From 924553b7ee11b3275e430953d944967761c0e62f Mon Sep 17 00:00:00 2001
From: Antonio Ojea
Date: Tue, 7 Jul 2020 13:30:11 +0200
Subject: [PATCH] iptables don't do reverse DNS lookups

the iptables monitor was using iptables -L to list the chains, without the -n option, so it was trying to do reverse DNS lookups. A side effect is that it was holding the lock, so other components could not use it. We can use -S instead of -L -n to avoid this, since we only want to check the chain exists.
---
 pkg/util/iptables/iptables.go | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/pkg/util/iptables/iptables.go b/pkg/util/iptables/iptables.go
index 2a246ff20cd..728d5b30c09 100644
--- a/pkg/util/iptables/iptables.go
+++ b/pkg/util/iptables/iptables.go
@@ -607,6 +607,9 @@ func (runner *runner) chainExists(table Table, chain Chain) (bool, error) {
 	runner.mu.Lock()
 	defer runner.mu.Unlock()
 
+	trace := utiltrace.New("iptables Monitor CANARY check")
+	defer trace.LogIfLong(2 * time.Second)
+
 	_, err := runner.run(opListChain, fullArgs)
 	return err == nil, err
 }
@@ -617,7 +620,7 @@ const (
 	opCreateChain operation = "-N"
 	opFlushChain operation = "-F"
 	opDeleteChain operation = "-X"
-	opListChain operation = "-L"
+	opListChain operation = "-S"
 	opAppendRule operation = "-A"
 	opCheckRule operation = "-C"
 	opDeleteRule operation = "-D"
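Review bot: The trace is started only after `runner.mu.Lock()` returns, so `LogIfLong(2 * time.Second)` measures just the iptables invocation and never the time spent waiting for the lock, which is the contention the commit message describes. If that wait is what you want visibility into, move the two added lines above `runner.mu.Lock()` so the deferred `LogIfLong` brackets both the lock acquisition and the run; the deferred calls still unwind in the right order. The label `"iptables Monitor CANARY check"` is hard-coded into the generic `chainExists` helper, which presumably is only reached from the monitor today but would mislabel any future caller; a neutral label such as `"iptables chainExists"` would age better. The imports for `utiltrace` and `time` are not in this diff, so I assume the file already has them; and the opening lines of chainExists, where `fullArgs` is built, are outside the hunk.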
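Review bot: The switch from `-L` to `-S` carries no comment, so the next reader will see a "list chain" operation mapped to `--list-rules` and not know why `-L -n` was rejected; add `opListChain operation = "-S" // --list-rules: unlike -L it never resolves addresses, so no reverse DNS lookups while the iptables lock is held`. The existence check in chainExists still works because iptables exits non-zero when the named chain is absent, so `err == nil` keeps its meaning. If any other caller of opListChain parses the command's output rather than just its exit status, note that the format changes from the -L table to iptables-save-style rule lines; I cannot see other callers from this hunk.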