
Commit dc19603

authored
fix(NPC): don't rely on exit code for chain check (cloudnativelabs#1157)
Don't use the exit code of NewChain() to decide whether the chain exists, as it doesn't appear to be consistent between the nftables and legacy iptables implementations.
1 parent 401e4cf commit dc19603


1 file changed

+18
-6
lines changed


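--- a/pkg/controllers/netpol/network_policy_controller.go
+++ b/pkg/controllers/netpol/network_policy_controller.go
@@ -346,9 +346,15 @@ func (npc *NetworkPolicyController) ensureTopLevelChains() {
 }
 
 for builtinChain, customChain := range defaultChains {
-err = iptablesCmdHandler.NewChain("filter", customChain)
-if err != nil && err.(*iptables.Error).ExitStatus() != 1 {
-klog.Fatalf("Failed to run iptables command to create %s chain due to %s", customChain, err.Error())
+exists, err := iptablesCmdHandler.ChainExists("filter", customChain)
+if err != nil {
+klog.Fatalf("failed to check for the existence of chain %s, error: %v", customChain, err)
+}
+if !exists {
+err = iptablesCmdHandler.NewChain("filter", customChain)
+if err != nil {
+klog.Fatalf("failed to run iptables command to create %s chain due to %s", customChain, err.Error())
+}
 }
 args := []string{"-m", "comment", "--comment", "kube-router netpol", "-j", customChain}
 uuid, err := addUUIDForRuleSpec(builtinChain, &args)
@@ -413,9 +419,15 @@ func (npc *NetworkPolicyController) ensureDefaultNetworkPolicyChain() {
 markComment := "rule to mark traffic matching a network policy"
 markArgs = append(markArgs, "-j", "MARK", "-m", "comment", "--comment", markComment, "--set-xmark", "0x10000/0x10000")
 
-err = iptablesCmdHandler.NewChain("filter", kubeDefaultNetpolChain)
-if err != nil && err.(*iptables.Error).ExitStatus() != 1 {
-klog.Fatalf("Failed to run iptables command to create %s chain due to %s", kubeDefaultNetpolChain, err.Error())
+exists, err := iptablesCmdHandler.ChainExists("filter", kubeDefaultNetpolChain)
+if err != nil {
+klog.Fatalf("failed to check for the existence of chain %s, error: %v", kubeDefaultNetpolChain, err)
+}
+if !exists {
+err = iptablesCmdHandler.NewChain("filter", kubeDefaultNetpolChain)
+if err != nil {
+klog.Fatalf("failed to run iptables command to create %s chain due to %s", kubeDefaultNetpolChain, err.Error())
+}
 }
 err = iptablesCmdHandler.AppendUnique("filter", kubeDefaultNetpolChain, markArgs...)
 if err != nil {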
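Review bot: The new check-then-create in ensureTopLevelChains (and the identical shape in ensureDefaultNetworkPolicyChain, the second hunk) is no longer tolerant of the chain appearing between ChainExists and NewChain: the removed code accepted exit status 1 for exactly that case, whereas now any NewChain error is fatal, so a concurrent creator (another iptables writer on the node) can take the whole controller down with a Fatalf. A cheap way to keep the fix while closing that window is to re-check ChainExists when NewChain fails and only treat the failure as fatal if the chain is still absent; the same pattern is duplicated twice, so it would also fit well in a small shared helper. Minor: inside the for loop, `exists, err :=` declares a loop-scoped err that shadows the function-level one, which is harmless here but will show up under shadow linters. Both enclosing functions begin outside the hunks.
```go
if !exists {
	err = iptablesCmdHandler.NewChain("filter", customChain)
	if err != nil {
		// Another writer may have created the chain between ChainExists and
		// NewChain; only treat the failure as fatal if the chain is still absent.
		stillExists, checkErr := iptablesCmdHandler.ChainExists("filter", customChain)
		if checkErr != nil || !stillExists {
			klog.Fatalf("failed to run iptables command to create %s chain due to %s", customChain, err.Error())
		}
	}
}
// … unchanged: rule spec and addUUIDForRuleSpec call …
```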
