From e3d563b0f0833b3f661f1f82cd3cab3f2698812f Mon Sep 17 00:00:00 2001
From: Joe Julian
Date: Thu, 3 Mar 2022 16:52:00 -0800
Subject: [PATCH] bug: return errors when iptables and ip6tables are unusable

Signed-off-by: Joe Julian
---
 plugins/meta/portmap/portmap.go | 26 ++++++++++++++++----------
 1 file changed, 16 insertions(+), 10 deletions(-)

diff --git a/plugins/meta/portmap/portmap.go b/plugins/meta/portmap/portmap.go
index 8178bfbc..728ce712 100644
--- a/plugins/meta/portmap/portmap.go
+++ b/plugins/meta/portmap/portmap.go
@@ -120,10 +120,13 @@ func checkPorts(config *PortMapConf, containerNet net.IPNet) error {
 dnatChain := genDnatChain(config.Name, config.ContainerID)
 fillDnatRules(&dnatChain, config, containerNet)
 
- ip4t := maybeGetIptables(false)
- ip6t := maybeGetIptables(true)
+ ip4t, err4 := maybeGetIptables(false)
+ ip6t, err6 := maybeGetIptables(true)
 if ip4t == nil && ip6t == nil {
- return fmt.Errorf("neither iptables nor ip6tables usable")
+ err := fmt.Errorf("neither iptables nor ip6tables is usable")
+ err = fmt.Errorf("%v, (iptables) %v", err, err4)
+ err = fmt.Errorf("%v, (ip6tables) %v", err, err6)
+ return err
 }
 
 if ip4t != nil {
@@ -354,10 +357,13 @@ func unforwardPorts(config *PortMapConf) error {
 // Might be lying around from old versions
 oldSnatChain := genOldSnatChain(config.Name, config.ContainerID)
 
- ip4t := maybeGetIptables(false)
- ip6t := maybeGetIptables(true)
+ ip4t, err4 := maybeGetIptables(false)
+ ip6t, err6 := maybeGetIptables(true)
 if ip4t == nil && ip6t == nil {
- return fmt.Errorf("neither iptables nor ip6tables usable")
+ err := fmt.Errorf("neither iptables nor ip6tables is usable")
+ err = fmt.Errorf("%v, (iptables) %v", err, err4)
+ err = fmt.Errorf("%v, (ip6tables) %v", err, err6)
+ return err
 }
 
 if ip4t != nil {
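Review bot: The both-unusable error in checkPorts is assembled with three successive `fmt.Errorf` calls using `%v`, which flattens err4 and err6 to text so a caller cannot match the underlying cause with `errors.Is` or `errors.As`. The identical four lines are repeated in the unforwardPorts hunk. A single call gives the same message and is easier to read: `return fmt.Errorf("neither iptables nor ip6tables is usable, (iptables) %v, (ip6tables) %v", err4, err6)`; where the module's Go version allows it, `%w` would keep the chain intact. Since the block now exists twice, a small shared helper would stop the two messages from drifting apart. checkPorts continues past the end of the hunk.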
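Review bot: In unforwardPorts, err4 and err6 are consumed only inside the `ip4t == nil && ip6t == nil` branch, so when exactly one family is unusable its error is discarded without any trace. The per-family blocks that follow `if ip4t != nil {` are outside the hunk, but if the IPv6 block is skipped the same way, a transient ip6tables failure during teardown would presumably leave that family's DNAT rules in place, and stale forwarding rules matter because the container address may be reused later. Consider surfacing the dropped error on the partial path, for example `if err6 != nil { fmt.Fprintf(os.Stderr, "portmap: ip6tables unusable, skipping IPv6 cleanup: %v\n", err6) }`, assuming stderr is where this plugin reports diagnostics. The same observation applies to checkPorts in the previous hunk.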
@@ -378,7 +384,7 @@ func unforwardPorts(config *PortMapConf) error {
 
 // maybeGetIptables implements the soft error swallowing. If iptables is
 // usable for the given protocol, returns a handle, otherwise nil
-func maybeGetIptables(isV6 bool) *iptables.IPTables {
+func maybeGetIptables(isV6 bool) (*iptables.IPTables, error) {
 proto := iptables.ProtocolIPv4
 if isV6 {
 proto = iptables.ProtocolIPv6
@@ -386,15 +392,15 @@ func maybeGetIptables(isV6 bool) *iptables.IPTables {
 
 ipt, err := iptables.NewWithProtocol(proto)
 if err != nil {
- return nil
+ return nil, err
 }
 
 _, err = ipt.List("nat", "OUTPUT")
 if err != nil {
- return nil
+ return nil, err
 }
 
- return ipt
+ return ipt, nil
 }
 
 // deletePortmapStaleConnections delete the UDP conntrack entries on the specified IP family
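Review bot: The doc comment kept as context above maybeGetIptables still describes the old contract ("implements the soft error swallowing ... returns a handle, otherwise nil"), but the new signature hands the error back and leaves the swallowing to the callers. Suggest replacing it with `// maybeGetIptables returns an iptables handle for the given protocol, or nil` / `// and the error that made it unusable; callers decide whether to ignore it.` The function body continues in the next hunk.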
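Review bot: Both failure returns in maybeGetIptables pass `err` through unchanged, so the combined message the callers build does not say whether creating the handle failed or the `nat`/`OUTPUT` listing probe failed. These usually call for different remediation (a missing binary versus, plausibly, missing privileges or kernel support). Wrapping each return with its step would make the report diagnosable, e.g. `return nil, fmt.Errorf("initializing iptables handle: %w", err)` and `return nil, fmt.Errorf("listing nat OUTPUT chain: %w", err)`. The start of the function is in the previous hunk.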