Merge pull request #23 from aojea/mangle

aojea · web-flow · commit 2b60cc56e884 · 2024-04-08T12:05:35.000+01:00
use mangle table for iptables-legacy to be compatible with other comp…
diff --git a/cmd/main.go b/cmd/main.go
@@ -7,6 +7,7 @@ import (
 	"net/http"
 	"os"
 	"os/signal"
+	"time"
 
 	"github.com/aojea/kube-netpol/pkg/networkpolicy"
 	"github.com/prometheus/client_golang/prometheus/promhttp"
@@ -88,4 +89,6 @@ func main() {
 	case <-ctx.Done():
 	}
 
+	// grace period to cleanup resources
+	time.Sleep(5 * time.Second)
 }
diff --git a/pkg/networkpolicy/controller.go b/pkg/networkpolicy/controller.go
@@ -382,7 +382,13 @@ func (c *Controller) syncIptablesRules() {
 		queueRule = append(queueRule, "--queue-bypass")
 	}
 
-	if err := c.ipt.InsertUnique("filter", "FORWARD", 1, queueRule...); err != nil {
+	// kube-proxy install the reject rules for Services with Endpoints on the FORWARD hook
+	// nfqueue either accepts or drops https://netfilter-devel.vger.kernel.narkive.com/dGk9ZPzK/nfqueue-target-with-treat-accept-as-continue
+	// We can append the rule after the kube-proxy ones, but that will always depend on the order of the components
+	// to be installed so it will be racy.
+	// Since nftables does not seem to have that problem and we only offer iptables-legacy for backwards compatibility
+	// use the mangle table that happens before for filtering.
+	if err := c.ipt.InsertUnique("mangle", "FORWARD", 1, queueRule...); err != nil {
 		klog.Infof("error syncing iptables rule %v", err)
 	}
 }
@@ -393,7 +399,7 @@ func (c *Controller) cleanIptablesRules() {
 		queueRule = append(queueRule, "--queue-bypass")
 	}
 
-	if err := c.ipt.Delete("filter", "FORWARD", queueRule...); err != nil {
+	if err := c.ipt.Delete("mangle", "FORWARD", queueRule...); err != nil {
 		klog.Infof("error deleting iptables rule %v", err)
 	}
 }

Original file line number	Diff line number	Diff line change
`@@ -7,6 +7,7 @@ import (`
`7`	`7`	`"net/http"`
`8`	`8`	`"os"`
`9`	`9`	`"os/signal"`
	`10`	`+ "time"`
`10`	`11`
`11`	`12`	`"github.com/aojea/kube-netpol/pkg/networkpolicy"`
`12`	`13`	`"github.com/prometheus/client_golang/prometheus/promhttp"`
`@@ -88,4 +89,6 @@ func main() {`
`88`	`89`	`case <-ctx.Done():`
`89`	`90`	`}`
`90`	`91`
	`92`	`+ // grace period to cleanup resources`
	`93`	`+ time.Sleep(5 * time.Second)`
`91`	`94`	`}`
Original file line number	Diff line number	Diff line change
`@@ -382,7 +382,13 @@ func (c *Controller) syncIptablesRules() {`
`382`	`382`	`queueRule = append(queueRule, "--queue-bypass")`
`383`	`383`	`}`
`384`	`384`
`385`		`- if err := c.ipt.InsertUnique("filter", "FORWARD", 1, queueRule...); err != nil {`
	`385`	`+ // kube-proxy install the reject rules for Services with Endpoints on the FORWARD hook`
	`386`	`+ // nfqueue either accepts or drops https://netfilter-devel.vger.kernel.narkive.com/dGk9ZPzK/nfqueue-target-with-treat-accept-as-continue`
	`387`	`+ // We can append the rule after the kube-proxy ones, but that will always depend on the order of the components`
	`388`	`+ // to be installed so it will be racy.`
	`389`	`+ // Since nftables does not seem to have that problem and we only offer iptables-legacy for backwards compatibility`
	`390`	`+ // use the mangle table that happens before for filtering.`
	`391`	`+ if err := c.ipt.InsertUnique("mangle", "FORWARD", 1, queueRule...); err != nil {`
`386`	`392`	`klog.Infof("error syncing iptables rule %v", err)`
`387`	`393`	`}`
`388`	`394`	`}`
`@@ -393,7 +399,7 @@ func (c *Controller) cleanIptablesRules() {`
`393`	`399`	`queueRule = append(queueRule, "--queue-bypass")`
`394`	`400`	`}`
`395`	`401`
`396`		`- if err := c.ipt.Delete("filter", "FORWARD", queueRule...); err != nil {`
	`402`	`+ if err := c.ipt.Delete("mangle", "FORWARD", queueRule...); err != nil {`
`397`	`403`	`klog.Infof("error deleting iptables rule %v", err)`
`398`	`404`	`}`
`399`	`405`	`}`