
Commit d3db72e

authored
Re-order NPM IpTable Chains/Rules (#572)
* Move AZURE-NPM chain under KUBE-SERVICES chain; Move default allow CONNECTED/RELATED entry to the end of AZURE-NPM chain. * Find index of KUBE-SERVICES chain.
1 parent 9e15490 commit d3db72e

1 file changed

+66
-23
lines changed

1 file changed

+66
-23
lines changed

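--- a/npm/iptm/iptm.go
+++ b/npm/iptm/iptm.go
@@ -9,6 +9,7 @@ package iptm
 import (
 "os"
 "os/exec"
+"strconv"
 "strings"
 "syscall"
 "time"
@@ -18,6 +19,7 @@ import (
 "github.com/Azure/azure-container-networking/log"
 "github.com/Azure/azure-container-networking/npm/util"
 "k8s.io/apimachinery/pkg/util/wait"
+// utiliptables "k8s.io/kubernetes/pkg/util/iptables"
 )
 
 const (
@@ -72,32 +74,24 @@ func (iptMgr *IptablesManager) InitNpmChains() error {
 }
 
 if !exists {
-iptMgr.OperationFlag = util.IptablesInsertionFlag
-if _, err = iptMgr.Run(entry); err != nil {
-log.Errorf("Error: failed to add AZURE-NPM chain to FORWARD chain.")
-return err
+// retrieve KUBE-SERVICES index
+index := "1"
+iptFilterEntries := exec.Command(util.Iptables, "-t", "filter", "-n", "--list", "FORWARD", "--line-numbers")
+grep := exec.Command("grep", "KUBE-SERVICES")
+pipe, _ := iptFilterEntries.StdoutPipe()
+grep.Stdin = pipe
+iptFilterEntries.Start()
+output, err := grep.CombinedOutput()
+if err == nil && len(output) > 2 {
+tmpIndex, _ := strconv.Atoi(string(output[0]))
+index = strconv.Itoa(tmpIndex + 1)
 }
-}
-
-// Add default allow CONNECTED/RELATED rule to AZURE-NPM chain.
-entry.Chain = util.IptablesAzureChain
-entry.Specs = []string{
-util.IptablesModuleFlag,
-util.IptablesStateModuleFlag,
-util.IptablesStateFlag,
-util.IptablesRelatedState + "," + util.IptablesEstablishedState,
-util.IptablesJumpFlag,
-util.IptablesAccept,
-}
-exists, err = iptMgr.Exists(entry)
-if err != nil {
-return err
-}
-
-if !exists {
+pipe.Close()
+// position Azure-NPM chain after Kube-Forward and Kube-Service chains if it exists
 iptMgr.OperationFlag = util.IptablesInsertionFlag
+entry.Specs = append([]string{index}, entry.Specs...)
 if _, err = iptMgr.Run(entry); err != nil {
-log.Printf("Error: failed to add default allow CONNECTED/RELATED rule to AZURE-NPM chain.")
+log.Errorf("Error: failed to add AZURE-NPM chain to FORWARD chain.")
 return err
 }
 }
@@ -175,6 +169,29 @@ func (iptMgr *IptablesManager) InitNpmChains() error {
 }
 }
 
+// Add default allow CONNECTED/RELATED rule to AZURE-NPM chain.
+entry.Chain = util.IptablesAzureChain
+entry.Specs = []string{
+util.IptablesModuleFlag,
+util.IptablesStateModuleFlag,
+util.IptablesStateFlag,
+util.IptablesRelatedState + "," + util.IptablesEstablishedState,
+util.IptablesJumpFlag,
+util.IptablesAccept,
+}
+exists, err = iptMgr.Exists(entry)
+if err != nil {
+return err
+}
+
+if !exists {
+iptMgr.OperationFlag = util.IptablesAppendFlag
+if _, err = iptMgr.Run(entry); err != nil {
+log.Printf("Error: failed to add default allow CONNECTED/RELATED rule to AZURE-NPM chain.")
+return err
+}
+}
+
 return nil
 }
 
@@ -457,3 +474,29 @@ func grabIptablesLocks() (*os.File, error) {
 func grabIptablesFileLock(f *os.File) error {
 return unix.Flock(int(f.Fd()), unix.LOCK_EX|unix.LOCK_NB)
 }
+
+// TO-DO :- Use iptables-restore to update iptables.
+// func SyncIptables(entries []*IptEntry) error {
+// // Ensure main chains and rules are installed.
+// tablesNeedServicesChain := []utiliptables.Table{utiliptables.TableFilter, utiliptables.TableNAT}
+// for _, table := range tablesNeedServicesChain {
+// if _, err := proxier.iptables.EnsureChain(table, iptablesServicesChain); err != nil {
+// glog.Errorf("Failed to ensure that %s chain %s exists: %v", table, iptablesServicesChain, err)
+// return
+// }
+// }
+
+// // Get iptables-save output so we can check for existing chains and rules.
+// // This will be a map of chain name to chain with rules as stored in iptables-save/iptables-restore
+// existingFilterChains := make(map[utiliptables.Chain]string)
+// iptablesSaveRaw, err := proxier.iptables.Save(utiliptables.TableFilter)
+// if err != nil { // if we failed to get any rules
+// glog.Errorf("Failed to execute iptables-save, syncing all rules. %s", err.Error())
+// } else { // otherwise parse the output
+// existingFilterChains = getChainLines(utiliptables.TableFilter, iptablesSaveRaw)
+// }
+
+// // Write table headers.
+// writeLine(filterChains, "*filter")
+
+// }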
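Review bot: The KUBE-SERVICES rule number in the `@@ -72,32 +74,24 @@` hunk is parsed from a single byte, `tmpIndex, _ := strconv.Atoi(string(output[0]))`, so once that rule sits at position 10 or later the AZURE-NPM jump is inserted at the wrong place in FORWARD (rule "12" becomes index 2, ahead of the kube chains the comment says it should follow), and the `Atoi`, `StdoutPipe` and `Start` errors are all discarded while the started iptables process is never `Wait()`ed, leaving a zombie per call. The lookup does not need the grep pipe: capture the `--line-numbers` output once, find the line containing `KUBE-SERVICES`, parse its first whitespace-separated field, and keep the default index only when nothing usable is found. Since this runs `util.Iptables` directly instead of through `iptMgr.Run`, it presumably also bypasses whatever locking grabIptablesLocks provides for the other invocations — worth confirming. Note the comment names Kube-Forward as well, but only KUBE-SERVICES is searched for. InitNpmChains starts and ends outside this hunk.
```go
if !exists {
	// retrieve KUBE-SERVICES index; fall back to 1 when the FORWARD listing cannot be read or parsed
	index := "1"
	output, err := exec.Command(util.Iptables, "-t", "filter", "-n", "--list", "FORWARD", "--line-numbers").Output()
	if err != nil {
		log.Errorf("Error: failed to list FORWARD chain, inserting AZURE-NPM chain at index 1.")
	} else {
		for _, line := range strings.Split(string(output), "\n") {
			if !strings.Contains(line, "KUBE-SERVICES") {
				continue
			}
			fields := strings.Fields(line)
			if len(fields) == 0 {
				break
			}
			// first field of a --line-numbers row is the rule number; parse all of its digits
			if tmpIndex, convErr := strconv.Atoi(fields[0]); convErr == nil {
				index = strconv.Itoa(tmpIndex + 1)
			}
			break
		}
	}
	// … unchanged: insertion of AZURE-NPM chain at index via iptMgr.Run …
```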