diff --git a/config/iptables-mode-monitor.json b/config/iptables-mode-monitor.json
new file mode 100644
index 000000000..0f7becc4c
--- /dev/null
+++ b/config/iptables-mode-monitor.json
@@ -0,0 +1,20 @@
+{
+ "plugin": "custom",
+ "pluginConfig": {
+ "invoke_interval": "86400s",
+ "timeout": "5s",
+ "max_output_length": 80,
+ "concurrency": 1
+ },
+ "source": "iptables-mode-monitor",
+ "metricsReporting": true,
+ "conditions": [],
+ "rules": [
+ {
+ "type": "temporary",
+ "reason": "IPTablesVersionsMismatch",
+ "path": "./config/plugin/iptables_mode.sh",
+ "timeout": "5s"
+ }
+ ]
+}
diff --git a/config/plugin/iptables_mode.sh b/config/plugin/iptables_mode.sh
new file mode 100755
index 000000000..2edc3e67b
--- /dev/null
+++ b/config/plugin/iptables_mode.sh
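Review bot: The rule-level `"timeout": "5s"` on the `./config/plugin/iptables_mode.sh` rule is the same five seconds the script itself grants the nft dump (`timeout 5 sh -c "iptables-nft-save; ip6tables-nft-save"` in the second hunk), and the legacy dump that runs before it has no inner bound at all, so a stalled dump gets the plugin killed before the script prints any status and the check produces no verdict rather than an Unknown one. Either raise the plugin budget above the sum of the inner ones, e.g. `"timeout": "15s"`, or give both dumps inner timeouts that together stay under the plugin timeout. The `pluginConfig` `"timeout": "5s"` a few lines above presumably acts as the default for rules without their own; which of the two wins when both are set should be confirmed against the plugin runner and noted in a comment next to the rule.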
@@ -0,0 +1,30 @@
+#!/bin/bash
+
+# As of iptables 1.8, the iptables command line clients come in two different versions/modes: "legacy",
+# which uses the kernel iptables API just like iptables 1.6 and earlier did, and "nft", which translates
+# the iptables command-line API into the kernel nftables API.
+# Because they connect to two different subsystems in the kernel, you cannot mix rules from different versions.
+# Ref: https://github.com/kubernetes-sigs/iptables-wrappers
+
+readonly OK=0
+readonly NONOK=1
+readonly UNKNOWN=2
+
+# based on: https://github.com/kubernetes-sigs/iptables-wrappers/blob/97b01f43a8e8db07840fc4b95e833a37c0d36b12/iptables-wrapper-installer.sh
+readonly num_legacy_lines=$( (iptables-legacy-save || true; ip6tables-legacy-save || true) 2>/dev/null | grep -c '^-' || true)
+readonly num_nft_lines=$( (timeout 5 sh -c "iptables-nft-save; ip6tables-nft-save" || true) 2>/dev/null | grep -c '^-' || true)
+
+
+if [ "$num_legacy_lines" -gt 0 ] && [ "$num_nft_lines" -gt 0 ]; then
+ echo "Found rules from both versions, iptables-legacy: ${num_legacy_lines} iptables-nft: ${num_nft_lines}"
+ echo $NONOK
+elif [ "$num_legacy_lines" -gt 0 ] && [ "$num_nft_lines" -eq 0 ]; then
+ echo "Using iptables-legacy: ${num_legacy_lines} rules"
+ echo $OK
+elif [ "$num_legacy_lines" -eq 0 ] && [ "$num_nft_lines" -gt 0 ]; then
+ echo "Using iptables-nft: ${num_nft_lines} rules"
+ echo $OK
+else
+ echo "No iptables rules found"
+ echo $UNKNOWN
+fi
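Review bot: The status constants on the `echo $NONOK`, `echo $OK` and `echo $UNKNOWN` lines are written to stdout instead of being returned, so the script exits 0 on every path and the digit becomes a second line of the message; if the plugin status is taken from the exit code, as the `OK`/`NONOK`/`UNKNOWN` names suggest, a mixed legacy/nft ruleset would still be reported as OK. Replace each of the four with `exit "$NONOK"`, `exit "$OK"` or `exit "$UNKNOWN"` as appropriate so the message stays a single line and the status is carried by the exit code. Separately, because stderr is discarded and `|| true` masks failures on the two `readonly num_*_lines` assignments, a host without the `iptables-legacy-save` or `iptables-nft-save` binaries is indistinguishable from one with zero rules for that backend; that is a reasonable choice but deserves a comment above those lines such as `# a missing *-save binary (or a failed dump) counts as zero rules for that backend`.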