Split addIptRules into insertIptRules & appendIptRules

Signed-off-by: Surya Seetharaman <suryaseetharaman.9@gmail.com>
ovn-org · Jan 27, 2023 · a37c4f9 · a37c4f9
1 parent b36148a
commit a37c4f9
Show file tree

Hide file tree

Showing 3 changed files with 28 additions and 11 deletions.
diff --git a/go-controller/pkg/node/gateway_iptables.go b/go-controller/pkg/node/gateway_iptables.go
@@ -62,10 +62,11 @@ type iptRule struct {
 	protocol iptables.Protocol
 }
 
-func addIptRules(rules []iptRule) error {
+func addIptRules(rules []iptRule, append bool) error {
 	addErrors := errors.New("")
 	var err error
 	var ipt util.IPTablesHelper
+	var exists bool
 	for _, r := range rules {
 		klog.V(5).Infof("Adding rule in table: %s, chain: %s with args: \"%s\" for protocol: %v ",
 			r.table, r.chain, strings.Join(r.args, " "), r.protocol)
@@ -78,9 +79,13 @@ func addIptRules(rules []iptRule) error {
 			klog.V(5).Infof("Chain: \"%s\" in table: \"%s\" already exists, skipping creation: %v",
 				r.chain, r.table, err)
 		}
-		exists, err := ipt.Exists(r.table, r.chain, r.args...)
+		exists, err = ipt.Exists(r.table, r.chain, r.args...)
 		if !exists && err == nil {
-			err = ipt.Insert(r.table, r.chain, 1, r.args...)
+			if append {
+				err = ipt.Append(r.table, r.chain, r.args...)
+			} else {
+				err = ipt.Insert(r.table, r.chain, 1, r.args...)
+			}
 		}
 		if err != nil {
 			addErrors = errors.Wrapf(addErrors, "failed to add iptables %s/%s rule %q: %v",
@@ -93,6 +98,18 @@ func addIptRules(rules []iptRule) error {
 	return addErrors
 }
 
+// insertIptRules adds the provided rules in an insert fashion
+// i.e each rule gets added at the first position in the chain
+func insertIptRules(rules []iptRule) error {
+	return addIptRules(rules, false)
+}
+
+// appendIptRules adds the provided rules in an append fashion
+// i.e each rule gets added at the last position in the chain
+func appendIptRules(rules []iptRule) error {
+	return addIptRules(rules, true)
+}
+
 func delIptRules(rules []iptRule) error {
 	delErrors := errors.New("")
 	var err error
@@ -381,7 +398,7 @@ func getLocalGatewayNATRules(ifname string, cidr *net.IPNet) []iptRule {
 
 // initLocalGatewayNATRules sets up iptables rules for interfaces
 func initLocalGatewayNATRules(ifname string, cidr *net.IPNet) error {
-	return addIptRules(getLocalGatewayNATRules(ifname, cidr))
+	return insertIptRules(getLocalGatewayNATRules(ifname, cidr))
 }
 
 func addChaintoTable(ipt util.IPTablesHelper, tableName, chain string) {
@@ -413,14 +430,14 @@ func handleGatewayIPTables(iptCallback func(rules []iptRule) error, genGatewayCh
 }
 
 func initSharedGatewayIPTables() error {
-	if err := handleGatewayIPTables(addIptRules, getGatewayInitRules); err != nil {
+	if err := handleGatewayIPTables(insertIptRules, getGatewayInitRules); err != nil {
 		return err
 	}
 	return nil
 }
 
 func initLocalGatewayIPTables() error {
-	if err := handleGatewayIPTables(addIptRules, getGatewayInitRules); err != nil {
+	if err := handleGatewayIPTables(insertIptRules, getGatewayInitRules); err != nil {
 		return err
 	}
 	return nil
@@ -453,7 +470,7 @@ func recreateIPTRules(table, chain string, keepIPTRules []iptRule) error {
 			errors = append(errors, fmt.Errorf("error clearing chain: %s in table: %s, err: %v", chain, table, err))
 		}
 	}
-	if err = addIptRules(keepIPTRules); err != nil {
+	if err = insertIptRules(keepIPTRules); err != nil {
 		errors = append(errors, err)
 	}
 	return apierrors.NewAggregate(errors)

diff --git a/go-controller/pkg/node/gateway_localnet_linux_test.go b/go-controller/pkg/node/gateway_localnet_linux_test.go
@@ -289,7 +289,7 @@ var _ = Describe("Node Operations", func() {
 				)
 
 				fakeRules := getExternalIPTRules(service.Spec.Ports[0], externalIP, service.Spec.ClusterIP, false, false)
-				Expect(addIptRules(fakeRules)).To(Succeed())
+				Expect(insertIptRules(fakeRules)).To(Succeed())
 				fakeRules = getExternalIPTRules(
 					v1.ServicePort{
 						Port:     27000,
@@ -301,7 +301,7 @@ var _ = Describe("Node Operations", func() {
 					false,
 					false,
 				)
-				Expect(addIptRules(fakeRules)).To(Succeed())
+				Expect(insertIptRules(fakeRules)).To(Succeed())
 
 				expectedTables := map[string]util.FakeTable{
 					"nat": {

diff --git a/go-controller/pkg/node/gateway_shared_intf_linux.go b/go-controller/pkg/node/gateway_shared_intf_linux.go
@@ -62,7 +62,7 @@ func deleteLocalNodeAccessBridge() error {
 func addGatewayIptRules(service *kapi.Service, localEndpoints []string, svcHasLocalHostNetEndPnt bool) error {
 	rules := getGatewayIPTRules(service, localEndpoints, svcHasLocalHostNetEndPnt)
 
-	if err := addIptRules(rules); err != nil {
+	if err := insertIptRules(rules); err != nil {
 		return fmt.Errorf("failed to add iptables rules for service %s/%s: %v",
 			service.Namespace, service.Name, err)
 	}
@@ -128,7 +128,7 @@ func updateEgressSVCIptRules(svc *kapi.Service, npw *nodePortWatcher) error {
 
 	// Add rules for endpoints without one.
 	addRules := egressSVCIPTRulesForEndpoints(svc, v4ToAdd, v6ToAdd)
-	if err := addIptRules(addRules); err != nil {
+	if err := insertIptRules(addRules); err != nil {
 		return fmt.Errorf("failed to add iptables rules for service %s/%s during update: %v",
 			svc.Namespace, svc.Name, err)
 	}