This repository has been archived by the owner on Jun 20, 2024. It is now read-only.

weave-npc doesn't handle named ports #3032

Open
@mikebryant

Description

What you expected to happen?

For weave-npc not to crash

What happened?

I used a NetworkPolicy with a named port, as per https://kubernetes.io/docs/api-reference/extensions/v1beta1/definitions/#_v1beta1_networkpolicyport
This can either be a numerical or named port on a pod.

This causes weave-npc to crash

How to reproduce it?

Use a NetworkPolicy with a named port

Versions:

$ weave version
1.9.5
$ kubectl version
Client Version: version.Info{Major:"1", Minor:"6", GitVersion:"v1.6.5", GitCommit:"490c6f13df1cb6612e0993c4c14f2ff90f8cdbf3", GitTreeState:"clean", BuildDate:"2017-06-14T20:15:53Z", GoVersion:"go1.7.6", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"6", GitVersion:"v1.6.1+coreos.0", GitCommit:"9212f77ed8c169a0afa02e58dce87913c6387b3e", GitTreeState:"clean", BuildDate:"2017-04-04T00:32:53Z", GoVersion:"go1.7.5", Compiler:"gc", Platform:"linux/amd64"}

Logs:

INFO: 2017/06/23 14:13:29.046710 EVENT AddNetworkPolicy {"metadata":{"name":"postgres","namespace":"screenful","selfLink":"/apis/extensions/v1beta1/namespaces/screenful/networkpolicies/postgres","uid":"33035a7e-581d-11e7-9212-fa163e65bc02","resourceVersion":"5949240","generation":1,"creationTimestamp":"2017-06-23T14:06:49Z","annotations":{"kubectl.kubernetes.io/last-applied-configuration":"{\"apiVersion\":\"extensions/v1beta1\",\"kind\":\"NetworkPolicy\",\"metadata\":{\"annotations\":{},\"name\":\"postgres\",\"namespace\":\"screenful\"},\"spec\":{\"ingress\":[{\"from\":[{\"podSelector\":{\"matchLabels\":{\"app\":\"screenful\"}}}],\"ports\":[{\"port\":\"postgres\",\"protocol\":\"TCP\"}]}],\"podSelector\":{\"matchLabels\":{\"app\":\"postgres\"}}}}\n"}},"spec":{"podSelector":{"matchLabels":{"app":"postgres"}},"ingress":[{"ports":[{"protocol":"TCP","port":"postgres"}],"from":[{"podSelector":{"matchLabels":{"app":"screenful"}}}]}]}}
INFO: 2017/06/23 14:13:29.047504 creating ipset: &npc.selectorSpec{key:"", selector:labels.internalSelector{}, ipsetType:"hash:ip", ipsetName:"weave-yw.D0czlULhY^Na(}/meeeGHH"}
INFO: 2017/06/23 14:13:29.052048 creating ipset: &npc.selectorSpec{key:"app=postgres", selector:labels.internalSelector{labels.Requirement{key:"app", operator:"=", strValues:[]string{"postgres"}}}, ipsetType:"hash:ip", ipsetName:"weave-5*HDryZlO>b4*738kizjErDH)"}
INFO: 2017/06/23 14:13:29.056654 creating ipset: &npc.selectorSpec{key:"app=screenful", selector:labels.internalSelector{labels.Requirement{key:"app", operator:"=", strValues:[]string{"screenful"}}}, ipsetType:"hash:ip", ipsetName:"weave-QYIlr%V?kjp#HJ7cHYQjMOivC"}
INFO: 2017/06/23 14:13:29.067510 adding rule: [-p TCP -m set --match-set weave-QYIlr%V?kjp#HJ7cHYQjMOivC src -m set --match-set weave-5*HDryZlO>b4*738kizjErDH) dst --dport postgres -j ACCEPT]
FATA: 2017/06/23 14:13:29.071935 add network policy: exit status 2: iptables v1.6.0: invalid port/service `postgres' specified
Try `iptables -h' or 'iptables --help' for more information.
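The log above shows the policy's port name being passed to `iptables --dport` unchanged. The following added example (not weave-npc's own code) sketches one way to resolve a NetworkPolicy port against the ports a pod declares before building the rule, returning an error instead of exiting when the name cannot be resolved. The `ContainerPort` type, the function names, and the sample port number 5432 are assumptions made for illustration, and only the port part of the rule is built.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// ContainerPort is a simplified stand-in for a pod's declared port (hypothetical type).
type ContainerPort struct {
	Name, Protocol string
	Port           int
}

// resolvePort maps a policy port (numeric string or name) to a port number for one pod.
func resolvePort(policyPort, proto string, declared []ContainerPort) (int, error) {
	if n, err := strconv.Atoi(policyPort); err == nil {
		if n < 1 || n > 65535 {
			return 0, fmt.Errorf("port %d out of range", n)
		}
		return n, nil
	}
	for _, cp := range declared {
		if cp.Name == policyPort && strings.EqualFold(cp.Protocol, proto) {
			return cp.Port, nil
		}
	}
	return 0, fmt.Errorf("named port %q/%s not declared by pod", policyPort, proto)
}

// dportArgs builds the port part of an iptables rule; on error no arguments are returned.
func dportArgs(policyPort, proto string, declared []ContainerPort) ([]string, error) {
	n, err := resolvePort(policyPort, proto, declared)
	if err != nil {
		return nil, err
	}
	return []string{"-p", proto, "--dport", strconv.Itoa(n), "-j", "ACCEPT"}, nil
}

func main() {
	pod := []ContainerPort{{Name: "postgres", Protocol: "TCP", Port: 5432}} // constructed sample
	for _, p := range []string{"postgres", "8080", "metrics"} {
		if args, err := dportArgs(p, "TCP", pod); err != nil {
			fmt.Println("skipping rule:", err) // report and continue, do not exit
		} else {
			fmt.Println("iptables", strings.Join(args, " "))
		}
	}
}
```

Because a port name is resolved per pod, the same name can map to different numbers on different pods selected by one policy, so the lookup has to run for each destination pod.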
