Check DOCKER-USER chain exists in nf_tables #1900
Conversation
The simple check for the loaded nf_tables kernel module is not enough. It can be loaded whilst nf_tables is still not in use. iptables-legacy then most probably is.
tested in RHEL 7 with this kernel
deployment was ok without any error messages
@hellt Take a look if you've got comments, otherwise we can merge.
if err != nil {
return nil, err
}
if len(chains) == 0 {
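Review bot: the `if err != nil { return nil, err }` branch surfaces any failure to list chains to the caller, while the `if len(chains) == 0 {` branch is the one that (per the description) falls back to iptables; on a host where the nf_tables module is loaded but the ruleset is not usable, listing may fail rather than come back empty, so it is worth stating whether that case should also fall back or is intentionally fatal. A short comment on the `len(chains) == 0` check saying that `chains` was fetched for definitions.DockerFWUserChain specifically would also answer the review question about checking for the DOCKER-USER chain rather than just any chain.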
Can we check for docker user chain and not just some chains?
That's what we do. If you look closely you will notice definitions.DockerFWUserChain as the parameter to getChains(...).
Codecov Report
Attention:

Coverage Diff (main vs #1900):

              main     #1900     +/-
Coverage    53.65%    53.60%   -0.05%
Files          154       154
Lines        11227     11233       +6
Hits          6024      6022       -2
Misses        4343      4348       +5
Partials       860       863       +3
So via this PR, we check if the DOCKER-USER chain exists. If not, we return and iptables will be used.
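A stand-alone sketch of the backend selection the PR describes (both in the description at the top and in the summary just above), written here as an added example and not containerlab's own code. It assumes `nft -j list chains` (libnftables JSON output, where each element of the "nftables" array is a single-key object such as {"metainfo": ...} or {"chain": ...}) as the source of chains, and a hypothetical `dockerUserChain` constant standing in for `definitions.DockerFWUserChain`. The two sample outputs are constructed, not captured from a real host.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os/exec"
)

// dockerUserChain is the chain Docker creates for user-supplied rules.
// Assumption for this example: stands in for definitions.DockerFWUserChain.
const dockerUserChain = "DOCKER-USER"

// nftChain holds the fields of a "chain" object from `nft -j list chains`
// that this example needs; other fields (handle, prio, policy) are ignored.
type nftChain struct {
	Family string `json:"family"`
	Table  string `json:"table"`
	Name   string `json:"name"`
	Hook   string `json:"hook"`
}

// nftOutput mirrors the top-level libnftables JSON document: an "nftables"
// array whose elements each carry one key ("metainfo", "chain", ...).
type nftOutput struct {
	Nftables []struct {
		Chain *nftChain `json:"chain,omitempty"`
	} `json:"nftables"`
}

// parseChains decodes `nft -j list chains` output and returns the chains of
// the requested family (e.g. "ip"). Non-chain entries such as metainfo are skipped.
func parseChains(jsonOut []byte, family string) ([]nftChain, error) {
	var out nftOutput
	if err := json.Unmarshal(jsonOut, &out); err != nil {
		return nil, fmt.Errorf("decoding nft json: %w", err)
	}
	var chains []nftChain
	for _, e := range out.Nftables {
		if e.Chain != nil && e.Chain.Family == family {
			chains = append(chains, *e.Chain)
		}
	}
	return chains, nil
}

// hasChain reports whether a chain with the given name is in the list.
func hasChain(chains []nftChain, name string) bool {
	for _, c := range chains {
		if c.Name == name {
			return true
		}
	}
	return false
}

// Backend is the firewall tooling selected for installing rules.
type Backend string

const (
	BackendNftables Backend = "nftables"
	BackendIptables Backend = "iptables"
)

// selectBackend is the decision the PR describes: a loaded nf_tables module is
// not sufficient; only if DOCKER-USER actually exists in the nftables ruleset
// is the nftables backend used, otherwise fall back to iptables (on such hosts
// usually iptables-legacy). A failure to run or parse nft is returned to the
// caller rather than silently mapped to one backend or the other.
func selectBackend(listChains func() ([]byte, error)) (Backend, error) {
	raw, err := listChains()
	if err != nil {
		return "", fmt.Errorf("listing nft chains: %w", err)
	}
	chains, err := parseChains(raw, "ip")
	if err != nil {
		return "", err
	}
	if !hasChain(chains, dockerUserChain) {
		return BackendIptables, nil
	}
	return BackendNftables, nil
}

// nftListChains runs the real command on the host (used by main, not by tests).
func nftListChains() ([]byte, error) {
	return exec.Command("nft", "-j", "list", "chains").Output()
}

// Constructed sample outputs, not captured from a real host.
const (
	// Docker's rules live in nftables: DOCKER-USER is present.
	sampleWithDockerUser = `{"nftables": [
  {"metainfo": {"version": "1.0.2", "release_name": "Lester Gooch", "json_schema_version": 1}},
  {"chain": {"family": "ip", "table": "filter", "name": "FORWARD", "handle": 1, "type": "filter", "hook": "forward", "prio": 0, "policy": "accept"}},
  {"chain": {"family": "ip", "table": "filter", "name": "DOCKER-USER", "handle": 2, "type": "filter", "hook": "forward", "prio": 0, "policy": "accept"}}
]}`
	// nf_tables is loaded but unused: no chains at all, so Docker must be on iptables-legacy.
	sampleEmpty = `{"nftables": [
  {"metainfo": {"version": "1.0.2", "release_name": "Lester Gooch", "json_schema_version": 1}}
]}`
)

func main() {
	for _, s := range []string{sampleWithDockerUser, sampleEmpty} {
		b, err := selectBackend(func() ([]byte, error) { return []byte(s), nil })
		fmt.Println(b, err)
	}
	// On a real host: selectBackend(nftListChains)
}
```

Passing the chain lister as a function keeps the decision testable without nft installed; `selectBackend(nftListChains)` is the production call.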