This repository has been archived by the owner on Jun 20, 2024. It is now read-only.

support Iptables 1.8 with legacy and nf_tables support #3747

Merged: 3 commits, Jan 8, 2020


murali-reddy
Contributor

Fixes #3465

  • upgrade to alpine image (for amd64 only) with iptables 1.8.3
  • updated alpine image bundles both (legacy and nftable) versions of iptables, iptables-save, iptables-restore
  • by default iptables* commands soft linked to iptables-legacy*
  • user can explicitly specify the iptables backend
  • have borrowed back-end detection logic from kube-proxy

need to test with Kubernetes 1.17 which has kube-proxy in nft mode
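
The override-then-detect selection described in this comment, as an added example that is not the PR's code. The function names, the accepted values `legacy`/`nft`, and the rule-count heuristic with its 10-rule threshold are assumptions modelled on the kube-proxy approach the comment mentions; the two dumps are constructed samples.

```shell
#!/bin/sh
# Added example (not from the PR): pick an iptables backend from an explicit
# override, otherwise from where rules already live. Picking the wrong backend
# means the rules written and the rules other components see are in different
# kernel subsystems.

# Count rule lines ("-A ...") in iptables-save style text passed as $1.
count_rules() {
    printf '%s\n' "$1" | grep -c '^-' || true
}

# choose_backend LEGACY_DUMP NFT_DUMP -> prints "legacy" or "nft"
choose_backend() {
    if [ -n "${IPTABLES_BACKEND:-}" ]; then
        # Assumed accepted values; anything else is rejected, not passed on.
        case "$IPTABLES_BACKEND" in
            legacy|nft) echo "$IPTABLES_BACKEND"; return 0 ;;
            *) echo "unsupported IPTABLES_BACKEND: $IPTABLES_BACKEND" >&2
               return 1 ;;
        esac
    fi
    legacy_n=$(count_rules "$1")
    nft_n=$(count_rules "$2")
    # Assumed heuristic: a populated legacy table wins, ties go to legacy.
    if [ "$legacy_n" -ge 10 ] || [ "$legacy_n" -ge "$nft_n" ]; then
        echo legacy
    else
        echo nft
    fi
}

# Constructed sample dumps: empty legacy tables, rules present on the nft side.
SAMPLE_LEGACY='*filter
:INPUT ACCEPT [0:0]
COMMIT'
SAMPLE_NFT='*filter
:INPUT ACCEPT [0:0]
:KUBE-FIREWALL - [0:0]
-A INPUT -j KUBE-FIREWALL
-A KUBE-FIREWALL -m mark --mark 0x8000/0x8000 -j DROP
COMMIT'

# On a host with iptables 1.8:
# choose_backend "$(iptables-legacy-save 2>/dev/null)" "$(iptables-nft-save 2>/dev/null)"
```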

@bboreham
Contributor

Should we do anything for the non-Kubernetes case? I.e. the weave script.

@murali-reddy
Contributor Author

> need to test with Kubernetes 1.17 which has kube-proxy in nft mode

tested the auto detection logic with Kubernetes 1.17 (kube-proxy and kubelet using iptables nft mode) and Debian buster (iptables with nftable as default)

> Should we do anything for the non-Kubernetes case? I.e. the weave script.

We could ask users to use iptables-legacy on the host (for e.g.) for the moment so even update to the base image should work fine. Alternatively we could soft-link to appropriate binaries in the weave container during weave launch.

@murali-reddy murali-reddy changed the title [WIP] support Iptables 1.8 with legacy and nf_tables support support Iptables 1.8 with legacy and nf_tables support Dec 17, 2019
@bboreham bboreham added this to the 2.6.1 milestone Dec 17, 2019
rm /sbin/iptables
rm /sbin/iptables-save
rm /sbin/iptables-restore
ln /sbin/iptables-nft /sbin/iptables
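Review bot: the `rm /sbin/iptables` and `ln /sbin/iptables-nft /sbin/iptables` pair leaves the path missing between the two commands, and a plain `rm` errors out if the file is already absent. `ln -sf /sbin/iptables-nft /sbin/iptables` replaces the link in one command; the same applies to the iptables-save and iptables-restore paths removed above, which need to end up on the same backend as iptables.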
Contributor

Since Alpine appears to use symbolic links (ln -s), I think we should follow suit, just in case it causes confusion.

# Setup iptables backend to be legacy or nftable
setup_iptables_backend() {
if [ -n "${IPTABLES_BACKEND}" ]; then
mode=$IPTABLES_BACKEND
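Review bot: `mode=$IPTABLES_BACKEND` takes the environment value as-is, so a typo in the variable reaches whatever consumes `mode`. Worth rejecting anything other than the two backends named in the comment with a clear error before assigning, and documenting the accepted values next to the function.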
Contributor

please add this var to docs

@murali-reddy murali-reddy changed the base branch from master to 2.6 January 8, 2020 10:16
@murali-reddy
Contributor Author

Updated base branch to 2.6 and addressed review comments.

@bboreham bboreham merged commit 8bdfcd3 into 2.6 Jan 8, 2020
@bboreham bboreham deleted the iptables1.8 branch January 8, 2020 10:46