Skip to content

Fix iptables.Exists logic#925

Merged
mavenugo merged 1 commit intomoby:masterfrom
aboch:ex
Mar 4, 2016
Merged

Fix iptables.Exists logic#925
mavenugo merged 1 commit intomoby:masterfrom
aboch:ex

Conversation

@aboch
Copy link
Copy Markdown
Contributor

@aboch aboch commented Feb 2, 2016

  • Fixed Exists to attempt a raw exists check only when "iptables -C ..." is not supported . This is a problem because the raw check has several bugs.
  • Fixed raw exists to not match substring
  • Added GetVersion method

Signed-off-by: Alessandro Boch aboch@docker.com

mavenugo
mavenugo reviewed Feb 2, 2016
View reviewed changes
Comment thread iptables/iptables.go
Copy link
Copy Markdown
Contributor

@mavenugo mavenugo Feb 2, 2016

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

are you adding the \n to take care of the Contains matching on partial TARGET ?

Copy link
Copy Markdown
Contributor Author

@aboch aboch Feb 2, 2016

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes

Copy link
Copy Markdown
Contributor Author

@aboch aboch Feb 2, 2016

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I added a test for it.

Copy link
Copy Markdown
Contributor

@mavenugo mavenugo Feb 2, 2016

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

where ? I dont see a partial TARGET match test here.

Copy link
Copy Markdown
Contributor Author

@aboch aboch Feb 2, 2016

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Look at line 275 in the test diffs

Copy link
Copy Markdown
Contributor Author

@aboch aboch Feb 3, 2016

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@mavenugo
Actually you are right, I modified the test code but the check at 275 is still testing the old logic.
Will fix

Copy link
Copy Markdown
Contributor Author

@aboch aboch Feb 3, 2016

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@mavenugo
Took care of it, PTAL

Copy link
Copy Markdown
Contributor

@mavenugo mavenugo Feb 6, 2016

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

quite frankly, am not too comfortable depending on \n as a mechanism to guarantee the comparison and it could result in false-negatives depending on the position of the rule itself (and various other unrelated dependencies).

Copy link
Copy Markdown
Contributor Author

@aboch aboch Feb 9, 2016

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looking for the \n is in fact to avoid a possible match on a rule subset.

The existing raw exist check does nothing but looking for the rule string in the output of iptables -t <table> -S <chain>, which is a list of \n terminated strings, where each rule follows this format:

-<Action> <Chain> <rule args>\n

Given the rule format, checking if the byte stream contains <rule>\n will guarantee no subset can match.

Copy link
Copy Markdown
Contributor

@chenchun chenchun Feb 17, 2016

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm ok with \n as a delimiter, as k8s does https://github.com/kubernetes/kubernetes/blob/master/pkg/util/iptables/iptables.go#L417-L437

@aboch
Fix iptables.Exists logic
e5b348b 
- Fixed exists to attempt a raw exists check only when
  "iptables -C ..." execution returns error becasue of "unsupported option"
- Fixed raw exists to not match substring
- Added GetVersion method

Signed-off-by: Alessandro Boch <aboch@docker.com>
@aboch
Copy link
Copy Markdown
Contributor Author

aboch commented Feb 23, 2016

@chenchun I think I took care of your comment. PTAL when you get a chance. Thanks.

@chenchun
Copy link
Copy Markdown
Contributor

chenchun commented Feb 23, 2016

LGTM

@mavenugo
Copy link
Copy Markdown
Contributor

mavenugo commented Mar 2, 2016

LGTM.

@mrjana can you please confirm if you are okay for us to check the iptables version as we do in this PR ? I know we had a similar discussion regarding checking for kernel version vs functionality.

@mrjana
Copy link
Copy Markdown
Contributor

mrjana commented Mar 2, 2016

Yes let's not do any static version checks on any software. Check for the functionality. If the check is made only for test code, the whole versioning check code can move to the *_test file.

@aboch
Copy link
Copy Markdown
Contributor Author

aboch commented Mar 2, 2016

@mrjana
Please note the check on functionality here is very weak as it would look for an error printed by the iptables command. An error which is not guaranteed to be consistent across iptables versions.

The iptables support for the -c option is well documented in their release docs.
No in this PR the version check is not for test code.

mavenugo added a commit that referenced this pull request Mar 4, 2016
@mavenugo
Merge pull request #925 from aboch/ex
f198d12 
Fix iptables.Exists logic
@mavenugo mavenugo merged commit f198d12 into moby:master Mar 4, 2016
@aboch aboch deleted the ex branch March 7, 2016 16:37
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

status/0-triage

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@aboch @chenchun @mavenugo @mrjana @GordonTheTurtle