Exec iptables from the host filesystem
Depends-On: submariner-io/submariner-charts#3

Both iptables and nftables use netfilter framework in the kernel for
packet filtering. Many distributions are moving in the direction of
using nftables over iptables. Although nftables uses a new command
line utility (named nft), starting from iptables >=1.8, it uses
nftables under the hood while continuing to support the same iptables
syntax from the user.

Quoting from Dan's comment [#]

"In iptables 1.8, the maintainers have "deprecated" the classic ip_tables:
the iptables tool now does userspace translation from the legacy UI/UX,
and uses nf_tables under the hood. So, the commands look and feel the
same, but they're now programming a different kernel subsystem.

The problem arises when you mix and match invocations of iptables 1.6
(the previous stable) and 1.8 on the same machine, because although they
look identical, they're programming different kernel subsystems.

Empirically, this causes weird and wonderful things to happen - things
like if you trace a packet coming from a pod, you see it flowing through
both ip_tables and nf_tables, but even if both accept the packet, it then
vanishes entirely and never gets forwarded"

So, as long as we are programming either nf_tables or iptables, we would
not have any issues. Currently, there is no easy way to identify what type
of rules are programmed on the host. This patch follows the same approach
(as described here [*]) that is taken in OpenShift where the host file
system is mounted inside the docker container and iptables utility on the
host is exec'ed for programming any firewall rules.

[#] kubernetes/kubernetes#71305 (comment)
[*] kubernetes/kubernetes#71305 (comment)
sridhargaddam committed Aug 27, 2019
1 parent 2da974b commit 7b01e84
Showing 3 changed files with 11 additions and 2 deletions.
7 changes: 5 additions & 2 deletions package/Dockerfile.routeagent
@@ -3,14 +3,17 @@ FROM registry.access.redhat.com/ubi8/ubi-minimal
WORKDIR /var/submariner

# These are all available in the UBI8 base OS repository
RUN microdnf -y install --nodocs iproute iptables && \
RUN microdnf -y install --nodocs iproute && \
microdnf clean all

COPY submariner-route-agent.sh /usr/local/bin

RUN chmod +x /usr/local/bin/submariner-route-agent.sh

COPY submariner-route-agent /usr/local/bin
# We use iptables from the host
COPY ./iptables /usr/sbin/
COPY ./iptables-save /usr/sbin/

# temporary sleep infinity so that we can do our debugging
ENTRYPOINT submariner-route-agent.sh
ENTRYPOINT submariner-route-agent.sh
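Review bot: the two new COPY lines (`COPY ./iptables /usr/sbin/` and `COPY ./iptables-save /usr/sbin/`) install shell wrappers without the `RUN chmod +x` that the Dockerfile applies to submariner-route-agent.sh a few lines above; COPY keeps whatever mode the files have in the build context, so either add `RUN chmod +x /usr/sbin/iptables /usr/sbin/iptables-save` or document that the scripts must be committed with the executable bit set. The comment `# We use iptables from the host` should also say what that requires: the host root filesystem mounted at /host (the Depends-On chart change) and a container privileged enough to chroot, since the image no longer ships an iptables binary and every firewall call now fails if that mount is missing.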
3 changes: 3 additions & 0 deletions package/iptables
@@ -0,0 +1,3 @@
#!/bin/sh

exec chroot /host /usr/sbin/iptables "$@"
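Review bot: `exec chroot /host /usr/sbin/iptables "$@"` has no guard for the case where /host is not mounted or the host keeps iptables elsewhere than /usr/sbin; the failure then surfaces as a bare chroot/exec error deep inside the route agent. Consider a check such as `[ -x /host/usr/sbin/iptables ] || { echo "host iptables not found under /host" >&2; exit 1; }` before the exec so the misconfiguration is reported clearly. Note also that chroot inherits the container's environment, so the host binary runs with this container's PATH and variables rather than the host's.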
3 changes: 3 additions & 0 deletions package/iptables-save
@@ -0,0 +1,3 @@
#!/bin/sh

exec chroot /host /usr/sbin/iptables-save "$@"
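Review bot: this wrapper duplicates package/iptables line for line apart from the binary name, and any further host tool the agent needs (iptables-restore, for example) would mean a third copy; one script that dispatches on its own name, `exec chroot /host "/usr/sbin/$(basename "$0")" "$@"`, installed under both names (or symlinked), keeps the guard and the chroot logic in a single place so the two cannot drift apart.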

0 comments on commit 7b01e84