Merge pull request #2638 from thockin/iptables
Fix iptables for old systems
@@ -578,11 +578,20 @@ var localhostIPv6 = net.ParseIP("::1")
|
|||||||
|
|
||||||
// Build a slice of iptables args for a portal rule.
|
// Build a slice of iptables args for a portal rule.
|
||||||
func iptablesPortalArgs(destIP net.IP, destPort int, protocol api.Protocol, proxyIP net.IP, proxyPort int, service string) []string {
|
func iptablesPortalArgs(destIP net.IP, destPort int, protocol api.Protocol, proxyIP net.IP, proxyPort int, service string) []string {
|
||||||
|
// This list needs to include all fields as they are eventually spit out
|
||||||
|
// by iptables-save. This is because some systems do not support the
|
||||||
|
// 'iptables -C' arg, and so fall back on parsing iptables-save output.
|
||||||
|
// If this does not match, it will not pass the check. For example:
|
||||||
|
// adding the /32 on the destination IP arg is not strictly required,
|
||||||
|
// but causes this list to not match the final iptables-save output.
|
||||||
|
// This is fragile and I hope one day we can stop supporting such old
|
||||||
|
// iptables versions.
|
||||||
args := []string{
|
args := []string{
|
||||||
"-m", "comment",
|
"-m", "comment",
|
||||||
"--comment", service,
|
"--comment", service,
|
||||||
"-p", strings.ToLower(string(protocol)),
|
"-p", strings.ToLower(string(protocol)),
|
||||||
"-d", destIP.String(),
|
"-m", strings.ToLower(string(protocol)),
|
||||||
|
"-d", fmt.Sprintf("%s/32", destIP.String()),
|
||||||
"--dport", fmt.Sprintf("%d", destPort),
|
"--dport", fmt.Sprintf("%d", destPort),
|
||||||
}
|
}
|
||||||
// This is tricky. If the proxy is bound (see Proxier.listenAddress)
|
// This is tricky. If the proxy is bound (see Proxier.listenAddress)
|
||||||
|
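Review bot: The new `"-d", fmt.Sprintf("%s/32", destIP.String()),` line hard-codes an IPv4 prefix length, so the iptables-save fallback comparison cannot match an IPv6 destination (ip6tables-save prints such addresses with `/128`), and the file evidently handles IPv6 addresses given the `localhostIPv6` declaration in the hunk header context. If IPv6 portal IPs can reach this function, derive the suffix from the address instead, e.g. `mask := "/32"` / `if destIP.To4() == nil { mask = "/128" }` / `"-d", destIP.String() + mask,`. Whether an IPv6 destIP is ever passed here is not visible in the hunk, so this may be latent rather than active today. The comment block above `args` should also mention that the match is done on the token set (order is ignored by checkRuleWithoutCheck) so that future edits know exact token text, not position, is what must agree with iptables-save. iptablesPortalArgs continues past the end of the hunk.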
@@ -189,6 +189,7 @@ func (runner *runner) checkRule(table Table, chain Chain, args ...string) (bool,
|
|||||||
// Executes the rule check without using the "-C" flag, instead parsing iptables-save.
|
// Executes the rule check without using the "-C" flag, instead parsing iptables-save.
|
||||||
// Present for compatibility with <1.4.11 versions of iptables.
|
// Present for compatibility with <1.4.11 versions of iptables.
|
||||||
func (runner *runner) checkRuleWithoutCheck(table Table, chain Chain, args ...string) (bool, error) {
|
func (runner *runner) checkRuleWithoutCheck(table Table, chain Chain, args ...string) (bool, error) {
|
||||||
|
glog.V(1).Infof("running iptables-save -t %s", string(table))
|
||||||
out, err := runner.exec.Command("iptables-save", "-t", string(table)).CombinedOutput()
|
out, err := runner.exec.Command("iptables-save", "-t", string(table)).CombinedOutput()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return false, fmt.Errorf("error checking rule: %v", err)
|
return false, fmt.Errorf("error checking rule: %v", err)
|
||||||
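Review bot: The added `glog.V(1).Infof("running iptables-save -t %s", string(table))` logs at verbosity 1 for each call, and checkRuleWithoutCheck is the per-rule fallback on pre-1.4.11 iptables, so on those systems this line is emitted once per rule check on every sync. The debug line the same commit adds in the next hunk uses V(5); this one probably belongs at a similar debug level, e.g. `glog.V(4).Infof("running iptables-save -t %s", string(table))`. How often checkRule is invoked per sync is not visible here, so the rate is inferred from the function's role. checkRuleWithoutCheck's body continues past the end of the hunk.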
@@ -206,6 +207,7 @@ func (runner *runner) checkRuleWithoutCheck(table Table, chain Chain, args ...st
|
|||||||
if util.NewStringSet(fields...).IsSuperset(argset) {
|
if util.NewStringSet(fields...).IsSuperset(argset) {
|
||||||
return true, nil
|
return true, nil
|
||||||
}
|
}
|
||||||
|
glog.V(5).Infof("DBG: fields is not a superset of args: fields=%v args=%v", fields, args)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
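Review bot: The `DBG:` prefix in the new `glog.V(5).Infof("DBG: fields is not a superset of args: fields=%v args=%v", fields, args)` reads as a leftover from interactive debugging; the V(5) level already marks it as debug output, so `glog.V(5).Infof("fields is not a superset of args: fields=%v args=%v", fields, args)` says the same thing more cleanly. Since this fires for every non-matching iptables-save line during a check, a one-line comment above the `if util.NewStringSet(fields...).IsSuperset(argset)` test would also help readers of the log: `// Set match: token order is ignored, but every arg must appear verbatim in the saved rule.` The enclosing function starts before this hunk.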