[lxc-devel] [lxd/master] Fix nftables issues on older kernels
stgraber on Github
lxc-bot at linuxcontainers.org
Thu Mar 12 14:57:10 UTC 2020
From 4775cb0aed7c8551ceb3858e1a0432ea04968a22 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgraber at ubuntu.com>
Date: Thu, 12 Mar 2020 10:17:24 -0400
Subject: [PATCH 1/3] lxd/firewall/nft: Flush chain on delete
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>
---
lxd/firewall/drivers/drivers_nftables.go | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lxd/firewall/drivers/drivers_nftables.go b/lxd/firewall/drivers/drivers_nftables.go
index 3c8a7d5fbe..1a40c6d236 100644
--- a/lxd/firewall/drivers/drivers_nftables.go
+++ b/lxd/firewall/drivers/drivers_nftables.go
@@ -429,7 +429,7 @@ func (d Nftables) removeChains(families []string, chainSuffix string, chains ...
for _, family := range families {
for _, item := range ruleset {
if item.Type == "chain" && item.Family == family && item.Table == nftablesNamespace && shared.StringInSlice(item.Name, fullChains) {
- _, err = shared.RunCommand("nft", "delete", "chain", family, nftablesNamespace, item.Name)
+ _, err = shared.RunCommand("nft", "flush", "chain", family, nftablesNamespace, item.Name, ";", "delete", "chain", family, nftablesNamespace, item.Name)
if err != nil {
return errors.Wrapf(err, "Failed deleting nftables chain %q (%s)", item.Name, family)
}
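Review bot: The error wrap on the line after the changed command still reports only "Failed deleting", but the single nft invocation now runs a flush first, so a failure in the flush step would be reported as a delete failure; `return errors.Wrapf(err, "Failed flushing and deleting nftables chain %q (%s)", item.Name, family)` keeps the diagnostic honest. Nothing in the hunk says why the flush is needed; given the series title it appears to be that older kernels refuse to delete a chain that still holds rules, so a one-line comment above the command, `// Flush first: some older kernels refuse to delete a non-empty chain.`, would stop the next reader from "simplifying" it away. Passing `;` as a separate argument relies on nft joining its arguments into one script before parsing, which only holds if shared.RunCommand execs nft directly rather than through a shell — worth confirming. removeChains starts outside this hunk.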
From e3d94b0c656164f56766f1f245d7a8bcad530812 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgraber at ubuntu.com>
Date: Thu, 12 Mar 2020 10:56:27 -0400
Subject: [PATCH 2/3] lxd/firewall/nft: Handle json errors
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>
---
lxd/firewall/drivers/drivers_nftables.go | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/lxd/firewall/drivers/drivers_nftables.go b/lxd/firewall/drivers/drivers_nftables.go
index 1a40c6d236..a4acc3a9f9 100644
--- a/lxd/firewall/drivers/drivers_nftables.go
+++ b/lxd/firewall/drivers/drivers_nftables.go
@@ -63,7 +63,7 @@ func (d Nftables) Compat() (bool, bool) {
ruleset, err := d.nftParseRuleset()
if err != nil {
logger.Errorf("Firewall nftables unable to parse existing ruleset: %v", err)
- return true, false
+ return false, false
}
for _, item := range ruleset {
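Review bot: The log line above the changed return does not say what the new `false, false` result means in practice: a ruleset that cannot be parsed now marks the host as not nftables-compatible, so the caller will presumably fall back to xtables (the comment later in this file says that is what happens when nft is missing). Making that explicit, `logger.Errorf("Firewall nftables unable to parse existing ruleset, falling back to xtables: %v", err)`, helps an operator understand why rules suddenly appear in a different backend. If this host had been using nftables before, any existing LXD nftables rules would be left in place by that fallback — that is inferred from the contract in Compat's doc comment, not visible here, but worth checking in the caller. Compat's body continues outside this hunk.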
@@ -122,6 +122,11 @@ func (d Nftables) nftParseRuleset() ([]nftGenericItem, error) {
}
}
+ err = cmd.Wait()
+ if err != nil {
+ return nil, err
+ }
+
return items, nil
}
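Review bot: The bare `return nil, err` after `cmd.Wait()` will surface only as "exit status N" from exec, with no indication that it was nft listing the ruleset that failed; the file already wraps errors elsewhere, so `return nil, errors.Wrap(err, "Failed listing nftables ruleset")` would match that style and give Compat's log line something useful. The new Wait is also only reached on the fall-through path: if the decode loop above it returns early on an error (its body is outside this hunk, so this is inferred), nft is never waited on and is left as a zombie — a `defer` that reaps the process on every path, or a wait in the error branches too, would close that gap. nftParseRuleset starts outside this hunk.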
From 5e74bfa79ef58755f83a93e5678a11a49c25ee6e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgraber at ubuntu.com>
Date: Thu, 12 Mar 2020 10:56:42 -0400
Subject: [PATCH 3/3] lxd/firewall/nft: Refuse to run on old kernels
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>
---
lxd/firewall/drivers/drivers_nftables.go | 21 ++++++++++++++++++++-
1 file changed, 20 insertions(+), 1 deletion(-)
diff --git a/lxd/firewall/drivers/drivers_nftables.go b/lxd/firewall/drivers/drivers_nftables.go
index a4acc3a9f9..203a4b1410 100644
--- a/lxd/firewall/drivers/drivers_nftables.go
+++ b/lxd/firewall/drivers/drivers_nftables.go
@@ -6,6 +6,7 @@ import (
"fmt"
"net"
"os/exec"
+ "strconv"
"strings"
"text/template"
@@ -39,8 +40,26 @@ func (d Nftables) String() string {
// Compat returns whether the host is compatible with this driver and whether the driver backend is in use.
func (d Nftables) Compat() (bool, bool) {
+ // Get the kernel version.
+ uname, err := shared.Uname()
+ if err != nil {
+ return false, false
+ }
+
+ // We require a 5.x kernel to avoid weird conflicts with xtables.
+ if len(uname.Release) > 1 {
+ verInt, err := strconv.Atoi(uname.Release[0:1])
+ if err != nil {
+ return false, false
+ }
+
+ if verInt < 5 {
+ return false, false
+ }
+ }
+
// Check if nftables nft command exists, if not use xtables.
- _, err := exec.LookPath("nft")
+ _, err = exec.LookPath("nft")
if err != nil {
return false, false
}
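Review bot: The major-version parse takes only the first character of uname.Release, `uname.Release[0:1]`, so any two-digit major (a "10.x" kernel) would parse as 1 and be refused, and the surrounding `len(uname.Release) > 1` guard means a short or odd release string skips the version check entirely rather than failing closed. Parsing up to the first dot fixes both: `major, err := strconv.Atoi(strings.SplitN(uname.Release, ".", 2)[0])` followed by `if err != nil || major < 5 { return false, false }`, with the outer `len` guard dropped (strings is already imported in this file). The `shared.Uname()` failure and the version refusal both return silently while the ruleset-parse failure in this same function logs, so a `logger.Debugf` naming the kernel release on the refusal path would make the xtables fallback diagnosable. The "weird conflicts with xtables" comment would also benefit from naming the conflict, if known, since it is the only justification for turning the driver off below 5.x. Compat's body continues past this hunk.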