Fix issue with arbitrary iptables binary (#68)

To support `nft` we have added support to use arbitrary iptables binaries. Prior to this change, in order to use the `--wait` flag for iptables, we'd check that the command path would be equal to "iptables". After the change, we check if the path has "iptables" as a substring. This has the unfortunate side-effect of applying the `-w` flag to any command that contains the word "iptables", including "iptables-save" which does not support the command. This causes the container to fail when the -w flag is specified. The CNI plugin uses the iptables library and the -w flag and this issue will block it from working. Signed-off-by: Matei David <[email protected]>
linkerd · Jul 18, 2022 · 9e50580 · 9e50580
1 parent d35ee5b
commit 9e50580
Showing 1 changed file with 8 additions and 5 deletions.
diff --git a/iptables/iptables.go b/iptables/iptables.go
@@ -86,7 +86,15 @@ func ConfigureFirewall(firewallConfiguration FirewallConfiguration) error {
 
 	commands = firewallConfiguration.addOutgoingTrafficRules(commands)
 
+	if firewallConfiguration.UseWaitFlag {
+		log.Debug("'useWaitFlag' set: iptables will wait for xtables to become available")
+	}
+
 	for _, cmd := range commands {
+		if firewallConfiguration.UseWaitFlag {
+			cmd.Args = append(cmd.Args, "-w")
+		}
+
 		if err := executeCommand(firewallConfiguration, cmd, nil); err != nil {
 			return err
 		}
@@ -215,11 +223,6 @@ func makeMultiportDestinations(portsToIgnore []string) [][]string {
 }
 
 func executeCommand(firewallConfiguration FirewallConfiguration, cmd *exec.Cmd, cmdOut io.Writer) error {
-	if strings.Contains(cmd.Path, "iptables") && firewallConfiguration.UseWaitFlag {
-		log.Info("'useWaitFlag' set: iptables will wait for xtables to become available")
-		cmd.Args = append(cmd.Args, "-w")
-	}
-
 	if len(firewallConfiguration.NetNs) > 0 {
 		nsenterArgs := []string{fmt.Sprintf("--net=%s", firewallConfiguration.NetNs)}
 		originalCmd := strings.Trim(fmt.Sprintf("%v", cmd.Args), "[]")