, 14 Oct 2020 11:41:51 +0200!
     Branch:     master (!)                          refs/pull/13383/head
                 ----------                          -------------------
     v (start)
     |  4e39def via dbac86c ("daemon: Enable configuration of iptables --random-fully")
     |  350f0b3 via 22d4554 ("test: Test iptables masquerading with --random-fully")
     v (end)
```

Reported-by: Robin Hahling <robin.hahling@gw-computing.net>
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
Signed-off-by: Nate Sweet <nathanjsweet@pm.me>
nathanjsweet pushed a commit that referenced this pull request Oct 19, 2020
@tklauser @nathanjsweet
contrib: match commit subject exactly when searching for upstream commit
b76bd84 
[ upstream commit 6557f75 ]

In generate_commit_list_for_pr, the commit subject is used to determine
the upstream commit ID from $REMOTE/master. However, if in the meantime
another commit with e.g. a Fixes tag that mentions this commit subject,
it appears first and leads to the original commit not being found. This
can be demonstrated using #13383:

```
 * PR: 13383 -- daemon: Enable configuration of iptables --random-fully (@kh34) -- #13383
   Merge with 2 commit(s) merged at: Wed, 14 Oct 2020 11:41:51 +0200!
     Branch:     master (!)                          refs/pull/13383/head
                 ----------                          -------------------
     v (start)
     |  Warning: No commit correlation found!    via dbac86c ("daemon: Enable configuration of iptables --random-fully")
     |  350f0b3 via 22d4554 ("test: Test iptables masquerading with --random-fully")
     v (end)

$ # this is the git log command (with the subject added) from
$ # contrib/backporting/check-stable that should extract a single
$ # upstream commit
$ git log -F --since="1year" --pretty="%H %s" --no-merges --grep "daemon: Enable configuration of iptables --random-fully" origin/master
078ec54 install/kubernetes: consistent case spelling of iptables related values
4e39def daemon: Enable configuration of iptables --random-fully
$ git show 078ec54
commit 078ec54
Author: Tobias Klauser <tklauser@distanz.ch>
Date:   Wed Oct 14 11:58:29 2020 +0200

    install/kubernetes: consistent case spelling of iptables related values

    Make the case spelling of the newly introduced "ipTablesRandomFully"
    value consistent with other iptables option values which use the
    "iptables" spelling.

    Fixes: 4e39def ("daemon: Enable configuration of iptables --random-fully")
    Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
```

Note the `Fixes: ...` line in commit 078ec54 above.

Fix this behavior by grepping for the subject line from start of line:

```
$ git log -F --since="1year" --pretty="%H %s" --no-merges --extended-regexp --grep "^daemon: Enable configuration of iptables --random-fully" origin/master
4e39def daemon: Enable configuration of iptables --random-fully

 * PR: 13383 -- daemon: Enable configuration of iptables --random-fully (@kh34) -- #13383
   Merge with 2 commit(s) merged at: Wed, 14 Oct 2020 11:41:51 +0200!
     Branch:     master (!)                          refs/pull/13383/head
                 ----------                          -------------------
     v (start)
     |  4e39def via dbac86c ("daemon: Enable configuration of iptables --random-fully")
     |  350f0b3 via 22d4554 ("test: Test iptables masquerading with --random-fully")
     v (end)
```

Reported-by: Robin Hahling <robin.hahling@gw-computing.net>
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
Signed-off-by: Nate Sweet <nathanjsweet@pm.me>
aanm pushed a commit that referenced this pull request Oct 20, 2020
@tklauser @aanm
contrib: match commit subject exactly when searching for upstream commit
98210c4 
[ upstream commit 6557f75 ]

In generate_commit_list_for_pr, the commit subject is used to determine
the upstream commit ID from $REMOTE/master. However, if in the meantime
another commit with e.g. a Fixes tag that mentions this commit subject,
it appears first and leads to the original commit not being found. This
can be demonstrated using #13383:

```
 * PR: 13383 -- daemon: Enable configuration of iptables --random-fully (@kh34) -- #13383
   Merge with 2 commit(s) merged at: Wed, 14 Oct 2020 11:41:51 +0200!
     Branch:     master (!)                          refs/pull/13383/head
                 ----------                          -------------------
     v (start)
     |  Warning: No commit correlation found!    via dbac86c ("daemon: Enable configuration of iptables --random-fully")
     |  350f0b3 via 22d4554 ("test: Test iptables masquerading with --random-fully")
     v (end)

$ # this is the git log command (with the subject added) from
$ # contrib/backporting/check-stable that should extract a single
$ # upstream commit
$ git log -F --since="1year" --pretty="%H %s" --no-merges --grep "daemon: Enable configuration of iptables --random-fully" origin/master
078ec54 install/kubernetes: consistent case spelling of iptables related values
4e39def daemon: Enable configuration of iptables --random-fully
$ git show 078ec54
commit 078ec54
Author: Tobias Klauser <tklauser@distanz.ch>
Date:   Wed Oct 14 11:58:29 2020 +0200

    install/kubernetes: consistent case spelling of iptables related values

    Make the case spelling of the newly introduced "ipTablesRandomFully"
    value consistent with other iptables option values which use the
    "iptables" spelling.

    Fixes: 4e39def ("daemon: Enable configuration of iptables --random-fully")
    Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
```

Note the `Fixes: ...` line in commit 078ec54 above.

Fix this behavior by grepping for the subject line from start of line:

```
$ git log -F --since="1year" --pretty="%H %s" --no-merges --extended-regexp --grep "^daemon: Enable configuration of iptables --random-fully" origin/master
4e39def daemon: Enable configuration of iptables --random-fully

 * PR: 13383 -- daemon: Enable configuration of iptables --random-fully (@kh34) -- #13383
   Merge with 2 commit(s) merged at: Wed, 14 Oct 2020 11:41:51 +0200!
     Branch:     master (!)                          refs/pull/13383/head
                 ----------                          -------------------
     v (start)
     |  4e39def via dbac86c ("daemon: Enable configuration of iptables --random-fully")
     |  350f0b3 via 22d4554 ("test: Test iptables masquerading with --random-fully")
     v (end)
```

Reported-by: Robin Hahling <robin.hahling@gw-computing.net>
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
Signed-off-by: Nate Sweet <nathanjsweet@pm.me>
aanm pushed a commit that referenced this pull request Oct 20, 2020
@tklauser @aanm
contrib: match commit subject exactly when searching for upstream commit
93ecd42 
[ upstream commit 6557f75 ]

In generate_commit_list_for_pr, the commit subject is used to determine
the upstream commit ID from $REMOTE/master. However, if in the meantime
another commit with e.g. a Fixes tag that mentions this commit subject,
it appears first and leads to the original commit not being found. This
can be demonstrated using #13383:

```
 * PR: 13383 -- daemon: Enable configuration of iptables --random-fully (@kh34) -- #13383
   Merge with 2 commit(s) merged at: Wed, 14 Oct 2020 11:41:51 +0200!
     Branch:     master (!)                          refs/pull/13383/head
                 ----------                          -------------------
     v (start)
     |  Warning: No commit correlation found!    via dbac86c ("daemon: Enable configuration of iptables --random-fully")
     |  350f0b3 via 22d4554 ("test: Test iptables masquerading with --random-fully")
     v (end)

$ # this is the git log command (with the subject added) from
$ # contrib/backporting/check-stable that should extract a single
$ # upstream commit
$ git log -F --since="1year" --pretty="%H %s" --no-merges --grep "daemon: Enable configuration of iptables --random-fully" origin/master
078ec54 install/kubernetes: consistent case spelling of iptables related values
4e39def daemon: Enable configuration of iptables --random-fully
$ git show 078ec54
commit 078ec54
Author: Tobias Klauser <tklauser@distanz.ch>
Date:   Wed Oct 14 11:58:29 2020 +0200

    install/kubernetes: consistent case spelling of iptables related values

    Make the case spelling of the newly introduced "ipTablesRandomFully"
    value consistent with other iptables option values which use the
    "iptables" spelling.

    Fixes: 4e39def ("daemon: Enable configuration of iptables --random-fully")
    Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
```

Note the `Fixes: ...` line in commit 078ec54 above.

Fix this behavior by grepping for the subject line from start of line:

```
$ git log -F --since="1year" --pretty="%H %s" --no-merges --extended-regexp --grep "^daemon: Enable configuration of iptables --random-fully" origin/master
4e39def daemon: Enable configuration of iptables --random-fully

 * PR: 13383 -- daemon: Enable configuration of iptables --random-fully (@kh34) -- #13383
   Merge with 2 commit(s) merged at: Wed, 14 Oct 2020 11:41:51 +0200!
     Branch:     master (!)                          refs/pull/13383/head
                 ----------                          -------------------
     v (start)
     |  4e39def via dbac86c ("daemon: Enable configuration of iptables --random-fully")
     |  350f0b3 via 22d4554 ("test: Test iptables masquerading with --random-fully")
     v (end)
```

Reported-by: Robin Hahling <robin.hahling@gw-computing.net>
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
Signed-off-by: Nate Sweet <nathanjsweet@pm.me>
nathanjsweet pushed a commit that referenced this pull request Oct 22, 2020
@tklauser @nathanjsweet
contrib: match commit subject exactly when searching for upstream commit
7a5fd8e 
[ upstream commit 6557f75 ]

In generate_commit_list_for_pr, the commit subject is used to determine
the upstream commit ID from $REMOTE/master. However, if in the meantime
another commit with e.g. a Fixes tag that mentions this commit subject,
it appears first and leads to the original commit not being found. This
can be demonstrated using #13383:

```
 * PR: 13383 -- daemon: Enable configuration of iptables --random-fully (@kh34) -- #13383
   Merge with 2 commit(s) merged at: Wed, 14 Oct 2020 11:41:51 +0200!
     Branch:     master (!)                          refs/pull/13383/head
                 ----------                          -------------------
     v (start)
     |  Warning: No commit correlation found!    via dbac86c ("daemon: Enable configuration of iptables --random-fully")
     |  350f0b3 via 22d4554 ("test: Test iptables masquerading with --random-fully")
     v (end)

$ # this is the git log command (with the subject added) from
$ # contrib/backporting/check-stable that should extract a single
$ # upstream commit
$ git log -F --since="1year" --pretty="%H %s" --no-merges --grep "daemon: Enable configuration of iptables --random-fully" origin/master
078ec54 install/kubernetes: consistent case spelling of iptables related values
4e39def daemon: Enable configuration of iptables --random-fully
$ git show 078ec54
commit 078ec54
Author: Tobias Klauser <tklauser@distanz.ch>
Date:   Wed Oct 14 11:58:29 2020 +0200

    install/kubernetes: consistent case spelling of iptables related values

    Make the case spelling of the newly introduced "ipTablesRandomFully"
    value consistent with other iptables option values which use the
    "iptables" spelling.

    Fixes: 4e39def ("daemon: Enable configuration of iptables --random-fully")
    Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
```

Note the `Fixes: ...` line in commit 078ec54 above.

Fix this behavior by grepping for the subject line from start of line:

```
$ git log -F --since="1year" --pretty="%H %s" --no-merges --extended-regexp --grep "^daemon: Enable configuration of iptables --random-fully" origin/master
4e39def daemon: Enable configuration of iptables --random-fully

 * PR: 13383 -- daemon: Enable configuration of iptables --random-fully (@kh34) -- #13383
   Merge with 2 commit(s) merged at: Wed, 14 Oct 2020 11:41:51 +0200!
     Branch:     master (!)                          refs/pull/13383/head
                 ----------                          -------------------
     v (start)
     |  4e39def via dbac86c ("daemon: Enable configuration of iptables --random-fully")
     |  350f0b3 via 22d4554 ("test: Test iptables masquerading with --random-fully")
     v (end)
```

Reported-by: Robin Hahling <robin.hahling@gw-computing.net>
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
Signed-off-by: Nate Sweet <nathanjsweet@pm.me>
@pchaigno pchaigno mentioned this pull request Oct 22, 2020
Merged
@maintainer-s-little-helper maintainer-s-little-helper bot moved this from Needs backport from master to Backport pending to v1.8 in 1.8.5 Oct 22, 2020
@maintainer-s-little-helper maintainer-s-little-helper bot moved this from Backport pending to v1.8 to Backport done to v1.8 in 1.8.5 Oct 22, 2020
@maintainer-s-little-helper maintainer-s-little-helper bot moved this from Backport done to v1.8 to Backport pending to v1.8 in 1.8.5 Oct 22, 2020
@maintainer-s-little-helper maintainer-s-little-helper bot moved this from Backport done to v1.8 to Backport pending to v1.8 in 1.8.5 Oct 22, 2020
joestringer pushed a commit that referenced this pull request Oct 22, 2020
@tklauser @joestringer
contrib: match commit subject exactly when searching for upstream commit
62cb734 
[ upstream commit 6557f75 ]

In generate_commit_list_for_pr, the commit subject is used to determine
the upstream commit ID from $REMOTE/master. However, if in the meantime
another commit with e.g. a Fixes tag that mentions this commit subject,
it appears first and leads to the original commit not being found. This
can be demonstrated using #13383:

```
 * PR: 13383 -- daemon: Enable configuration of iptables --random-fully (@kh34) -- #13383
   Merge with 2 commit(s) merged at: Wed, 14 Oct 2020 11:41:51 +0200!
     Branch:     master (!)                          refs/pull/13383/head
                 ----------                          -------------------
     v (start)
     |  Warning: No commit correlation found!    via dbac86c ("daemon: Enable configuration of iptables --random-fully")
     |  350f0b3 via 22d4554 ("test: Test iptables masquerading with --random-fully")
     v (end)

$ # this is the git log command (with the subject added) from
$ # contrib/backporting/check-stable that should extract a single
$ # upstream commit
$ git log -F --since="1year" --pretty="%H %s" --no-merges --grep "daemon: Enable configuration of iptables --random-fully" origin/master
078ec54 install/kubernetes: consistent case spelling of iptables related values
4e39def daemon: Enable configuration of iptables --random-fully
$ git show 078ec54
commit 078ec54
Author: Tobias Klauser <tklauser@distanz.ch>
Date:   Wed Oct 14 11:58:29 2020 +0200

    install/kubernetes: consistent case spelling of iptables related values

    Make the case spelling of the newly introduced "ipTablesRandomFully"
    value consistent with other iptables option values which use the
    "iptables" spelling.

    Fixes: 4e39def ("daemon: Enable configuration of iptables --random-fully")
    Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
```

Note the `Fixes: ...` line in commit 078ec54 above.

Fix this behavior by grepping for the subject line from start of line:

```
$ git log -F --since="1year" --pretty="%H %s" --no-merges --extended-regexp --grep "^daemon: Enable configuration of iptables --random-fully" origin/master
4e39def daemon: Enable configuration of iptables --random-fully

 * PR: 13383 -- daemon: Enable configuration of iptables --random-fully (@kh34) -- #13383
   Merge with 2 commit(s) merged at: Wed, 14 Oct 2020 11:41:51 +0200!
     Branch:     master (!)                          refs/pull/13383/head
                 ----------                          -------------------
     v (start)
     |  4e39def via dbac86c ("daemon: Enable configuration of iptables --random-fully")
     |  350f0b3 via 22d4554 ("test: Test iptables masquerading with --random-fully")
     v (end)
```

Reported-by: Robin Hahling <robin.hahling@gw-computing.net>
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
Signed-off-by: Nate Sweet <nathanjsweet@pm.me>
@christarazi christarazi mentioned this pull request Oct 28, 2020
Merged
@maintainer-s-little-helper maintainer-s-little-helper bot moved this from Backport pending to v1.8 to Backport done to v1.8 in 1.8.5 Oct 31, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@brb brb brb approved these changes

@tklauser tklauser tklauser approved these changes

@joestringer joestringer joestringer approved these changes

@christarazi christarazi christarazi approved these changes

Assignees

@pchaigno pchaigno

Labels
release-note/minor This PR changes functionality that users may find relevant to operating Cilium. release-priority/best-effort The project for target version is not a hard requirement. sig/datapath Impacts bpf/ or low-level forwarding details, including map management and monitor messages.
Projects
No open projects
1.8.5
Backport done to v1.8
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Add --random-fully to SNAT iptables rules
7 participants
@kh34 @joestringer @pchaigno @brb @tklauser @christarazi @aanm