github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-28 14:07:14 +00:00
Code Issues Projects Releases Wiki Activity

Make iptables use semver lib

Browse Source
This commit is contained in:
Tim Hockin 2015-08-15 21:10:12 -07:00
parent 3a5c23d727
commit 3d309700d0
2 changed files with 15 additions and 104 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

60
pkg/util/iptables/iptables.go
View File

@ -21,10 +21,10 @@ import (
"io/ioutil" "io/ioutil"
"os" "os"
"regexp" "regexp"
"strconv"
"strings" "strings"
"sync" "sync"
"github.com/coreos/go-semver/semver"
"github.com/golang/glog" "github.com/golang/glog"
"k8s.io/kubernetes/pkg/util" "k8s.io/kubernetes/pkg/util"
utilexec "k8s.io/kubernetes/pkg/util/exec" utilexec "k8s.io/kubernetes/pkg/util/exec"
@ -106,6 +106,10 @@ type FlushFlag bool
const FlushTables FlushFlag = true const FlushTables FlushFlag = true
const NoFlushTables FlushFlag = false const NoFlushTables FlushFlag = false
// Versions of iptables less than this do not support the -C / --check flag
// (test whether a rule exists).
const MinCheckVersion = "1.4.11"
// runner implements Interface in terms of exec("iptables"). // runner implements Interface in terms of exec("iptables").
type runner struct { type runner struct {
mu sync.Mutex mu sync.Mutex
@ -399,44 +403,24 @@ func makeFullArgs(table Table, chain Chain, args ...string) []string {
// Checks if iptables has the "-C" flag // Checks if iptables has the "-C" flag
func getIptablesHasCheckCommand(exec utilexec.Interface) (bool, error) { func getIptablesHasCheckCommand(exec utilexec.Interface) (bool, error) {
minVersion, err := semver.NewVersion(MinCheckVersion)
if err != nil {
return false, err
}
// Returns "vX.Y.Z".
vstring, err := GetIptablesVersionString(exec) vstring, err := GetIptablesVersionString(exec)
if err != nil { if err != nil {
return false, err return false, err
} }
// Make a semver of the part after the v in "vX.X.X".
v1, v2, v3, err := extractIptablesVersion(vstring) version, err := semver.NewVersion(vstring[1:])
if err != nil { if err != nil {
return false, err return false, err
} }
if version.LessThan(*minVersion) {
return iptablesHasCheckCommand(v1, v2, v3), nil return false, nil
} }
return true, nil
// extractIptablesVersion returns the first three components of the iptables version.
// e.g. "iptables v1.3.66" would return (1, 3, 66, nil)
func extractIptablesVersion(str string) (int, int, int, error) {
versionMatcher := regexp.MustCompile("v([0-9]+)\\.([0-9]+)\\.([0-9]+)")
result := versionMatcher.FindStringSubmatch(str)
if result == nil {
return 0, 0, 0, fmt.Errorf("no iptables version found in string: %s", str)
}
v1, err := strconv.Atoi(result[1])
if err != nil {
return 0, 0, 0, err
}
v2, err := strconv.Atoi(result[2])
if err != nil {
return 0, 0, 0, err
}
v3, err := strconv.Atoi(result[3])
if err != nil {
return 0, 0, 0, err
}
return v1, v2, v3, nil
} }
// GetIptablesVersionString runs "iptables --version" to get the version string, // GetIptablesVersionString runs "iptables --version" to get the version string,
@ -455,17 +439,3 @@ func GetIptablesVersionString(exec utilexec.Interface) (string, error) {
} }
return match[0], nil return match[0], nil
} }
// Checks if an iptables version is after 1.4.11, when --check was added
func iptablesHasCheckCommand(v1 int, v2 int, v3 int) bool {
if v1 > 1 {
return true
}
if v1 == 1 && v2 > 4 {
return true
}
if v1 == 1 && v2 == 4 && v3 >= 11 {
return true
}
return false
}

59
pkg/util/iptables/iptables_test.go
View File

@ -438,65 +438,6 @@ func TestGetIptablesHasCheckCommand(t *testing.T) {
} }
} }
func TestExtractIptablesVersion(t *testing.T) {
testCases := []struct {
Version string
V1 int
V2 int
V3 int
Err bool
}{
{"iptables v1.4.7", 1, 4, 7, false},
{"iptables v1.4.11", 1, 4, 11, false},
{"iptables v0.2.5", 0, 2, 5, false},
{"iptables v1.2.3.4.5.6", 1, 2, 3, false},
{"iptables v1.4", 0, 0, 0, true},
{"iptables v12345.12345.12345.12344", 12345, 12345, 12345, false},
{"total junk", 0, 0, 0, true},
}
for _, testCase := range testCases {
v1, v2, v3, err := extractIptablesVersion(testCase.Version)
if (err != nil) != testCase.Err {
t.Errorf("Expected error: %v, Got error: %v", testCase.Err, err)
}
if err == nil {
if v1 != testCase.V1 {
t.Errorf("First version number incorrect for string \"%s\", got %d, expected %d", testCase.Version, v1, testCase.V1)
}
if v2 != testCase.V2 {
t.Errorf("Second version number incorrect for string \"%s\", got %d, expected %d", testCase.Version, v2, testCase.V2)
}
if v3 != testCase.V3 {
t.Errorf("Third version number incorrect for string \"%s\", got %d, expected %d", testCase.Version, v3, testCase.V3)
}
}
}
}
func TestIptablesHasCheckCommand(t *testing.T) {
testCases := []struct {
V1 int
V2 int
V3 int
Result bool
}{
{0, 55, 55, false},
{1, 0, 55, false},
{1, 4, 10, false},
{1, 4, 11, true},
{1, 4, 19, true},
{1, 5, 0, true},
{2, 0, 0, true},
}
for _, testCase := range testCases {
if result := iptablesHasCheckCommand(testCase.V1, testCase.V2, testCase.V3); result != testCase.Result {
t.Errorf("For %d.%d.%d expected %v got %v", testCase.V1, testCase.V2, testCase.V3, testCase.Result, result)
}
}
}
func TestCheckRuleWithoutCheckPresent(t *testing.T) { func TestCheckRuleWithoutCheckPresent(t *testing.T) {
iptables_save_output := `# Generated by iptables-save v1.4.7 on Wed Oct 29 14:56:01 2014 iptables_save_output := `# Generated by iptables-save v1.4.7 on Wed Oct 29 14:56:01 2014
*nat *nat