Merge pull request kubernetes#95906 from harche/iptables_fix

k8s-ci-robot · web-flow · commit 36d12390a724 · 2020-11-17T22:08:04.000-08:00
Verify iptable rules are applied for tcp, udp and icmp
diff --git a/test/e2e_node/remote/utils.go b/test/e2e_node/remote/utils.go
@@ -19,7 +19,6 @@ package remote
 import (
 	"fmt"
 	"path/filepath"
-	"strings"
 
 	"k8s.io/klog/v2"
 )
@@ -79,35 +78,21 @@ func setupCNI(host, workspace string) error {
 
 // configureFirewall configures iptable firewall rules.
 func configureFirewall(host string) error {
-	klog.V(2).Infof("Configure iptables firewall rules on %q", host)
-	// TODO: consider calling bootstrap script to configure host based on OS
-	output, err := SSH(host, "iptables", "-L", "INPUT")
-	if err != nil {
-		return fmt.Errorf("failed to get iptables INPUT on %q: %v output: %q", host, err, output)
-	}
-	if strings.Contains(output, "Chain INPUT (policy DROP)") {
-		cmd := getSSHCommand("&&",
-			"(iptables -C INPUT -w -p TCP -j ACCEPT || iptables -A INPUT -w -p TCP -j ACCEPT)",
-			"(iptables -C INPUT -w -p UDP -j ACCEPT || iptables -A INPUT -w -p UDP -j ACCEPT)",
-			"(iptables -C INPUT -w -p ICMP -j ACCEPT || iptables -A INPUT -w -p ICMP -j ACCEPT)")
-		output, err := SSH(host, "sh", "-c", cmd)
-		if err != nil {
-			return fmt.Errorf("failed to configured firewall on %q: %v output: %v", host, err, output)
-		}
-	}
-	output, err = SSH(host, "iptables", "-L", "FORWARD")
+	klog.V(2).Infof("Configure iptables HEYHO firewall rules on %q", host)
+
+	// Since the goal is to enable connectivity without taking into account current rule,
+	// we can just prepend the accept rules directly without any check
+	cmd := getSSHCommand("&&",
+		"iptables -I INPUT 1 -w -p tcp -j ACCEPT",
+		"iptables -I INPUT 1 -w -p udp -j ACCEPT",
+		"iptables -I INPUT 1 -w -p icmp -j ACCEPT",
+		"iptables -I FORWARD 1 -w -p tcp -j ACCEPT",
+		"iptables -I FORWARD 1 -w -p udp -j ACCEPT",
+		"iptables -I FORWARD 1 -w -p icmp -j ACCEPT",
+	)
+	output, err := SSH(host, "sh", "-c", cmd)
 	if err != nil {
-		return fmt.Errorf("failed to get iptables FORWARD on %q: %v output: %q", host, err, output)
-	}
-	if strings.Contains(output, "Chain FORWARD (policy DROP)") {
-		cmd := getSSHCommand("&&",
-			"(iptables -C FORWARD -w -p TCP -j ACCEPT || iptables -A FORWARD -w -p TCP -j ACCEPT)",
-			"(iptables -C FORWARD -w -p UDP -j ACCEPT || iptables -A FORWARD -w -p UDP -j ACCEPT)",
-			"(iptables -C FORWARD -w -p ICMP -j ACCEPT || iptables -A FORWARD -w -p ICMP -j ACCEPT)")
-		output, err = SSH(host, "sh", "-c", cmd)
-		if err != nil {
-			return fmt.Errorf("failed to configured firewall on %q: %v output: %v", host, err, output)
-		}
+		return fmt.Errorf("failed to configured firewall on %q: %v output: %v", host, err, output)
 	}
 	return nil
 }
