[23.0 backport] Check iptables options before looking for ip6tables binary#44727
Merged
Conversation
- use local variables for chains instead of sharing global variables - make createNewChain a t.Helper Signed-off-by: Chee Hau Lim <[email protected]> (cherry picked from commit a2cea99) Signed-off-by: Sebastiaan van Stijn <[email protected]>
iptables package has a function `detectIptables()` called to initialize some local variables. Since v20.10.0, it first looks for iptables bin, then ip6tables and finally it checks what iptables flags are available (including -C). It early exits when ip6tables isn't available, and doesn't execute the last check. To remove port mappings (eg. when a container stops/dies), Docker first checks if those NAT rules exist and then deletes them. However, in the particular case where there's no ip6tables bin available, iptables `-C` flag is considered unavailable and thus it looks for NAT rules by using some substring matching. This substring matching then fails because `iptables -t nat -S POSTROUTING` dumps rules in a slighly format than what's expected. For instance, here's what `iptables -t nat -S POSTROUTING` dumps: ``` -A POSTROUTING -s 172.18.0.2/32 -d 172.18.0.2/32 -p tcp -m tcp --dport 9999 -j MASQUERADE ``` And here's what Docker looks for: ``` POSTROUTING -p tcp -s 172.18.0.2 -d 172.18.0.2 --dport 9999 -j MASQUERADE ``` Because of that, those rules are considered non-existant by Docker and thus never deleted. To fix that, this change reorders the code in `detectIptables()`. Fixes moby#42127. Signed-off-by: Albin Kerouanton <[email protected]> (cherry picked from commit af7236f) Signed-off-by: Sebastiaan van Stijn <[email protected]>
The former was doing some checks and logging warnings, whereas the latter was doing the same checks but to set some internal variables. As both are called only once and from the same place, there're now merged together. Signed-off-by: Albin Kerouanton <[email protected]> (cherry picked from commit 205e527) Signed-off-by: Sebastiaan van Stijn <[email protected]>
iptables -C flag was introduced in v1.4.11, which was released ten years ago. Thus, there're no more Linux distributions supported by Docker using this version. As such, this commit removes the old way of checking if an iptables rule exists (by using substring matching). Signed-off-by: Albin Kerouanton <[email protected]> (cherry picked from commit 799cc14) Signed-off-by: Sebastiaan van Stijn <[email protected]>
thaJeztah
added
status/2-code-review
area/networking
This was referenced Dec 31, 2022
Member
Author
|
@corhere @neersighted ptal |
neersighted
approved these changes
Jan 9, 2023
Member
Author
|
Let me bring this one in 👍 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
backports: