

Avoid passing extra ipv6 flag around
alpeb committed Mar 19, 2024
1 parent 6163337 commit 03a7172
Showing 3 changed files with 29 additions and 19 deletions.
15 changes: 10 additions & 5 deletions cni-plugin/main.go
Expand Up @@ -299,11 +299,16 @@ func cmdAdd(args *skel.CmdArgs) error {
options.IPTablesMode = cmd.IPTablesModeLegacy
}

if err := buildAndConfigure(logEntry, &options, false); err != nil {
// always trigger the IPv4 rules
optIPv4 := options
optIPv4.IPv6 = false
if err := buildAndConfigure(logEntry, &optIPv4); err != nil {
return err
}

// trigger the IPv6 rules
if options.IPv6 {
if err := buildAndConfigure(logEntry, &options, true); err != nil {
if err := buildAndConfigure(logEntry, &options); err != nil {
return err
}
}
Expand Down Expand Up @@ -357,8 +362,8 @@ func getAPIServerPorts(ctx context.Context, api *kubernetes.Clientset) ([]string
return ports, nil
}

func buildAndConfigure(logEntry *logrus.Entry, options *cmd.RootOptions, ipv6 bool) error {
firewallConfiguration, err := cmd.BuildFirewallConfiguration(options, ipv6)
func buildAndConfigure(logEntry *logrus.Entry, options *cmd.RootOptions) error {
firewallConfiguration, err := cmd.BuildFirewallConfiguration(options)
if err != nil {
logEntry.Errorf("linkerd-cni: could not create a Firewall Configuration from the options: %v", options)
return err
Expand All @@ -367,7 +372,7 @@ func buildAndConfigure(logEntry *logrus.Entry, options *cmd.RootOptions, ipv6 bo
err = iptables.ConfigureFirewall(*firewallConfiguration)
// We couldn't find a robust way of checking IPv6 support besides trying to just call ip6tables-save.
// If IPv4 rules worked but not IPv6, let's not fail the container (the actual problem will get logged).
if !ipv6 && err != nil {
if !options.IPv6 && err != nil {
logEntry.Errorf("linkerd-cni: could not configure firewall: %s", err)
return err
}
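Review bot: buildAndConfigure now derives its fail-open behaviour from `options.IPv6` instead of an explicit argument, yet the function still has no doc comment stating that contract: with `if !options.IPv6 && err != nil` a ConfigureFirewall failure is returned only on the IPv4 pass and silently dropped on the IPv6 pass, so a caller such as cmdAdd must know to pass a copy with IPv6 cleared to get enforced rules. Add above the signature `// buildAndConfigure builds a FirewallConfiguration from options and applies it. When options.IPv6 is true a ConfigureFirewall error is not returned (IPv6 support is best-effort); pass a copy with IPv6 == false for rules that must be enforced.` The dropped IPv6 error is presumably logged inside ConfigureFirewall, but it would be more robust to record it here too, e.g. `if err != nil && options.IPv6 { logEntry.Warnf("linkerd-cni: could not configure IPv6 firewall: %s", err) }`, so an ip6tables rule set that never got installed is visible in the CNI log. cmdAdd's start and buildAndConfigure's end lie outside the hunks.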
26 changes: 15 additions & 11 deletions proxy-init/cmd/root.go
Expand Up @@ -17,8 +17,8 @@ import (
const (
// IPTablesModeLegacy signals the usage of the iptables-legacy commands
IPTablesModeLegacy = "legacy"
// ipTablesModeNFT signals the usage of the iptables-nft commands
ipTablesModeNFT = "nft"
// IPTablesModeNFT signals the usage of the iptables-nft commands
IPTablesModeNFT = "nft"

cmdLegacy = "iptables-legacy"
cmdLegacySave = "iptables-legacy-save"
Expand Down Expand Up @@ -102,7 +102,10 @@ func NewRootCmd() *cobra.Command {
return err
}

config, err := BuildFirewallConfiguration(options, false)
// always trigger the IPv4 rules
optIPv4 := *options
optIPv4.IPv6 = false
config, err := BuildFirewallConfiguration(&optIPv4)
if err != nil {
return err
}
Expand All @@ -115,7 +118,8 @@ func NewRootCmd() *cobra.Command {
return nil
}

config, err = BuildFirewallConfiguration(options, true)
// trigger the IPv6 rules
config, err = BuildFirewallConfiguration(options)
if err != nil {
return err
}
Expand Down Expand Up @@ -157,12 +161,12 @@ func NewRootCmd() *cobra.Command {
}

// BuildFirewallConfiguration returns an iptables FirewallConfiguration suitable to use to configure iptables.
func BuildFirewallConfiguration(options *RootOptions, ipv6 bool) (*iptables.FirewallConfiguration, error) {
func BuildFirewallConfiguration(options *RootOptions) (*iptables.FirewallConfiguration, error) {
if options.FirewallBinPath != "" || options.FirewallSaveBinPath != "" {
return nil, errors.New("--firewal-bin-path and firewall-save-bin-path are no longer supported; please use --iptables-mode instead")
}

if options.IPTablesMode != IPTablesModeLegacy && options.IPTablesMode != ipTablesModeNFT {
if options.IPTablesMode != IPTablesModeLegacy && options.IPTablesMode != IPTablesModeNFT {
return nil, errors.New("--iptables-mode valid values are only \"legacy\" and \"nft\"")
}

Expand All @@ -174,7 +178,7 @@ func BuildFirewallConfiguration(options *RootOptions, ipv6 bool) (*iptables.Fire
return nil, fmt.Errorf("--outgoing-proxy-port must be a valid TCP port number")
}

cmd, cmdSave := getCommands(options.IPTablesMode, ipv6)
cmd, cmdSave := getCommands(options)

sanitizedSubnets := []string{}
for _, subnet := range options.SubnetsToIgnore {
Expand Down Expand Up @@ -220,15 +224,15 @@ func getFormatter(format string) log.Formatter {
}
}

func getCommands(mode string, ipv6 bool) (string, string) {
if mode == IPTablesModeLegacy {
if ipv6 {
func getCommands(options *RootOptions) (string, string) {
if options.IPTablesMode == IPTablesModeLegacy {
if options.IPv6 {
return cmdLegacyIPv6, cmdLegacyIPv6Save
}
return cmdLegacy, cmdLegacySave
}

if ipv6 {
if options.IPv6 {
return cmdNFTIPv6, cmdNFTIPv6Save
}

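Review bot: The doc comment on BuildFirewallConfiguration still only says it returns a configuration "suitable to use to configure iptables", but with the bool parameter gone the iptables/ip6tables choice is now made silently from `options.IPv6` inside getCommands, and NewRootCmd has to copy the struct and clear that field to obtain the IPv4 rules. Extend it to `// BuildFirewallConfiguration returns an iptables FirewallConfiguration suitable to use to configure iptables. options.IPv6 selects the ip6tables command variants; to build the IPv4 rules pass a copy of options with IPv6 set to false.` The copy-and-clear idiom (`optIPv4 := *options; optIPv4.IPv6 = false`) is now duplicated here and in cni-plugin/main.go's cmdAdd; a small exported helper on RootOptions returning the IPv4 copy would keep the two call sites from drifting. Both NewRootCmd and BuildFirewallConfiguration extend beyond the visible hunks.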
7 changes: 4 additions & 3 deletions proxy-init/cmd/root_test.go
Expand Up @@ -31,8 +31,9 @@ func TestBuildFirewallConfiguration(t *testing.T) {
options.IncomingProxyPort = expectedIncomingProxyPort
options.OutgoingProxyPort = expectedOutgoingProxyPort
options.ProxyUserID = expectedProxyUserID
options.IPv6 = false

config, err := BuildFirewallConfiguration(options, false)
config, err := BuildFirewallConfiguration(options)
if err != nil {
t.Fatalf("Unexpected error: %s", err)
}
Expand Down Expand Up @@ -87,7 +88,7 @@ func TestBuildFirewallConfiguration(t *testing.T) {
errorMessage: "0.0.0.0 is not a valid CIDR address",
},
} {
_, err := BuildFirewallConfiguration(tt.options, false)
_, err := BuildFirewallConfiguration(tt.options)
if err == nil {
t.Fatalf("Expected error for config [%v], got nil", tt.options)
}
Expand All @@ -112,7 +113,7 @@ func TestBuildFirewallConfiguration(t *testing.T) {
errorMessage: "",
},
} {
_, err := BuildFirewallConfiguration(tt.options, false)
_, err := BuildFirewallConfiguration(tt.options)
if err != nil {
t.Fatalf("Got error error for config [%v]", tt.options)
}
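Review bot: Every call in TestBuildFirewallConfiguration still runs with IPv6 false (the added `options.IPv6 = false` only restates the zero value), so the branch this commit moves into the options struct — getCommands returning cmdLegacyIPv6/cmdLegacyIPv6Save or cmdNFTIPv6/cmdNFTIPv6Save when `options.IPv6` is set — has no coverage. Add a case that sets `options.IPv6 = true`, calls `BuildFirewallConfiguration(options)` and asserts the returned configuration carries the ip6tables command names for both iptables modes, with a companion IPv6-false case pinning the legacy/nft IPv4 names so a later refactor cannot swap them unnoticed. The test function starts and ends outside the hunks.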

