
fix(NPC): don't rely on exit code for chain check (#1157)
Don't use the exit code of NewChain() to decide whether the chain already exists, as it does not appear to be consistent between the nftables and legacy iptables implementations.
aauren committed Nov 3, 2021
1 parent a60c5a8 commit c7ed2d5
Showing 1 changed file with 18 additions and 6 deletions.
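--- a/pkg/controllers/netpol/network_policy_controller.go
+++ b/pkg/controllers/netpol/network_policy_controller.go
@@ -346,9 +346,15 @@ func (npc *NetworkPolicyController) ensureTopLevelChains() {
 }
 
 for builtinChain, customChain := range defaultChains {
-err = iptablesCmdHandler.NewChain("filter", customChain)
-if err != nil && err.(*iptables.Error).ExitStatus() != 1 {
-klog.Fatalf("Failed to run iptables command to create %s chain due to %s", customChain, err.Error())
+exists, err := iptablesCmdHandler.ChainExists("filter", customChain)
+if err != nil {
+klog.Fatalf("failed to check for the existence of chain %s, error: %v", customChain, err)
+}
+if !exists {
+err = iptablesCmdHandler.NewChain("filter", customChain)
+if err != nil {
+klog.Fatalf("failed to run iptables command to create %s chain due to %s", customChain, err.Error())
+}
 }
 args := []string{"-m", "comment", "--comment", "kube-router netpol", "-j", customChain}
 uuid, err := addUUIDForRuleSpec(builtinChain, &args)
@@ -413,9 +419,15 @@ func (npc *NetworkPolicyController) ensureDefaultNetworkPolicyChain() {
 markComment := "rule to mark traffic matching a network policy"
 markArgs = append(markArgs, "-j", "MARK", "-m", "comment", "--comment", markComment, "--set-xmark", "0x10000/0x10000")
 
-err = iptablesCmdHandler.NewChain("filter", kubeDefaultNetpolChain)
-if err != nil && err.(*iptables.Error).ExitStatus() != 1 {
-klog.Fatalf("Failed to run iptables command to create %s chain due to %s", kubeDefaultNetpolChain, err.Error())
+exists, err := iptablesCmdHandler.ChainExists("filter", kubeDefaultNetpolChain)
+if err != nil {
+klog.Fatalf("failed to check for the existence of chain %s, error: %v", kubeDefaultNetpolChain, err)
+}
+if !exists {
+err = iptablesCmdHandler.NewChain("filter", kubeDefaultNetpolChain)
+if err != nil {
+klog.Fatalf("failed to run iptables command to create %s chain due to %s", kubeDefaultNetpolChain, err.Error())
+}
 }
 err = iptablesCmdHandler.AppendUnique("filter", kubeDefaultNetpolChain, markArgs...)
 if err != nil {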
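Review bot: The new check-then-create in the loop is not atomic — `ChainExists` followed by `NewChain` leaves a window in which another writer of the filter table (a previous kube-router instance still tearing down, another controller, or a concurrent reconcile) can create the chain, and because the commit also drops the old tolerance for a non-zero exit status, that benign "chain already exists" now ends in `klog.Fatalf`, taking the whole controller down and leaving network policies unenforced until it restarts. The same pattern is repeated in the second hunk for kubeDefaultNetpolChain. A cheap, iptables-variant-agnostic fix is to re-run ChainExists after a failed NewChain and only fatal if the chain is still absent, as sketched below. Also note that `exists, err :=` inside the loop declares a fresh `err` that shadows the one previously assigned with `=`; that is harmless only if the outer err is not read after the loop, which cannot be confirmed from the hunk. Both ensureTopLevelChains and ensureDefaultNetworkPolicyChain start and end outside the hunks.
```go
if !exists {
	if err = iptablesCmdHandler.NewChain("filter", customChain); err != nil {
		// NewChain can lose a race with another writer; only fatal if the chain is really still missing.
		nowExists, checkErr := iptablesCmdHandler.ChainExists("filter", customChain)
		if checkErr != nil || !nowExists {
			klog.Fatalf("failed to run iptables command to create %s chain due to %s", customChain, err.Error())
		}
	}
}
// … unchanged: args / addUUIDForRuleSpec …
```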
