Diffstat (limited to 'vendor')
-rw-r--r--vendor/github.com/coreos/go-iptables/iptables/iptables.go112
-rw-r--r--vendor/modules.txt4
2 files changed, 89 insertions, 27 deletions
diff --git a/vendor/github.com/coreos/go-iptables/iptables/iptables.go b/vendor/github.com/coreos/go-iptables/iptables/iptables.go
index 1074275b0..8d6f68906 100644
--- a/vendor/github.com/coreos/go-iptables/iptables/iptables.go
+++ b/vendor/github.com/coreos/go-iptables/iptables/iptables.go
@@ -31,7 +31,6 @@ type Error struct {
exec.ExitError
cmd exec.Cmd
msg string
- proto Protocol
exitStatus *int //for overriding
}
@@ -51,9 +50,8 @@ func (e *Error) IsNotExist() bool {
if e.ExitStatus() != 1 {
return false
}
- cmdIptables := getIptablesCommand(e.proto)
- msgNoRuleExist := fmt.Sprintf("%s: Bad rule (does a matching rule exist in that chain?).\n", cmdIptables)
- msgNoChainExist := fmt.Sprintf("%s: No chain/target/match by that name.\n", cmdIptables)
+ msgNoRuleExist := "Bad rule (does a matching rule exist in that chain?).\n"
+ msgNoChainExist := "No chain/target/match by that name.\n"
return strings.Contains(e.msg, msgNoRuleExist) || strings.Contains(e.msg, msgNoChainExist)
}
@@ -75,6 +73,7 @@ type IPTables struct {
v2 int
v3 int
mode string // the underlying iptables operating mode, e.g. nf_tables
+ timeout int // time to wait for the iptables lock, default waits forever
}
// Stat represents a structured statistic entry.
@@ -91,19 +90,42 @@ type Stat struct {
Options string `json:"options"`
}
-// New creates a new IPTables.
-// For backwards compatibility, this always uses IPv4, i.e. "iptables".
-func New() (*IPTables, error) {
- return NewWithProtocol(ProtocolIPv4)
+type option func(*IPTables)
+
+func IPFamily(proto Protocol) option {
+ return func(ipt *IPTables) {
+ ipt.proto = proto
+ }
}
-// New creates a new IPTables for the given proto.
-// The proto will determine which command is used, either "iptables" or "ip6tables".
-func NewWithProtocol(proto Protocol) (*IPTables, error) {
- path, err := exec.LookPath(getIptablesCommand(proto))
+func Timeout(timeout int) option {
+ return func(ipt *IPTables) {
+ ipt.timeout = timeout
+ }
+}
+
+// New creates a new IPTables configured with the options passed as parameter.
+// For backwards compatibility, by default always uses IPv4 and timeout 0.
+// i.e. you can create an IPv6 IPTables using a timeout of 5 seconds passing
+// the IPFamily and Timeout options as follow:
+// ip6t := New(IPFamily(ProtocolIPv6), Timeout(5))
+func New(opts ...option) (*IPTables, error) {
+
+ ipt := &IPTables{
+ proto: ProtocolIPv4,
+ timeout: 0,
+ }
+
+ for _, opt := range opts {
+ opt(ipt)
+ }
+
+ path, err := exec.LookPath(getIptablesCommand(ipt.proto))
if err != nil {
return nil, err
}
+ ipt.path = path
+
vstring, err := getIptablesVersionString(path)
if err != nil {
return nil, fmt.Errorf("could not get iptables version: %v", err)
@@ -112,21 +134,23 @@ func NewWithProtocol(proto Protocol) (*IPTables, error) {
if err != nil {
return nil, fmt.Errorf("failed to extract iptables version from [%s]: %v", vstring, err)
}
+ ipt.v1 = v1
+ ipt.v2 = v2
+ ipt.v3 = v3
+ ipt.mode = mode
checkPresent, waitPresent, randomFullyPresent := getIptablesCommandSupport(v1, v2, v3)
+ ipt.hasCheck = checkPresent
+ ipt.hasWait = waitPresent
+ ipt.hasRandomFully = randomFullyPresent
- ipt := IPTables{
- path: path,
- proto: proto,
- hasCheck: checkPresent,
- hasWait: waitPresent,
- hasRandomFully: randomFullyPresent,
- v1: v1,
- v2: v2,
- v3: v3,
- mode: mode,
- }
- return &ipt, nil
+ return ipt, nil
+}
+
+// New creates a new IPTables for the given proto.
+// The proto will determine which command is used, either "iptables" or "ip6tables".
+func NewWithProtocol(proto Protocol) (*IPTables, error) {
+ return New(IPFamily(proto), Timeout(0))
}
// Proto returns the protocol used by this IPTables.
@@ -185,6 +209,14 @@ func (ipt *IPTables) Delete(table, chain string, rulespec ...string) error {
return ipt.run(cmd...)
}
+func (ipt *IPTables) DeleteIfExists(table, chain string, rulespec ...string) error {
+ exists, err := ipt.Exists(table, chain, rulespec...)
+ if err == nil && exists {
+ err = ipt.Delete(table, chain, rulespec...)
+ }
+ return err
+}
+
// List rules in specified table/chain
func (ipt *IPTables) List(table, chain string) ([]string, error) {
args := []string{"-t", table, "-S", chain}
@@ -222,6 +254,21 @@ func (ipt *IPTables) ListChains(table string) ([]string, error) {
return chains, nil
}
+// '-S' is fine with non existing rule index as long as the chain exists
+// therefore pass index 1 to reduce overhead for large chains
+func (ipt *IPTables) ChainExists(table, chain string) (bool, error) {
+ err := ipt.run("-t", table, "-S", chain, "1")
+ eerr, eok := err.(*Error)
+ switch {
+ case err == nil:
+ return true, nil
+ case eok && eerr.ExitStatus() == 1:
+ return false, nil
+ default:
+ return false, err
+ }
+}
+
// Stats lists rules including the byte and packet counts
func (ipt *IPTables) Stats(table, chain string) ([][]string, error) {
args := []string{"-t", table, "-L", chain, "-n", "-v", "-x"}
@@ -401,6 +448,18 @@ func (ipt *IPTables) DeleteChain(table, chain string) error {
return ipt.run("-t", table, "-X", chain)
}
+func (ipt *IPTables) ClearAndDeleteChain(table, chain string) error {
+ exists, err := ipt.ChainExists(table, chain)
+ if err != nil || !exists {
+ return err
+ }
+ err = ipt.run("-t", table, "-F", chain)
+ if err == nil {
+ err = ipt.run("-t", table, "-X", chain)
+ }
+ return err
+}
+
// ChangePolicy changes policy on chain to target
func (ipt *IPTables) ChangePolicy(table, chain, target string) error {
return ipt.run("-t", table, "-P", chain, target)
@@ -428,6 +487,9 @@ func (ipt *IPTables) runWithOutput(args []string, stdout io.Writer) error {
args = append([]string{ipt.path}, args...)
if ipt.hasWait {
args = append(args, "--wait")
+ if ipt.timeout != 0 {
+ args = append(args, strconv.Itoa(ipt.timeout))
+ }
} else {
fmu, err := newXtablesFileLock()
if err != nil {
@@ -452,7 +514,7 @@ func (ipt *IPTables) runWithOutput(args []string, stdout io.Writer) error {
if err := cmd.Run(); err != nil {
switch e := err.(type) {
case *exec.ExitError:
- return &Error{*e, cmd, stderr.String(), ipt.proto, nil}
+ return &Error{*e, cmd, stderr.String(), nil}
default:
return err
}
diff --git a/vendor/modules.txt b/vendor/modules.txt
index b5e8d974e..875bc3f89 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -65,7 +65,7 @@ github.com/containernetworking/cni/pkg/types/020
github.com/containernetworking/cni/pkg/types/current
github.com/containernetworking/cni/pkg/utils
github.com/containernetworking/cni/pkg/version
-# github.com/containernetworking/plugins v0.9.0
+# github.com/containernetworking/plugins v0.9.1
github.com/containernetworking/plugins/pkg/ip
github.com/containernetworking/plugins/pkg/ns
github.com/containernetworking/plugins/pkg/utils/hwaddr
@@ -226,7 +226,7 @@ github.com/containers/storage/pkg/system
github.com/containers/storage/pkg/tarlog
github.com/containers/storage/pkg/truncindex
github.com/containers/storage/pkg/unshare
-# github.com/coreos/go-iptables v0.4.5
+# github.com/coreos/go-iptables v0.5.0
github.com/coreos/go-iptables/iptables
# github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e
github.com/coreos/go-systemd/activation