Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix(capture): ignore known copy failure and fix iptables issue #903

Open
wants to merge 6 commits into
base: main
Choose a base branch
from

Conversation

mainred
Copy link
Contributor

@mainred mainred commented Oct 29, 2024

Description

  • correct the logic to pick iptables mode
  • ignore copy command failure

Related Issue

If this pull request is related to any issue, please mention it here. Additionally, make sure that the issue is assigned to you before submitting this pull request.

Checklist

  • I have read the contributing documentation.
  • I signed and signed-off the commits (git commit -S -s ...). See this documentation on signing commits.
  • I have correctly attributed the author(s) of the code.
  • I have tested the changes locally.
  • I have followed the project's style guidelines.
  • I have updated the documentation, if necessary.
  • I have added tests, if applicable.

Screenshots (if applicable) or Testing Completed

image

Additional Notes

None


Please refer to the CONTRIBUTING.md file for more information on how to contribute to this project.

@mainred mainred requested a review from a team as a code owner October 29, 2024 09:43
@mainred
Copy link
Contributor Author

mainred commented Oct 29, 2024

We install iptables legacy on Mariner image when building the image, but when it runs on ubuntu host, the command returns empty result, which works fine on iptables nft mode.

Copy link
Contributor

@anubhabMajumdar anubhabMajumdar left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please add Testing Done section.

nftIptablesModeAvaiable := true
legacyIptablesModeAvaiable := true
legacySaveOut, err := exec.Command("iptables-legacy-save").CombinedOutput()
if err != nil && strings.Contains(err.Error(), "command not found") {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What about errors with running the command? How should we handle them?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I treat all command errors as unavailability of that mode and log the error for us to investigate.

// Since iptables v1.8, nf_tables are introduced as an improvement of legacy iptables, but provides the same user
// interface as legacy iptables through iptables-nft command.
// based on: https://github.com/kubernetes-sigs/iptables-wrappers/blob/97b01f43a8e8db07840fc4b95e833a37c0d36b12/iptables-wrapper-installer.sh
legacySaveOut, _ := exec.Command("iptables-legacy-save").CombinedOutput()

// when both iptables modes available, we choose the one with more rules.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What's the thinking behind this? Can you not list all the rules using either one of the modes? Given one is named legacy, shouldn't nft be default?

Copy link
Contributor Author

@mainred mainred Oct 30, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

When both modes available, we should use the one list more rules, and the one list less rules normally just return empty rules.

I am referring to https://github.com/kubernetes-sigs/iptables-wrappers/blob/97b01f43a8e8db07840fc4b95e833a37c0d36b12/iptables-wrapper-installer.sh, which is also mentioned in L377

nftIptablesMode iptablesMode = "nft"
)

func obtainIptablesMode(l *log.ZapLogger) iptablesMode {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think you should return unhandled errors along with mode.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The ideas in my mind is the failed iptables rules does not break the whole capture.

pkg/capture/provider/network_capture_unix.go Outdated Show resolved Hide resolved
@mainred mainred changed the title fix(captur): ignore know copy failure and fix iptables issue fix(capture): ignore known copy failure and fix iptables issue Oct 30, 2024
Signed-off-by: Qingchuan Hao <[email protected]>
@kamilprz kamilprz linked an issue Nov 4, 2024 that may be closed by this pull request
@mainred
Copy link
Contributor Author

mainred commented Nov 19, 2024

ping @timraymond and @anubhabMajumdar for another look.
cc @kamilprz

@timraymond
Copy link
Member

LGTM on @anubhabMajumdar 's approval

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Capture Create fails to execute IP Tables commands
3 participants