mirror of
https://github.com/k3s-io/kubernetes.git
synced 2026-01-05 07:27:21 +00:00
iptables: simplify version handling
This commit is contained in:
Dan Winship
@@ -43,8 +43,6 @@ const (
|
||||
|
||||
// An injectable interface for running iptables commands. Implementations must be goroutine-safe.
|
||||
type Interface interface {
|
||||
// GetVersion returns the "X.Y.Z" version string for iptables.
|
||||
GetVersion() (string, error)
|
||||
// EnsureChain checks if the specified chain exists and, if not, creates it. If the chain existed, return true.
|
||||
EnsureChain(table Table, chain Chain) (bool, error)
|
||||
// FlushChain clears the specified chain. If the chain did not exist, return error.
|
||||
@@ -121,12 +119,13 @@ const NoFlushTables FlushFlag = false
|
||||
|
||||
// Versions of iptables less than this do not support the -C / --check flag
|
||||
// (test whether a rule exists).
|
||||
const MinCheckVersion = "1.4.11"
|
||||
var MinCheckVersion = utilversion.MustParseGeneric("1.4.11")
|
||||
|
||||
// Minimum iptables versions supporting the -w and -w<seconds> flags
|
||||
const WaitMinVersion = "1.4.20"
|
||||
const WaitSecondsMinVersion = "1.4.22"
|
||||
const WaitRestoreMinVersion = "1.6.2"
|
||||
var WaitMinVersion = utilversion.MustParseGeneric("1.4.20")
|
||||
var WaitSecondsMinVersion = utilversion.MustParseGeneric("1.4.22")
|
||||
var WaitRestoreMinVersion = utilversion.MustParseGeneric("1.6.2")
|
||||
|
||||
const WaitString = "-w"
|
||||
const WaitSecondsValue = "5"
|
||||
|
||||
@@ -151,10 +150,10 @@ type runner struct {
|
||||
// newInternal returns a new Interface which will exec iptables, and allows the
|
||||
// caller to change the iptables-restore lockfile path
|
||||
func newInternal(exec utilexec.Interface, dbus utildbus.Interface, protocol Protocol, lockfilePath string) Interface {
|
||||
vstring, err := getIPTablesVersionString(exec, protocol)
|
||||
version, err := getIPTablesVersion(exec, protocol)
|
||||
if err != nil {
|
||||
klog.Warningf("Error checking iptables version, assuming version at least %s: %v", MinCheckVersion, err)
|
||||
vstring = MinCheckVersion
|
||||
version = MinCheckVersion
|
||||
}
|
||||
|
||||
if lockfilePath == "" {
|
||||
@@ -165,10 +164,10 @@ func newInternal(exec utilexec.Interface, dbus utildbus.Interface, protocol Prot
|
||||
exec: exec,
|
||||
dbus: dbus,
|
||||
protocol: protocol,
|
||||
hasCheck: getIPTablesHasCheckCommand(vstring),
|
||||
hasCheck: version.AtLeast(MinCheckVersion),
|
||||
hasListener: false,
|
||||
waitFlag: getIPTablesWaitFlag(vstring),
|
||||
restoreWaitFlag: getIPTablesRestoreWaitFlag(vstring),
|
||||
waitFlag: getIPTablesWaitFlag(version),
|
||||
restoreWaitFlag: getIPTablesRestoreWaitFlag(version),
|
||||
lockfilePath: lockfilePath,
|
||||
}
|
||||
return runner
|
||||
@@ -215,11 +214,6 @@ func (runner *runner) connectToFirewallD() {
|
||||
go runner.dbusSignalHandler(bus)
|
||||
}
|
||||
|
||||
// GetVersion returns the version string.
|
||||
func (runner *runner) GetVersion() (string, error) {
|
||||
return getIPTablesVersionString(runner.exec, runner.protocol)
|
||||
}
|
||||
|
||||
// EnsureChain is part of Interface.
|
||||
func (runner *runner) EnsureChain(table Table, chain Chain) (bool, error) {
|
||||
fullArgs := makeFullArgs(table, chain)
|
||||
@@ -540,83 +534,46 @@ func makeFullArgs(table Table, chain Chain, args ...string) []string {
|
||||
return append([]string{string(chain), "-t", string(table)}, args...)
|
||||
}
|
||||
|
||||
// Checks if iptables has the "-C" flag
|
||||
func getIPTablesHasCheckCommand(vstring string) bool {
|
||||
minVersion, err := utilversion.ParseGeneric(MinCheckVersion)
|
||||
if err != nil {
|
||||
klog.Errorf("MinCheckVersion (%s) is not a valid version string: %v", MinCheckVersion, err)
|
||||
return true
|
||||
}
|
||||
version, err := utilversion.ParseGeneric(vstring)
|
||||
if err != nil {
|
||||
klog.Errorf("vstring (%s) is not a valid version string: %v", vstring, err)
|
||||
return true
|
||||
}
|
||||
return version.AtLeast(minVersion)
|
||||
}
|
||||
|
||||
// Checks if iptables version has a "wait" flag
|
||||
func getIPTablesWaitFlag(vstring string) []string {
|
||||
version, err := utilversion.ParseGeneric(vstring)
|
||||
if err != nil {
|
||||
klog.Errorf("vstring (%s) is not a valid version string: %v", vstring, err)
|
||||
return nil
|
||||
}
|
||||
|
||||
minVersion, err := utilversion.ParseGeneric(WaitMinVersion)
|
||||
if err != nil {
|
||||
klog.Errorf("WaitMinVersion (%s) is not a valid version string: %v", WaitMinVersion, err)
|
||||
return nil
|
||||
}
|
||||
if version.LessThan(minVersion) {
|
||||
return nil
|
||||
}
|
||||
|
||||
minVersion, err = utilversion.ParseGeneric(WaitSecondsMinVersion)
|
||||
if err != nil {
|
||||
klog.Errorf("WaitSecondsMinVersion (%s) is not a valid version string: %v", WaitSecondsMinVersion, err)
|
||||
return nil
|
||||
}
|
||||
if version.LessThan(minVersion) {
|
||||
return []string{WaitString}
|
||||
}
|
||||
return []string{WaitString, WaitSecondsValue}
|
||||
}
|
||||
|
||||
// getIPTablesVersionString runs "iptables --version" to get the version string
|
||||
// in the form "X.X.X"
|
||||
func getIPTablesVersionString(exec utilexec.Interface, protocol Protocol) (string, error) {
|
||||
// getIPTablesVersion runs "iptables --version" and parses the returned version
|
||||
func getIPTablesVersion(exec utilexec.Interface, protocol Protocol) (*utilversion.Version, error) {
|
||||
// this doesn't access mutable state so we don't need to use the interface / runner
|
||||
iptablesCmd := iptablesCommand(protocol)
|
||||
bytes, err := exec.Command(iptablesCmd, "--version").CombinedOutput()
|
||||
if err != nil {
|
||||
return "", err
|
||||
return nil, err
|
||||
}
|
||||
versionMatcher := regexp.MustCompile("v([0-9]+(\\.[0-9]+)+)")
|
||||
match := versionMatcher.FindStringSubmatch(string(bytes))
|
||||
if match == nil {
|
||||
return "", fmt.Errorf("no iptables version found in string: %s", bytes)
|
||||
return nil, fmt.Errorf("no iptables version found in string: %s", bytes)
|
||||
}
|
||||
version, err := utilversion.ParseGeneric(match[1])
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("iptables version %q is not a valid version string: %v", match[1], err)
|
||||
}
|
||||
|
||||
return version, nil
|
||||
}
|
||||
|
||||
// Checks if iptables version has a "wait" flag
|
||||
func getIPTablesWaitFlag(version *utilversion.Version) []string {
|
||||
switch {
|
||||
case version.AtLeast(WaitSecondsMinVersion):
|
||||
return []string{WaitString, WaitSecondsValue}
|
||||
case version.AtLeast(WaitMinVersion):
|
||||
return []string{WaitString}
|
||||
default:
|
||||
return nil
|
||||
}
|
||||
return match[1], nil
|
||||
}
|
||||
|
||||
// Checks if iptables-restore has a "wait" flag
|
||||
func getIPTablesRestoreWaitFlag(vstring string) []string {
|
||||
version, err := utilversion.ParseGeneric(vstring)
|
||||
if err != nil {
|
||||
klog.Errorf("vstring (%s) is not a valid version string: %v", vstring, err)
|
||||
func getIPTablesRestoreWaitFlag(version *utilversion.Version) []string {
|
||||
if version.AtLeast(WaitRestoreMinVersion) {
|
||||
return []string{WaitString, WaitSecondsValue}
|
||||
} else {
|
||||
return nil
|
||||
}
|
||||
|
||||
minVersion, err := utilversion.ParseGeneric(WaitRestoreMinVersion)
|
||||
if err != nil {
|
||||
klog.Errorf("WaitRestoreMinVersion (%s) is not a valid version string: %v", WaitRestoreMinVersion, err)
|
||||
return nil
|
||||
}
|
||||
if version.LessThan(minVersion) {
|
||||
return nil
|
||||
}
|
||||
return []string{WaitString, WaitSecondsValue}
|
||||
}
|
||||
|
||||
// goroutine to listen for D-Bus signals
|
||||
|
||||
Reference in New Issue
Block a user