Skip to content

Commit

Permalink
bug: return errors when iptables and ip6tables are unusable
Browse files Browse the repository at this point in the history
Signed-off-by: Joe Julian <me@joejulian.name>
  • Loading branch information
joejulian committed Apr 1, 2022
1 parent 16e4a82 commit f90abab
Showing 1 changed file with 24 additions and 10 deletions.
34 changes: 24 additions & 10 deletions plugins/meta/portmap/portmap.go
Original file line number Diff line number Diff line change
Expand Up @@ -120,10 +120,21 @@ func checkPorts(config *PortMapConf, containerNet net.IPNet) error {
dnatChain := genDnatChain(config.Name, config.ContainerID)
fillDnatRules(&dnatChain, config, containerNet)

ip4t := maybeGetIptables(false)
ip6t := maybeGetIptables(true)
ip4t, err4 := maybeGetIptables(false)
ip6t, err6 := maybeGetIptables(true)
if ip4t == nil && ip6t == nil {
return fmt.Errorf("neither iptables nor ip6tables usable")
err := fmt.Errorf("neither iptables nor ip6tables is usable")
if err4 != nil {
err = fmt.Errorf("%v, (iptables) %v", err, err4)
} else {
err = fmt.Errorf("%v, (iptables) ip4t is nil", err)
}
if err6 != nil {
err = fmt.Errorf("%v, (ip6tables) %v", err, err6)
} else {
err = fmt.Errorf("%v, (ip6tables) ip6t is nil", err)
}
return err
}

if ip4t != nil {
Expand Down Expand Up @@ -354,10 +365,13 @@ func unforwardPorts(config *PortMapConf) error {
// Might be lying around from old versions
oldSnatChain := genOldSnatChain(config.Name, config.ContainerID)

ip4t := maybeGetIptables(false)
ip6t := maybeGetIptables(true)
ip4t, err4 := maybeGetIptables(false)
ip6t, err6 := maybeGetIptables(true)
if ip4t == nil && ip6t == nil {
return fmt.Errorf("neither iptables nor ip6tables usable")
err := fmt.Errorf("neither iptables nor ip6tables is usable")
err = fmt.Errorf("%v, (iptables) %v", err, err4)
err = fmt.Errorf("%v, (ip6tables) %v", err, err6)
return err
}

if ip4t != nil {
Expand All @@ -378,23 +392,23 @@ func unforwardPorts(config *PortMapConf) error {

// maybeGetIptables implements the soft error swallowing. If iptables is
// usable for the given protocol, returns a handle, otherwise nil
func maybeGetIptables(isV6 bool) *iptables.IPTables {
func maybeGetIptables(isV6 bool) (*iptables.IPTables, error) {
proto := iptables.ProtocolIPv4
if isV6 {
proto = iptables.ProtocolIPv6
}

ipt, err := iptables.NewWithProtocol(proto)
if err != nil {
return nil
return nil, err
}

_, err = ipt.List("nat", "OUTPUT")
if err != nil {
return nil
return nil, err
}

return ipt
return ipt, nil
}

// deletePortmapStaleConnections delete the UDP conntrack entries on the specified IP family
Expand Down

0 comments on commit f90abab

Please sign in to comment.