Use iptables-restore to preserve order with MASQ & FORWARD rules #1264
Conversation
Looks good. How can we have an end-to-end test for it?
e2e tests have been added as requested
Do you need something else to have this PR merged?
@Oats87 take a look would you?
@Oats87 sign off on this so we can merge it, you're the iptables ninja
@ryarnyah would you mind rebasing this PR (or just fixing the merge conflict)?
@Oats87 I will look to rebase it this weekend if I have time ;)
@Oats87 It seems to be good for review now.
} | ||
|
||
// ipTablesRestore internal type | ||
type ipTablesRestore struct { |
Is there a reason we don't want to have a timeout for this?
@Oats87 I'm not sure I understood, can you give me more details?
return fmt.Errorf("failed to apply partial iptables-restore %v", err) | ||
} | ||
|
||
log.Infof("bootstrap done") |
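Review bot: the error at `return fmt.Errorf("failed to apply partial iptables-restore %v", err)` should wrap with `%w` rather than `%v` so callers can inspect the underlying iptables-restore failure with errors.Is/errors.As, and the message should name what was being restored (which table or rule set) so the log line is actionable; `log.Infof("bootstrap done")` on the success path says nothing about what was bootstrapped and reads more like a debug-level message.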
Can we provide some more context in this error message? Does this have to be done at the info level?
I'm not sure it's possible
@@ -0,0 +1,213 @@ | |||
// Copyright 2015 flannel authors |
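Review bot: this is a brand-new 213-line file but its header reads "Copyright 2015 flannel authors"; check whether the project convention is to stamp new files with the year they are added rather than copying the header from an older file.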
This probably actually belongs in coreos/go-iptables but having it here should be fine.
So I leave it that way?
@ryarnyah could you rebase and respond to the review comments?
Hello @rajatchopra if you and @ryarnyah agree I can do this for @ryarnyah
@louiznk please do
Hello @luthermonson
Apply requests
Are you still interested in merging this? Could you rebase so that we can review it again? Thanks!
Hello @manuelbuil , Thanks, I can do that this week
Hello @manuelbuil , the rebase is done, I fixed some trouble with these new versions (usage of comments on iptables rules, for example)
IIUC, some users detected a race condition in which these rules: https://github.com/flannel-io/flannel/blob/master/network/iptables.go#L57-L66, are applied in different order. In my opinion, the simplest solution would be adding a lock here https://github.com/flannel-io/flannel/blob/master/network/iptables.go#L30 and then check the lock around here: https://github.com/flannel-io/flannel/blob/master/network/iptables.go#L244 and not allow any other rule to be added until the lock is released. That way the race condition will not exist anymore and the problem would be fixed, or? Using iptables-restore also fixes the problem but it requires adding ~500 lines of code, which makes me wonder if this is an overkill given that the use of iptables in flannel is minimal (if we had some sort of network policy engine using iptables, I would probably think differently).
I'd love to hear more opinions!
network/iptables_restore.go
|
||
// NewIPTablesRestore build new IPTablesRestore for IPv4 | ||
func NewIPTablesRestore() (IPTablesRestore, error) { | ||
return NewIPTablesRestoreWithProtocol(iptables.ProtocolIPv4) |
Is there a reason to hardcode IPv4?
You're right in the case where flannel is alone. But I have trouble with some concurrent access to iptables from other programs (in production).
In my case it was kube-router (used for network policy).
I know there are better solutions than using flannel + kube-router, but unfortunately not in my special case (some external requirements).
So the main advantage for me with iptables-restore is the "transaction" that allows preserving the order when you have some concurrent access to iptables.
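To make the ordering argument in this thread concrete, here is an added example (written for this page, not flannel's own network/iptables_restore.go) that renders an ordered rule list into the iptables-restore input format, one table block per transaction; the Rule type, the helper names and the sample pod CIDR 10.244.0.0/16 are my own assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// Rule is one iptables rule in the order the caller wants it applied
// (hypothetical type written for this example, not flannel's own).
type Rule struct {
	Table string   // "nat" or "filter"
	Chain string   // e.g. "POSTROUTING" or "FORWARD"
	Spec  []string // arguments as they would follow "iptables -A <chain>"
}

// RestoreInput renders rules into iptables-restore's text format: one
// "*table ... COMMIT" block per table, rules in caller order. Fed to
// "iptables-restore --noflush", each block is installed as one transaction,
// so a concurrent iptables caller cannot interleave between our rules.
func RestoreInput(rules []Rule) string {
	byTable := map[string][]Rule{}
	var tables []string // first-seen order, so output is deterministic
	for _, r := range rules {
		if _, seen := byTable[r.Table]; !seen {
			tables = append(tables, r.Table)
		}
		byTable[r.Table] = append(byTable[r.Table], r)
	}
	var b strings.Builder
	for _, t := range tables {
		fmt.Fprintf(&b, "*%s\n", t)
		for _, r := range byTable[t] {
			fmt.Fprintf(&b, "-A %s %s\n", r.Chain, strings.Join(r.Spec, " "))
		}
		b.WriteString("COMMIT\n")
	}
	return b.String()
}

// SampleRules are constructed for this example; the RETURN before the
// MASQUERADE is exactly the kind of ordering that must survive intact.
func SampleRules() []Rule {
	pod := "10.244.0.0/16"
	return []Rule{
		{"nat", "POSTROUTING", []string{"-s", pod, "-d", pod, "-j", "RETURN"}},
		{"nat", "POSTROUTING", []string{"-s", pod, "!", "-d", pod, "-j", "MASQUERADE"}},
		{"filter", "FORWARD", []string{"-s", pod, "-j", "ACCEPT"}},
		{"filter", "FORWARD", []string{"-d", pod, "-j", "ACCEPT"}},
	}
}
func main() { fmt.Print(RestoreInput(SampleRules())) }
```

The generated text is what you would pipe into `iptables-restore --noflush`; without `--noflush` the tool replaces the whole table, which is a different (and destructive) operation.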
Just for respecting the same convention as the implementation based on iptables (New => ipv4 by default and NewWithProtocol => protocol as parameter). For example see:
https://github.com/flannel-io/flannel/blob/master/network/iptables.go#L190 and https://github.com/flannel-io/flannel/blob/master/network/iptables.go#L206
I can change it if it's better
I personally would prefer to use the same functions for both ipv4 and ipv6 and change the arg accordingly. Therefore, I'd prefer NewIPTablesRestoreWithProtocol(iptables.ProtocolIPv6) and NewIPTablesRestoreWithProtocol(iptables.ProtocolIPv4) in the code. It feels to me more confusing if we use different functions for each protocol
Change done and pushed @manuelbuil
…nd review -> Changes from the review: - refactor protocol to proto - fix check version for wait command available on iptables-restore - apply "Error strings should not be capitalized" - lower case for iptables-restore - refactor function ApplyPartial to ApplyWithoutFlush - remove unused function ApplyFully - comments functions
Tested and works
Use iptables-restore to preserve order with MASQ & FORWARD rules.
Description
When anything happens while deleting/appending iptables rules, sometimes you can have your rules out of order. This PR uses only iptables-restore to guarantee order in delete/append rules.
This closes #1261 & #1146