feat(iptables): be able to override iptables-1.4-compatible lock path

knight42 2020-09-09 18:12:16 +08:00
parent 66334f02e8
commit b25af8e3c9
GPG Key ID: 61C5DB9CE28EED62
3 changed files with 21 additions and 13 deletions


@ -186,9 +186,12 @@ const WaitIntervalString = "-W"
// WaitIntervalUsecondsValue a constant for specifying the default wait interval useconds // WaitIntervalUsecondsValue a constant for specifying the default wait interval useconds
const WaitIntervalUsecondsValue = "100000" const WaitIntervalUsecondsValue = "100000"
// LockfilePath16x is the iptables lock file acquired by any process that's making any change in the iptable rule // LockfilePath16x is the iptables 1.6.x lock file acquired by any process that's making any change in the iptable rule
const LockfilePath16x = "/run/xtables.lock" const LockfilePath16x = "/run/xtables.lock"
// LockfilePath14x is the iptables 1.4.x lock file acquired by any process that's making any change in the iptable rule
const LockfilePath14x = "@xtables"
// runner implements Interface in terms of exec("iptables"). // runner implements Interface in terms of exec("iptables").
type runner struct { type runner struct {
mu sync.Mutex mu sync.Mutex
@ -198,20 +201,24 @@ type runner struct {
hasRandomFully bool hasRandomFully bool
waitFlag []string waitFlag []string
restoreWaitFlag []string restoreWaitFlag []string
lockfilePath string lockfilePath14x string
lockfilePath16x string
} }
// newInternal returns a new Interface which will exec iptables, and allows the // newInternal returns a new Interface which will exec iptables, and allows the
// caller to change the iptables-restore lockfile path // caller to change the iptables-restore lockfile path
func newInternal(exec utilexec.Interface, protocol Protocol, lockfilePath string) Interface { func newInternal(exec utilexec.Interface, protocol Protocol, lockfilePath14x, lockfilePath16x string) Interface {
version, err := getIPTablesVersion(exec, protocol) version, err := getIPTablesVersion(exec, protocol)
if err != nil { if err != nil {
klog.Warningf("Error checking iptables version, assuming version at least %s: %v", MinCheckVersion, err) klog.Warningf("Error checking iptables version, assuming version at least %s: %v", MinCheckVersion, err)
version = MinCheckVersion version = MinCheckVersion
} }
if lockfilePath == "" { if lockfilePath16x == "" {
lockfilePath = LockfilePath16x lockfilePath16x = LockfilePath16x
}
if lockfilePath14x == "" {
lockfilePath14x = LockfilePath14x
} }
runner := &runner{ runner := &runner{
@ -221,14 +228,15 @@ func newInternal(exec utilexec.Interface, protocol Protocol, lockfilePath string
hasRandomFully: version.AtLeast(RandomFullyMinVersion), hasRandomFully: version.AtLeast(RandomFullyMinVersion),
waitFlag: getIPTablesWaitFlag(version), waitFlag: getIPTablesWaitFlag(version),
restoreWaitFlag: getIPTablesRestoreWaitFlag(version, exec, protocol), restoreWaitFlag: getIPTablesRestoreWaitFlag(version, exec, protocol),
lockfilePath: lockfilePath, lockfilePath14x: lockfilePath14x,
lockfilePath16x: lockfilePath16x,
} }
return runner return runner
} }
// New returns a new Interface which will exec iptables. // New returns a new Interface which will exec iptables.
func New(exec utilexec.Interface, protocol Protocol) Interface { func New(exec utilexec.Interface, protocol Protocol) Interface {
return newInternal(exec, protocol, "") return newInternal(exec, protocol, "", "")
} }
// EnsureChain is part of Interface. // EnsureChain is part of Interface.
@ -390,7 +398,7 @@ func (runner *runner) restoreInternal(args []string, data []byte, flush FlushFla
// from stepping on each other. iptables-restore 1.6.2 will have // from stepping on each other. iptables-restore 1.6.2 will have
// a --wait option like iptables itself, but that's not widely deployed. // a --wait option like iptables itself, but that's not widely deployed.
if len(runner.restoreWaitFlag) == 0 { if len(runner.restoreWaitFlag) == 0 {
locker, err := grabIptablesLocks(runner.lockfilePath) locker, err := grabIptablesLocks(runner.lockfilePath14x, runner.lockfilePath16x)
if err != nil { if err != nil {
return err return err
} }
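Review bot: The doc comment on newInternal still describes a single override ("allows the caller to change the iptables-restore lockfile path") although the signature now takes lockfilePath14x and lockfilePath16x, and the two values are not interchangeable: the 1.6.x value is opened as a file with os.O_CREATE while the 1.4.x value is a unix socket address. Suggest rewording the comment to `// newInternal returns a new Interface which will exec iptables; lockfilePath14x (abstract unix socket name) and lockfilePath16x (lock file path) override the iptables-restore lock locations, empty strings select the defaults.` The new LockfilePath14x comment likewise calls "@xtables" a "lock file", but it is the socket name bound in grabIptablesLocks, so `// LockfilePath14x is the abstract unix socket name iptables 1.4.x binds as its lock` would be more accurate. Worth stating somewhere near New that it passes "" for both, so production callers always serialize against the system iptables defaults and only a caller of newInternal (presumably tests) can point the lock elsewhere and thereby stop contending with the real iptables binary.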


@ -49,7 +49,7 @@ func (l *locker) Close() error {
return utilerrors.NewAggregate(errList) return utilerrors.NewAggregate(errList)
} }
func grabIptablesLocks(lockfilePath string) (iptablesLocker, error) { func grabIptablesLocks(lockfilePath14x, lockfilePath16x string) (iptablesLocker, error) {
var err error var err error
var success bool var success bool
@ -66,9 +66,9 @@ func grabIptablesLocks(lockfilePath string) (iptablesLocker, error) {
// can't assume which lock method it'll use. // can't assume which lock method it'll use.
// Roughly duplicate iptables 1.6.x xtables_lock() function. // Roughly duplicate iptables 1.6.x xtables_lock() function.
l.lock16, err = os.OpenFile(lockfilePath, os.O_CREATE, 0600) l.lock16, err = os.OpenFile(lockfilePath16x, os.O_CREATE, 0600)
if err != nil { if err != nil {
return nil, fmt.Errorf("failed to open iptables lock %s: %v", lockfilePath, err) return nil, fmt.Errorf("failed to open iptables lock %s: %v", lockfilePath16x, err)
} }
if err := wait.PollImmediate(200*time.Millisecond, 2*time.Second, func() (bool, error) { if err := wait.PollImmediate(200*time.Millisecond, 2*time.Second, func() (bool, error) {
@ -82,7 +82,7 @@ func grabIptablesLocks(lockfilePath string) (iptablesLocker, error) {
// Roughly duplicate iptables 1.4.x xtables_lock() function. // Roughly duplicate iptables 1.4.x xtables_lock() function.
if err := wait.PollImmediate(200*time.Millisecond, 2*time.Second, func() (bool, error) { if err := wait.PollImmediate(200*time.Millisecond, 2*time.Second, func() (bool, error) {
l.lock14, err = net.ListenUnix("unix", &net.UnixAddr{Name: "@xtables", Net: "unix"}) l.lock14, err = net.ListenUnix("unix", &net.UnixAddr{Name: lockfilePath14x, Net: "unix"})
if err != nil { if err != nil {
return false, nil return false, nil
} }
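Review bot: The 1.4.x lock name is now passed straight into net.UnixAddr{Name: lockfilePath14x}, and Go treats a leading "@" as a Linux abstract-namespace socket; an override without that prefix will bind a socket in the filesystem instead, which has different lifetime and permission semantics and no longer mirrors the iptables 1.4.x xtables_lock() behaviour the comment above describes. A one-line note at the ListenUnix call would make the contract explicit, e.g. `// lockfilePath14x must keep the leading "@" so this stays an abstract socket like iptables 1.4.x`, or the function could reject names that do not start with "@". grabIptablesLocks also has no doc comment; since its signature changed, add one that names the two parameters and says that empty or wrong values silently stop it from contending with the system iptables. The 1.6.x open on the changed line still wraps the error with %v; since the line is being touched anyway, `%w` would let callers use errors.Is/As. The function body continues outside both hunks.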


@ -23,7 +23,7 @@ import (
"os" "os"
) )
func grabIptablesLocks(lockfilePath string) (iptablesLocker, error) { func grabIptablesLocks(lock14filePath, lock16filePath string) (iptablesLocker, error) {
return nil, fmt.Errorf("iptables unsupported on this platform") return nil, fmt.Errorf("iptables unsupported on this platform")
} }
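Review bot: The parameter names in this stub, lock14filePath and lock16filePath, differ from the lockfilePath14x and lockfilePath16x used by the Linux implementation and by the caller in newInternal, which makes the two declarations harder to grep together. Suggest `func grabIptablesLocks(lockfilePath14x, lockfilePath16x string) (iptablesLocker, error) {` so both build-tagged versions read the same.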