iptables: handle case where kernel IPv6 support is disabled #20680
Conversation
ugh, I remember having an uneasy feeling about this...
For the commit message:
- can you please add what specific case this covers? It's the ipv6.disable=1 module parameter, correct?
- think we need a Fixes: tag for the commit that introduced the regression.
4e38f16 to f7d7c6a
/test
lgtm, thanks for the quick fix jibi! One further comment, but feel free to ignore.
f7d7c6a to e9a2928
Currently, even if the kernel IPv6 support is disabled (i.e. the
ipv6.disable=1 kernel parameter is set), the agent will try to find or
load the ip6tables kernel modules, and if successful it will assume
ip6tables is supported.
This will result in a fatal error since all ip6tables commands will
fail with "Address family not supported".
This commit fixes this by setting the haveIp6tables IptablesManager's
property to false in case the kernel does not support IPv6.
Fixes: d812b92 ("iptables: don't ignore errors")
Fixes: #18513
Fixes: #20672
Signed-off-by: Gilberto Bertin <jibi@cilium.io>
e9a2928 to aa2081c
/test
LGTM with a nit (almost the same as Julian's one) 👍
            "Unable to read /sys/module/ipv6/parameters/disable, disabling IPv6 iptables support")
        haveIp6tables = false
    } else if strings.TrimSuffix(string(ipv6Disabled), "\n") == "1" {
        log.Debug(
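Review bot: the comparison strings.TrimSuffix(string(ipv6Disabled), "\n") == "1" on the else-if line assumes the sysfs value is terminated by exactly one "\n" and only ever reads "0" or "1"; strings.TrimSpace(string(ipv6Disabled)) == "1" reads the same, also tolerates a missing or CRLF terminator, and any other content still falls through to the "IPv6 enabled" path as now.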
I think we should show this message to users even if it is not a Fatal. Maybe it should be a Warning?
I'm following the same pattern as above (i.e. emitting a debug logline in case we fail to find/load ip6tables modules):
cilium/pkg/datapath/iptables/iptables.go
Lines 290 to 297 in 78d075d
    if err := modulesManager.FindOrLoadModules(
        "ip6_tables", "ip6table_mangle", "ip6table_raw", "ip6table_filter"); err != nil {
        if option.Config.EnableIPv6 {
            log.WithError(err).Fatal(
                "IPv6 is enabled and ip6tables modules could not be initialized (try disabling IPv6 in Cilium or loading ip6_tables, ip6table_mangle, ip6table_raw and ip6table_filter kernel modules)")
        }
        log.WithError(err).Debug(
            "ip6tables kernel modules could not be loaded, so IPv6 cannot be used")
I thought that the issue got fixed with the closure of #18904
That change only handles the case where IPv6 support is enabled in Cilium but we can't find the related ip6tables modules (but apparently we can still load them even if the kernel has disabled IPv6 support)
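As an added example (not the PR's own code), a stand-alone Go version of the gate the commit describes: the ipv6.disable state is read from the sysfs parameter (/sys/module/ipv6/parameters/disable on a real host), an unreadable file is treated as "no IPv6" rather than as fatal, and ip6tables support now requires both loadable modules and kernel-level IPv6. The function names and the constructed sysfs file are assumptions of this example.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// KernelIPv6Disabled reads the parameter at path (a parameter so the check
// can run against a constructed file). An unreadable file is reported and,
// as in the commit, treated as "no IPv6" rather than as a fatal error.
func KernelIPv6Disabled(path string) (disabled bool, unreadable bool) {
	raw, err := os.ReadFile(path)
	if err != nil {
		return true, true
	}
	// sysfs values end in "\n"; TrimSpace also tolerates a missing newline.
	return strings.TrimSpace(string(raw)) == "1", false
}

// HaveIp6tables is the decision the commit changes: loadable modules alone
// no longer imply support, the kernel must also have IPv6 enabled.
func HaveIp6tables(modulesLoaded bool, path string) bool {
	if !modulesLoaded {
		return false
	}
	disabled, _ := KernelIPv6Disabled(path)
	return !disabled
}

// WriteSysfsSample writes constructed sysfs content under dir and returns
// the file path, so the check can be exercised without touching /sys.
func WriteSysfsSample(dir, content string) (string, error) {
	p := filepath.Join(dir, "disable")
	return p, os.WriteFile(p, []byte(content), 0o644)
}

func main() {
	dir, err := os.MkdirTemp("", "ipv6check")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	for _, content := range []string{"0\n", "1\n"} {
		p, _ := WriteSysfsSample(dir, content)
		fmt.Printf("disable=%q -> haveIp6tables=%v\n", content, HaveIp6tables(true, p))
	}
}
```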