From 9e50580e9b6bd339bec137cb8657e22aeb0ef1ac Mon Sep 17 00:00:00 2001
From: Matei David
Date: Mon, 18 Jul 2022 13:59:51 +0100
Subject: [PATCH] Fix issue with arbitrary iptables binary (#68)

To support `nft` we have added support to use arbitrary iptables binaries. Prior to this change, in order to use the `--wait` flag for iptables, we'd check that the command path would be equal to "iptables". After the change, we check if the path has "iptables" as a substring. This has the unfortunate side-effect of applying the `-w` flag to any command that contains the word "iptables", including "iptables-save" which does not support the command. This causes the container to fail when the -w flag is specified. The CNI plugin uses the iptables library and the -w flag and this issue will block it from working.
Signed-off-by: Matei David
---
 iptables/iptables.go | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/iptables/iptables.go b/iptables/iptables.go
index 467c1749..5f9880c4 100644
--- a/iptables/iptables.go
+++ b/iptables/iptables.go
@@ -86,7 +86,15 @@ func ConfigureFirewall(firewallConfiguration FirewallConfiguration) error {
 	commands = firewallConfiguration.addOutgoingTrafficRules(commands)
 
+	if firewallConfiguration.UseWaitFlag {
+		log.Debug("'useWaitFlag' set: iptables will wait for xtables to become available")
+	}
+
 	for _, cmd := range commands {
+		if firewallConfiguration.UseWaitFlag {
+			cmd.Args = append(cmd.Args, "-w")
+		}
+
 		if err := executeCommand(firewallConfiguration, cmd, nil); err != nil {
 			return err
 		}
@@ -215,11 +223,6 @@ func makeMultiportDestinations(portsToIgnore []string) [][]string {
 }
 
 func executeCommand(firewallConfiguration FirewallConfiguration, cmd *exec.Cmd, cmdOut io.Writer) error {
-	if strings.Contains(cmd.Path, "iptables") && firewallConfiguration.UseWaitFlag {
-		log.Info("'useWaitFlag' set: iptables will wait for xtables to become available")
-		cmd.Args = append(cmd.Args, "-w")
-	}
-
 	if len(firewallConfiguration.NetNs) > 0 {
 		nsenterArgs := []string{fmt.Sprintf("--net=%s", firewallConfiguration.NetNs)}
 		originalCmd := strings.Trim(fmt.Sprintf("%v", cmd.Args), "[]")
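Review bot: executeCommand no longer appends `-w`, so the xtables lock wait now depends entirely on the caller; the ConfigureFirewall loop in the first hunk is the only place on this page that adds it, and it does so unconditionally for every entry in `commands`. That makes the implicit contract "everything in `commands` is an iptables invocation that accepts -w" (iptables-save, per the commit message, does not) worth stating on the function: `// executeCommand runs cmd as given (inside NetNs via nsenter when set); it does not add -w, so callers that need the xtables lock wait must append the flag themselves.` Any other executeCommand caller in this file that relied on the removed `strings.Contains` check now runs without the wait flag, and because ConfigureFirewall returns on the first error, a lock-contention failure would leave the rule set partially applied rather than being retried. executeCommand's body continues past the end of the hunk.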