
Check DOCKER-USER chain exists in nf_tables #1900

Merged (3 commits into main, Feb 20, 2024)

Conversation

steiler (Collaborator) commented Feb 19, 2024

The simple check for the loaded nf_tables kernel module is not enough. It can be loaded whilst nf_tables is still not in use. iptables-legacy then most probably is.
So via this PR, we check if the DOCKER-USER chain exists. If not, we return and iptables will be used.
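An added example of the detection rule this PR describes, written by the editor and not taken from containerlab's code: instead of the project's nftables client it parses the JSON that `nft -j list chains` emits, looks for Docker's DOCKER-USER chain in the `ip filter` table, and only reports nf_tables as the backend when that chain exists. The two sample listings are constructed to model nft's JSON shape (one with the chain, one where nf_tables is loaded but holds only unrelated tables), and the constant and function names are the editor's, not containerlab's `definitions.DockerFWUserChain` or `getChains`:

```go
package main

import (
	"encoding/json"
	"fmt"
	"os/exec"
)

// DockerUserChain is the chain this PR looks for. Docker (via iptables-nft)
// creates it in the "ip filter" table; the constant name is mine, not
// containerlab's definitions.DockerFWUserChain.
const DockerUserChain = "DOCKER-USER"

// Backend is the firewall backend a caller should drive.
type Backend string

const (
	BackendNftables Backend = "nftables"
	BackendIptables Backend = "iptables"
)

// nftListing mirrors the shape of `nft -j list chains`: a top-level
// "nftables" array whose elements are single-key objects ("metainfo",
// "table", "chain", ...). Only "chain" entries are decoded here; the
// others leave Chain nil.
type nftListing struct {
	Nftables []struct {
		Chain *struct {
			Family string `json:"family"`
			Table  string `json:"table"`
			Name   string `json:"name"`
		} `json:"chain"`
	} `json:"nftables"`
}

// HasChain reports whether a chain called name exists in the given
// family/table of an nft JSON listing. A parse failure is an error, not
// "absent": a caller must not mistake an unreadable listing for a host
// without nf_tables rules.
func HasChain(nftJSON []byte, family, table, name string) (bool, error) {
	var l nftListing
	if err := json.Unmarshal(nftJSON, &l); err != nil {
		return false, fmt.Errorf("parsing nft output: %w", err)
	}
	for _, obj := range l.Nftables {
		c := obj.Chain
		if c != nil && c.Family == family && c.Table == table && c.Name == name {
			return true, nil
		}
	}
	return false, nil
}

// ChooseBackend applies the PR's rule: nf_tables counts as "in use" only if
// Docker's DOCKER-USER chain exists in it. A loaded nf_tables module with
// no such chain means Docker is programming iptables-legacy instead.
func ChooseBackend(nftJSON []byte) (Backend, error) {
	ok, err := HasChain(nftJSON, "ip", "filter", DockerUserChain)
	if err != nil {
		return "", err
	}
	if !ok {
		return BackendIptables, nil
	}
	return BackendNftables, nil
}

// SampleWithDockerUser is a constructed listing, modeled on nft's JSON
// output, for a host where Docker has programmed nf_tables.
var SampleWithDockerUser = []byte(`{"nftables":[
 {"metainfo":{"json_schema_version":1}},
 {"table":{"family":"ip","name":"filter","handle":1}},
 {"chain":{"family":"ip","table":"filter","name":"FORWARD","handle":2,"type":"filter","hook":"forward","prio":0,"policy":"drop"}},
 {"chain":{"family":"ip","table":"filter","name":"DOCKER-USER","handle":3}}
]}`)

// SampleModuleLoadedOnly is a constructed listing for the case the PR
// fixes: nf_tables is loaded and holds unrelated tables (here a firewalld
// style inet table), but Docker's chain is absent, so Docker is on
// iptables-legacy.
var SampleModuleLoadedOnly = []byte(`{"nftables":[
 {"metainfo":{"json_schema_version":1}},
 {"table":{"family":"inet","name":"firewalld","handle":1}},
 {"chain":{"family":"inet","table":"firewalld","name":"filter_INPUT","handle":2}}
]}`)

// main runs the check against the live host; it needs nft on PATH and
// CAP_NET_ADMIN, which is why the samples above exist for offline use.
func main() {
	out, err := exec.Command("nft", "-j", "list", "chains").Output()
	if err != nil {
		fmt.Println("cannot query nf_tables:", err)
		return
	}
	b, err := ChooseBackend(out)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println("firewall backend:", b)
}
```

The point worth keeping from this shape is the three-way outcome: chain present (nf_tables is really in use), chain absent (fall back to iptables, as the PR does), and listing unreadable (an error, since an unprivileged or broken nft query says nothing about which backend Docker is using).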

@steiler steiler marked this pull request as ready for review February 19, 2024 09:52
aminato-nokia commented Feb 20, 2024

Tested on RHEL 7 with this kernel:

[root@kvm-7 tmp]# uname -r
6.7.4-1.el7.elrepo.x86_64

Deployment was OK, without any error messages:

[root@kvm-7 tmp]# containerlab deploy --topo test_ne.yml
INFO[0000] Containerlab v0.49.0 started
INFO[0000] Parsing & checking topology file: test_ne.yml
INFO[0000] Creating lab directory: /tmp/clab-test_oob
INFO[0000] Creating container: "VSR-NRC"
INFO[0000] Adding containerlab host entries to /etc/hosts file
INFO[0000] Adding ssh config for containerlab nodes
+---+-----------------------+--------------+-------------------------------------------+---------+---------+----------------+--------------+
| # |         Name          | Container ID |                   Image                   |  Kind   |  State  |  IPv4 Address  | IPv6 Address |
+---+-----------------------+--------------+-------------------------------------------+---------+---------+----------------+--------------+
| 1 | clab-test_oob-VSR-NRC | 4bb896de89ea | registry.srlinux.dev/pub/vr-sros:23.10.R1 | vr-sros | running | 20.30.40.20/24 | N/A          |
+---+-----------------------+--------------+-------------------------------------------+---------+---------+----------------+--------------+

@steiler steiler requested a review from hellt February 20, 2024 10:36
steiler (Collaborator, Author) commented Feb 20, 2024

@hellt Take a look if you've got comments, otherwise we can merge.

if err != nil {
return nil, err
}
if len(chains) == 0 {
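Review bot: the `if err != nil { return nil, err }` branch above the `len(chains) == 0` check propagates a failed chain lookup outward rather than falling back, so only an empty result triggers the "iptables will be used" path the PR summary describes; if a host where nf_tables cannot be queried should also fall back, the error branch needs the same treatment, and if not, that distinction deserves a one-line comment. A comment on the `len(chains) == 0` branch naming the DOCKER-USER chain would also answer the question below without a reader having to trace the argument passed to `getChains(...)`.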
hellt (Member) commented:

Can we check for docker user chain and not just some chains?

steiler (Collaborator, Author) replied:

That's what we do. If you look closely, you will notice definitions.DockerFWUserChain as the parameter to getChains(...).

codecov bot commented Feb 20, 2024

Codecov Report

Attention: 5 lines in your changes are missing coverage. Please review.

Comparison is base (aaeb64b) 53.65% compared to head (d7130b3) 53.60%.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #1900      +/-   ##
==========================================
- Coverage   53.65%   53.60%   -0.05%     
==========================================
  Files         154      154              
  Lines       11227    11233       +6     
==========================================
- Hits         6024     6022       -2     
- Misses       4343     4348       +5     
- Partials      860      863       +3     
Files Coverage Δ
runtime/docker/firewall/nftables/client.go 70.54% <16.66%> (-2.63%) ⬇️

... and 2 files with indirect coverage changes

@hellt hellt merged commit 2d9da56 into main Feb 20, 2024
59 of 60 checks passed
@hellt hellt deleted the nftablesCheckChainExists branch February 20, 2024 14:02