github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-31 15:25:57 +00:00
Code Issues Projects Releases Wiki Activity

iptables don't do reverse DNS lookups

Browse Source 
the iptables monitor was using iptables -L to list the chains,
without the -n option, so it was trying to do reverse DNS lookups.
A side effect is that it was holding the lock, so other components
could not use it.
We can use -S instead of -L -n to avoid this, since we only want
to check the chain exists.
This commit is contained in:
Antonio Ojea 2020-07-07 13:30:11 +02:00 committed by Antonio Ojea
parent 7e75a5ef43
commit 924553b7ee
1 changed files with 4 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
pkg/util/iptables/iptables.go
View File

@ -607,6 +607,9 @@ func (runner *runner) chainExists(table Table, chain Chain) (bool, error) {
runner.mu.Lock() runner.mu.Lock()
defer runner.mu.Unlock() defer runner.mu.Unlock()
trace := utiltrace.New("iptables Monitor CANARY check")
defer trace.LogIfLong(2 * time.Second)
_, err := runner.run(opListChain, fullArgs) _, err := runner.run(opListChain, fullArgs)
return err == nil, err return err == nil, err
} }
@ -617,7 +620,7 @@ const (
opCreateChain operation = "-N" opCreateChain operation = "-N"
opFlushChain operation = "-F" opFlushChain operation = "-F"
opDeleteChain operation = "-X" opDeleteChain operation = "-X"
opListChain operation = "-L" opListChain operation = "-S"
opAppendRule operation = "-A" opAppendRule operation = "-A"
opCheckRule operation = "-C" opCheckRule operation = "-C"
opDeleteRule operation = "-D" opDeleteRule operation = "-D"