Verify iptable rules are applied for tcp, udp and icmp

Signed-off-by: Harshal Patil <harpatil@redhat.com>
This commit is contained in:
Harshal Patil 2020-10-27 15:04:24 +05:30
parent d9b576d61e
commit f3bfc9fd67


@ -19,7 +19,6 @@ package remote
import ( import (
"fmt" "fmt"
"path/filepath" "path/filepath"
"strings"
"k8s.io/klog/v2" "k8s.io/klog/v2"
) )
@ -79,36 +78,22 @@ func setupCNI(host, workspace string) error {
// configureFirewall configures iptable firewall rules. // configureFirewall configures iptable firewall rules.
func configureFirewall(host string) error { func configureFirewall(host string) error {
klog.V(2).Infof("Configure iptables firewall rules on %q", host) klog.V(2).Infof("Configure iptables HEYHO firewall rules on %q", host)
// TODO: consider calling bootstrap script to configure host based on OS
output, err := SSH(host, "iptables", "-L", "INPUT") // Since the goal is to enable connectivity without taking into account current rule,
if err != nil { // we can just prepend the accept rules directly without any check
return fmt.Errorf("failed to get iptables INPUT on %q: %v output: %q", host, err, output)
}
if strings.Contains(output, "Chain INPUT (policy DROP)") {
cmd := getSSHCommand("&&", cmd := getSSHCommand("&&",
"(iptables -C INPUT -w -p TCP -j ACCEPT || iptables -A INPUT -w -p TCP -j ACCEPT)", "iptables -I INPUT 1 -w -p tcp -j ACCEPT",
"(iptables -C INPUT -w -p UDP -j ACCEPT || iptables -A INPUT -w -p UDP -j ACCEPT)", "iptables -I INPUT 1 -w -p udp -j ACCEPT",
"(iptables -C INPUT -w -p ICMP -j ACCEPT || iptables -A INPUT -w -p ICMP -j ACCEPT)") "iptables -I INPUT 1 -w -p icmp -j ACCEPT",
"iptables -I FORWARD 1 -w -p tcp -j ACCEPT",
"iptables -I FORWARD 1 -w -p udp -j ACCEPT",
"iptables -I FORWARD 1 -w -p icmp -j ACCEPT",
)
output, err := SSH(host, "sh", "-c", cmd) output, err := SSH(host, "sh", "-c", cmd)
if err != nil { if err != nil {
return fmt.Errorf("failed to configured firewall on %q: %v output: %v", host, err, output) return fmt.Errorf("failed to configured firewall on %q: %v output: %v", host, err, output)
} }
}
output, err = SSH(host, "iptables", "-L", "FORWARD")
if err != nil {
return fmt.Errorf("failed to get iptables FORWARD on %q: %v output: %q", host, err, output)
}
if strings.Contains(output, "Chain FORWARD (policy DROP)") {
cmd := getSSHCommand("&&",
"(iptables -C FORWARD -w -p TCP -j ACCEPT || iptables -A FORWARD -w -p TCP -j ACCEPT)",
"(iptables -C FORWARD -w -p UDP -j ACCEPT || iptables -A FORWARD -w -p UDP -j ACCEPT)",
"(iptables -C FORWARD -w -p ICMP -j ACCEPT || iptables -A FORWARD -w -p ICMP -j ACCEPT)")
output, err = SSH(host, "sh", "-c", cmd)
if err != nil {
return fmt.Errorf("failed to configured firewall on %q: %v output: %v", host, err, output)
}
}
return nil return nil
} }
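Review bot: The new side of the klog line in configureFirewall logs `Configure iptables HEYHO firewall rules on %q`, which reads as a debugging leftover that will now appear in the verbose log of every run; restore `klog.V(2).Infof("Configure iptables firewall rules on %q", host)`. Separately, removing both the `iptables -C … ||` guard and the `policy DROP` check means each call unconditionally prepends six ACCEPT rules, so repeated invocations against the same host pile up duplicate rules at position 1 of INPUT and FORWARD, and hosts whose chains were not DROP-policy get the blanket tcp/udp/icmp accepts as well. If the goal is only to guarantee the rules sit ahead of anything else, a per-rule form such as `"(iptables -C INPUT -w -p tcp -j ACCEPT || iptables -I INPUT 1 -w -p tcp -j ACCEPT)"` applied to all six rules keeps the function idempotent while still inserting at the top. The comment above getSSHCommand should also say explicitly that this accepts all tcp, udp and icmp traffic on INPUT and FORWARD regardless of the host's existing policy, so a reader knows how far it widens the host firewall.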