The following pull request was submitted through Github. It can be accessed and reviewed at: https://github.com/lxc/lxd/pull/7014
This e-mail was sent by the LXC bot, direct replies will not reach the author unless they happen to be subscribed to this list. === Description (from pull-request) ===
From 4775cb0aed7c8551ceb3858e1a0432ea04968a22 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgra...@ubuntu.com>
Date: Thu, 12 Mar 2020 10:17:24 -0400
Subject: [PATCH 1/3] lxd/firewall/nft: Flush chain on delete
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Stéphane Graber <stgra...@ubuntu.com>
---
 lxd/firewall/drivers/drivers_nftables.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lxd/firewall/drivers/drivers_nftables.go b/lxd/firewall/drivers/drivers_nftables.go
index 3c8a7d5fbe..1a40c6d236 100644
--- a/lxd/firewall/drivers/drivers_nftables.go
+++ b/lxd/firewall/drivers/drivers_nftables.go
@@ -429,7 +429,7 @@ func (d Nftables) removeChains(families []string, chainSuffix string, chains ...
 for _, family := range families {
 for _, item := range ruleset {
 if item.Type == "chain" && item.Family == family && item.Table == nftablesNamespace && shared.StringInSlice(item.Name, fullChains) {
- _, err = shared.RunCommand("nft", "delete", "chain", family, nftablesNamespace, item.Name)
+ _, err = shared.RunCommand("nft", "flush", "chain", family, nftablesNamespace, item.Name, ";", "delete", "chain", family, nftablesNamespace, item.Name)
 if err != nil {
 return errors.Wrapf(err, "Failed deleting nftables chain %q (%s)", item.Name, family)
 }

From e3d94b0c656164f56766f1f245d7a8bcad530812 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgra...@ubuntu.com>
Date: Thu, 12 Mar 2020 10:56:27 -0400
Subject: [PATCH 2/3] lxd/firewall/nft: Handle json errors
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Stéphane Graber <stgra...@ubuntu.com>
---
 lxd/firewall/drivers/drivers_nftables.go | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/lxd/firewall/drivers/drivers_nftables.go b/lxd/firewall/drivers/drivers_nftables.go
index 1a40c6d236..a4acc3a9f9 100644
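Review bot: The wrap on the `if err != nil` line still reads "Failed deleting" although the joined command now flushes first, so a failure in the flush half is reported as a delete failure; `return errors.Wrapf(err, "Failed flushing and deleting nftables chain %q (%s)", item.Name, family)` names what was attempted. The `";"` argument only works because nft concatenates its argv into one script before parsing, which also means `family` and `item.Name` are spliced into nft's command language rather than passed as opaque arguments; they come from nft's own parsed ruleset here, so they should be plain identifiers, but a comment such as `// nft joins argv into one script, so ";" separates the flush from the delete.` makes that reliance explicit. Two separate RunCommand calls would avoid the separator trick and let each failure be reported on its own. The removeChains loop begins and ends outside the hunk.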
--- a/lxd/firewall/drivers/drivers_nftables.go
+++ b/lxd/firewall/drivers/drivers_nftables.go
@@ -63,7 +63,7 @@ func (d Nftables) Compat() (bool, bool) {
 ruleset, err := d.nftParseRuleset()
 if err != nil {
 logger.Errorf("Firewall nftables unable to parse existing ruleset: %v", err)
- return true, false
+ return false, false
 }

 for _, item := range ruleset {
@@ -122,6 +122,11 @@ func (d Nftables) nftParseRuleset() ([]nftGenericItem, error) {
 }
 }

+ err = cmd.Wait()
+ if err != nil {
+ return nil, err
+ }
+
 return items, nil
 }

From 5e74bfa79ef58755f83a93e5678a11a49c25ee6e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgra...@ubuntu.com>
Date: Thu, 12 Mar 2020 10:56:42 -0400
Subject: [PATCH 3/3] lxd/firewall/nft: Refuse to run on old kernels
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Stéphane Graber <stgra...@ubuntu.com>
---
 lxd/firewall/drivers/drivers_nftables.go | 21 ++++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)

diff --git a/lxd/firewall/drivers/drivers_nftables.go b/lxd/firewall/drivers/drivers_nftables.go
index a4acc3a9f9..203a4b1410 100644
--- a/lxd/firewall/drivers/drivers_nftables.go
+++ b/lxd/firewall/drivers/drivers_nftables.go
@@ -6,6 +6,7 @@ import (
 "fmt"
 "net"
 "os/exec"
+ "strconv"
 "strings"
 "text/template"

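Review bot: Returning `false, false` on the changed line makes an unparseable ruleset indistinguishable from a host without nftables support, so the caller presumably falls back to xtables while nftables rules may still be loaded, and the `logger.Errorf` line is the only trace of that switch. If that fallback is the intended behaviour, a comment such as `// A ruleset we cannot parse is treated as unsupported so the xtables driver is used instead.` would record the decision; otherwise surfacing the error to the caller is safer than a silent backend change. Compat continues past the hunk.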
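Review bot: The new `cmd.Wait()` is only reached on the success path of nftParseRuleset, so any earlier `return` inside the decode loop above the hunk (not visible here) would still leave the nft child un-reaped; waiting in that error path, or via a `defer`, would close the gap. The error is returned bare on the `return nil, err` line while the rest of the file wraps with context, so `return nil, errors.Wrap(err, "Failed waiting for nft ruleset listing")` would match the surrounding style and tell the operator which nft invocation failed. The function starts outside the hunk.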
@@ -39,8 +40,26 @@ func (d Nftables) String() string {

 // Compat returns whether the host is compatible with this driver and whether the driver backend is in use.
 func (d Nftables) Compat() (bool, bool) {
+ // Get the kernel version.
+ uname, err := shared.Uname()
+ if err != nil {
+ return false, false
+ }
+
+ // We require a 5.x kernel to avoid weird conflicts with xtables.
+ if len(uname.Release) > 1 {
+ verInt, err := strconv.Atoi(uname.Release[0:1])
+ if err != nil {
+ return false, false
+ }
+
+ if verInt < 5 {
+ return false, false
+ }
+ }
+
 // Check if nftables nft command exists, if not use xtables.
- _, err := exec.LookPath("nft")
+ _, err = exec.LookPath("nft")
 if err != nil {
 return false, false
 }
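Review bot: The check on the `strconv.Atoi(uname.Release[0:1])` line parses only the first character of the release string, so a two-digit major version such as 10.x would be read as 1 and refused, and a release shorter than two characters skips the check entirely because of the `len(uname.Release) > 1` guard; `major := strings.SplitN(uname.Release, ".", 2)[0]` followed by `verInt, err := strconv.Atoi(major)` compares the whole major number, and strings is already imported. The inner `verInt, err :=` shadows the `err` declared by `uname, err := shared.Uname()`, harmless here but the pattern vet's shadow check flags; predeclaring `verInt` and assigning with `=` avoids it. Both new `return false, false` paths are silent, unlike the ruleset parse failure further down which logs before returning, so an operator cannot tell why the driver declined to run. Compat continues past the hunk.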