...

Source file src/k8s.io/kubernetes/pkg/util/iptables/iptables_linux.go

Documentation: k8s.io/kubernetes/pkg/util/iptables

     1  //go:build linux
     2  // +build linux
     3  
     4  /*
     5  Copyright 2017 The Kubernetes Authors.
     6  
     7  Licensed under the Apache License, Version 2.0 (the "License");
     8  you may not use this file except in compliance with the License.
     9  You may obtain a copy of the License at
    10  
    11      http://www.apache.org/licenses/LICENSE-2.0
    12  
    13  Unless required by applicable law or agreed to in writing, software
    14  distributed under the License is distributed on an "AS IS" BASIS,
    15  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    16  See the License for the specific language governing permissions and
    17  limitations under the License.
    18  */
    19  
    20  package iptables
    21  
    22  import (
    23  	"fmt"
    24  	"net"
    25  	"os"
    26  	"time"
    27  
    28  	"golang.org/x/sys/unix"
    29  	utilerrors "k8s.io/apimachinery/pkg/util/errors"
    30  	"k8s.io/apimachinery/pkg/util/wait"
    31  )
    32  
// locker holds the handles that represent ownership of the iptables locks
// taken by grabIptablesLocks. A nil field means that lock is not held.
type locker struct {
	// lock16 is the open lock file used for the iptables 1.6.x-style lock.
	lock16 *os.File
	// lock14 is the Unix listener used for the iptables 1.4.x-style lock.
	lock14 *net.UnixListener
}
    37  
// Close releases every lock handle the locker currently holds. Both handles
// are always attempted, even if the first Close fails, and any failures are
// returned together as a single aggregate error.
func (l *locker) Close() error {
	var errs []error

	if f := l.lock16; f != nil {
		if err := f.Close(); err != nil {
			errs = append(errs, err)
		}
	}

	if ln := l.lock14; ln != nil {
		if err := ln.Close(); err != nil {
			errs = append(errs, err)
		}
	}

	return utilerrors.NewAggregate(errs)
}
    52  
// grabIptablesLocks acquires both the iptables 1.6.x-style file lock at
// lockfilePath16x and the 1.4.x-style Unix-socket lock at lockfilePath14x.
// Each acquisition is attempted immediately and then retried every 200ms
// for up to 2s. On success the returned iptablesLocker holds both locks and
// must be closed by the caller. On failure anything acquired so far is
// closed before the error is returned.
func grabIptablesLocks(lockfilePath14x, lockfilePath16x string) (iptablesLocker, error) {
	const (
		retryEvery  = 200 * time.Millisecond
		giveUpAfter = 2 * time.Second
	)

	var (
		err      error
		acquired bool
	)

	held := &locker{}
	defer func() {
		// Release partial state unless both locks were obtained. The Close
		// error is dropped here: this is best-effort cleanup on a path that
		// is already returning an error.
		if acquired {
			return
		}
		held.Close()
	}()

	// Both lock styles are taken because an iptables-restore without
	// --wait support could be either version, so the locking method it
	// will use is unknown.

	// 1.6.x style, roughly mirroring iptables' xtables_lock(): open (or
	// create) the lock file, then flock it. The 0600 mode only matters when
	// this call creates the file.
	held.lock16, err = os.OpenFile(lockfilePath16x, os.O_CREATE, 0600)
	if err != nil {
		return nil, fmt.Errorf("failed to open iptables lock %s: %v", lockfilePath16x, err)
	}

	// Every flock failure is reported to the poller as "not yet", so the
	// underlying error is never surfaced; on timeout the caller only sees
	// the poll's own error.
	tryFileLock := func() (bool, error) {
		return grabIptablesFileLock(held.lock16) == nil, nil
	}
	if pollErr := wait.PollImmediate(retryEvery, giveUpAfter, tryFileLock); pollErr != nil {
		return nil, fmt.Errorf("failed to acquire new iptables lock: %v", pollErr)
	}

	// 1.4.x style, roughly mirroring the older xtables_lock(): the lock is
	// held by listening on a Unix socket address. As above, listen errors
	// are retried rather than reported.
	tryListen := func() (bool, error) {
		held.lock14, err = net.ListenUnix("unix", &net.UnixAddr{Name: lockfilePath14x, Net: "unix"})
		return err == nil, nil
	}
	if pollErr := wait.PollImmediate(retryEvery, giveUpAfter, tryListen); pollErr != nil {
		return nil, fmt.Errorf("failed to acquire old iptables lock: %v", pollErr)
	}

	acquired = true
	return held, nil
}
    98  
// grabIptablesFileLock tries to take an exclusive flock on f without
// blocking. It returns nil when the lock was obtained and the flock error
// otherwise (for example when another process already holds the lock).
func grabIptablesFileLock(f *os.File) error {
	// LOCK_NB makes the call fail immediately instead of waiting, which
	// lets the caller drive its own retry loop.
	const how = unix.LOCK_EX | unix.LOCK_NB

	fd := int(f.Fd())
	return unix.Flock(fd, how)
}
   102  
