/* Copyright 2014 Google Inc. All rights reserved. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. */ package iptables import ( "fmt" "sync" utilexec "github.com/GoogleCloudPlatform/kubernetes/pkg/util/exec" "github.com/golang/glog" ) // An injectable interface for running iptables commands. Implementations must be goroutine-safe. type Interface interface { // EnsureChain checks if the specified chain exists and, if not, creates it. If the chain existed, return true. EnsureChain(table Table, chain Chain) (bool, error) // FlushChain clears the specified chain. FlushChain(table Table, chain Chain) error // EnsureRule checks if the specified rule is present and, if not, creates it. If the rule existed, return true. EnsureRule(table Table, chain Chain, args ...string) (bool, error) // DeleteRule checks if the specified rule is present and, if so, deletes it. DeleteRule(table Table, chain Chain, args ...string) error // IsIpv6 returns true if this is managing ipv6 tables IsIpv6() bool } type Protocol bool const ( ProtocolIpv4 Protocol = false ProtocolIpv6 Protocol = true ) type Table string const ( TableNAT Table = "nat" ) type Chain string const ( ChainPostrouting Chain = "POSTROUTING" ChainPrerouting Chain = "PREROUTING" ChainOutput Chain = "OUTPUT" ) // runner implements Interface in terms of exec("iptables"). type runner struct { mu sync.Mutex exec utilexec.Interface protocol Protocol } // New returns a new Interface which will exec iptables. func New(exec utilexec.Interface, protocol Protocol) Interface { return &runner{exec: exec, protocol: protocol} } // EnsureChain is part of Interface. func (runner *runner) EnsureChain(table Table, chain Chain) (bool, error) { fullArgs := makeFullArgs(table, chain) runner.mu.Lock() defer runner.mu.Unlock() out, err := runner.run(opCreateChain, fullArgs) if err != nil { if ee, ok := err.(utilexec.ExitError); ok { if ee.Exited() && ee.ExitStatus() == 1 { return true, nil } } return false, fmt.Errorf("error creating chain %q: %s: %s", chain, err, out) } return false, nil } // FlushChain is part of Interface. func (runner *runner) FlushChain(table Table, chain Chain) error { fullArgs := makeFullArgs(table, chain) runner.mu.Lock() defer runner.mu.Unlock() out, err := runner.run(opFlushChain, fullArgs) if err != nil { return fmt.Errorf("error flushing chain %q: %s: %s", chain, err, out) } return nil } // EnsureRule is part of Interface. func (runner *runner) EnsureRule(table Table, chain Chain, args ...string) (bool, error) { fullArgs := makeFullArgs(table, chain, args...) runner.mu.Lock() defer runner.mu.Unlock() exists, err := runner.checkRule(fullArgs) if err != nil { return false, err } if exists { return true, nil } out, err := runner.run(opAppendRule, fullArgs) if err != nil { return false, fmt.Errorf("error appending rule: %s: %s", err, out) } return false, nil } // DeleteRule is part of Interface. func (runner *runner) DeleteRule(table Table, chain Chain, args ...string) error { fullArgs := makeFullArgs(table, chain, args...) runner.mu.Lock() defer runner.mu.Unlock() exists, err := runner.checkRule(fullArgs) if err != nil { return err } if !exists { return nil } out, err := runner.run(opDeleteRule, fullArgs) if err != nil { return fmt.Errorf("error deleting rule: %s: %s", err, out) } return nil } func (runner *runner) IsIpv6() bool { return runner.protocol == ProtocolIpv6 } func (runner *runner) iptablesCommand() string { if runner.IsIpv6() { return "ip6tables" } else { return "iptables" } } func (runner *runner) run(op operation, args []string) ([]byte, error) { iptablesCmd := runner.iptablesCommand() fullArgs := append([]string{string(op)}, args...) glog.V(1).Infof("running iptables %s %v", string(op), args) return runner.exec.Command(iptablesCmd, fullArgs...).CombinedOutput() // Don't log err here - callers might not think it is an error. } // Returns (bool, nil) if it was able to check the existence of the rule, or // (, error) if the process of checking failed. func (runner *runner) checkRule(args []string) (bool, error) { out, err := runner.run(opCheckRule, args) if err == nil { return true, nil } if ee, ok := err.(utilexec.ExitError); ok { // iptables uses exit(1) to indicate a failure of the operation, // as compared to a malformed commandline, for example. if ee.Exited() && ee.ExitStatus() == 1 { return false, nil } } return false, fmt.Errorf("error checking rule: %s: %s", err, out) } type operation string const ( opCreateChain operation = "-N" opFlushChain operation = "-F" opAppendRule operation = "-A" opCheckRule operation = "-C" opDeleteRule operation = "-D" ) func makeFullArgs(table Table, chain Chain, args ...string) []string { return append([]string{string(chain), "-t", string(table)}, args...) }