WIP

flannel-io · Nov 20, 2024 · ac477e4 · ac477e4
1 parent aaf6cc7
commit ac477e4
Show file tree

Hide file tree

Showing 6 changed files with 30 additions and 30 deletions.
diff --git a/main.go b/main.go
@@ -400,10 +400,15 @@ func main() {
 	// In Docker 1.12 and earlier, the default FORWARD chain policy was ACCEPT.
 	// In Docker 1.13 and later, Docker sets the default policy of the FORWARD chain to DROP.
 	if opts.iptablesForwardRules {
-		trafficMngr.SetupAndEnsureForwardRules(ctx,
+		if err := trafficMngr.SetupAndEnsureForwardRules(ctx,
 			config.Network,
 			config.IPv6Network,
-			opts.iptablesResyncSeconds)
+			opts.iptablesResyncSeconds); err != nil {
+			log.Errorf("Failed to setup forward rules, %v", err)
+			cancel()
+			wg.Wait()
+			os.Exit(1)
+		}
 	}
 
 	if err := sm.HandleSubnetFile(opts.subnetFile, config, opts.ipMasq, bn.Lease().Subnet, bn.Lease().IPv6Subnet, bn.MTU()); err != nil {

diff --git a/pkg/trafficmngr/iptables/iptables.go b/pkg/trafficmngr/iptables/iptables.go
@@ -126,7 +126,10 @@ func (iptm *IPTablesManager) SetupAndEnsureMasqRules(ctx context.Context, flanne
 
 		log.Infof("Setting up masking rules")
 		iptm.CreateIP4Chain("nat", "FLANNEL-POSTRTG")
-		go iptm.setupAndEnsureIP4Tables(ctx, iptm.masqRules(flannelIPv4Net, currentlease), resyncPeriod)
+
+		if err := iptm.setupAndEnsureIP4Tables(ctx, iptm.masqRules(flannelIPv4Net, currentlease)); err != nil {
+			return err
+		}
 	}
 	if !flannelIPv6Net.Empty() {
 		// recycle iptables rules only when network configured or subnet leased is not equal to current one.
@@ -223,17 +226,20 @@ func (iptm *IPTablesManager) masqIP6Rules(ccidr ip.IP6Net, lease *lease.Lease) [
 	return rules
 }
 
-func (iptm *IPTablesManager) SetupAndEnsureForwardRules(ctx context.Context, flannelIPv4Network ip.IP4Net, flannelIPv6Network ip.IP6Net, resyncPeriod int) {
+func (iptm *IPTablesManager) SetupAndEnsureForwardRules(ctx context.Context, flannelIPv4Network ip.IP4Net, flannelIPv6Network ip.IP6Net, resyncPeriod int) error {
 	if !flannelIPv4Network.Empty() {
 		log.Infof("Changing default FORWARD chain policy to ACCEPT")
 		iptm.CreateIP4Chain("filter", "FLANNEL-FWD")
-		go iptm.setupAndEnsureIP4Tables(ctx, iptm.forwardRules(flannelIPv4Network.String()), resyncPeriod)
+		if err := iptm.setupAndEnsureIP4Tables(ctx, iptm.forwardRules(flannelIPv4Network.String())); err != nil {
+			return err
+		}
 	}
 	if !flannelIPv6Network.Empty() {
 		log.Infof("IPv6: Changing default FORWARD chain policy to ACCEPT")
 		iptm.CreateIP6Chain("filter", "FLANNEL-FWD")
 		go iptm.setupAndEnsureIP6Tables(ctx, iptm.forwardRules(flannelIPv6Network.String()), resyncPeriod)
 	}
+	return nil
 }
 
 func (iptm *IPTablesManager) forwardRules(flannelNetwork string) []trafficmngr.IPTablesRule {
@@ -376,40 +382,26 @@ func ipTablesBootstrap(ctx context.Context, ipt IPTables, iptRestore IPTablesRes
 	return nil
 }
 
-func (iptm *IPTablesManager) setupAndEnsureIP4Tables(ctx context.Context, rules []trafficmngr.IPTablesRule, resyncPeriod int) {
+func (iptm *IPTablesManager) setupAndEnsureIP4Tables(ctx context.Context, rules []trafficmngr.IPTablesRule) error {
 	ipt, err := iptables.New()
 	if err != nil {
 		// if we can't find iptables, give up and return
-		log.Errorf("Failed to setup IPTables. iptables binary was not found: %v", err)
-		return
+		return fmt.Errorf("Failed to setup IPTables. iptables binary was not found: %v", err)
 	}
 	iptRestore, err := NewIPTablesRestoreWithProtocol(iptables.ProtocolIPv4)
 	if err != nil {
 		// if we can't find iptables-restore, give up and return
-		log.Errorf("Failed to setup IPTables. iptables-restore binary was not found: %v", err)
-		return
+		return fmt.Errorf("Failed to setup IPTables. iptables-restore binary was not found: %v", err)
 	}
 
 	err = ipTablesBootstrap(ctx, ipt, iptRestore, rules)
 	if err != nil {
 		// if we can't find iptables, give up and return
-		log.Errorf("Failed to bootstrap IPTables: %v", err)
+		return fmt.Errorf("Failed to bootstrap IPTables: %v", err)
 	}
 
 	iptm.ipv4Rules = append(iptm.ipv4Rules, rules...)
-	for {
-		select {
-		case <-ctx.Done():
-			//clean-up is setup in Init
-			return
-		case <-time.After(time.Duration(resyncPeriod) * time.Second):
-			// Ensure that all the iptables rules exist every 5 seconds
-			if err := ensureIPTables(ctx, ipt, iptRestore, rules); err != nil {
-				log.Errorf("Failed to ensure iptables rules: %v", err)
-			}
-		}
-
-	}
+	return ensureIPTables(ctx, ipt, iptRestore, rules)
 }
 
 func (iptm *IPTablesManager) setupAndEnsureIP6Tables(ctx context.Context, rules []trafficmngr.IPTablesRule, resyncPeriod int) {

diff --git a/pkg/trafficmngr/iptables/iptables_windows.go b/pkg/trafficmngr/iptables/iptables_windows.go
@@ -40,7 +40,8 @@ func (iptm IPTablesManager) Init(ctx context.Context, wg *sync.WaitGroup) error
 	return nil
 }
 
-func (iptm *IPTablesManager) SetupAndEnsureForwardRules(ctx context.Context, flannelIPv4Network ip.IP4Net, flannelIPv6Network ip.IP6Net, resyncPeriod int) {
+func (iptm *IPTablesManager) SetupAndEnsureForwardRules(ctx context.Context, flannelIPv4Network ip.IP4Net, flannelIPv6Network ip.IP6Net, resyncPeriod int) error {
+	return nil
 }
 
 func (iptm *IPTablesManager) SetupAndEnsureMasqRules(ctx context.Context, flannelIPv4Net, prevSubnet, prevNetwork ip.IP4Net,

diff --git a/pkg/trafficmngr/nftables/nftables.go b/pkg/trafficmngr/nftables/nftables.go
@@ -89,7 +89,7 @@ func initTable(ctx context.Context, ipFamily knftables.Family, name string) (knf
 // It is needed when using nftables? accept seems to be the default
 // warning: never add a default 'drop' policy on the forwardChain as it breaks connectivity to the node
 func (nftm *NFTablesManager) SetupAndEnsureForwardRules(ctx context.Context,
-	flannelIPv4Network ip.IP4Net, flannelIPv6Network ip.IP6Net, resyncPeriod int) {
+	flannelIPv4Network ip.IP4Net, flannelIPv6Network ip.IP6Net, resyncPeriod int) error {
 	if !flannelIPv4Network.Empty() {
 		log.Infof("Changing default FORWARD chain policy to ACCEPT")
 		tx := nftm.nftv4.NewTransaction()
@@ -121,7 +121,7 @@ func (nftm *NFTablesManager) SetupAndEnsureForwardRules(ctx context.Context,
 		})
 		err := nftm.nftv4.Run(ctx, tx)
 		if err != nil {
-			log.Errorf("nftables: couldn't setup forward rules: %v", err)
+			return fmt.Errorf("nftables: couldn't setup forward rules: %v", err)
 		}
 	}
 	if !flannelIPv6Network.Empty() {
@@ -155,9 +155,10 @@ func (nftm *NFTablesManager) SetupAndEnsureForwardRules(ctx context.Context,
 		})
 		err := nftm.nftv6.Run(ctx, tx)
 		if err != nil {
-			log.Errorf("nftables: couldn't setup forward rules (ipv6): %v", err)
+			return fmt.Errorf("nftables: couldn't setup forward rules (ipv6): %v", err)
 		}
 	}
+	return nil
 }
 
 func (nftm *NFTablesManager) SetupAndEnsureMasqRules(ctx context.Context, flannelIPv4Net, prevSubnet, prevNetwork ip.IP4Net,

diff --git a/pkg/trafficmngr/nftables/nftables_windows.go b/pkg/trafficmngr/nftables/nftables_windows.go
@@ -34,7 +34,8 @@ func (nftm *NFTablesManager) Init(ctx context.Context, wg *sync.WaitGroup) error
 }
 
 func (nftm *NFTablesManager) SetupAndEnsureForwardRules(ctx context.Context,
-	flannelIPv4Network ip.IP4Net, flannelIPv6Network ip.IP6Net, resyncPeriod int) {
+	flannelIPv4Network ip.IP4Net, flannelIPv6Network ip.IP6Net, resyncPeriod int) error {
+	return nil
 }
 
 func (nftm *NFTablesManager) SetupAndEnsureMasqRules(ctx context.Context, flannelIPv4Net, prevSubnet, prevNetwork ip.IP4Net,

diff --git a/pkg/trafficmngr/trafficmngr.go b/pkg/trafficmngr/trafficmngr.go
@@ -47,7 +47,7 @@ type TrafficManager interface {
 	// This is done for IPv4 and/or IPv6 based on whether flannelIPv4Network and flannelIPv6Network are set.
 	// SetupAndEnsureForwardRules starts a go routine that
 	// rewrites these rules every resyncPeriod seconds if needed
-	SetupAndEnsureForwardRules(ctx context.Context, flannelIPv4Network ip.IP4Net, flannelIPv6Network ip.IP6Net, resyncPeriod int)
+	SetupAndEnsureForwardRules(ctx context.Context, flannelIPv4Network ip.IP4Net, flannelIPv6Network ip.IP6Net, resyncPeriod int) error
 	// Install kernel rules to setup NATing of packets sent to the flannel interface
 	// This is done for IPv4 and/or IPv6 based on whether flannelIPv4Network and flannelIPv6Network are set.
 	// prevSubnet,prevNetworks, prevIPv6Subnet, prevIPv6Networks are used