From ac477e49f2dbdb882aae07cd980b9c2bdfa2ab2a Mon Sep 17 00:00:00 2001
From: Thomas Ferrandiz
Date: Thu, 23 May 2024 13:10:08 +0000
Subject: [PATCH] WIP

---
 main.go | 9 +++--
 pkg/trafficmngr/iptables/iptables.go | 36 ++++++++------------
 pkg/trafficmngr/iptables/iptables_windows.go | 3 +-
 pkg/trafficmngr/nftables/nftables.go | 7 ++--
 pkg/trafficmngr/nftables/nftables_windows.go | 3 +-
 pkg/trafficmngr/trafficmngr.go | 2 +-
 6 files changed, 30 insertions(+), 30 deletions(-)

diff --git a/main.go b/main.go
index e8ab0626eb..38e46f30ec 100644
--- a/main.go
+++ b/main.go
@@ -400,10 +400,15 @@ func main() {
 // In Docker 1.12 and earlier, the default FORWARD chain policy was ACCEPT.
 // In Docker 1.13 and later, Docker sets the default policy of the FORWARD chain to DROP.
 if opts.iptablesForwardRules {
- trafficMngr.SetupAndEnsureForwardRules(ctx,
+ if err := trafficMngr.SetupAndEnsureForwardRules(ctx,
 config.Network,
 config.IPv6Network,
- opts.iptablesResyncSeconds)
+ opts.iptablesResyncSeconds); err != nil {
+ log.Errorf("Failed to setup forward rules, %v", err)
+ cancel()
+ wg.Wait()
+ os.Exit(1)
+ }
 }
 
 if err := sm.HandleSubnetFile(opts.subnetFile, config, opts.ipMasq, bn.Lease().Subnet, bn.Lease().IPv6Subnet, bn.MTU()); err != nil {
diff --git a/pkg/trafficmngr/iptables/iptables.go b/pkg/trafficmngr/iptables/iptables.go
index 87bcfd379a..ec228e7768 100644
--- a/pkg/trafficmngr/iptables/iptables.go
+++ b/pkg/trafficmngr/iptables/iptables.go
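Review bot: The new error branch turns a forward-rule setup failure into a hard exit, where the old fire-and-forget goroutine only logged it; together with the iptables.go change at @@ -376 that now includes a failed bootstrap, which used to be non-fatal. Failing closed is defensible — without the FLANNEL-FWD ACCEPT rules a DROP FORWARD policy silently blackholes pod traffic — but the new semantics belong in the commit message, and `os.Exit(1)` skips any deferred cleanup in main (cancel()/wg.Wait() covers the goroutines, not defers; whether main has any is outside the hunk). I'd also align the message with the errors it prints: `log.Errorf("Failed to setup forward rules: %v", err)`. main() continues outside the hunk.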
@@ -126,7 +126,10 @@ func (iptm *IPTablesManager) SetupAndEnsureMasqRules(ctx context.Context, flanne
 log.Infof("Setting up masking rules")
 iptm.CreateIP4Chain("nat", "FLANNEL-POSTRTG")
- go iptm.setupAndEnsureIP4Tables(ctx, iptm.masqRules(flannelIPv4Net, currentlease), resyncPeriod)
+
+ if err := iptm.setupAndEnsureIP4Tables(ctx, iptm.masqRules(flannelIPv4Net, currentlease)); err != nil {
+ return err
+ }
 }
 
 if !flannelIPv6Net.Empty() {
 // recycle iptables rules only when network configured or subnet leased is not equal to current one.
@@ -223,17 +226,20 @@ func (iptm *IPTablesManager) masqIP6Rules(ccidr ip.IP6Net, lease *lease.Lease) [
 return rules
 }
 
-func (iptm *IPTablesManager) SetupAndEnsureForwardRules(ctx context.Context, flannelIPv4Network ip.IP4Net, flannelIPv6Network ip.IP6Net, resyncPeriod int) {
+func (iptm *IPTablesManager) SetupAndEnsureForwardRules(ctx context.Context, flannelIPv4Network ip.IP4Net, flannelIPv6Network ip.IP6Net, resyncPeriod int) error {
 if !flannelIPv4Network.Empty() {
 log.Infof("Changing default FORWARD chain policy to ACCEPT")
 iptm.CreateIP4Chain("filter", "FLANNEL-FWD")
- go iptm.setupAndEnsureIP4Tables(ctx, iptm.forwardRules(flannelIPv4Network.String()), resyncPeriod)
+ if err := iptm.setupAndEnsureIP4Tables(ctx, iptm.forwardRules(flannelIPv4Network.String())); err != nil {
+ return err
+ }
 }
 if !flannelIPv6Network.Empty() {
 log.Infof("IPv6: Changing default FORWARD chain policy to ACCEPT")
 iptm.CreateIP6Chain("filter", "FLANNEL-FWD")
 go iptm.setupAndEnsureIP6Tables(ctx, iptm.forwardRules(flannelIPv6Network.String()), resyncPeriod)
 }
+ return nil
 }
 
 func (iptm *IPTablesManager) forwardRules(flannelNetwork string) []trafficmngr.IPTablesRule {
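Review bot: `setupAndEnsureIP4Tables` is now called synchronously and without `resyncPeriod`, so the IPv4 masquerade rules are installed once and no longer periodically re-ensured, while the IPv6 branch that follows (outside the hunk, presumably still `go iptm.setupAndEnsureIP6Tables(..., resyncPeriod)`) keeps the old behaviour. As written, a later flush of the nat table by another agent leaves traffic leaving the node unmasqueraded until flanneld restarts, with no log line to show it; if the resync is meant to move elsewhere, that should land with this commit or be called out as WIP in the description. The added empty `+` line before the `if err :=` also looks stray. SetupAndEnsureMasqRules continues outside the hunk.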
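Review bot: The two branches of SetupAndEnsureForwardRules now behave differently: IPv4 is synchronous and returns its error, while IPv6 still runs `go iptm.setupAndEnsureIP6Tables(..., resyncPeriod)`, whose failures are only logged and which the new `return nil` cannot report. An IPv4 failure also returns before the IPv6 branch is attempted, so a dual-stack caller gets an error for a half-applied setup. Either give `setupAndEnsureIP6Tables` the same treatment, or state in the method comment that only the IPv4 result is reported and that `resyncPeriod` now affects IPv6 only.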
@@ -376,40 +382,26 @@ func ipTablesBootstrap(ctx context.Context, ipt IPTables, iptRestore IPTablesRes
 return nil
 }
 
-func (iptm *IPTablesManager) setupAndEnsureIP4Tables(ctx context.Context, rules []trafficmngr.IPTablesRule, resyncPeriod int) {
+func (iptm *IPTablesManager) setupAndEnsureIP4Tables(ctx context.Context, rules []trafficmngr.IPTablesRule) error {
 ipt, err := iptables.New()
 if err != nil {
 // if we can't find iptables, give up and return
- log.Errorf("Failed to setup IPTables. iptables binary was not found: %v", err)
- return
+ return fmt.Errorf("Failed to setup IPTables. iptables binary was not found: %v", err)
 }
 iptRestore, err := NewIPTablesRestoreWithProtocol(iptables.ProtocolIPv4)
 if err != nil {
 // if we can't find iptables-restore, give up and return
- log.Errorf("Failed to setup IPTables. iptables-restore binary was not found: %v", err)
- return
+ return fmt.Errorf("Failed to setup IPTables. iptables-restore binary was not found: %v", err)
 }
 err = ipTablesBootstrap(ctx, ipt, iptRestore, rules)
 if err != nil {
 // if we can't find iptables, give up and return
- log.Errorf("Failed to bootstrap IPTables: %v", err)
+ return fmt.Errorf("Failed to bootstrap IPTables: %v", err)
 }
 iptm.ipv4Rules = append(iptm.ipv4Rules, rules...)
- for {
- select {
- case <-ctx.Done():
- //clean-up is setup in Init
- return
- case <-time.After(time.Duration(resyncPeriod) * time.Second):
- // Ensure that all the iptables rules exist every 5 seconds
- if err := ensureIPTables(ctx, ipt, iptRestore, rules); err != nil {
- log.Errorf("Failed to ensure iptables rules: %v", err)
- }
- }
-
- }
+ return ensureIPTables(ctx, ipt, iptRestore, rules)
 }
 
 func (iptm *IPTablesManager) setupAndEnsureIP6Tables(ctx context.Context, rules []trafficmngr.IPTablesRule, resyncPeriod int) {
diff --git a/pkg/trafficmngr/iptables/iptables_windows.go b/pkg/trafficmngr/iptables/iptables_windows.go
index c3a8d0ed0e..f05d7b0e15 100644
--- a/pkg/trafficmngr/iptables/iptables_windows.go
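Review bot: The three new `fmt.Errorf` calls use `%v`, which drops the underlying error from the chain, and start with a capital; prefer `return fmt.Errorf("setting up iptables: iptables binary not found: %w", err)` and likewise for the other two so callers can use `errors.Is`/`errors.As`. With the select loop gone, `ensureIPTables` now runs exactly once and nothing re-applies the rules if the chains are later flushed, while `ctx` is no longer consulted for cancellation; if the resync is intended to move into Init, it should land with this change rather than leave the gap open. The comment `// if we can't find iptables, give up and return` above the bootstrap error is copied from the first check and now describes the wrong condition. Also confirm `fmt` is imported and `time` is still used elsewhere in this file, otherwise the WIP will not build.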
+++ b/pkg/trafficmngr/iptables/iptables_windows.go
@@ -40,7 +40,8 @@ func (iptm IPTablesManager) Init(ctx context.Context, wg *sync.WaitGroup) error
 return nil
 }
 
-func (iptm *IPTablesManager) SetupAndEnsureForwardRules(ctx context.Context, flannelIPv4Network ip.IP4Net, flannelIPv6Network ip.IP6Net, resyncPeriod int) {
+func (iptm *IPTablesManager) SetupAndEnsureForwardRules(ctx context.Context, flannelIPv4Network ip.IP4Net, flannelIPv6Network ip.IP6Net, resyncPeriod int) error {
+ return nil
 }
 
 func (iptm *IPTablesManager) SetupAndEnsureMasqRules(ctx context.Context, flannelIPv4Net, prevSubnet, prevNetwork ip.IP4Net,
diff --git a/pkg/trafficmngr/nftables/nftables.go b/pkg/trafficmngr/nftables/nftables.go
index 8e885aa525..f870bf33af 100644
--- a/pkg/trafficmngr/nftables/nftables.go
+++ b/pkg/trafficmngr/nftables/nftables.go
@@ -89,7 +89,7 @@ func initTable(ctx context.Context, ipFamily knftables.Family, name string) (knf
 // It is needed when using nftables? accept seems to be the default
 // warning: never add a default 'drop' policy on the forwardChain as it breaks connectivity to the node
 func (nftm *NFTablesManager) SetupAndEnsureForwardRules(ctx context.Context,
- flannelIPv4Network ip.IP4Net, flannelIPv6Network ip.IP6Net, resyncPeriod int) {
+ flannelIPv4Network ip.IP4Net, flannelIPv6Network ip.IP6Net, resyncPeriod int) error {
 if !flannelIPv4Network.Empty() {
 log.Infof("Changing default FORWARD chain policy to ACCEPT")
 tx := nftm.nftv4.NewTransaction()
@@ -121,7 +121,7 @@ func (nftm *NFTablesManager) SetupAndEnsureForwardRules(ctx context.Context,
 })
 err := nftm.nftv4.Run(ctx, tx)
 if err != nil {
- log.Errorf("nftables: couldn't setup forward rules: %v", err)
+ return fmt.Errorf("nftables: couldn't setup forward rules: %v", err)
 }
 }
 if !flannelIPv6Network.Empty() {
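Review bot: The Windows stub now reports success although it installs nothing, and the nftables_windows.go stub at @@ -34 does the same; since main.go now treats a nil error as "rules in place", a doc comment such as `// SetupAndEnsureForwardRules is a no-op on Windows; forward rules are not managed there.` would make that explicit. The unused `resyncPeriod` parameter is dictated by the interface and is fine to keep.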
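Review bot: `fmt.Errorf(..., "%v", err)` discards the underlying knftables error from the chain; use `return fmt.Errorf("nftables: couldn't setup forward rules: %w", err)` here and in the IPv6 branch at @@ -155. Returning at this point also means an IPv4 failure skips the IPv6 branch entirely on dual-stack nodes, so the caller sees one error for a half-applied configuration; if that is intended, say so in the interface comment. Confirm that nftables.go imports `fmt`, as the hunk does not show it. SetupAndEnsureForwardRules starts outside this hunk.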
@@ -155,9 +155,10 @@ func (nftm *NFTablesManager) SetupAndEnsureForwardRules(ctx context.Context,
 })
 err := nftm.nftv6.Run(ctx, tx)
 if err != nil {
- log.Errorf("nftables: couldn't setup forward rules (ipv6): %v", err)
+ return fmt.Errorf("nftables: couldn't setup forward rules (ipv6): %v", err)
 }
 }
+ return nil
 }
 
 func (nftm *NFTablesManager) SetupAndEnsureMasqRules(ctx context.Context, flannelIPv4Net, prevSubnet, prevNetwork ip.IP4Net,
diff --git a/pkg/trafficmngr/nftables/nftables_windows.go b/pkg/trafficmngr/nftables/nftables_windows.go
index d6e9f1a18e..29aa19299a 100644
--- a/pkg/trafficmngr/nftables/nftables_windows.go
+++ b/pkg/trafficmngr/nftables/nftables_windows.go
@@ -34,7 +34,8 @@ func (nftm *NFTablesManager) Init(ctx context.Context, wg *sync.WaitGroup) error
 }
 
 func (nftm *NFTablesManager) SetupAndEnsureForwardRules(ctx context.Context,
- flannelIPv4Network ip.IP4Net, flannelIPv6Network ip.IP6Net, resyncPeriod int) {
+ flannelIPv4Network ip.IP4Net, flannelIPv6Network ip.IP6Net, resyncPeriod int) error {
+ return nil
 }
 
 func (nftm *NFTablesManager) SetupAndEnsureMasqRules(ctx context.Context, flannelIPv4Net, prevSubnet, prevNetwork ip.IP4Net,
diff --git a/pkg/trafficmngr/trafficmngr.go b/pkg/trafficmngr/trafficmngr.go
index ba59b73223..837d9495a8 100644
--- a/pkg/trafficmngr/trafficmngr.go
+++ b/pkg/trafficmngr/trafficmngr.go
@@ -47,7 +47,7 @@ type TrafficManager interface {
 // This is done for IPv4 and/or IPv6 based on whether flannelIPv4Network and flannelIPv6Network are set.
 // SetupAndEnsureForwardRules starts a go routine that
 // rewrites these rules every resyncPeriod seconds if needed
- SetupAndEnsureForwardRules(ctx context.Context, flannelIPv4Network ip.IP4Net, flannelIPv6Network ip.IP6Net, resyncPeriod int)
+ SetupAndEnsureForwardRules(ctx context.Context, flannelIPv4Network ip.IP4Net, flannelIPv6Network ip.IP6Net, resyncPeriod int) error
 // Install kernel rules to setup NATing of packets sent to the flannel interface
 // This is done for IPv4 and/or IPv6 based on whether flannelIPv4Network and flannelIPv6Network are set.
 // prevSubnet,prevNetworks, prevIPv6Subnet, prevIPv6Networks are used
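Review bot: The interface comment above the changed line still says SetupAndEnsureForwardRules "starts a go routine that rewrites these rules every resyncPeriod seconds", which no longer matches the iptables IPv4 path (synchronous, applied once) or nftables (which never used a goroutine), and the new error return is undocumented. Suggest replacing those two comment lines with `// SetupAndEnsureForwardRules installs the rules synchronously and returns an error if they could not be applied;` and `// resyncPeriod is only honoured by implementations that still re-apply rules in the background.` If no implementation uses `resyncPeriod` once this series is complete, dropping the parameter would be cleaner than documenting it.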