Fix iptables for old systems

thockin · thockin · commit e925deccb0db · 2014-11-26T12:50:44.000-08:00
The iptables args list needs to include all fields as they are eventually spit
out by iptables-save.  This is because some systems do not support the
'iptables -C' arg, and so fall back on parsing iptables-save output.  If this
does not match, it will not pass the check.  For example: adding the /32 on
the destination IP arg is not strictly required, but causes this list to not
match the final iptables-save output.  This is fragile and I hope one day we
can stop supporting such old iptables versions.
diff --git a/pkg/proxy/proxier.go b/pkg/proxy/proxier.go
@@ -578,11 +578,20 @@ var localhostIPv6 = net.ParseIP("::1")
 
 // Build a slice of iptables args for a portal rule.
 func iptablesPortalArgs(destIP net.IP, destPort int, protocol api.Protocol, proxyIP net.IP, proxyPort int, service string) []string {
+	// This list needs to include all fields as they are eventually spit out
+	// by iptables-save.  This is because some systems do not support the
+	// 'iptables -C' arg, and so fall back on parsing iptables-save output.
+	// If this does not match, it will not pass the check.  For example:
+	// adding the /32 on the destination IP arg is not strictly required,
+	// but causes this list to not match the final iptables-save output.
+	// This is fragile and I hope one day we can stop supporting such old
+	// iptables versions.
 	args := []string{
 		"-m", "comment",
 		"--comment", service,
 		"-p", strings.ToLower(string(protocol)),
-		"-d", destIP.String(),
+		"-m", strings.ToLower(string(protocol)),
+		"-d", fmt.Sprintf("%s/32", destIP.String()),
 		"--dport", fmt.Sprintf("%d", destPort),
 	}
 	// This is tricky.  If the proxy is bound (see Proxier.listenAddress)
diff --git a/pkg/util/iptables/iptables.go b/pkg/util/iptables/iptables.go
@@ -189,6 +189,7 @@ func (runner *runner) checkRule(table Table, chain Chain, args ...string) (bool,
 // Executes the rule check without using the "-C" flag, instead parsing iptables-save.
 // Present for compatibility with <1.4.11 versions of iptables.
 func (runner *runner) checkRuleWithoutCheck(table Table, chain Chain, args ...string) (bool, error) {
+	glog.V(1).Infof("running iptables-save -t %s", string(table))
 	out, err := runner.exec.Command("iptables-save", "-t", string(table)).CombinedOutput()
 	if err != nil {
 		return false, fmt.Errorf("error checking rule: %v", err)
@@ -206,6 +207,7 @@ func (runner *runner) checkRuleWithoutCheck(table Table, chain Chain, args ...st
 			if util.NewStringSet(fields...).IsSuperset(argset) {
 				return true, nil
 			}
+			glog.V(5).Infof("DBG: fields is not a superset of args: fields=%v  args=%v", fields, args)
 		}
 	}
 

Original file line number	Diff line number	Diff line change
`@@ -189,6 +189,7 @@ func (runner *runner) checkRule(table Table, chain Chain, args ...string) (bool,`
`189`	`189`	`// Executes the rule check without using the "-C" flag, instead parsing iptables-save.`
`190`	`190`	`// Present for compatibility with <1.4.11 versions of iptables.`
`191`	`191`	`func (runner *runner) checkRuleWithoutCheck(table Table, chain Chain, args ...string) (bool, error) {`
	`192`	`+ glog.V(1).Infof("running iptables-save -t %s", string(table))`
`192`	`193`	`out, err := runner.exec.Command("iptables-save", "-t", string(table)).CombinedOutput()`
`193`	`194`	`if err != nil {`
`194`	`195`	`return false, fmt.Errorf("error checking rule: %v", err)`
`@@ -206,6 +207,7 @@ func (runner *runner) checkRuleWithoutCheck(table Table, chain Chain, args ...st`
`206`	`207`	`if util.NewStringSet(fields...).IsSuperset(argset) {`
`207`	`208`	`return true, nil`
`208`	`209`	`}`
	`210`	`+ glog.V(5).Infof("DBG: fields is not a superset of args: fields=%v args=%v", fields, args)`
`209`	`211`	`}`
`210`	`212`	`}`
`211`	`213`