From bdc11c28064680bfb1d16af778179d47724ed882 Mon Sep 17 00:00:00 2001
From: Karthikeyan Govindaraj <30545166+gkarthiks@users.noreply.github.com>
Date: Mon, 18 Nov 2019 23:43:51 -0800
Subject: [PATCH 1/4] chore(lint): fix iptable.go file lint
---
 pkg/util/iptables/iptables.go | 39 +++++++++++++++++++++++++++++------
 1 file changed, 33 insertions(+), 6 deletions(-)
diff --git a/pkg/util/iptables/iptables.go b/pkg/util/iptables/iptables.go
index 50dce1543c9..2abcd9a9853 100644
--- a/pkg/util/iptables/iptables.go
+++ b/pkg/util/iptables/iptables.go
@@ -33,14 +33,17 @@ import (
 utiltrace "k8s.io/utils/trace"
 )
+// RulePosition holds the -I/-A flags for iptable
 type RulePosition string
 const (
+ // Prepend is the insert flag for iptable
 Prepend RulePosition = "-I"
+ // Append is the append flag for iptable
 Append RulePosition = "-A"
 )
-// An injectable interface for running iptables commands. Implementations must be goroutine-safe.
+// Interface is an injectable interface for running iptables commands. Implementations must be goroutine-safe.
 type Interface interface {
 // EnsureChain checks if the specified chain exists and, if not, creates it. If the chain existed, return true.
 EnsureChain(table Table, chain Chain) (bool, error)
@@ -83,28 +86,41 @@ type Interface interface {
 HasRandomFully() bool
 }
+// Protocol defines the ip protocol either ipv4 or ipv6
 type Protocol byte
 const (
+ // ProtocolIpv4 represents ipv4 protocol in iptables
 ProtocolIpv4 Protocol = iota + 1
+ // ProtocolIpv6 represents ipv6 protocol in iptables
 ProtocolIpv6
 )
+// Table represents different iptable like filter,nat, mangle and raw
 type Table string
 const (
+ // TableNAT represents the built-in nat table
 TableNAT Table = "nat"
+ // TableFilter represents the built-in filter table
 TableFilter Table = "filter"
+ // TableMangle represents the built-in mangle table
 TableMangle Table = "mangle"
 )
+// Chain represents the different rules
 type Chain string
 const (
+ // ChainPostrouting used for source NAT in nat table
 ChainPostrouting Chain = "POSTROUTING"
+ // ChainPrerouting used for DNAT (destination NAT) in nat table
 ChainPrerouting Chain = "PREROUTING"
+ // ChainOutput used for the packets going out from local
 ChainOutput Chain = "OUTPUT"
+ // ChainInput used for incoming packets
 ChainInput Chain = "INPUT"
+ // ChainForward used for the packets for another NIC
 ChainForward Chain = "FORWARD"
 )
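Review bot: The new comment `// Chain represents the different rules` on the Chain type is inaccurate: a Chain value names an iptables chain, which is an ordered list of rules inside a table, not the rules themselves; `// Chain is the name of an iptables chain, an ordered list of rules within a table.` would be precise. The Table comment lists raw, but this hunk only declares TableNAT, TableFilter and TableMangle, so either drop "raw" from the comment or state explicitly that no constant is provided for it. `// ChainForward used for the packets for another NIC` also misdescribes FORWARD, which is the built-in chain for packets routed through this host rather than addressed to it. Several of the new comments (Protocol, ChainPostrouting through ChainForward) omit the verb after the identifier; golint accepts them, but `// ChainInput is the built-in chain for packets addressed to this host.` reads as a sentence.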
@@ -117,32 +133,44 @@ const (
 cmdIP6Tables string = "ip6tables"
 )
-// Option flag for Restore
+// RestoreCountersFlag is an option flag for Restore
 type RestoreCountersFlag bool
+// RestoreCounters a boolean true constant for the option flag RestoreCountersFlag
 const RestoreCounters RestoreCountersFlag = true
+// NoRestoreCounters a boolean false constant for the option flag RestoreCountersFlag
 const NoRestoreCounters RestoreCountersFlag = false
-// Option flag for Flush
+// FlushFlag an option flag for Flush
 type FlushFlag bool
+// FlushTables a boolean true constant for option flag FlushFlag
 const FlushTables FlushFlag = true
+// NoFlushTables a boolean false constant for option flag FlushFlag
 const NoFlushTables FlushFlag = false
+// MinCheckVersion minimum version to be checked
 // Versions of iptables less than this do not support the -C / --check flag
 // (test whether a rule exists).
 var MinCheckVersion = utilversion.MustParseGeneric("1.4.11")
+// RandomFullyMinVersion is the minimum version from which the --random-fully flag is supported,
+// used for port mapping to be fully randomized
 var RandomFullyMinVersion = utilversion.MustParseGeneric("1.6.2")
-// Minimum iptables versions supporting the -w and -w flags
+// WaitMinVersion a minimum iptables versions supporting the -w and -w flags
 var WaitMinVersion = utilversion.MustParseGeneric("1.4.20")
+// WaitSecondsMinVersion a minimum iptables versions supporting the wait seconds
 var WaitSecondsMinVersion = utilversion.MustParseGeneric("1.4.22")
+// WaitRestoreMinVersion a minimum iptables versions supporting the wait restore seconds
 var WaitRestoreMinVersion = utilversion.MustParseGeneric("1.6.2")
+// WaitString a constant for specifying the wait flag
 const WaitString = "-w"
+// WaitSecondsValue a constant for specifying the default wait seconds
 const WaitSecondsValue = "5"
+// LockfilePath16x is the iptables lock file acquired by any process that's making any change in the iptable rule
 const LockfilePath16x = "/run/xtables.lock"
 // runner implements Interface in terms of exec("iptables").
@@ -706,7 +734,6 @@ const iptablesStatusResourceProblem = 4
 func isResourceError(err error) bool {
 if ee, isExitError := err.(utilexec.ExitError); isExitError {
 return ee.ExitStatus() == iptablesStatusResourceProblem
- } else {
- return false
 }
+ return false
 }
From a4631c845e798820de89d0f3f4012ff0d34c52aa Mon Sep 17 00:00:00 2001
From: Karthikeyan Govindaraj <30545166+gkarthiks@users.noreply.github.com>
Date: Mon, 18 Nov 2019 23:44:49 -0800
Subject: [PATCH 2/4] chore(lint): lint fix in /pkg/util/iptables
---
 pkg/util/iptables/monitor_test.go | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/pkg/util/iptables/monitor_test.go b/pkg/util/iptables/monitor_test.go
index 7f4d4176dc8..37e9ddcd3ad 100644
--- a/pkg/util/iptables/monitor_test.go
+++ b/pkg/util/iptables/monitor_test.go
@@ -130,9 +130,8 @@ func (mfc *monitorFakeCmd) CombinedOutput() ([]byte, error) {
 case opListChain:
 if table.Has(chainName) {
 return []byte{}, nil
- } else {
- return []byte{}, fmt.Errorf("no such chain %q", chainName)
 }
+ return []byte{}, fmt.Errorf("no such chain %q", chainName)
 case opDeleteChain:
 table.Delete(chainName)
 return []byte{}, nil
From 1f4cd65be5e1e5b7f5c5d13c58e9a883390f9978 Mon Sep 17 00:00:00 2001
From: Karthikeyan Govindaraj <30545166+gkarthiks@users.noreply.github.com>
Date: Mon, 18 Nov 2019 23:49:34 -0800
Subject: [PATCH 3/4] chore(lint): removing the iptables pkg
---
 hack/.golint_failures | 1 -
 1 file changed, 1 deletion(-)
diff --git a/hack/.golint_failures b/hack/.golint_failures
index 2b9265068b8..cdd105008ca 100644
--- a/hack/.golint_failures
+++ b/hack/.golint_failures
@@ -219,7 +219,6 @@ pkg/ssh
 pkg/util/config
 pkg/util/ebtables
 pkg/util/goroutinemap/exponentialbackoff
-pkg/util/iptables
 pkg/util/iptables/testing
 pkg/util/labels # See previous effort in PR #80685
 pkg/util/oom
From b05749c619ad04c4b7b4353e5c835ef865a81911 Mon Sep 17 00:00:00 2001
From: gkarthiks
Date: Tue, 19 Nov 2019 08:30:16 -0800
Subject: [PATCH 4/4] chore(gofmt): go format fix
Signed-off-by: gkarthiks
---
 pkg/util/iptables/iptables.go | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)
diff --git a/pkg/util/iptables/iptables.go b/pkg/util/iptables/iptables.go
index 2abcd9a9853..e9f519001ed 100644
--- a/pkg/util/iptables/iptables.go
+++ b/pkg/util/iptables/iptables.go
@@ -40,7 +40,7 @@ const (
 // Prepend is the insert flag for iptable
 Prepend RulePosition = "-I"
 // Append is the append flag for iptable
- Append RulePosition = "-A"
+ Append RulePosition = "-A"
 )
 // Interface is an injectable interface for running iptables commands. Implementations must be goroutine-safe.
@@ -101,7 +101,7 @@ type Table string
 const (
 // TableNAT represents the built-in nat table
- TableNAT Table = "nat"
+ TableNAT Table = "nat"
 // TableFilter represents the built-in filter table
 TableFilter Table = "filter"
 // TableMangle represents the built-in mangle table
@@ -115,13 +115,13 @@ const (
 // ChainPostrouting used for source NAT in nat table
 ChainPostrouting Chain = "POSTROUTING"
 // ChainPrerouting used for DNAT (destination NAT) in nat table
- ChainPrerouting Chain = "PREROUTING"
+ ChainPrerouting Chain = "PREROUTING"
 // ChainOutput used for the packets going out from local
- ChainOutput Chain = "OUTPUT"
+ ChainOutput Chain = "OUTPUT"
 // ChainInput used for incoming packets
- ChainInput Chain = "INPUT"
+ ChainInput Chain = "INPUT"
 // ChainForward used for the packets for another NIC
- ChainForward Chain = "FORWARD"
+ ChainForward Chain = "FORWARD"
 )
 const (
@@ -138,6 +138,7 @@ type RestoreCountersFlag bool
 // RestoreCounters a boolean true constant for the option flag RestoreCountersFlag
 const RestoreCounters RestoreCountersFlag = true
+
 // NoRestoreCounters a boolean false constant for the option flag RestoreCountersFlag
 const NoRestoreCounters RestoreCountersFlag = false
@@ -146,6 +147,7 @@ type FlushFlag bool
 // FlushTables a boolean true constant for option flag FlushFlag
 const FlushTables FlushFlag = true
+
 // NoFlushTables a boolean false constant for option flag FlushFlag
 const NoFlushTables FlushFlag = false
@@ -160,13 +162,16 @@ var RandomFullyMinVersion = utilversion.MustParseGeneric("1.6.2")
 // WaitMinVersion a minimum iptables versions supporting the -w and -w flags
 var WaitMinVersion = utilversion.MustParseGeneric("1.4.20")
+
 // WaitSecondsMinVersion a minimum iptables versions supporting the wait seconds
 var WaitSecondsMinVersion = utilversion.MustParseGeneric("1.4.22")
+
 // WaitRestoreMinVersion a minimum iptables versions supporting the wait restore seconds
 var WaitRestoreMinVersion = utilversion.MustParseGeneric("1.6.2")
 // WaitString a constant for specifying the wait flag
 const WaitString = "-w"
+
 // WaitSecondsValue a constant for specifying the default wait seconds
 const WaitSecondsValue = "5"