Skip to content
This repository has been archived by the owner on Jun 20, 2024. It is now read-only.

Reload router iptables rules if they get cleared #3802

Merged
merged 8 commits into from
Jul 24, 2020
Merged

Reload router iptables rules if they get cleared #3802

merged 8 commits into from
Jul 24, 2020

Conversation

foot
Copy link
Contributor

@foot foot commented May 13, 2020
edited
Loading

Adds a CANARY iptable chain and reloads all the weavenet iptable chains if the CANARY is removed by something (usually firewalld).

Partially addresses #3586

Details

  • This exposes ConfigureIPTables and tries to make it safe to call again and again.
  • The destructive resets are pulled out into ResetIPTables and are called at launch so iptable state should remain mostly the same as prior to this PR.

foot
foot commented May 13, 2020
View reviewed changes
foot
foot commented May 13, 2020
View reviewed changes
@foot foot requested a review from bboreham May 13, 2020 17:31
bboreham
bboreham reviewed May 14, 2020
View reviewed changes
bboreham
bboreham approved these changes May 14, 2020
View reviewed changes
Copy link
Contributor

@bboreham bboreham left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

foot
foot commented May 15, 2020
View reviewed changes
@foot
Copy link
Contributor Author

foot commented May 15, 2020

Manual testing:

  • I've loaded this up in a 3 node k8s cluster on GCP / RHEL7
  • Disabled the npc container
  • Restart firewalld
  • weave-net recovers all its iptable rules!

bboreham
bboreham reviewed May 19, 2020
View reviewed changes
Copy link
Contributor

@bboreham bboreham left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looking good! Few new thoughts below.

@bboreham bboreham mentioned this pull request May 27, 2020
Closed
@foot foot force-pushed the reload-ip-tables branch from 6a39262 to 01230ed Compare July 3, 2020 14:34
@foot
Copy link
Contributor Author

foot commented Jul 3, 2020

@bboreham PTAL at the last 2 commits when you have a moment!

bboreham
bboreham reviewed Jul 6, 2020
View reviewed changes
Copy link
Contributor

@bboreham bboreham left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looking good but a few nits in how things are described.

@bboreham bboreham changed the title Reload iptables periodically Reload router iptables rules if they get cleared Jul 6, 2020
foot added 6 commits July 15, 2020 11:35
@foot
Make ConfigureIPTables idempotent and poll it
94e75e4 
- Instead of EnsureBridge
- Adds ipset.ExistEntry method
- Refactor ipset method names Exist <-> EntryExists
- Turn on iptable-refresh by default (10s)
- Adds a test that checks iptables are refreshed, check EXPOSE recovers
@foot
Adds a CANARY chain and Monitor loop instead of reapplying iptables
66eb80d
@foot
Review feedback: don't recreate NoMasqLocalIpset onCanaryDeleted
ca7103d
@foot
Clean up the Monitor go routine
709b434
@foot
Removes disabling iptable canary
899490c 
- Should always be on. Simpler.
@foot
Update tests after removing canary refresh flag
c0e5008
@foot foot force-pushed the reload-ip-tables branch from 79eff79 to c0e5008 Compare July 15, 2020 09:40
bboreham
bboreham approved these changes Jul 23, 2020
View reviewed changes
Copy link
Contributor

@bboreham bboreham left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm; one nit about a comment / function name but we can fix that another day if you don't have time now.

@bboreham bboreham merged commit 7b927a7 into master Jul 24, 2020
@bboreham bboreham deleted the reload-ip-tables branch July 24, 2020 13:33
@bboreham bboreham added this to the 2.7 milestone Jul 29, 2020
@bboreham bboreham mentioned this pull request Aug 4, 2020
Open
@nicolas-goudry nicolas-goudry mentioned this pull request Oct 5, 2021
Open
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@bboreham bboreham bboreham approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
2.7
Development

Successfully merging this pull request may close these issues.
2 participants
@foot @bboreham