Made changes to assume iptables-nft as the default backend for iptabl…

…es, and provisioned for changing to legacy mode if required
rajch · Dec 22, 2024 · 999aeb7 · 999aeb7
1 parent 9057156
commit 999aeb7
Show file tree

Hide file tree

Showing 4 changed files with 61 additions and 14 deletions.
diff --git a/prog/weave-kube/launch.sh b/prog/weave-kube/launch.sh
@@ -27,14 +27,17 @@ setup_iptables_backend() {
       fi
     fi
     printf "iptables backend mode: %s\n" "$mode"
-    if [ "$mode" = "nft" ]; then
+    # The weave-kube image uses the iptables-nft tools as default
+    # from weave 2.9.0 onwards, but includes the legacy tools. If
+    # legacy is detected, change the default symlinks.
+    if [ "$mode" = "legacy" ]; then
       [ -n "$WEAVE_DEBUG" ] && echo "Changing iptables symlinks..."
       rm /sbin/iptables
       rm /sbin/iptables-save
       rm /sbin/iptables-restore
-      ln -s /sbin/iptables-nft /sbin/iptables
-      ln -s /sbin/iptables-nft-save /sbin/iptables-save
-      ln -s /sbin/iptables-nft-restore /sbin/iptables-restore
+      ln -s /sbin/iptables-legacy /sbin/iptables
+      ln -s /sbin/iptables-legacy-save /sbin/iptables-save
+      ln -s /sbin/iptables-legacy-restore /sbin/iptables-restore
     fi
 }
 

diff --git a/reweave/CHANGELOG.md b/reweave/CHANGELOG.md
@@ -2,6 +2,27 @@
 
 All changes made to the weave net codebase since the fork will be documented in this file.
 
+## 2.9.0-beta1
+
+From this version onwards, we will assume that the default backend for `iptables` is `iptables-nft`. For backward compatibility, we will include `iptables-legacy` in the weave images, and provide a way to use that if required.
+
+### Changed
+
+* Upgraded golang.org/x/crypto to v0.31.1
+* Upgraded golang.org/x/net to v0.33.0
+* Which upgraded:
+	golang.org/x/mod v0.17.0
+    golang.org/x/sync v0.10.0
+	golang.org/x/term v0.27.0
+	golang.org/x/text v0.21.0
+* Ran `go mod tidy` and `go mod vendor`
+
+### Added
+
+* The Dockerfile was modified to keep the default iptables backend (nft) for all Alpine-based images, and to include the legacy backend but not set it as default.
+* The `weave` script was modified to accept and propogate a new environment variable called `IPTABLES_BACKEND`, whose default value is `nft`. If its value is set to `legacy`, the script will use the command `iptables-legacy` instead of `iptables` when invoking that tool.
+* The `launch.sh` script, which is the entry point for the `weave-kube` and `weave-npc` images, was modified to assume the `nft` backend as default, and to change the backend only if legacy mode was autodiscovered or set via the existing environment variable `IPTABLES_BACKEND`.
+
 ## 2.8.10
 
 ### Changed

diff --git a/reweave/build/Dockerfile b/reweave/build/Dockerfile
@@ -86,7 +86,7 @@ EOMAKE
 # Stage 3: Alpine Base
 # This stage exists in case there are any additional tweaks 
 # required in the alpine base image.
-FROM --platform=linux/${TARGETARCH} ${ALPINE_BASEIMAGE} as alpinebase
+FROM --platform=linux/${TARGETARCH} ${ALPINE_BASEIMAGE} AS alpinebase
 # Any additional tweaks will appear here
 # Last update on top of alpine:3.19.1
 RUN apk update \
@@ -124,11 +124,13 @@ RUN <<EOWEAVER
                   bind-tools \
                   ca-certificates
       # Alpine 3.19 made nftables the default backend for iptables
-      # For backward compatibility, the following is required:
+      # From weave version 2.9.0 onwards, weave will also assume 
+      # the same, but will include iptables-legacy for backward
+      # compatibility.
       apk add iptables-legacy
-      ln -sf /sbin/iptables-legacy /sbin/iptables
-      ln -sf /sbin/iptables-legacy-save /sbin/iptables-save
-      ln -sf /sbin/iptables-legacy-restore /sbin/iptables-restore
+      # ln -sf /sbin/iptables-legacy /sbin/iptables
+      # ln -sf /sbin/iptables-legacy-save /sbin/iptables-save
+      # ln -sf /sbin/iptables-legacy-restore /sbin/iptables-restore
       rm -rf /var/cache/apk/*
 EOWEAVER
 
@@ -218,11 +220,13 @@ RUN <<EONPC
       mknod /var/log/ulogd.pcap p
 
       # Alpine 3.19 made nftables the default backend for iptables
-      # For backward compatibility, the following is required:
+      # From weave version 2.9.0 onwards, weave will also assume 
+      # the same, but will include iptables-legacy for backward
+      # compatibility.
       apk add iptables-legacy
-      ln -sf /sbin/iptables-legacy /sbin/iptables
-      ln -sf /sbin/iptables-legacy-save /sbin/iptables-save
-      ln -sf /sbin/iptables-legacy-restore /sbin/iptables-restore
+      # ln -sf /sbin/iptables-legacy /sbin/iptables
+      # ln -sf /sbin/iptables-legacy-save /sbin/iptables-save
+      # ln -sf /sbin/iptables-legacy-restore /sbin/iptables-restore
 
       rm -rf /var/cache/apk/*
 EONPC

diff --git a/weave b/weave
@@ -26,6 +26,12 @@ PROXY_HOST=${PROXY_HOST:-$(echo "${DOCKER_HOST#tcp://}" | cut -s -d: -f1)}
 PROXY_HOST=${PROXY_HOST:-127.0.0.1}
 DOCKER_CLIENT_HOST=${DOCKER_CLIENT_HOST:-$DOCKER_HOST}
 
+# From weave 2.9.0 onwards, the weave image sets up
+# the iptables-nft backend as default. To use the
+# iptables-legacy backend, the environment variable
+# IPTABLES_BACKEND needs to be set to "legacy"
+IPTABLES_BACKEND=${IPTABLES_BACKEND:-nft}
+
 # Define some regular expressions for matching addresses.
 # The regexp here is far from precise, but good enough.
 IP_REGEXP="[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}"
@@ -160,6 +166,7 @@ exec_remote() {
         -e CHECKPOINT_DISABLE \
         -e AWSVPC   \
         -e DOCKER_API_VERSION \
+        -e IPTABLES_BACKEND \
         -t \
         $WEAVEEXEC_DOCKER_ARGS $EXEC_IMAGE --local "$@"
 }
@@ -322,7 +329,17 @@ run_iptables() {
         CHECKED_IPTABLES_W=1
     fi
 
-    iptables $IPTABLES_W "$@"
+    # From weave 2.9.0 onwards, the weave image sets up
+    # the iptables-nft backend as default. To use the
+    # iptables-legacy backend, the environment variable
+    # IPTABLES_BACKEND needs to be set to "legacy"
+    if [ "$IPTABLES_BACKEND" = "legacy" ];then
+        iptables-legacy "$IPTABLES_W" "$@"
+    else
+        iptables "$IPTABLES_W" "$@"
+    fi
+
+
 }
 
 # Insert a rule in iptables, if it doesn't exist already
@@ -372,6 +389,7 @@ util_op() {
         weaveutil "$@"
     else
         docker run --rm --pid host $(docker_run_options) \
+            -e IPTABLES_BACKEND \
             --entrypoint=/usr/bin/weaveutil $EXEC_IMAGE "$@"
     fi
 }
@@ -1223,6 +1241,7 @@ launch() {
         -e WEAVE_PASSWORD \
         -e EXEC_IMAGE=$EXEC_IMAGE \
         -e CHECKPOINT_DISABLE \
+        -e IPTABLES_BACKEND \
         $WEAVE_DOCKER_ARGS \
         $IMAGE \
         $COVERAGE_ARGS \