github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-08-04 09:49:50 +00:00
Code Issues Projects Releases Wiki Activity

Fix dup rule generation with older iptables

Browse Source 
With older iptables binary, kube-proxy generates duplicate
iptables rules in NAT table every few seconds.

This fixes the problem by properly unquoting && parsing
older iptables-save output.
This commit is contained in:
Jihoon Chung 2015-08-18 10:45:49 +09:00
parent 736945faba
commit 837edf850d
1 changed files with 12 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
pkg/util/iptables/iptables.go
View File

@ -326,12 +326,15 @@ func (runner *runner) checkRuleWithoutCheck(table Table, chain Chain, args ...st
return false, fmt.Errorf("error checking rule: %v", err) return false, fmt.Errorf("error checking rule: %v", err)
} }
// Sadly, iptables has inconsistent quoting rules for comments. // Sadly, iptables has inconsistent quoting rules for comments. Just remove all quotes.
// Just unquote any arg that is wrapped in quotes. // Also, quoted multi-word comments (which are counted as a single arg)
argsCopy := make([]string, len(args)) // will be unpacked into multiple args,
copy(argsCopy, args) // in order to compare against iptables-save output (which will be split at whitespace boundary)
for i := range argsCopy { // e.g. a single arg('"this must be before the NodePort rules"') will be unquoted and unpacked into 7 args.
unquote(&argsCopy[i]) var argsCopy []string
for i := range args {
tmpField := strings.Trim(args[i], "\"")
argsCopy = append(argsCopy, strings.Fields(tmpField)...)
} }
argset := util.NewStringSet(argsCopy...) argset := util.NewStringSet(argsCopy...)
@ -340,14 +343,14 @@ func (runner *runner) checkRuleWithoutCheck(table Table, chain Chain, args ...st
// Check that this is a rule for the correct chain, and that it has // Check that this is a rule for the correct chain, and that it has
// the correct number of argument (+2 for "-A <chain name>") // the correct number of argument (+2 for "-A <chain name>")
if !strings.HasPrefix(line, fmt.Sprintf("-A %s", string(chain))) || len(fields) != len(args)+2 { if !strings.HasPrefix(line, fmt.Sprintf("-A %s", string(chain))) || len(fields) != len(argsCopy)+2 {
continue continue
} }
// Sadly, iptables has inconsistent quoting rules for comments. // Sadly, iptables has inconsistent quoting rules for comments.
// Just unquote any arg that is wrapped in quotes. // Just remove all quotes.
for i := range fields { for i := range fields {
unquote(&fields[i]) fields[i] = strings.Trim(fields[i], "\"")
} }
// TODO: This misses reorderings e.g. "-x foo ! -y bar" will match "! -x foo -y bar" // TODO: This misses reorderings e.g. "-x foo ! -y bar" will match "! -x foo -y bar"
@ -360,12 +363,6 @@ func (runner *runner) checkRuleWithoutCheck(table Table, chain Chain, args ...st
return false, nil return false, nil
} }
func unquote(strp *string) {
if len(*strp) >= 2 && (*strp)[0] == '"' && (*strp)[len(*strp)-1] == '"' {
*strp = strings.TrimPrefix(strings.TrimSuffix(*strp, `"`), `"`)
}
}
// Executes the rule check using the "-C" flag // Executes the rule check using the "-C" flag
func (runner *runner) checkRuleUsingCheck(args []string) (bool, error) { func (runner *runner) checkRuleUsingCheck(args []string) (bool, error) {
out, err := runner.run(opCheckRule, args) out, err := runner.run(opCheckRule, args)