datapath: Inconsistency between IPv4 and IPv6 iptables rules propagation · Issue #18904 · cilium/cilium · GitHub
datapath: Inconsistency between IPv4 and IPv6 iptables rules propagation #18904
Closed
Description

@brb

In the agent datapath package we try to detect and load iptables kernel modules:

```go
if err := modulesManager.FindOrLoadModules(
	"ip_tables", "iptable_nat", "iptable_mangle", "iptable_raw",
	"iptable_filter"); err != nil {
	log.WithError(err).Warning(
		"iptables modules could not be initialized. It probably means that iptables is not available on this system")
}
if err := modulesManager.FindOrLoadModules(
	"ip6_tables", "ip6table_mangle", "ip6table_raw", "ip6table_filter"); err != nil {
	if option.Config.EnableIPv6 {
		log.WithError(err).Warning(
			"IPv6 is enabled and ip6tables modules could not be initialized (try loading ip6_tables, ip6table_mangle, ip6table_raw and ip6table_filter modules)")
	}
	log.WithError(err).Debug(
		"ip6tables kernel modules could not be loaded, so IPv6 cannot be used")
	haveIp6tables = false
}
```

If any v6 module cannot be loaded, we declare that IPv6 cannot be used (i.e., we set `haveIp6tables=false`), while in the case of v4 we don't have such a declaration.

Later on in the code, we remove some chains, then re-add them and install rules. In the case of v6, not all operations are protected with `if m.haveIp6Tables {}`, which can lead to the following error:

```
level=debug msg="Copying &{ip6tables cilium_node_set_v6 [-w 5]} TPROXY rule from OLD_CILIUM_PRE_mangle to CILIUM_PRE_mangle" obj="[-t mangle -A CILIUM_PRE_mangle -p udp -m mark --mark 0x27800200 -m comment --comment cilium: TPROXY to host cilium-dns-egress proxy -j TPROXY --on-port 32807 --on-ip :: --tproxy-mark 0x200/0xffffffff]" subsys=iptables
level=fatal msg="Error while creating daemon" error="error while initializing daemon: cannot add custom chain CILIUM_INPUT: exit status 1" subsys=daemon
```

The explanation for the error above is that the removal of the v6 chain `CILIUM_INPUT` is not performed due to the `haveIp6Tables` guard, while the insertion is not guarded.

Regarding the first inconsistency, I wonder why we have it. Maybe @vadorovsky or @joestringer has the answer? The code was introduced in 5b17c99.
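A constructed model of the guard asymmetry described in the issue, added here and not part of the issue or of Cilium's own code. It assumes the ip6tables binary still operates even though module detection failed (as the ip6tables debug line above implies) and that a `CILIUM_INPUT` chain survives from a previous agent run; `reinstall` is a hypothetical stand-in for the agent's rename-then-create sequence, with the guard placement selectable.

```go
package main

import "fmt"

// fakeTables is a constructed in-memory stand-in for ip6tables: it only tracks which custom chains exist.
type fakeTables struct{ chains map[string]bool }
func newFakeTables(existing ...string) *fakeTables {
	t := &fakeTables{chains: map[string]bool{}}
	for _, c := range existing {
		t.chains[c] = true
	}
	return t
}

// newChain behaves like "ip6tables -N <chain>": it fails if the chain exists.
func (t *fakeTables) newChain(name string) error {
	if t.chains[name] {
		return fmt.Errorf("cannot add custom chain %s: exit status 1", name)
	}
	t.chains[name] = true
	return nil
}

// renameChain behaves like "ip6tables -E <from> <to>" on an existing chain.
func (t *fakeTables) renameChain(from, to string) {
	if t.chains[from] {
		delete(t.chains, from)
		t.chains[to] = true
	}
}

// reinstall moves the old chain aside as OLD_<chain>, then creates <chain> afresh.
// consistentGuard=false guards only the removal (as reported); true guards both steps.
func reinstall(t *fakeTables, chain string, haveIp6tables, consistentGuard bool) error {
	if haveIp6tables {
		t.renameChain(chain, "OLD_"+chain)
	}
	if haveIp6tables || !consistentGuard {
		return t.newChain(chain) // collides with the chain that was never moved aside
	}
	return nil
}

func main() {
	for _, consistent := range []bool{false, true} {
		t := newFakeTables("CILIUM_INPUT") // left over from a previous agent run
		fmt.Printf("consistentGuard=%v: err=%v\n", consistent, reinstall(t, "CILIUM_INPUT", false, consistent))
	}
}
```

With the reported layout the unguarded add reproduces the fatal "cannot add custom chain CILIUM_INPUT" message; guarding both steps by the same flag makes the v6 path a clean no-op.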

Labels

area/datapath (Impacts bpf/ or low-level forwarding details, including map management and monitor messages), kind/bug (This is a bug in the Cilium logic.)