Merge pull request #77303 from danwinship/iptables-is-not-found-error

Update iptables.IsNotFoundError for iptables-nft error messages
2025-07-23 11:50:44 +00:00 · 2019-05-01 14:32:55 -07:00 · 2019-05-01 14:32:55 -07:00 · 53b41dd1fe
commit 53b41dd1fe
parent d457a5d214 4d77d3e75f
1 changed files with 30 additions and 7 deletions
--- a/pkg/util/iptables/iptables.go
+++ b/pkg/util/iptables/iptables.go
@ -696,16 +696,39 @@ func (runner *runner) reload() {
 	}
 }

+var iptablesNotFoundStrings = []string{
+	// iptables-legacy [-A|-I] BAD-CHAIN [...]
+	// iptables-legacy [-C|-D] GOOD-CHAIN [...non-matching rule...]
+	// iptables-legacy [-X|-F|-Z] BAD-CHAIN
+	// iptables-nft -X BAD-CHAIN
+	// NB: iptables-nft [-F|-Z] BAD-CHAIN exits with no error
+	"No chain/target/match by that name",
+
+	// iptables-legacy [...] -j BAD-CHAIN
+	// iptables-nft-1.8.0 [-A|-I] BAD-CHAIN [...]
+	// iptables-nft-1.8.0 [-A|-I] GOOD-CHAIN -j BAD-CHAIN
+	// NB: also matches some other things like "-m BAD-MODULE"
+	"No such file or directory",
+
+	// iptables-legacy [-C|-D] BAD-CHAIN [...]
+	// iptables-nft [-C|-D] GOOD-CHAIN [...non-matching rule...]
+	"does a matching rule exist",
+
+	// iptables-nft-1.8.2 [-A|-C|-D|-I] BAD-CHAIN [...]
+	// iptables-nft-1.8.2 [...] -j BAD-CHAIN
+	"does not exist",
+}
+
 // IsNotFoundError returns true if the error indicates "not found".  It parses
-// the error string looking for known values, which is imperfect but works in
-// practice.
+// the error string looking for known values, which is imperfect; beware using
+// this function for anything beyond deciding between logging or ignoring an
+// error.
 func IsNotFoundError(err error) bool {
 	es := err.Error()
-	if strings.Contains(es, "No such file or directory") {
-		return true
-	}
-	if strings.Contains(es, "No chain/target/match by that name") {
-		return true
+	for _, str := range iptablesNotFoundStrings {
+		if strings.Contains(es, str) {
+			return true
+		}
 	}
 	return false
 }