feat(linkerd-cni): add support for plain iptables commands (#449)

alpeb · web-flow · commit ca9c4603fb37 · 2024-12-11T16:15:28.000-05:00
Currently the `iptables-mode` for linkerd-cni admits the values `legacy` and `nft`, which make the plugin use the `iptables-legacy[-save]` and `iptables-nft[-save]` commands respectively.

This assumes those commands are available in the node environment, given that linkerd-cni is triggered by the kubelet.

We have found that not to be the case for RHEL, where by default only `iptables[-save]` is available, which is equivalent to the `iptables-nft[-save]` command in other enviroments.

To address this case, this change adds a new possible value `iptables-mode: plain` that makes the plugin use the `iptables[-save]` commands.

This has been tested successfully using RKE2 deployed in RHEL 8.10.
diff --git a/proxy-init/cmd/root.go b/proxy-init/cmd/root.go
@@ -18,6 +18,9 @@ const (
 	IPTablesModeLegacy = "legacy"
 	// IPTablesModeNFT signals the usage of the iptables-nft commands
 	IPTablesModeNFT = "nft"
+	// IPTablesModePlain signals the usage of the iptables commands, which
+	// can be either legacy or nft
+	IPTablesModePlain = "plain"
 
 	cmdLegacy         = "iptables-legacy"
 	cmdLegacySave     = "iptables-legacy-save"
@@ -27,6 +30,10 @@ const (
 	cmdNFTSave        = "iptables-nft-save"
 	cmdNFTIPv6        = "ip6tables-nft"
 	cmdNFTIPv6Save    = "ip6tables-nft-save"
+	cmdPlain          = "iptables"
+	cmdPlainSave      = "iptables-save"
+	cmdPlainIPv6      = "ip6tables"
+	cmdPlainIPv6Save  = "ip6tables-save"
 )
 
 // RootOptions provides the information that will be used to build a firewall configuration.
@@ -147,7 +154,7 @@ func NewRootCmd() *cobra.Command {
 	cmd.PersistentFlags().IntVar(&options.TimeoutCloseWaitSecs, "timeout-close-wait-secs", options.TimeoutCloseWaitSecs, "Sets nf_conntrack_tcp_timeout_close_wait")
 	cmd.PersistentFlags().StringVar(&options.LogFormat, "log-format", options.LogFormat, "Configure log format ('plain' or 'json')")
 	cmd.PersistentFlags().StringVar(&options.LogLevel, "log-level", options.LogLevel, "Configure log level")
-	cmd.PersistentFlags().StringVar(&options.IPTablesMode, "iptables-mode", options.IPTablesMode, "Variant of iptables command to use (\"legacy\" or \"nft\"); overrides --firewall-bin-path and --firewall-save-bin-path")
+	cmd.PersistentFlags().StringVar(&options.IPTablesMode, "iptables-mode", options.IPTablesMode, "Variant of iptables command to use (\"legacy\", \"nft\" or \"plain\"); overrides --firewall-bin-path and --firewall-save-bin-path")
 	cmd.PersistentFlags().BoolVar(&options.IPv6, "ipv6", options.IPv6, "Set rules both via iptables and ip6tables to support dual-stack networking")
 
 	// these two flags are kept for backwards-compatibility, but --iptables-mode is preferred
@@ -158,8 +165,8 @@ func NewRootCmd() *cobra.Command {
 
 // BuildFirewallConfiguration returns an iptables FirewallConfiguration suitable to use to configure iptables.
 func BuildFirewallConfiguration(options *RootOptions) (*iptables.FirewallConfiguration, error) {
-	if options.IPTablesMode != "" && options.IPTablesMode != IPTablesModeLegacy && options.IPTablesMode != IPTablesModeNFT {
-		return nil, fmt.Errorf("--iptables-mode valid values are only \"%s\" and \"%s\"", IPTablesModeLegacy, IPTablesModeNFT)
+	if options.IPTablesMode != "" && options.IPTablesMode != IPTablesModeLegacy && options.IPTablesMode != IPTablesModeNFT && options.IPTablesMode != IPTablesModePlain {
+		return nil, fmt.Errorf("--iptables-mode valid values are only \"%s\", \"%s\" and \"%s\"", IPTablesModeLegacy, IPTablesModeNFT, IPTablesModePlain)
 	}
 
 	if options.IPTablesMode == "" {
@@ -168,8 +175,10 @@ func BuildFirewallConfiguration(options *RootOptions) (*iptables.FirewallConfigu
 			options.IPTablesMode = IPTablesModeLegacy
 		case cmdNFT:
 			options.IPTablesMode = IPTablesModeNFT
+		case cmdPlain:
+			options.IPTablesMode = IPTablesModePlain
 		default:
-			return nil, fmt.Errorf("--firewall-bin-path valid values are only \"%s\" and \"%s\"", cmdLegacy, cmdNFT)
+			return nil, fmt.Errorf("--firewall-bin-path valid values are only \"%s\", \"%s\" and \"%s\"", cmdLegacy, cmdNFT, cmdPlain)
 		}
 	}
 
@@ -229,18 +238,23 @@ func getFormatter(format string) log.Formatter {
 }
 
 func getCommands(options *RootOptions) (string, string) {
-	if options.IPTablesMode == IPTablesModeLegacy {
+	switch options.IPTablesMode {
+	case IPTablesModeLegacy:
 		if options.IPv6 {
 			return cmdLegacyIPv6, cmdLegacyIPv6Save
 		}
 		return cmdLegacy, cmdLegacySave
+	case IPTablesModeNFT:
+		if options.IPv6 {
+			return cmdNFTIPv6, cmdNFTIPv6Save
+		}
+		return cmdNFT, cmdNFTSave
+	default:
+		if options.IPv6 {
+			return cmdPlainIPv6, cmdPlainIPv6Save
+		}
+		return cmdPlain, cmdPlainSave
 	}
-
-	if options.IPv6 {
-		return cmdNFTIPv6, cmdNFTIPv6Save
-	}
-
-	return cmdNFT, cmdNFTSave
 }
 
 func setLogLevel(logLevel string) error {
