istio
218 строк · 7.9 Кб
1// Copyright Istio Authors2//3// Licensed under the Apache License, Version 2.0 (the "License");4// you may not use this file except in compliance with the License.5// You may obtain a copy of the License at6//7// http://www.apache.org/licenses/LICENSE-2.08//9// Unless required by applicable law or agreed to in writing, software10// distributed under the License is distributed on an "AS IS" BASIS,11// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.12// See the License for the specific language governing permissions and13// limitations under the License.14package dependencies16import (18"fmt"19"io"20"os/exec"21"regexp"22"strings"23utilversion "k8s.io/apimachinery/pkg/util/version"25"istio.io/istio/tools/istio-iptables/pkg/constants"27)28// XTablesExittype is the exit type of xtables commands.30type XTablesExittype int31// Learn from `xtables_exittype` of iptables.33// `XTF_ONLY_ONCE`, `XTF_NO_INVERT`, `XTF_BAD_VALUE`, `XTF_ONE_ACTION` will eventually turned out to be a34// parameter problem with explicit error message. Thus, we do not need to support them here.35const (36// XTablesOtherProblem indicates a problem of other type in xtables37XTablesOtherProblem XTablesExittype = iota + 138// XTablesParameterProblem indicates a parameter problem in xtables39XTablesParameterProblem40// XTablesVersionProblem indicates a version problem in xtables41XTablesVersionProblem42// XTablesResourceProblem indicates a resource problem in xtables43XTablesResourceProblem44)45var exittypeToString = map[XTablesExittype]string{47XTablesOtherProblem: "xtables other problem",48XTablesParameterProblem: "xtables parameter problem",49XTablesVersionProblem: "xtables version problem",50XTablesResourceProblem: "xtables resource problem",51}52// RealDependencies implementation of interface Dependencies, which is used in production54type RealDependencies struct {55NetworkNamespace string56CNIMode bool57}58const iptablesVersionPattern = `v([0-9]+(\.[0-9]+)+)`60type IptablesVersion struct {62DetectedBinary string63DetectedSaveBinary string64DetectedRestoreBinary string65// the actual version66Version *utilversion.Version67// true if legacy mode, false if nf_tables68Legacy bool69// true if we detected that existing rules are present for this variant (legacy, nft, v6)70ExistingRules bool71}72func (v IptablesVersion) CmdToString(cmd constants.IptablesCmd) string {74switch cmd {75case constants.IPTables:76return v.DetectedBinary77case constants.IPTablesSave:78return v.DetectedSaveBinary79case constants.IPTablesRestore:80return v.DetectedRestoreBinary81default:82return ""83}84}85// IsWriteCmd returns true for all command types that do write actions (and thus need a lock)87func (v IptablesVersion) IsWriteCmd(cmd constants.IptablesCmd) bool {88switch cmd {89case constants.IPTables:90return true91case constants.IPTablesRestore:92return true93default:94return false95}96}97// Constants for iptables commands99// These should not be used directly/assumed to be present, but should be contextually detected100const (101iptablesBin = "iptables"102iptablesNftBin = "iptables-nft"103iptablesLegacyBin = "iptables-legacy"104ip6tablesBin = "ip6tables"105ip6tablesNftBin = "ip6tables-nft"106ip6tablesLegacyBin = "ip6tables-legacy"107iptablesRestoreBin = "iptables-restore"108ip6tablesRestoreBin = "ip6tables-restore"109)110// It is not sufficient to check for the presence of one binary or the other in $PATH -112// we must choose a binary that is113// 1. Available in our $PATH114// 2. Matches where rules are actually defined in the netns we're operating in115// (legacy or nft, with a preference for the latter if both present)116//117// This is designed to handle situations where, for instance, the host has nft-defined rules, and our default container118// binary is `legacy`, or vice-versa - we must match the binaries we have in our $PATH to what rules are actually defined119// in our current netns context.120//121// Q: Why not simply "use the host default binary" at $PATH/iptables?122// A: Because we are running in our own container and do not have access to the host default binary.123// We are using our local binaries to update host rules, and we must pick the right match.124//125// Basic selection logic is as follows:126// 1. see if we have `nft` binary set in our $PATH127// 2. see if we have existing rules in `nft` in our netns128// 3. If so, use `nft` binary set129// 4. Otherwise, see if we have `legacy` binary set, and use that.130// 5. Otherwise, see if we have `iptables` binary set, and use that (detecting whether it's nft or legacy).131func (r *RealDependencies) DetectIptablesVersion(ipV6 bool) (IptablesVersion, error) {132// Begin detecting133//134// iptables variants all have ipv6 variants, so decide which set we're looking for135var nftBin, legacyBin, plainBin string136if ipV6 {137nftBin = ip6tablesNftBin138legacyBin = ip6tablesLegacyBin139plainBin = ip6tablesBin140} else {141nftBin = iptablesNftBin142legacyBin = iptablesLegacyBin143plainBin = iptablesBin144}145// 1. What binaries we have147// 2. What binary we should use, based on existing rules defined in our current context.148// does the nft binary set exist, and are nft rules present?149nftVer, err := shouldUseBinaryForCurrentContext(nftBin)150if err == nil && nftVer.ExistingRules {151// if so, immediately use it.152return nftVer, nil153}154// does the legacy binary set exist, and are legacy rules present?155legVer, err := shouldUseBinaryForCurrentContext(legacyBin)156if err == nil && legVer.ExistingRules {157// if so, immediately use it158return legVer, nil159}160// regular non-suffixed binary set is our last resort.161//162// If it's there, and rules do not already exist for a specific variant,163// we should use the default non-suffixed binary.164// If it's NOT there, just propagate the error, we can't do anything, no iptables here165return shouldUseBinaryForCurrentContext(plainBin)166}167// TODO BML verify this won't choke on "-save" binaries having slightly diff. version string prefixes169func parseIptablesVer(rawVer string) (*utilversion.Version, error) {170versionMatcher := regexp.MustCompile(iptablesVersionPattern)171match := versionMatcher.FindStringSubmatch(rawVer)172if match == nil {173return nil, fmt.Errorf("no iptables version found for: %q", rawVer)174}175version, err := utilversion.ParseGeneric(match[1])176if err != nil {177return nil, fmt.Errorf("iptables version %q is not a valid version string: %v", match[1], err)178}179return version, nil180}181// transformToXTablesErrorMessage returns an updated error message with explicit xtables error hints, if applicable.183func transformToXTablesErrorMessage(stderr string, err error) string {184ee, ok := err.(*exec.ExitError)185if !ok {186// Not common, but can happen if file not found error, etc187return err.Error()188}189exitcode := ee.ExitCode()190if errtypeStr, ok := exittypeToString[XTablesExittype(exitcode)]; ok {191// The original stderr is something like:192// `prog_name + prog_vers: error hints`193// `(optional) try help information`.194// e.g.,195// `iptables 1.8.4 (legacy): Couldn't load target 'ISTIO_OUTPUT':No such file or directory`196// `Try 'iptables -h' or 'iptables --help' for more information.`197// Reusing the `error hints` and optional `try help information` parts of the original stderr to form198// an error message with explicit xtables error information.199errStrParts := strings.SplitN(stderr, ":", 2)200errStr := stderr201if len(errStrParts) > 1 {202errStr = errStrParts[1]203}204return fmt.Sprintf("%v: %v", errtypeStr, strings.TrimSpace(errStr))205}206return stderr208}209// Run runs a command211func (r *RealDependencies) Run(cmd constants.IptablesCmd, iptVer *IptablesVersion, stdin io.ReadSeeker, args ...string) error {212return r.executeXTables(cmd, iptVer, false, stdin, args...)213}214// RunQuietlyAndIgnore runs a command quietly and ignores errors216func (r *RealDependencies) RunQuietlyAndIgnore(cmd constants.IptablesCmd, iptVer *IptablesVersion, stdin io.ReadSeeker, args ...string) {217_ = r.executeXTables(cmd, iptVer, true, stdin, args...)218}219