
Commit e9eddcc

authored
Merge pull request #844 from aojea/iptables
custom iptables version monitor plugin
2 parents 3704fa7 + 552b530 commit e9eddcc


2 files changed

+50
-0
lines changed


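--- a/config/iptables-mode-monitor.json
+++ b/config/iptables-mode-monitor.json
@@ -0,0 +1,20 @@
+{
+"plugin": "custom",
+"pluginConfig": {
+"invoke_interval": "86400s",
+"timeout": "5s",
+"max_output_length": 80,
+"concurrency": 1
+},
+"source": "iptables-mode-monitor",
+"metricsReporting": true,
+"conditions": [],
+"rules": [
+{
+"type": "temporary",
+"reason": "IPTablesVersionsMismatch",
+"path": "./config/plugin/iptables_mode.sh",
+"timeout": "5s"
+}
+]
+}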
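Review bot: The rule's `"timeout": "5s"` is the same as the `timeout 5` the script itself wraps around `iptables-nft-save; ip6tables-nft-save`, so when the nft save hangs the script's own timeout fires at the same moment the plugin timeout kills the script, and the verdict it would print after the inner timeout is presumably lost as a plugin timeout rather than reported; giving the rule a longer budget than the inner one, e.g. `"timeout": "10s"` (and the matching `pluginConfig.timeout`), lets the script finish. The legacy-save invocation in the script has no inner timeout at all, so it relies entirely on this rule timeout. `"max_output_length": 80` is also tight for the mismatch message the script prints (`Found rules from both versions, iptables-legacy: N iptables-nft: M` is already near 70 characters before the counts), so the reported message may be truncated.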

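--- a/config/plugin/iptables_mode.sh
+++ b/config/plugin/iptables_mode.sh
@@ -0,0 +1,30 @@
+#!/bin/bash
+
+# As of iptables 1.8, the iptables command line clients come in two different versions/modes: "legacy",
+# which uses the kernel iptables API just like iptables 1.6 and earlier did, and "nft", which translates
+# the iptables command-line API into the kernel nftables API.
+# Because they connect to two different subsystems in the kernel, you cannot mix rules from different versions.
+# Ref: https://github.com/kubernetes-sigs/iptables-wrappers
+
+readonly OK=0
+readonly NONOK=1
+readonly UNKNOWN=2
+
+# based on: https://github.com/kubernetes-sigs/iptables-wrappers/blob/97b01f43a8e8db07840fc4b95e833a37c0d36b12/iptables-wrapper-installer.sh
+readonly num_legacy_lines=$( (iptables-legacy-save || true; ip6tables-legacy-save || true) 2>/dev/null | grep -c '^-' || true)
+readonly num_nft_lines=$( (timeout 5 sh -c "iptables-nft-save; ip6tables-nft-save" || true) 2>/dev/null | grep -c '^-' || true)
+
+
+if [ "$num_legacy_lines" -gt 0 ] && [ "$num_nft_lines" -gt 0 ]; then
+echo "Found rules from both versions, iptables-legacy: ${num_legacy_lines} iptables-nft: ${num_nft_lines}"
+echo $NONOK
+elif [ "$num_legacy_lines" -gt 0 ] && [ "$num_nft_lines" -eq 0 ]; then
+echo "Using iptables-legacy: ${num_legacy_lines} rules"
+echo $OK
+elif [ "$num_legacy_lines" -eq 0 ] && [ "$num_nft_lines" -gt 0 ]; then
+echo "Using iptables-nft: ${num_nft_lines} rules"
+echo $OK
+else
+echo "No iptables rules found"
+echo $UNKNOWN
+fi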
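Review bot: Every branch of the `if` ends with `echo $NONOK` / `echo $OK` / `echo $UNKNOWN`, so the script's exit status is that of the last `echo` — 0 on all four paths — and the status code only ever lands in stdout as a trailing line of the message. If the custom-plugin protocol takes the verdict from the exit status, which is what the readonly `OK`/`NONOK`/`UNKNOWN` constants suggest, the mismatch case is never raised as NonOK; each of those lines should be `exit "$NONOK"`, `exit "$OK"` and `exit "$UNKNOWN"` respectively. Note also that both `readonly` assignments swallow every failure with `2>/dev/null` and `|| true`, so a missing `iptables-*-save` binary or running without CAP_NET_ADMIN yields a count of 0 and is reported as "No iptables rules found" rather than as a distinguishable error; a comment such as `# missing binaries or insufficient privileges are indistinguishable from "no rules" and fall through to UNKNOWN` would make that intentional behaviour explicit.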
