github/node-problem-detector
1
0
Fork 0
mirror of https://github.com/kubernetes/node-problem-detector.git synced 2026-03-02 01:30:26 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #844 from aojea/iptables

Browse Source 
custom iptables version monitor plugin
This commit is contained in:
Kubernetes Prow Robot
2024-01-03 21:18:06 +01:00
committed by GitHub
parent 3704fa72a9 552b530e0b
commit e9eddcc6d3
2 changed files with 50 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
config/iptables-mode-monitor.json Normal file
View File

@@ -0,0 +1,20 @@
{
"plugin": "custom",
"pluginConfig": {
"invoke_interval": "86400s",
"timeout": "5s",
"max_output_length": 80,
"concurrency": 1
},
"source": "iptables-mode-monitor",
"metricsReporting": true,
"conditions": [],
"rules": [
{
"type": "temporary",
"reason": "IPTablesVersionsMismatch",
"path": "./config/plugin/iptables_mode.sh",
"timeout": "5s"
}
]
}

30
config/plugin/iptables_mode.sh Executable file
View File

@@ -0,0 +1,30 @@
#!/bin/bash
# As of iptables 1.8, the iptables command line clients come in two different versions/modes: "legacy",
# which uses the kernel iptables API just like iptables 1.6 and earlier did, and "nft", which translates
# the iptables command-line API into the kernel nftables API.
# Because they connect to two different subsystems in the kernel, you cannot mix rules from different versions.
# Ref: https://github.com/kubernetes-sigs/iptables-wrappers
readonly OK=0
readonly NONOK=1
readonly UNKNOWN=2
# based on: https://github.com/kubernetes-sigs/iptables-wrappers/blob/97b01f43a8e8db07840fc4b95e833a37c0d36b12/iptables-wrapper-installer.sh
readonly num_legacy_lines=$( (iptables-legacy-save || true; ip6tables-legacy-save || true) 2>/dev/null | grep -c '^-' || true)
readonly num_nft_lines=$( (timeout 5 sh -c "iptables-nft-save; ip6tables-nft-save" || true) 2>/dev/null | grep -c '^-' || true)
if [ "$num_legacy_lines" -gt 0 ] && [ "$num_nft_lines" -gt 0 ]; then
echo "Found rules from both versions, iptables-legacy: ${num_legacy_lines} iptables-nft: ${num_nft_lines}"
echo $NONOK
elif [ "$num_legacy_lines" -gt 0 ] && [ "$num_nft_lines" -eq 0 ]; then
echo "Using iptables-legacy: ${num_legacy_lines} rules"
echo $OK
elif [ "$num_legacy_lines" -eq 0 ] && [ "$num_nft_lines" -gt 0 ]; then
echo "Using iptables-nft: ${num_nft_lines} rules"
echo $OK
else
echo "No iptables rules found"
echo $UNKNOWN
fi