fix: avoid segfault by only listing one chain

huntergregory · huntergregory · commit 85dc587eb75e · 2024-11-04T17:00:05.000-08:00
Signed-off-by: Hunter Gregory &lt;42728408+huntergregory@users.noreply.github.com&gt;
diff --git a/npm/pkg/dataplane/policies/chain-management_linux.go b/npm/pkg/dataplane/policies/chain-management_linux.go
@@ -91,6 +91,10 @@ var (
 		util.IptablesJumpFlag,
 		util.IptablesAzureChain,
 	}
+
+	listChainArgs       = []string{util.IptablesWaitFlag, util.IptablesDefaultWaitTime, util.IptablesTableFlag, util.IptablesMangleTable, util.IptablesNumericFlag, util.IptablesListFlag}
+	listHintChainArgs   = append(listChainArgs, "KUBE-IPTABLES-HINT")
+	listCanaryChainArgs = append(listChainArgs, "KUBE-KUBELET-CANARY")
 )
 
 type exitErrorInfo struct {
@@ -246,46 +250,23 @@ func (pMgr *PolicyManager) bootupAfterDetectAndCleanup() error {
 // detectIptablesVersion sets the global iptables variable to nft if detected or legacy if detected.
 // NPM will crash if it fails to detect either.
 // This global variable is referenced in all iptables related functions.
+// NPM should use the same iptables version as kube-proxy.
+// kube-proxy creates an iptables chain as a hint for which version it uses.
+// For more details, see: https://kubernetes.io/blog/2022/09/07/iptables-chains-not-api/#use-case-iptables-mode
 func (pMgr *PolicyManager) detectIptablesVersion() error {
-	klog.Info("first attempt detecting iptables version. running: iptables-nft-save -t mangle")
-	cmd := pMgr.ioShim.Exec.Command(util.IptablesSaveNft, "-t", "mangle")
-	output, nftErr := cmd.CombinedOutput()
-	if nftErr != nil {
-		msg := "failed to detect iptables version on first attempt. error running iptables-nft-save. will try detecting using iptables-legacy-save. err: %s"
-		metrics.SendErrorLogAndMetric(util.IptmID, msg, nftErr.Error())
-	} else if strings.Contains(string(output), "KUBE-IPTABLES-HINT") || strings.Contains(string(output), "KUBE-KUBELET-CANARY") {
-		msg := "detected iptables version on first attempt. found KUBE chains in nft iptables. NPM will use iptables-nft"
-		klog.Info(msg)
-		metrics.SendLog(util.IptmID, msg, metrics.DonotPrint)
+	klog.Info("first attempt detecting iptables version. looking for hint/canary chain in iptables-nft")
+	if pMgr.hintOrCanaryChainExist(util.IptablesNft) {
 		util.SetIptablesToNft()
 		return nil
 	}
 
-	klog.Info("second attempt detecting iptables version. running: iptables-legacy-save -t mangle")
-	lCmd := pMgr.ioShim.Exec.Command(util.IptablesSaveLegacy, "-t", "mangle")
-	loutput, legacyErr := lCmd.CombinedOutput()
-	if legacyErr != nil {
-		msg := "failed to detect iptables version on second attempt. error running iptables-legacy-save. will try detecting using kernel version. err: %s"
-		metrics.SendErrorLogAndMetric(util.IptmID, msg, legacyErr.Error())
-	} else {
-		if strings.Contains(string(loutput), "KUBE-IPTABLES-HINT") || strings.Contains(string(loutput), "KUBE-KUBELET-CANARY") {
-			msg := "detected iptables version on second attempt. found KUBE chains in legacy tables. NPM will use iptables-legacy"
-			klog.Info(msg)
-			metrics.SendLog(util.IptmID, msg, metrics.DonotPrint)
-			util.SetIptablesToLegacy()
-			return nil
-		} else if nftErr != nil {
-			msg := "NPM will use iptables-nft. iptables-nft-save failed earlier, but iptables-legacy-save didn't have KUBE chains"
-			klog.Info(msg)
-			metrics.SendLog(util.IptmID, msg, metrics.DonotPrint)
-			util.SetIptablesToNft()
-			return nil
-		}
+	klog.Info("second attempt detecting iptables version. looking for hint/canary chain in iptables-legacy")
+	if pMgr.hintOrCanaryChainExist(util.IptablesLegacy) {
+		util.SetIptablesToLegacy()
+		return nil
 	}
 
-	// we are here if either:
-	// 1. both nft and legacy save commands failed
-	// 2. both nft and legacy save commands didn't have KUBE chains
+	// at this point, chains do not exist in iptables legacy/nft and/or iptables commands have failed for other reasons
 	klog.Info("third attempt detecting iptables version. getting kernel version")
 	var majorVersion int
 	var versionError error
@@ -315,6 +296,31 @@ func (pMgr *PolicyManager) detectIptablesVersion() error {
 	return nil
 }
 
+func (pMgr *PolicyManager) hintOrCanaryChainExist(iptablesCmd string) bool {
+	// hint chain should exist since k8s 1.24 (see https://kubernetes.io/blog/2022/09/07/iptables-chains-not-api/#use-case-iptables-mode)
+	hintCmd := pMgr.ioShim.Exec.Command(iptablesCmd, listHintChainArgs...)
+	_, hintErr := hintCmd.CombinedOutput()
+	if hintErr != nil {
+		klog.Infof("failed to list hint chain. cmd: %s. error: %s", iptablesCmd, hintErr.Error())
+		metrics.SendErrorLogAndMetric(util.IptmID, "failed to list hint chain. cmd: %s. error: %s", iptablesCmd, hintErr.Error())
+	} else {
+		metrics.SendLog(util.IptmID, fmt.Sprintf("found hint chain. will use iptables version: %s", iptablesCmd), metrics.DonotPrint)
+		return true
+	}
+
+	// check for canary chain
+	canaryCmd := pMgr.ioShim.Exec.Command(iptablesCmd, listCanaryChainArgs...)
+	_, canaryErr := canaryCmd.CombinedOutput()
+	if canaryErr != nil {
+		klog.Infof("failed to list canary chain. cmd: %s. error: %s", iptablesCmd, canaryErr.Error())
+		metrics.SendErrorLogAndMetric(util.IptmID, "failed to list canary chain. cmd: %s. error: %s", iptablesCmd, canaryErr.Error())
+		return false
+	}
+
+	metrics.SendLog(util.IptmID, fmt.Sprintf("found canary chain. will use iptables version: %s", iptablesCmd), metrics.DonotPrint)
+	return true
+}
+
 // clenaupOtherIptablesChains cleans up legacy tables if using nft and vice versa.
 // It will only return an error if it fails to delete a jump rule and flush the AZURE-NPM chain (see comment about #3088 below).
 // Cleanup logic:
diff --git a/npm/pkg/dataplane/policies/chain-management_linux_test.go b/npm/pkg/dataplane/policies/chain-management_linux_test.go
@@ -909,58 +909,69 @@ func TestDetectIptablesVersion(t *testing.T) {
 
 	tests := []args{
 		{
-			name: "iptables-nft-save returns kube chains",
+			name: "nft has hint chain",
 			calls: []testutils.TestCmd{
 				{
-					Cmd:    []string{"iptables-nft-save", "-t", "mangle"},
-					Stdout: iptablesSaveMangleOutput,
+					Cmd:      []string{"iptables-nft", "-w", "60", "-t", "mangle", "-n", "-L", "KUBE-IPTABLES-HINT"},
+					ExitCode: 0,
 				},
 			},
 			expectedErr:             false,
 			expectedIptablesVersion: util.IptablesNft,
 		},
 		{
-			name: "iptables-save returns kube chains",
+			name: "nft has only canary chain",
 			calls: []testutils.TestCmd{
 				{
-					Cmd:    []string{"iptables-nft-save", "-t", "mangle"},
-					Stdout: "",
+					Cmd:      []string{"iptables-nft", "-w", "60", "-t", "mangle", "-n", "-L", "KUBE-IPTABLES-HINT"},
+					ExitCode: 1,
 				},
 				{
-					Cmd:    []string{"iptables-save", "-t", "mangle"},
-					Stdout: iptablesSaveMangleOutput,
+					Cmd:      []string{"iptables-nft", "-w", "60", "-t", "mangle", "-n", "-L", "KUBE-KUBELET-CANARY"},
+					ExitCode: 0,
 				},
 			},
 			expectedErr:             false,
-			expectedIptablesVersion: util.IptablesLegacy,
+			expectedIptablesVersion: util.IptablesNft,
 		},
 		{
-			name:          "iptables-nft-save and iptables-save both fail: kernel version >= 5",
-			kernelVersion: 5,
+			name: "legacy has hint chain",
 			calls: []testutils.TestCmd{
 				{
-					Cmd:      []string{"iptables-nft-save", "-t", "mangle"},
+					Cmd:      []string{"iptables-nft", "-w", "60", "-t", "mangle", "-n", "-L", "KUBE-IPTABLES-HINT"},
 					ExitCode: 1,
 				},
 				{
-					Cmd:      []string{"iptables-save", "-t", "mangle"},
+					Cmd:      []string{"iptables-nft", "-w", "60", "-t", "mangle", "-n", "-L", "KUBE-KUBELET-CANARY"},
 					ExitCode: 1,
 				},
+				{
+					Cmd:      []string{"iptables", "-w", "60", "-t", "mangle", "-n", "-L", "KUBE-IPTABLES-HINT"},
+					ExitCode: 0,
+				},
 			},
 			expectedErr:             false,
-			expectedIptablesVersion: util.IptablesNft,
+			expectedIptablesVersion: util.IptablesLegacy,
 		},
 		{
-			name:          "no kube chains: kernel version >= 5",
+			name:          "nft and legacy both fail: kernel version >= 5",
 			kernelVersion: 5,
 			calls: []testutils.TestCmd{
 				{
-					Cmd:    []string{"iptables-nft-save", "-t", "mangle"},
-					Stdout: "",
+					Cmd:      []string{"iptables-nft", "-w", "60", "-t", "mangle", "-n", "-L", "KUBE-IPTABLES-HINT"},
+					ExitCode: 2,
 				},
 				{
-					Cmd:    []string{"iptables-save", "-t", "mangle"},
-					Stdout: "",
+					Cmd:      []string{"iptables-nft", "-w", "60", "-t", "mangle", "-n", "-L", "KUBE-KUBELET-CANARY"},
+					ExitCode: 2,
+				},
+				{
+					Cmd:      []string{"iptables", "-w", "60", "-t", "mangle", "-n", "-L", "KUBE-IPTABLES-HINT"},
+					ExitCode: 2,
+				},
+				{
+					Cmd:      []string{"iptables", "-w", "60", "-t", "mangle", "-n", "-L", "KUBE-KUBELET-CANARY"},
+					ExitCode: 2,
 				},
 			},
 			expectedErr:             false,
@@ -971,12 +982,20 @@ func TestDetectIptablesVersion(t *testing.T) {
 			kernelVersion: 4,
 			calls: []testutils.TestCmd{
 				{
-					Cmd:    []string{"iptables-nft-save", "-t", "mangle"},
-					Stdout: "",
+					Cmd:      []string{"iptables-nft", "-w", "60", "-t", "mangle", "-n", "-L", "KUBE-IPTABLES-HINT"},
+					ExitCode: 1,
 				},
 				{
-					Cmd:    []string{"iptables-save", "-t", "mangle"},
-					Stdout: "",
+					Cmd:      []string{"iptables-nft", "-w", "60", "-t", "mangle", "-n", "-L", "KUBE-KUBELET-CANARY"},
+					ExitCode: 1,
+				},
+				{
+					Cmd:      []string{"iptables", "-w", "60", "-t", "mangle", "-n", "-L", "KUBE-IPTABLES-HINT"},
+					ExitCode: 1,
+				},
+				{
+					Cmd:      []string{"iptables", "-w", "60", "-t", "mangle", "-n", "-L", "KUBE-KUBELET-CANARY"},
+					ExitCode: 1,
 				},
 			},
 			expectedErr:             false,
@@ -987,12 +1006,20 @@ func TestDetectIptablesVersion(t *testing.T) {
 			kernelVersionErr: fmt.Errorf("kernel version error"),
 			calls: []testutils.TestCmd{
 				{
-					Cmd:    []string{"iptables-nft-save", "-t", "mangle"},
-					Stdout: "",
+					Cmd:      []string{"iptables-nft", "-w", "60", "-t", "mangle", "-n", "-L", "KUBE-IPTABLES-HINT"},
+					ExitCode: 1,
+				},
+				{
+					Cmd:      []string{"iptables-nft", "-w", "60", "-t", "mangle", "-n", "-L", "KUBE-KUBELET-CANARY"},
+					ExitCode: 1,
+				},
+				{
+					Cmd:      []string{"iptables", "-w", "60", "-t", "mangle", "-n", "-L", "KUBE-IPTABLES-HINT"},
+					ExitCode: 1,
 				},
 				{
-					Cmd:    []string{"iptables-save", "-t", "mangle"},
-					Stdout: "",
+					Cmd:      []string{"iptables", "-w", "60", "-t", "mangle", "-n", "-L", "KUBE-KUBELET-CANARY"},
+					ExitCode: 1,
 				},
 			},
 			expectedErr: true,
@@ -1001,7 +1028,8 @@ func TestDetectIptablesVersion(t *testing.T) {
 
 	for _, tt := range tests {
 		tt := tt
-		if tt.name != "no kube chains: kernel version is empty" {
+
+		if tt.name != "no kube chains: kernel version error" {
 			continue
 		}
 
@@ -1012,11 +1040,12 @@ func TestDetectIptablesVersion(t *testing.T) {
 			ioshim := common.NewMockIOShim(tt.calls)
 			defer ioshim.VerifyCalls(t, tt.calls)
 			cfg := &PolicyManagerCfg{
-				debug:                true,
-				debugKernelVersion:   tt.kernelVersion,
-				NodeIP:               "6.7.8.9",
-				PolicyMode:           IPSetPolicyMode,
-				PlaceAzureChainFirst: util.PlaceAzureChainFirst,
+				debug:                 true,
+				debugKernelVersion:    tt.kernelVersion,
+				debugKernelVersionErr: tt.kernelVersionErr,
+				NodeIP:                "6.7.8.9",
+				PolicyMode:            IPSetPolicyMode,
+				PlaceAzureChainFirst:  util.PlaceAzureChainFirst,
 			}
 			pMgr := NewPolicyManager(ioshim, cfg)
 			err := pMgr.detectIptablesVersion()
diff --git a/npm/pkg/dataplane/policies/testutils_linux.go b/npm/pkg/dataplane/policies/testutils_linux.go
@@ -7,21 +7,6 @@ import (
 	testutils "github.com/Azure/azure-container-networking/test/utils"
 )
 
-const iptablesSaveMangleOutput = `# Generated by iptables-save v1.8.4 on Thu Jan  7 17:00:00 2021
-*mangle
-:PREROUTING ACCEPT [0:0]
-:INPUT ACCEPT [0:0]
-:FORWARD ACCEPT [0:0]
-:OUTPUT ACCEPT [0:0]
-:POSTROUTING ACCEPT [0:0]
-:KUBE-IPTABLES-HINT - [0:0]
-:KUBE-KUBELET-CANARY - [0:0]
-:KUBE-PROXY-CANARY - [0:0]
--A FORWARD -d 168.63.129.16/32 -p tcp -m tcp --dport 32526 -j DROP
--A FORWARD -d 168.63.129.16/32 -p tcp -m tcp --dport 80 -j DROP
-COMMIT
-`
-
 var (
 	fakeIPTablesRestoreCommand        = testutils.TestCmd{Cmd: []string{"iptables-nft-restore", "-w", "60", "-T", "filter", "--noflush"}}
 	fakeIPTablesRestoreFailureCommand = testutils.TestCmd{Cmd: []string{"iptables-nft-restore", "-w", "60", "-T", "filter", "--noflush"}, ExitCode: 1}
@@ -68,8 +53,8 @@ func GetBootupTestCalls() []testutils.TestCmd {
 	bootUp := []testutils.TestCmd{
 		// detect iptables version to be nft
 		{
-			Cmd:    []string{"iptables-nft-save", "-t", "mangle"},
-			Stdout: iptablesSaveMangleOutput,
+			Cmd:      []string{"iptables-nft", "-w", "60", "-t", "mangle", "-n", "-L", "KUBE-IPTABLES-HINT"},
+			ExitCode: 0,
 		},
 		// legacy clean up
 		{Cmd: []string{"iptables", "-w", "60", "-D", "FORWARD", "-j", "AZURE-NPM"}, ExitCode: 2},                                        //nolint // AZURE-NPM chain didn't exist
diff --git a/npm/util/const.go b/npm/util/const.go
@@ -83,6 +83,7 @@ const (
 	IptablesEstablishedState   string = "ESTABLISHED"
 	IptablesNewState           string = "NEW"
 	IptablesFilterTable        string = "filter"
+	IptablesMangleTable        string = "mangle"
 	IptablesCommentModuleFlag  string = "comment"
 	IptablesCommentFlag        string = "--comment"
 	IptablesAddCommentFlag
