Fix iptables option (#47)

* use iptables --match-set instead of deprecated --set option Signed-off-by: lyyao09 <lyyao09@163.com> * fix wrong spelling Signed-off-by: lyyao09 <lyyao09@163.com>
nirmata · Jul 14, 2020 · 60bd207 · 60bd207
1 parent 73e0eef
commit 60bd207
Show file tree

Hide file tree

Showing 4 changed files with 12 additions and 11 deletions.
diff --git a/.gitignore b/.gitignore
@@ -1 +1,2 @@
 egressip-controller
+.idea
diff --git a/pkg/controller/controller.go b/pkg/controller/controller.go
@@ -437,7 +437,7 @@ func (c *Controller) updateStaticEgressIP(old, current interface{}) {
 					}
 				}
 				if isGateway {
-					err = c.trafficDirector.ClaerStaleRouteToGateway(generateRuleId(oldStaticEgressIPObj.Namespace, oldStaticEgressIPObj.Name, i), rule.Cidr, rule.EgressIP)
+					err = c.trafficDirector.ClearStaleRouteToGateway(generateRuleId(oldStaticEgressIPObj.Namespace, oldStaticEgressIPObj.Name, i), rule.Cidr, rule.EgressIP)
 					if err != nil {
 						glog.Errorf("Failed to cleanup old rules configured for gateway", err.Error())
 					}

diff --git a/pkg/director/director.go b/pkg/director/director.go
@@ -124,7 +124,7 @@ func (d *EgressDirector) AddRouteToGateway(setName string, sourceIPs []string, d
 
 	// create iptables rule in mangle table PREROUTING chain to match src to ipset created and destination
 	// matching  destinationIP then fwmark the packets
-	ruleSpec := []string{"-m", "set", "--set", setName, "src", "-d", destinationIP, "-j", "MARK", "--set-mark", staticEgressIPFWMARK}
+	ruleSpec := []string{"-m", "set", "--match-set", setName, "src", "-d", destinationIP, "-j", "MARK", "--set-mark", staticEgressIPFWMARK}
 	hasRule, err := d.ipt.Exists("mangle", "PREROUTING", ruleSpec...)
 	if err != nil {
 		return errors.New("Failed to verify rule exists in PREROUTING chain of mangle table to fwmark egress traffic that needs static egress IP" + err.Error())
@@ -138,7 +138,7 @@ func (d *EgressDirector) AddRouteToGateway(setName string, sourceIPs []string, d
 	}
 	glog.Infof("iptables rule in mangle table PREROUTING chain to match src to ipset")
 
-	ruleSpec = []string{"-m", "set", "--set", setName, "src", "-d", destinationIP, "-j", "ACCEPT"}
+	ruleSpec = []string{"-m", "set", "--match-set", setName, "src", "-d", destinationIP, "-j", "ACCEPT"}
 	hasRule, err = d.ipt.Exists("nat", bypassCNIMasquradeChainName, ruleSpec...)
 	if err != nil {
 		return errors.New("Failed to verify rule exists in BYPASS_CNI_MASQURADE chain of nat table to bypass the CNI masqurade" + err.Error())
@@ -200,7 +200,7 @@ func (d *EgressDirector) DeleteRouteToGateway(setName string, destinationIP, egr
 
 	// create iptables rule in mangle table PREROUTING chain to match src to ipset created and destination
 	// matching  destinationIP then fwmark the packets
-	ruleSpec := []string{"-m", "set", "--set", setName, "src", "-d", destinationIP, "-j", "MARK", "--set-mark", staticEgressIPFWMARK}
+	ruleSpec := []string{"-m", "set", "--match-set", setName, "src", "-d", destinationIP, "-j", "MARK", "--set-mark", staticEgressIPFWMARK}
 	hasRule, err := d.ipt.Exists("mangle", "PREROUTING", ruleSpec...)
 	if err != nil {
 		return errors.New("Failed to verify rule exists in PREROUTING chain of mangle table to fwmark egress traffic that needs static egress IP" + err.Error())
@@ -213,7 +213,7 @@ func (d *EgressDirector) DeleteRouteToGateway(setName string, destinationIP, egr
 		glog.Infof("deleted rule in PREROUTING chain of mangle table to fwmark egress traffic that needs static egress IP")
 	}
 
-	ruleSpec = []string{"-m", "set", "--set", setName, "src", "-d", destinationIP, "-j", "ACCEPT"}
+	ruleSpec = []string{"-m", "set", "--match-set", setName, "src", "-d", destinationIP, "-j", "ACCEPT"}
 	hasRule, err = d.ipt.Exists("nat", bypassCNIMasquradeChainName, ruleSpec...)
 	if err != nil {
 		return errors.New("Failed to verify rule exists in BYPASS_CNI_MASQURADE chain of nat table to bypass the CNI masqurade" + err.Error())
@@ -245,11 +245,11 @@ func (d *EgressDirector) DeleteRouteToGateway(setName string, destinationIP, egr
 	return nil
 }
 
-func (d *EgressDirector) ClaerStaleRouteToGateway(setName string, destinationIP, egressGateway string) error {
+func (d *EgressDirector) ClearStaleRouteToGateway(setName string, destinationIP, egressGateway string) error {
 
 	// create iptables rule in mangle table PREROUTING chain to match src to ipset created and destination
 	// matching  destinationIP then fwmark the packets
-	ruleSpec := []string{"-m", "set", "--set", setName, "src", "-d", destinationIP, "-j", "MARK", "--set-mark", staticEgressIPFWMARK}
+	ruleSpec := []string{"-m", "set", "--match-set", setName, "src", "-d", destinationIP, "-j", "MARK", "--set-mark", staticEgressIPFWMARK}
 	hasRule, err := d.ipt.Exists("mangle", "PREROUTING", ruleSpec...)
 	if err != nil {
 		return errors.New("Failed to verify rule exists in PREROUTING chain of mangle table to fwmark egress traffic that needs static egress IP" + err.Error())
@@ -262,7 +262,7 @@ func (d *EgressDirector) ClaerStaleRouteToGateway(setName string, destinationIP,
 		glog.Infof("deleted rule in PREROUTING chain of mangle table to fwmark egress traffic that needs static egress IP")
 	}
 
-	ruleSpec = []string{"-m", "set", "--set", setName, "src", "-d", destinationIP, "-j", "ACCEPT"}
+	ruleSpec = []string{"-m", "set", "--match-set", setName, "src", "-d", destinationIP, "-j", "ACCEPT"}
 	hasRule, err = d.ipt.Exists("nat", bypassCNIMasquradeChainName, ruleSpec...)
 	if err != nil {
 		return errors.New("Failed to verify rule exists in BYPASS_CNI_MASQURADE chain of nat table to bypass the CNI masqurade" + err.Error())

diff --git a/pkg/gateway/gateway.go b/pkg/gateway/gateway.go
@@ -95,7 +95,7 @@ func (gateway *EgressGateway) AddStaticIptablesRule(setName string, sourceIPs []
 	}
 	glog.Infof("Added ips %v to the ipset name: %s", sourceIPs, setName)
 
-	ruleSpec := []string{"-m", "set", "--set", setName, "src", "-d", destinationIP, "-j", "ACCEPT"}
+	ruleSpec := []string{"-m", "set", "--match-set", setName, "src", "-d", destinationIP, "-j", "ACCEPT"}
 	hasRule, err := gateway.ipt.Exists("filter", egressGatewayFWChainName, ruleSpec...)
 	if err != nil {
 		return errors.New("Failed to verify rule exists in " + egressGatewayFWChainName + " chain of filter table" + err.Error())
@@ -142,7 +142,7 @@ func (gateway *EgressGateway) DeleteStaticIptablesRule(setName string, destinati
 	}
 
 	// delete rule in FORWARD chain of filter table
-	ruleSpec = []string{"-m", "set", "--set", setName, "src", "-d", destinationIP, "-j", "ACCEPT"}
+	ruleSpec = []string{"-m", "set", "--match-set", setName, "src", "-d", destinationIP, "-j", "ACCEPT"}
 	hasRule, err := gateway.ipt.Exists("filter", egressGatewayFWChainName, ruleSpec...)
 	if err != nil {
 		return errors.New("Failed to verify rule exists in " + egressGatewayFWChainName + " chain of filter table" + err.Error())
@@ -176,7 +176,7 @@ func (gateway *EgressGateway) ClearStaticIptablesRule(setName string, destinatio
 	}
 
 	// delete rule in FORWARD chain of filter table
-	ruleSpec = []string{"-m", "set", "--set", setName, "src", "-d", destinationIP, "-j", "ACCEPT"}
+	ruleSpec = []string{"-m", "set", "--match-set", setName, "src", "-d", destinationIP, "-j", "ACCEPT"}
 	hasRule, err := gateway.ipt.Exists("filter", egressGatewayFWChainName, ruleSpec...)
 	if err != nil {
 		return errors.New("Failed to verify rule exists in " + egressGatewayFWChainName + " chain of filter table" + err.Error())