Improve utiliptables error handling when there's no iptables binary

If `iptables --version` failed, utiliptables.New() would log a warning and assume that the problem was that you had an implausibly ancient version of iptables installed. Change it to instead assume that the problem is that you don't have iptables installed at all (and don't log anything; the caller will discover this later).
2025-07-29 14:37:00 +00:00 · 2025-01-25 10:48:27 -05:00 · 2025-01-25 10:48:27 -05:00 · b031258969
commit b031258969
parent f1d0eb4fe4
2 changed files with 15 additions and 16 deletions
--- a/pkg/util/iptables/iptables.go
+++ b/pkg/util/iptables/iptables.go
@ -219,12 +219,6 @@ type runner struct {
 // newInternal returns a new Interface which will exec iptables, and allows the
 // caller to change the iptables-restore lockfile path
 func newInternal(exec utilexec.Interface, protocol Protocol, lockfilePath14x, lockfilePath16x string) Interface {
-	version, err := getIPTablesVersion(exec, protocol)
-	if err != nil {
-		klog.InfoS("Error checking iptables version, assuming version at least", "version", MinCheckVersion, "err", err)
-		version = MinCheckVersion
-	}
-
 	if lockfilePath16x == "" {
 		lockfilePath16x = LockfilePath16x
 	}
@ -235,13 +229,22 @@ func newInternal(exec utilexec.Interface, protocol Protocol, lockfilePath14x, lo
 	runner := &runner{
 		exec:            exec,
 		protocol:        protocol,
-		hasCheck:        version.AtLeast(MinCheckVersion),
-		hasRandomFully:  version.AtLeast(RandomFullyMinVersion),
-		waitFlag:        getIPTablesWaitFlag(version),
-		restoreWaitFlag: getIPTablesRestoreWaitFlag(version, exec, protocol),
 		lockfilePath14x: lockfilePath14x,
 		lockfilePath16x: lockfilePath16x,
 	}
+
+	version, err := getIPTablesVersion(exec, protocol)
+	if err != nil {
+		// The only likely error is "no such file or directory", in which case any
+		// further commands will fail the same way, so we don't need to do
+		// anything special here.
+		return runner
+	}
+
+	runner.hasCheck = version.AtLeast(MinCheckVersion)
+	runner.hasRandomFully = version.AtLeast(RandomFullyMinVersion)
+	runner.waitFlag = getIPTablesWaitFlag(version)
+	runner.restoreWaitFlag = getIPTablesRestoreWaitFlag(version, exec, protocol)
 	return runner
 }

--- a/pkg/util/iptables/iptables_test.go
+++ b/pkg/util/iptables/iptables_test.go
@ -177,13 +177,9 @@ func TestNew(t *testing.T) {
 					command: "iptables --version",
 					action:  func() ([]byte, []byte, error) { return nil, nil, fmt.Errorf("no such file or directory") },
 				},
-				{
-					command: "iptables-restore --version",
-					action:  func() ([]byte, []byte, error) { return nil, nil, fmt.Errorf("no such file or directory") },
-				},
 			},
 			expected: &runner{
-				hasCheck:        true,
+				hasCheck:        false,
 				hasRandomFully:  false,
 				waitFlag:        nil,
 				restoreWaitFlag: nil,
@ -601,7 +597,7 @@ func TestGetIPTablesHasCheckCommand(t *testing.T) {
 		{"iptables v1.4.11", true},
 		{"iptables v1.4.19.1", true},
 		{"iptables v2.0.0", true},
-		{"total junk", true},
+		{"total junk", false},
 	}

 	for _, testCase := range testCases {