Improve utiliptables error handling when there's no iptables binary

If `iptables --version` failed, utiliptables.New() would log a warning
and assume that the problem was that you had an implausibly ancient
version of iptables installed. Change it to instead assume that the
problem is that you don't have iptables installed at all (and don't
log anything; the caller will discover this later).

Author: danwinship

pkg/util/iptables/iptables.go

@@ -219,12 +219,6 @@ type runner struct {
 // newInternal returns a new Interface which will exec iptables, and allows the
 // caller to change the iptables-restore lockfile path
 func newInternal(exec utilexec.Interface, protocol Protocol, lockfilePath14x, lockfilePath16x string) Interface {
-	version, err := getIPTablesVersion(exec, protocol)
-	if err != nil {
-		klog.InfoS("Error checking iptables version, assuming version at least", "version", MinCheckVersion, "err", err)
-		version = MinCheckVersion
-	}
-
 	if lockfilePath16x == "" {
 		lockfilePath16x = LockfilePath16x
 	}
@@ -235,13 +229,22 @@ func newInternal(exec utilexec.Interface, protocol Protocol, lockfilePath14x, lo
 	runner := &runner{
 		exec:            exec,
 		protocol:        protocol,
-		hasCheck:        version.AtLeast(MinCheckVersion),
-		hasRandomFully:  version.AtLeast(RandomFullyMinVersion),
-		waitFlag:        getIPTablesWaitFlag(version),
-		restoreWaitFlag: getIPTablesRestoreWaitFlag(version, exec, protocol),
 		lockfilePath14x: lockfilePath14x,
 		lockfilePath16x: lockfilePath16x,
 	}
+
+	version, err := getIPTablesVersion(exec, protocol)
+	if err != nil {
+		// The only likely error is "no such file or directory", in which case any
+		// further commands will fail the same way, so we don't need to do
+		// anything special here.
+		return runner
+	}
+
+	runner.hasCheck = version.AtLeast(MinCheckVersion)
+	runner.hasRandomFully = version.AtLeast(RandomFullyMinVersion)
+	runner.waitFlag = getIPTablesWaitFlag(version)
+	runner.restoreWaitFlag = getIPTablesRestoreWaitFlag(version, exec, protocol)
 	return runner
 }
 

pkg/util/iptables/iptables_test.go

@@ -177,13 +177,9 @@ func TestNew(t *testing.T) {
 					command: "iptables --version",
 					action:  func() ([]byte, []byte, error) { return nil, nil, fmt.Errorf("no such file or directory") },
 				},
-				{
-					command: "iptables-restore --version",
-					action:  func() ([]byte, []byte, error) { return nil, nil, fmt.Errorf("no such file or directory") },
-				},
 			},
 			expected: &runner{
-				hasCheck:        true,
+				hasCheck:        false,
 				hasRandomFully:  false,
 				waitFlag:        nil,
 				restoreWaitFlag: nil,
@@ -601,7 +597,7 @@ func TestGetIPTablesHasCheckCommand(t *testing.T) {
 		{"iptables v1.4.11", true},
 		{"iptables v1.4.19.1", true},
 		{"iptables v2.0.0", true},
-		{"total junk", true},
+		{"total junk", false},
 	}
 
 	for _, testCase := range testCases {