
Commit d246770

committed
Ability to configure wait for the xtables lock
Any invocation of the iptables command takes the xtables lock, and failing to obtain it can lead to the iptables command exiting with status 4. On racy systems, anything that inspects iptables concurrently can trigger this error. However, maybe this is ultimately not an issue as kubernetes will retry failed pods. > IPTABLES(8): -w, --wait [seconds] Wait for the xtables lock. To prevent multiple instances of the program from running concurrently, an attempt will be made to obtain an exclusive lock at launch. By default, the program will exit if the lock cannot be obtained. This option will make the program wait (indefinitely or for optional seconds) until the exclusive lock can be obtained. Signed-off-by: נυαη נυαηѕση <[email protected]>
1 parent 63942df commit d246770


1 file changed

+11
-10
lines changed


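--- a/entry
+++ b/entry
@@ -27,37 +27,38 @@ check_iptables_mode() {
 }
 
 set_nft() {
-for i in iptables iptables-save iptables-restore ip6tables; do
+for i in iptables iptables-save iptables-restore ip6tables; do
 ln -sf /sbin/xtables-nft-multi "$BIN_DIR/$i";
 done
 }
 
 set_legacy() {
-for i in iptables iptables-save iptables-restore ip6tables; do
+for i in iptables iptables-save iptables-restore ip6tables; do
 ln -sf /sbin/xtables-legacy-multi "$BIN_DIR/$i";
 done
 }
 
 start_proxy() {
+wait_seconds="${WAIT_SECONDS:-0}"
 for src_range in ${SRC_RANGES}; do
 if echo ${src_range} | grep -Eq ":"; then
-ip6tables -t filter -I FORWARD -s ${src_range} -p ${DEST_PROTO} --dport ${DEST_PORT} -j ACCEPT
+ip6tables -w ${wait_seconds} -t filter -I FORWARD -s ${src_range} -p ${DEST_PROTO} --dport ${DEST_PORT} -j ACCEPT
 else
-iptables -t filter -I FORWARD -s ${src_range} -p ${DEST_PROTO} --dport ${DEST_PORT} -j ACCEPT
+iptables -w ${wait_seconds} -t filter -I FORWARD -s ${src_range} -p ${DEST_PROTO} --dport ${DEST_PORT} -j ACCEPT
 fi
 done
 
 for dest_ip in ${DEST_IPS}; do
 if echo ${dest_ip} | grep -Eq ":"; then
 [ $(cat /proc/sys/net/ipv6/conf/all/forwarding) == 1 ] || exit 1
-ip6tables -t filter -A FORWARD -d ${dest_ip}/128 -p ${DEST_PROTO} --dport ${DEST_PORT} -j DROP
-ip6tables -t nat -I PREROUTING -p ${DEST_PROTO} --dport ${SRC_PORT} -j DNAT --to [${dest_ip}]:${DEST_PORT}
-ip6tables -t nat -I POSTROUTING -d ${dest_ip}/128 -p ${DEST_PROTO} -j MASQUERADE
+ip6tables -w ${wait_seconds} -t filter -A FORWARD -d ${dest_ip}/128 -p ${DEST_PROTO} --dport ${DEST_PORT} -j DROP
+ip6tables -w ${wait_seconds}-t nat -I PREROUTING -p ${DEST_PROTO} --dport ${SRC_PORT} -j DNAT --to [${dest_ip}]:${DEST_PORT}
+ip6tables -w ${wait_seconds}-t nat -I POSTROUTING -d ${dest_ip}/128 -p ${DEST_PROTO} -j MASQUERADE
 else
 [ $(cat /proc/sys/net/ipv4/ip_forward) == 1 ] || exit 1
-iptables -t filter -A FORWARD -d ${dest_ip}/32 -p ${DEST_PROTO} --dport ${DEST_PORT} -j DROP
-iptables -t nat -I PREROUTING -p ${DEST_PROTO} --dport ${SRC_PORT} -j DNAT --to ${dest_ip}:${DEST_PORT}
-iptables -t nat -I POSTROUTING -d ${dest_ip}/32 -p ${DEST_PROTO} -j MASQUERADE
+iptables -w ${wait_seconds} -t filter -A FORWARD -d ${dest_ip}/32 -p ${DEST_PROTO} --dport ${DEST_PORT} -j DROP
+iptables -w ${wait_seconds} -t nat -I PREROUTING -p ${DEST_PROTO} --dport ${SRC_PORT} -j DNAT --to ${dest_ip}:${DEST_PORT}
+iptables -w ${wait_seconds} -t nat -I POSTROUTING -d ${dest_ip}/32 -p ${DEST_PROTO} -j MASQUERADE
 fi
 done
 }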
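Review bot: The two IPv6 NAT lines (new lines 55 and 56, the PREROUTING DNAT and POSTROUTING MASQUERADE rules) are missing the space between `${wait_seconds}` and `-t`, so ip6tables receives `-w 0-t nat …` and `-t nat` is no longer presented as the table option; those two rules will most likely be rejected instead of installed, while the IPv4 branch at new lines 60 and 61 is spelled correctly. The fix is `ip6tables -w ${wait_seconds} -t nat -I PREROUTING …` and `ip6tables -w ${wait_seconds} -t nat -I POSTROUTING …`. Since WAIT_SECONDS comes from the environment and is expanded unquoted into every rule, it is worth rejecting anything but digits right after the assignment, e.g. `case "$wait_seconds" in ''|*[!0-9]*) echo "WAIT_SECONDS must be a non-negative integer" >&2; exit 1 ;; esac`, so a bad value fails at startup with a clear message rather than partway through rule installation, leaving a half-configured ruleset. A one-line comment on the assignment stating what the default of 0 is meant to do (presumably a single non-blocking lock attempt, matching the pre-change behaviour, but that should be confirmed against the iptables version in the image) would also help the next reader.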
