*: update kube vendor to v1.7.4
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
This commit is contained in:
Antonio Murdaca
parent
c67859731f
commit
d56bf090ce
1032 changed files with 273965 additions and 40081 deletions
141
vendor/k8s.io/kubernetes/pkg/util/iptables/iptables.go
generated
vendored
141
vendor/k8s.io/kubernetes/pkg/util/iptables/iptables.go
generated
vendored
|
|
@ -54,13 +54,11 @@ type Interface interface {
|
|||
DeleteRule(table Table, chain Chain, args ...string) error
|
||||
// IsIpv6 returns true if this is managing ipv6 tables
|
||||
IsIpv6() bool
|
||||
// Save calls `iptables-save` for table.
|
||||
Save(table Table) ([]byte, error)
|
||||
// SaveAll calls `iptables-save`.
|
||||
SaveAll() ([]byte, error)
|
||||
// SaveInto calls `iptables-save` for table and stores result in a given buffer.
|
||||
SaveInto(table Table, buffer *bytes.Buffer) error
|
||||
// Restore runs `iptables-restore` passing data through []byte.
|
||||
// table is the Table to restore
|
||||
// data should be formatted like the output of Save()
|
||||
// data should be formatted like the output of SaveInto()
|
||||
// flush sets the presence of the "--noflush" flag. see: FlushFlag
|
||||
// counters sets the "--counters" flag. see: RestoreCountersFlag
|
||||
Restore(table Table, data []byte, flush FlushFlag, counters RestoreCountersFlag) error
|
||||
|
|
@ -122,37 +120,56 @@ const MinCheckVersion = "1.4.11"
|
|||
const MinWaitVersion = "1.4.20"
|
||||
const MinWait2Version = "1.4.22"
|
||||
|
||||
const LockfilePath16x = "/run/xtables.lock"
|
||||
|
||||
// runner implements Interface in terms of exec("iptables").
|
||||
type runner struct {
|
||||
mu sync.Mutex
|
||||
exec utilexec.Interface
|
||||
dbus utildbus.Interface
|
||||
protocol Protocol
|
||||
hasCheck bool
|
||||
waitFlag []string
|
||||
mu sync.Mutex
|
||||
exec utilexec.Interface
|
||||
dbus utildbus.Interface
|
||||
protocol Protocol
|
||||
hasCheck bool
|
||||
waitFlag []string
|
||||
restoreWaitFlag []string
|
||||
lockfilePath string
|
||||
|
||||
reloadFuncs []func()
|
||||
signal chan *godbus.Signal
|
||||
}
|
||||
|
||||
// New returns a new Interface which will exec iptables.
|
||||
func New(exec utilexec.Interface, dbus utildbus.Interface, protocol Protocol) Interface {
|
||||
// newInternal returns a new Interface which will exec iptables, and allows the
|
||||
// caller to change the iptables-restore lockfile path
|
||||
func newInternal(exec utilexec.Interface, dbus utildbus.Interface, protocol Protocol, lockfilePath string) Interface {
|
||||
vstring, err := getIPTablesVersionString(exec)
|
||||
if err != nil {
|
||||
glog.Warningf("Error checking iptables version, assuming version at least %s: %v", MinCheckVersion, err)
|
||||
vstring = MinCheckVersion
|
||||
}
|
||||
runner := &runner{
|
||||
exec: exec,
|
||||
dbus: dbus,
|
||||
protocol: protocol,
|
||||
hasCheck: getIPTablesHasCheckCommand(vstring),
|
||||
waitFlag: getIPTablesWaitFlag(vstring),
|
||||
|
||||
if lockfilePath == "" {
|
||||
lockfilePath = LockfilePath16x
|
||||
}
|
||||
|
||||
runner := &runner{
|
||||
exec: exec,
|
||||
dbus: dbus,
|
||||
protocol: protocol,
|
||||
hasCheck: getIPTablesHasCheckCommand(vstring),
|
||||
waitFlag: getIPTablesWaitFlag(vstring),
|
||||
restoreWaitFlag: getIPTablesRestoreWaitFlag(exec),
|
||||
lockfilePath: lockfilePath,
|
||||
}
|
||||
// TODO this needs to be moved to a separate Start() or Run() function so that New() has zero side
|
||||
// effects.
|
||||
runner.connectToFirewallD()
|
||||
return runner
|
||||
}
|
||||
|
||||
// New returns a new Interface which will exec iptables.
|
||||
func New(exec utilexec.Interface, dbus utildbus.Interface, protocol Protocol) Interface {
|
||||
return newInternal(exec, dbus, protocol, "")
|
||||
}
|
||||
|
||||
// Destroy is part of Interface.
|
||||
func (runner *runner) Destroy() {
|
||||
if runner.signal != nil {
|
||||
|
|
@ -287,25 +304,23 @@ func (runner *runner) IsIpv6() bool {
|
|||
return runner.protocol == ProtocolIpv6
|
||||
}
|
||||
|
||||
// Save is part of Interface.
|
||||
func (runner *runner) Save(table Table) ([]byte, error) {
|
||||
// SaveInto is part of Interface.
|
||||
func (runner *runner) SaveInto(table Table, buffer *bytes.Buffer) error {
|
||||
runner.mu.Lock()
|
||||
defer runner.mu.Unlock()
|
||||
|
||||
// run and return
|
||||
args := []string{"-t", string(table)}
|
||||
glog.V(4).Infof("running iptables-save %v", args)
|
||||
return runner.exec.Command(cmdIPTablesSave, args...).CombinedOutput()
|
||||
}
|
||||
|
||||
// SaveAll is part of Interface.
|
||||
func (runner *runner) SaveAll() ([]byte, error) {
|
||||
runner.mu.Lock()
|
||||
defer runner.mu.Unlock()
|
||||
|
||||
// run and return
|
||||
glog.V(4).Infof("running iptables-save")
|
||||
return runner.exec.Command(cmdIPTablesSave, []string{}...).CombinedOutput()
|
||||
cmd := runner.exec.Command(cmdIPTablesSave, args...)
|
||||
// Since CombinedOutput() doesn't support redirecting it to a buffer,
|
||||
// we need to workaround it by redirecting stdout and stderr to buffer
|
||||
// and explicitly calling Run() [CombinedOutput() underneath itself
|
||||
// creates a new buffer, redirects stdout and stderr to it and also
|
||||
// calls Run()].
|
||||
cmd.SetStdout(buffer)
|
||||
cmd.SetStderr(buffer)
|
||||
return cmd.Run()
|
||||
}
|
||||
|
||||
// Restore is part of Interface.
|
||||
|
|
@ -322,6 +337,10 @@ func (runner *runner) RestoreAll(data []byte, flush FlushFlag, counters RestoreC
|
|||
return runner.restoreInternal(args, data, flush, counters)
|
||||
}
|
||||
|
||||
type iptablesLocker interface {
|
||||
Close()
|
||||
}
|
||||
|
||||
// restoreInternal is the shared part of Restore/RestoreAll
|
||||
func (runner *runner) restoreInternal(args []string, data []byte, flush FlushFlag, counters RestoreCountersFlag) error {
|
||||
runner.mu.Lock()
|
||||
|
|
@ -334,9 +353,21 @@ func (runner *runner) restoreInternal(args []string, data []byte, flush FlushFla
|
|||
args = append(args, "--counters")
|
||||
}
|
||||
|
||||
// Grab the iptables lock to prevent iptables-restore and iptables
|
||||
// from stepping on each other. iptables-restore 1.6.2 will have
|
||||
// a --wait option like iptables itself, but that's not widely deployed.
|
||||
if len(runner.restoreWaitFlag) == 0 {
|
||||
locker, err := grabIptablesLocks(runner.lockfilePath)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
defer locker.Close()
|
||||
}
|
||||
|
||||
// run the command and return the output or an error including the output and error
|
||||
glog.V(4).Infof("running iptables-restore %v", args)
|
||||
cmd := runner.exec.Command(cmdIPTablesRestore, args...)
|
||||
fullArgs := append(runner.restoreWaitFlag, args...)
|
||||
glog.V(4).Infof("running iptables-restore %v", fullArgs)
|
||||
cmd := runner.exec.Command(cmdIPTablesRestore, fullArgs...)
|
||||
cmd.SetStdin(bytes.NewBuffer(data))
|
||||
b, err := cmd.CombinedOutput()
|
||||
if err != nil {
|
||||
|
|
@ -358,7 +389,7 @@ func (runner *runner) run(op operation, args []string) ([]byte, error) {
|
|||
|
||||
fullArgs := append(runner.waitFlag, string(op))
|
||||
fullArgs = append(fullArgs, args...)
|
||||
glog.V(4).Infof("running iptables %s %v", string(op), args)
|
||||
glog.V(5).Infof("running iptables %s %v", string(op), args)
|
||||
return runner.exec.Command(iptablesCmd, fullArgs...).CombinedOutput()
|
||||
// Don't log err here - callers might not think it is an error.
|
||||
}
|
||||
|
|
@ -519,6 +550,46 @@ func getIPTablesVersionString(exec utilexec.Interface) (string, error) {
|
|||
return match[1], nil
|
||||
}
|
||||
|
||||
// Checks if iptables-restore has a "wait" flag
|
||||
// --wait support landed in v1.6.1+ right before --version support, so
|
||||
// any version of iptables-restore that supports --version will also
|
||||
// support --wait
|
||||
func getIPTablesRestoreWaitFlag(exec utilexec.Interface) []string {
|
||||
vstring, err := getIPTablesRestoreVersionString(exec)
|
||||
if err != nil || vstring == "" {
|
||||
glog.V(3).Infof("couldn't get iptables-restore version; assuming it doesn't support --wait")
|
||||
return nil
|
||||
}
|
||||
if _, err := utilversion.ParseGeneric(vstring); err != nil {
|
||||
glog.V(3).Infof("couldn't parse iptables-restore version; assuming it doesn't support --wait")
|
||||
return nil
|
||||
}
|
||||
|
||||
return []string{"--wait=2"}
|
||||
}
|
||||
|
||||
// getIPTablesRestoreVersionString runs "iptables-restore --version" to get the version string
|
||||
// in the form "X.X.X"
|
||||
func getIPTablesRestoreVersionString(exec utilexec.Interface) (string, error) {
|
||||
// this doesn't access mutable state so we don't need to use the interface / runner
|
||||
|
||||
// iptables-restore hasn't always had --version, and worse complains
|
||||
// about unrecognized commands but doesn't exit when it gets them.
|
||||
// Work around that by setting stdin to nothing so it exits immediately.
|
||||
cmd := exec.Command(cmdIPTablesRestore, "--version")
|
||||
cmd.SetStdin(bytes.NewReader([]byte{}))
|
||||
bytes, err := cmd.CombinedOutput()
|
||||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
versionMatcher := regexp.MustCompile("v([0-9]+(\\.[0-9]+)+)")
|
||||
match := versionMatcher.FindStringSubmatch(string(bytes))
|
||||
if match == nil {
|
||||
return "", fmt.Errorf("no iptables version found in string: %s", bytes)
|
||||
}
|
||||
return match[1], nil
|
||||
}
|
||||
|
||||
// goroutine to listen for D-Bus signals
|
||||
func (runner *runner) dbusSignalHandler(bus utildbus.Connection) {
|
||||
firewalld := bus.Object(firewalldName, firewalldPath)
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue