[lxc-devel] [lxd/master] Fix nftables issues on older kernels

stgraber on Github lxc-bot at linuxcontainers.org
Thu Mar 12 14:57:10 UTC 2020


From 4775cb0aed7c8551ceb3858e1a0432ea04968a22 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgraber at ubuntu.com>
Date: Thu, 12 Mar 2020 10:17:24 -0400
Subject: [PATCH 1/3] lxd/firewall/nft: Flush chain on delete
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>
---
 lxd/firewall/drivers/drivers_nftables.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lxd/firewall/drivers/drivers_nftables.go b/lxd/firewall/drivers/drivers_nftables.go
index 3c8a7d5fbe..1a40c6d236 100644
--- a/lxd/firewall/drivers/drivers_nftables.go
+++ b/lxd/firewall/drivers/drivers_nftables.go
@@ -429,7 +429,7 @@ func (d Nftables) removeChains(families []string, chainSuffix string, chains ...
 	for _, family := range families {
 		for _, item := range ruleset {
 			if item.Type == "chain" && item.Family == family && item.Table == nftablesNamespace && shared.StringInSlice(item.Name, fullChains) {
-				_, err = shared.RunCommand("nft", "delete", "chain", family, nftablesNamespace, item.Name)
+				_, err = shared.RunCommand("nft", "flush", "chain", family, nftablesNamespace, item.Name, ";", "delete", "chain", family, nftablesNamespace, item.Name)
 				if err != nil {
 					return errors.Wrapf(err, "Failed deleting nftables chain %q (%s)", item.Name, family)
 				}
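Review bot: The error wrapped on the line after the new command still reads `Failed deleting nftables chain`, although the invocation now flushes the chain before deleting it, so a flush failure will be reported as a delete failure. The reason for the flush is also not recorded in the code; the series title suggests it works around older kernels rejecting the deletion of a non-empty chain, so a comment above the RunCommand line such as `// Flush before delete: the series targets kernels that refuse to delete a chain that still holds rules.` would help the next reader. The bare `;` argument relies on nft joining argv into a single command line rather than on a shell, which is worth a word in the same comment. removeChains begins outside the hunk.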

From e3d94b0c656164f56766f1f245d7a8bcad530812 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgraber at ubuntu.com>
Date: Thu, 12 Mar 2020 10:56:27 -0400
Subject: [PATCH 2/3] lxd/firewall/nft: Handle json errors
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>
---
 lxd/firewall/drivers/drivers_nftables.go | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/lxd/firewall/drivers/drivers_nftables.go b/lxd/firewall/drivers/drivers_nftables.go
index 1a40c6d236..a4acc3a9f9 100644
--- a/lxd/firewall/drivers/drivers_nftables.go
+++ b/lxd/firewall/drivers/drivers_nftables.go
@@ -63,7 +63,7 @@ func (d Nftables) Compat() (bool, bool) {
 	ruleset, err := d.nftParseRuleset()
 	if err != nil {
 		logger.Errorf("Firewall nftables unable to parse existing ruleset: %v", err)
-		return true, false
+		return false, false
 	}
 
 	for _, item := range ruleset {
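Review bot: The new `return false, false` turns an unparseable ruleset into a silent fallback to the xtables driver, and the only trace left is the Error-level log on the line above, whose text does not say that the driver is being disabled. A comment next to the return, `// Treat an unparseable ruleset as incompatible so the caller falls back to xtables.`, would make the intent explicit, and extending the log text to mention the fallback would make the resulting behaviour diagnosable from the log alone. Compat begins outside the hunk.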
@@ -122,6 +122,11 @@ func (d Nftables) nftParseRuleset() ([]nftGenericItem, error) {
 		}
 	}
 
+	err = cmd.Wait()
+	if err != nil {
+		return nil, err
+	}
+
 	return items, nil
 }
 
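Review bot: The added `cmd.Wait()` is only reached when the decode loop above completes normally; if that loop returns early on a decoder error (its body is outside the hunk), the child process is never waited on and its stdout pipe is left open, leaving a zombie until the parent exits. Consider calling `cmd.Wait()` on that error path as well, for example `if err != nil { cmd.Wait(); return nil, err }` in the loop's error branch, keeping the success-path check introduced here. nftParseRuleset starts outside the hunk.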

From 5e74bfa79ef58755f83a93e5678a11a49c25ee6e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgraber at ubuntu.com>
Date: Thu, 12 Mar 2020 10:56:42 -0400
Subject: [PATCH 3/3] lxd/firewall/nft: Refuse to run on old kernels
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>
---
 lxd/firewall/drivers/drivers_nftables.go | 21 ++++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)

diff --git a/lxd/firewall/drivers/drivers_nftables.go b/lxd/firewall/drivers/drivers_nftables.go
index a4acc3a9f9..203a4b1410 100644
--- a/lxd/firewall/drivers/drivers_nftables.go
+++ b/lxd/firewall/drivers/drivers_nftables.go
@@ -6,6 +6,7 @@ import (
 	"fmt"
 	"net"
 	"os/exec"
+	"strconv"
 	"strings"
 	"text/template"
 
@@ -39,8 +40,26 @@ func (d Nftables) String() string {
 
 // Compat returns whether the host is compatible with this driver and whether the driver backend is in use.
 func (d Nftables) Compat() (bool, bool) {
+	// Get the kernel version.
+	uname, err := shared.Uname()
+	if err != nil {
+		return false, false
+	}
+
+	// We require a 5.x kernel to avoid weird conflicts with xtables.
+	if len(uname.Release) > 1 {
+		verInt, err := strconv.Atoi(uname.Release[0:1])
+		if err != nil {
+			return false, false
+		}
+
+		if verInt < 5 {
+			return false, false
+		}
+	}
+
 	// Check if nftables nft command exists, if not use xtables.
-	_, err := exec.LookPath("nft")
+	_, err = exec.LookPath("nft")
 	if err != nil {
 		return false, false
 	}
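Review bot: `uname.Release[0:1]` takes only the first character of the release string, so a two-digit major such as a 10.x kernel parses as 1 and is refused, and the `len(uname.Release) > 1` guard lets an empty or single-character release skip the version check entirely. Parsing the whole major component avoids both: `major, err := strconv.Atoi(strings.SplitN(uname.Release, ".", 2)[0])` followed by `if err != nil || major < 5 { return false, false }` (`strings` is already imported in this file). The Uname and Atoi failures also return silently, unlike the ruleset-parse failure further down in this function which logs at error level; a `logger.Errorf` on those paths would make an unexpected fallback to xtables diagnosable. Compat continues past the end of the hunk.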

