
Commit fed5823

committed
Add mode-detecting iptables wrappers to the debian-iptables image
1 parent ee681f7 commit fed5823


2 files changed

+53
-1
lines changed


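--- a/build/debian-iptables/Dockerfile
+++ b/build/debian-iptables/Dockerfile
@@ -14,10 +14,28 @@
 
 FROM BASEIMAGE
 
+# Install latest iptables package from buster-backports
+RUN echo deb http://deb.debian.org/debian buster-backports main >> /etc/apt/sources.list; \
+    apt-get update; \
+    apt-get -t buster-backports -y --no-install-recommends install iptables
+
+# Install other dependencies and then clean up apt caches
 RUN clean-install \
     conntrack \
     ebtables \
     ipset \
-    iptables \
     kmod \
     netbase
+
+# Install iptables wrapper scripts to detect the correct iptables mode
+# the first time any of them is run
+COPY iptables-wrapper /usr/sbin/iptables-wrapper
+
+RUN update-alternatives \
+    --install /usr/sbin/iptables iptables /usr/sbin/iptables-wrapper 100 \
+    --slave /usr/sbin/iptables-restore iptables-restore /usr/sbin/iptables-wrapper \
+    --slave /usr/sbin/iptables-save iptables-save /usr/sbin/iptables-wrapper
+RUN update-alternatives \
+    --install /usr/sbin/ip6tables ip6tables /usr/sbin/iptables-wrapper 100 \
+    --slave /usr/sbin/ip6tables-restore ip6tables-restore /usr/sbin/iptables-wrapper \
+    --slave /usr/sbin/ip6tables-save ip6tables-save /usr/sbin/iptables-wrapper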
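Review bot: The new buster-backports RUN chains its three commands with `;`, so a failed `apt-get update` does not stop the build and the install proceeds against whatever package lists happen to be present in the base image; the separators should be `&&`: `RUN echo deb http://deb.debian.org/debian buster-backports main >> /etc/apt/sources.list && \` / `apt-get update && \` / `apt-get -t buster-backports -y --no-install-recommends install iptables`. That same layer also leaves /var/lib/apt/lists populated — the comment on the following RUN says clean-install cleans up apt caches, but a later layer cannot shrink this one, so a trailing `&& rm -rf /var/lib/apt/lists/*` belongs at the end of this RUN. The backports iptables is unpinned, so two builds of the same Dockerfile can produce images with different iptables versions; if reproducibility matters, pin it as `iptables=<version-placeholder>` and record the version bump in the commit that changes it.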
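--- /dev/null
+++ b/iptables-wrapper
@@ -0,0 +1,34 @@
+#!/bin/sh
+
+# Copyright 2019 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -e
+
+# Detect whether the base system is using iptables-legacy or
+# iptables-nft. This assumes that some non-containerized process (eg
+# kubelet) has already created some iptables rules.
+num_legacy_lines=$( (iptables-legacy-save || true; ip6tables-legacy-save || true) 2>/dev/null | grep '^-' | wc -l)
+num_nft_lines=$( (iptables-nft-save || true; ip6tables-nft-save || true) 2>/dev/null | grep '^-' | wc -l)
+if [ "${num_legacy_lines}" -ge "${num_nft_lines}" ]; then
+    mode=legacy
+else
+    mode=nft
+fi
+
+update-alternatives --set iptables "/usr/sbin/iptables-${mode}" > /dev/null
+update-alternatives --set ip6tables "/usr/sbin/ip6tables-${mode}" > /dev/null
+
+# Now re-exec the original command with the newly-selected alternative
+exec "$0" "$@"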
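Review bot: The closing `exec "$0" "$@"` re-runs whatever path invoked the script and relies on the two `update-alternatives --set` calls above having repointed that path to a real iptables binary; if `$0` is not one of the alternatives links (the script invoked as /usr/sbin/iptables-wrapper directly, or a copy of it placed elsewhere), the exec lands back in this script and the loop only ends when the process table fills. `set -e` catches a non-zero exit from update-alternatives but not this case, so a guard that the resolved `$0` is no longer this file before the exec would turn the loop into a clear error. It is also worth a comment at the first `update-alternatives --set` that the legacy/nft decision is persisted in the container's root filesystem, so it is taken once per container and a read-only rootfs makes the wrapper fail outright rather than fall back.
```shell
# … unchanged: mode detection and the two update-alternatives --set calls …

# Refuse to re-exec if $0 still resolves to this wrapper (the alternatives
# link was not switched); otherwise the exec below would loop forever.
if [ "$(readlink -f -- "$(command -v -- "$0")")" = "$(readlink -f -- /usr/sbin/iptables-wrapper)" ]; then
    echo "iptables-wrapper: iptables alternative for $0 was not switched" >&2
    exit 1
fi
exec "$0" "$@"
```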
