From fbf8dd9217ff61a8bc5a22ee720602aa053b52cd Mon Sep 17 00:00:00 2001 From: ssup2 Date: Sat, 19 Dec 2020 14:36:09 +0000 Subject: [PATCH] Remove not track DNS rule --- README.md | 30 ---- controllers/service_controller.go | 63 -------- issues/DNS_packet_dropped_issue.md | 72 --------- pkg/configs/configs.go | 31 +--- pkg/rules/rule_not_track_dns.go | 225 ----------------------------- pkg/rules/rules.go | 50 +------ 6 files changed, 4 insertions(+), 467 deletions(-) delete mode 100644 issues/DNS_packet_dropped_issue.md delete mode 100644 pkg/rules/rule_not_track_dns.go diff --git a/README.md b/README.md index 5ab2c1e..47b7c30 100644 --- a/README.md +++ b/README.md @@ -4,7 +4,6 @@ network-node-manager is a kubernetes controller that controls the network config * [Connection reset issue between pod and out of cluster](issues/connection_reset_issue_pod_out_cluster.md) * [External-IP access issue with IPVS proxy mode](issues/external_IP_access_issue_IPVS_proxy_mode.md) -* [DNS packet dropped issue](issues/DNS_packet_dropped_issue.md) ## Deploy 
@@ -73,35 +72,6 @@ Off $ kubectl -n kube-system set env daemonset/network-node-manager RULE_EXTERNAL_CLUSTER_ENABLE=false ``` -### Enable Not Track DNS Packet Rule - -* Related issue : [DNS packet dropped issue](issues/DNS_packet_dropped_issue.md) -* Default : false -* iptables proxy mode manifest : false -* IPVS proxy mode manifest : false - -``` -On -$ kubectl -n kube-system set env daemonset/network-node-manager RULE_NOT_TRACK_DNS_ENABLE=true - -Off -$ kubectl -n kube-system set env daemonset/network-node-manager RULE_NOT_TRACK_DNS_ENABLE=false -``` - -### Set Kubernetes DNS Service Names for Not Track DNS Packet Rule - -* Related issue : [DNS packet dropped issue](issues/DNS_packet_dropped_issue.md) -* Default : "kube-dns" -* Support multiple : "kube-dns,kube-dns-second" - -``` -Set kube-dns service -$ kubectl -n kube-system set env daemonset/network-node-manager RULE_NOT_TRACK_DNS_SERVICES="kube-dns" - -Set multiple services -$ kubectl -n kube-system set env daemonset/network-node-manager RULE_NOT_TRACK_DNS_SERVICES="kube-dns,kube-dns-second" -``` - ## How it works? ![kpexec Architecture](img/network-node-manager_Architecture.PNG) diff --git a/controllers/service_controller.go b/controllers/service_controller.go index a171f85..216daad 100644 --- a/controllers/service_controller.go +++ b/controllers/service_controller.go @@ -22,7 +22,6 @@ import ( corev1 "k8s.io/api/core/v1" apierror "k8s.io/apimachinery/pkg/api/errors" "k8s.io/apimachinery/pkg/runtime" - "k8s.io/apimachinery/pkg/types" ctrl "sigs.k8s.io/controller-runtime" "sigs.k8s.io/controller-runtime/pkg/client" @@ -45,8 +44,6 @@ var ( configRuleDropInvalidInputEnabled bool configRuleExternalClusterEnabled bool - configRuleNotTrackDNSEnabled bool - configRuleNotTrackDNSServices []string initFlag = false podCIDRIPv4 string 
@@ -92,22 +89,8 @@ func (r *ServiceReconciler) Reconcile(req ctrl.Request) (ctrl.Result, error) { logger.Error(err, "config error") os.Exit(1) } - configRuleNotTrackDNSEnabled, err = configs.GetConfigRuleNotTrackDNSEnabled() - if err != nil { - logger.Error(err, "config error") - os.Exit(1) - } - configRuleNotTrackDNSServices, err = configs.GetConfigRuleNotTrackDNSServices() - if err != nil { - logger.Error(err, "config error") - os.Exit(1) - } logger.WithValues("enabled", configRuleDropInvalidInputEnabled).Info("config rule drop invalid packet in INPUT chain") logger.WithValues("enabled", configRuleExternalClusterEnabled).Info("config rule externalIP to clusterIP") - logger.WithValues("enabled", configRuleNotTrackDNSEnabled).Info("config rule not tracking DNS packet") - if configRuleNotTrackDNSEnabled { - logger.WithValues("services", configRuleNotTrackDNSServices).Info("config rule not tracking DNS packet") - } // Init packages rules.Init(configPodCIDRIPv4, configPodCIDRIPv6) 
@@ -125,33 +108,6 @@ func (r *ServiceReconciler) Reconcile(req ctrl.Request) (ctrl.Result, error) { } } - if configRuleNotTrackDNSEnabled { - if err := rules.InitRulesNotTrackDNS(logger); err != nil { - logger.Error(err, "failed to init rule not tracking DNS packet") - os.Exit(1) - } - - // Set rules for DNS services - for _, dnsSvcName := range configRuleNotTrackDNSServices { - dnsSvc := &corev1.Service{} - if err := r.Client.Get(ctx, types.NamespacedName{Namespace: "kube-system", Name: dnsSvcName}, dnsSvc); err != nil { - logger.Error(err, "failed to get DNS service info") - os.Exit(1) - } - logger.WithValues("DNS Service", dnsSvc.Name).WithValues("clusterIP", dnsSvc.Spec.ClusterIP).Info("DNS service info") - - if err := rules.CreateRulesNotTrackDNS(logger, dnsSvc.Spec.ClusterIP); err != nil { - logger.Error(err, "failed to create rule not tracking DNS packet for a DNS services") - os.Exit(1) - } - } - } else { - if err := rules.CleanupRulesNotTrackDNS(logger); err != nil { - logger.Error(err, "failed to cleanup rule not trackring DNS packet") - os.Exit(1) - } - } - if configRuleExternalClusterEnabled { // Init externalIP to clusterIP rules if err := rules.InitRulesExternalCluster(logger); err != nil { 
@@ -190,25 +146,6 @@ func (r *ServiceReconciler) Reconcile(req ctrl.Request) (ctrl.Result, error) { logger.Error(err, "failed to init rule drop invalid packet in INPUT chain") } } - if configRuleNotTrackDNSEnabled { - if err := rules.InitRulesNotTrackDNS(logger); err != nil { - logger.Error(err, "failed to init rule not tracking DNS packet") - } - - // Set rules for DNS services - for _, dnsSvcName := range configRuleNotTrackDNSServices { - dnsSvc := &corev1.Service{} - if err := r.Client.Get(ctx, types.NamespacedName{Namespace: "kube-system", Name: dnsSvcName}, dnsSvc); err != nil { - logger.Error(err, "failed to get DNS service info") - os.Exit(1) - } - - if err := rules.CreateRulesNotTrackDNS(logger, dnsSvc.Spec.ClusterIP); err != nil { - logger.Error(err, "failed to create rule not tracking DNS packet") - os.Exit(1) - } - } - } } }() } diff --git a/issues/DNS_packet_dropped_issue.md b/issues/DNS_packet_dropped_issue.md deleted file mode 100644 index bb77857..0000000 --- a/issues/DNS_packet_dropped_issue.md +++ /dev/null 
@@ -1,72 +0,0 @@
-# DNS packet dropped issue
-
-There is an issue in which some DNS packets are dropped due to the race condition of linux kernel conntrack. Because of this issue, a phenomenon in which Record Resolve of Service or Pod within Kubernetes Cluster often fails occurs.
-
-## Caution and Preparation
-
-This solution only works with **IPVS proxy** mode. And to apply this solution, the **hostPort for the CoreDNS Pods** must be disabled. If you do not need to use the hostPort for the CoreDNS pods, please disable it. Below is a example.
-
-```
-$ kubectl -n kube-system edit deployments.apps coredns
-...
- ports:
- - containerPort: 53
- hostPort: 53 <- remove
- name: dns
- protocol: UDP
- - containerPort: 53
- hostPort: 53 <- remove
- name: dns-tcp
- protocol: TCP
- - containerPort: 9153
- hostPort: 9153 <- remove
- name: metrics
- protocol: TCP
-```
-
-## How to solve it
-
-network-node-manager adds the not tracking rules for DNS packet to avoid the race condition of linux kernel conntrack. The reason why notrack rule can be set for DNS packet is because Linux IPVS performs load balancing even for notrack packet. Since Linux iptables does not DNAT notrack packets, this solution cannot be applied when using iptables proxy mode. Unlike the [NodeLocal DNSCache](https://kubernetes.io/docs/tasks/administer-cluster/nodelocaldns/) solution, this solution has the advantage that it can be applied without restarting the kubelet or pod. Below are example rules that set by network-node-manager.
-
-```
-$ kubectl -n kube-system get service kube-dns
-NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
-kube-dns ClusterIP 10.96.0.10 53/UDP,53/TCP,9153/TCP 29m
-
-$ iptables -t raw -nvL
-...
-Chain PREROUTING (policy ACCEPT 9 packets, 643 bytes)
- pkts bytes target prot opt in out source destination
- 215 18752 NMANAGER_PREROUTING all * * ::/0 ::/0
-
-Chain OUTPUT (policy ACCEPT 9 packets, 662 bytes)
- pkts bytes target prot opt in out source destination
- 179 13607 NMANAGER_OUTPUT all * * ::/0 ::/0
-...
-Chain NMANAGER_OUTPUT (1 references)
- pkts bytes target prot opt in out source destination
-21109 2081K NMANAGER_NOT_DNS_OUTPUT all -- * * 0.0.0.0/0 0.0.0.0/0
-
-Chain NMANAGER_PREROUTING (1 references)
- pkts bytes target prot opt in out source destination
-24587 26M NMANAGER_NOT_DNS_PREROUTING all -- * * 0.0.0.0/0 0.0.0.0/0
-...
-Chain NMANAGER_NOT_DNS_OUTPUT (1 references)
- pkts bytes target prot opt in out source destination
- 0 0 CT udp -- * * 0.0.0.0/0 10.96.0.10 udp dpt:53 CT notrack
- 0 0 CT udp -- * * 0.0.0.0/0 192.167.0.0/16 udp dpt:53 CT notrack
- 0 0 CT udp -- * * 192.167.0.0/16 0.0.0.0/0 udp spt:53 CT notrack
-
-Chain NMANAGER_NOT_DNS_PREROUTING (1 references)
- pkts bytes target prot opt in out source destination
- 0 0 CT udp -- * * 0.0.0.0/0 10.96.0.10 udp dpt:53 CT notrack
- 0 0 CT udp -- * * 0.0.0.0/0 192.167.0.0/16 udp dpt:53 CT notrack
- 0 0 CT udp -- * * 192.167.0.0/16 0.0.0.0/0 udp spt:53 CT notrack
-```
-
-## Reference
-
-* https://www.weave.works/blog/racy-conntrack-and-dns-lookup-timeouts
-* https://github.com/weaveworks/weave/issues/3287
-* https://github.com/kubernetes/kubernetes/issues/62628
-* https://github.com/kubernetes/kubernetes/issues/56903
diff --git a/pkg/configs/configs.go b/pkg/configs/configs.go
index 4c210f0..aca6031 100644
--- a/pkg/configs/configs.go
+++ b/pkg/configs/configs.go
@@ -15,10 +15,8 @@ const ( EnvPodCIDRIPv4 = "POD_CIDR_IPV4" EnvPodCIDRIPv6 = "POD_CIDR_IPV6" - EnvRuleDropInvalidInputEnable = "RULE_DROP_INVALID_INPUT_ENABLE" - EnvRuleExternalClusterEnable = "RULE_EXTERNAL_CLUSTER_ENABLE" - EnvRuleDropNotTrackDNSEnable = "RULE_NOT_TRACK_DNS_ENABLE" - EnvRuleDropNotTrackDNSServices = "RULE_NOT_TRACK_DNS_SERVICES" + EnvRuleDropInvalidInputEnable = "RULE_DROP_INVALID_INPUT_ENABLE" + EnvRuleExternalClusterEnable = "RULE_EXTERNAL_CLUSTER_ENABLE" ) func GetConfigPodCIDRIPv4() (string, error) { @@ -72,28 +70,3 @@ func GetConfigRuleExternalClusterEnabled() (bool, error) { } return false, fmt.Errorf("wrong config for externalIP to clusterIP DNAT : %s", config) } - -func GetConfigRuleNotTrackDNSEnabled() (bool, error) { - config := os.Getenv(EnvRuleDropNotTrackDNSEnable) - config = strings.ToLower(config) - - if config == "" { - return false, nil - } else if config == EnvConfigFalse { - return false, nil - } else if config == EnvConfigTrue { - return true, nil - } - return false, fmt.Errorf("wrong config for externalIP to clusterIP DNAT : %s", config) -} - -func GetConfigRuleNotTrackDNSServices() ([]string, error) { - configs := os.Getenv(EnvRuleDropNotTrackDNSServices) - configs = strings.Replace(configs, " ", "", -1) - configs = strings.ToLower(configs) - - if configs == "" { - return []string{"kube-dns"}, nil - } - return strings.Split(configs, ","), nil -} diff --git a/pkg/rules/rule_not_track_dns.go b/pkg/rules/rule_not_track_dns.go deleted file mode 100644 index b971747..0000000 --- a/pkg/rules/rule_not_track_dns.go +++ /dev/null 
@@ -1,225 +0,0 @@
-package rules
-
-import (
- "github.com/go-logr/logr"
-
- "github.com/kakao/network-node-manager/pkg/ip"
- "github.com/kakao/network-node-manager/pkg/iptables"
-)
-
-func InitRulesNotTrackDNS(logger logr.Logger) error {
- // Init base chains
- if err := initBaseChains(logger); err != nil {
- logger.Error(err, "failed to init base chain for externalIP to clusterIP Rules")
- return err
- }
-
- // IPv4
- if ip.IsIPv4CIDR(podCIDRIPv4) {
- // Create chains
- out, err := iptables.CreateChainIPv4(iptables.TableRaw, ChainRawNotTrackDNSPrerouting)
- if err != nil {
- logger.Error(err, out)
- return err
- }
- out, err = iptables.CreateChainIPv4(iptables.TableRaw, ChainRawNotTrackDNSOutput)
- if err != nil {
- logger.Error(err, out)
- return err
- }
-
- // Set not track rules
- ruleNotTrackSrcPodCidr := []string{"-p", "UDP", "-m", "udp", "-s", podCIDRIPv4, "--sport", "53", "-j", "CT", "--notrack"}
- out, err = iptables.CreateRuleFirstIPv4(iptables.TableRaw, ChainRawNotTrackDNSPrerouting, "", ruleNotTrackSrcPodCidr...)
- if err != nil {
- logger.Error(err, out)
- return err
- }
- out, err = iptables.CreateRuleFirstIPv4(iptables.TableRaw, ChainRawNotTrackDNSOutput, "", ruleNotTrackSrcPodCidr...)
- if err != nil {
- logger.Error(err, out)
- return err
- }
- ruleNotTrackDestPodCidr := []string{"-p", "UDP", "-m", "udp", "-d", podCIDRIPv4, "--dport", "53", "-j", "CT", "--notrack"}
- out, err = iptables.CreateRuleFirstIPv4(iptables.TableRaw, ChainRawNotTrackDNSPrerouting, "", ruleNotTrackDestPodCidr...)
- if err != nil {
- logger.Error(err, out)
- return err
- }
- out, err = iptables.CreateRuleFirstIPv4(iptables.TableRaw, ChainRawNotTrackDNSOutput, "", ruleNotTrackDestPodCidr...)
- if err != nil {
- logger.Error(err, out)
- return err
- }
-
- // Set jump rule
- ruleJumpPre := []string{"-j", ChainRawNotTrackDNSPrerouting}
- out, err = iptables.CreateRuleFirstIPv4(iptables.TableRaw, ChainBasePrerouting, "", ruleJumpPre...)
- if err != nil {
- logger.Error(err, out)
- return err
- }
- ruleJumpOut := []string{"-j", ChainRawNotTrackDNSOutput}
- out, err = iptables.CreateRuleFirstIPv4(iptables.TableRaw, ChainBaseOutput, "", ruleJumpOut...)
- if err != nil {
- logger.Error(err, out)
- return err
- }
- }
- // IPv6
- if ip.IsIPv6CIDR(podCIDRIPv6) {
- // Create chains
- out, err := iptables.CreateChainIPv6(iptables.TableRaw, ChainRawNotTrackDNSPrerouting)
- if err != nil {
- logger.Error(err, out)
- return err
- }
- out, err = iptables.CreateChainIPv6(iptables.TableRaw, ChainRawNotTrackDNSOutput)
- if err != nil {
- logger.Error(err, out)
- return err
- }
-
- // Set not track rules
- ruleNotTrackSrcPodCidr := []string{"-p", "UDP", "-m", "udp", "-s", podCIDRIPv6, "--sport", "53", "-j", "CT", "--notrack"}
- out, err = iptables.CreateRuleFirstIPv6(iptables.TableRaw, ChainRawNotTrackDNSPrerouting, "", ruleNotTrackSrcPodCidr...)
- if err != nil {
- logger.Error(err, out)
- return err
- }
- out, err = iptables.CreateRuleFirstIPv6(iptables.TableRaw, ChainRawNotTrackDNSOutput, "", ruleNotTrackSrcPodCidr...)
- if err != nil {
- logger.Error(err, out)
- return err
- }
- ruleNotTrackDestPodCidr := []string{"-p", "UDP", "-m", "udp", "-d", podCIDRIPv6, "--dport", "53", "-j", "CT", "--notrack"}
- out, err = iptables.CreateRuleFirstIPv6(iptables.TableRaw, ChainRawNotTrackDNSPrerouting, "", ruleNotTrackDestPodCidr...)
- if err != nil {
- logger.Error(err, out)
- return err
- }
- out, err = iptables.CreateRuleFirstIPv6(iptables.TableRaw, ChainRawNotTrackDNSOutput, "", ruleNotTrackDestPodCidr...)
- if err != nil {
- logger.Error(err, out)
- return err
- }
-
- // Set jump rule
- ruleJumpPre := []string{"-j", ChainRawNotTrackDNSPrerouting}
- out, err = iptables.CreateRuleFirstIPv6(iptables.TableRaw, ChainBasePrerouting, "", ruleJumpPre...)
- if err != nil {
- logger.Error(err, out)
- return err
- }
- ruleJumpOut := []string{"-j", ChainRawNotTrackDNSOutput}
- out, err = iptables.CreateRuleFirstIPv6(iptables.TableRaw, ChainBaseOutput, "", ruleJumpOut...)
- if err != nil {
- logger.Error(err, out)
- return err
- }
- }
-
- return nil
-}
-
-func CleanupRulesNotTrackDNS(logger logr.Logger) error {
- // IPv4
- if ip.IsIPv4CIDR(podCIDRIPv4) {
- // Delete jump rule
- ruleJumpPre := []string{"-j", ChainRawNotTrackDNSPrerouting}
- out, err := iptables.DeleteRuleIPv4(iptables.TableRaw, ChainBasePrerouting, "", ruleJumpPre...)
- if err != nil {
- logger.Error(err, out)
- return err
- }
- ruleJumpOut := []string{"-j", ChainRawNotTrackDNSOutput}
- out, err = iptables.DeleteRuleIPv4(iptables.TableRaw, ChainBaseOutput, "", ruleJumpOut...)
- if err != nil {
- logger.Error(err, out)
- return err
- }
-
- // Delete chain
- out, err = iptables.DeleteChainIPv4(iptables.TableRaw, ChainRawNotTrackDNSPrerouting)
- if err != nil {
- logger.Error(err, out)
- return err
- }
- out, err = iptables.DeleteChainIPv4(iptables.TableRaw, ChainRawNotTrackDNSOutput)
- if err != nil {
- logger.Error(err, out)
- return err
- }
- }
- // IPv6
- if ip.IsIPv6CIDR(podCIDRIPv6) {
- // Delete jump rule
- ruleJumpPre := []string{"-j", ChainRawNotTrackDNSPrerouting}
- out, err := iptables.DeleteRuleIPv6(iptables.TableRaw, ChainBasePrerouting, "", ruleJumpPre...)
- if err != nil {
- logger.Error(err, out)
- return err
- }
- ruleJumpOut := []string{"-j", ChainRawNotTrackDNSOutput}
- out, err = iptables.DeleteRuleIPv6(iptables.TableRaw, ChainBaseOutput, "", ruleJumpOut...)
- if err != nil {
- logger.Error(err, out)
- return err
- }
-
- // Delete chain
- out, err = iptables.DeleteChainIPv6(iptables.TableRaw, ChainRawNotTrackDNSPrerouting)
- if err != nil {
- logger.Error(err, out)
- return err
- }
- out, err = iptables.DeleteChainIPv6(iptables.TableRaw, ChainRawNotTrackDNSOutput)
- if err != nil {
- logger.Error(err, out)
- return err
- }
- }
-
- return nil
-}
-
-func CreateRulesNotTrackDNS(logger logr.Logger, dnsClusterIP string) error {
- // Init base chains
- if err := initBaseChains(logger); err != nil {
- logger.Error(err, "failed to init base chain for externalIP to clusterIP Rules")
- return err
- }
-
- // IPv4
- if ip.IsIPv4CIDR(podCIDRIPv4) && ip.IsIPv4Addr(dnsClusterIP) {
- // Set not track rules
- ruleNotTrackDport := []string{"-p", "UDP", "-m", "udp", "-d", dnsClusterIP, "--dport", "53", "-j", "CT", "--notrack"}
- out, err := iptables.CreateRuleFirstIPv4(iptables.TableRaw, ChainRawNotTrackDNSPrerouting, "", ruleNotTrackDport...)
- if err != nil {
- logger.Error(err, out)
- return err
- }
- out, err = iptables.CreateRuleFirstIPv4(iptables.TableRaw, ChainRawNotTrackDNSOutput, "", ruleNotTrackDport...)
- if err != nil {
- logger.Error(err, out)
- return err
- }
- }
- // IPv6
- if ip.IsIPv6CIDR(podCIDRIPv6) && ip.IsIPv6Addr(dnsClusterIP) {
- // Set not track rules
- ruleNotTrackDport := []string{"-p", "UDP", "-m", "udp", "-d", dnsClusterIP, "--dport", "53", "-j", "CT", "--notrack"}
- out, err := iptables.CreateRuleFirstIPv6(iptables.TableRaw, ChainRawNotTrackDNSPrerouting, "", ruleNotTrackDport...)
- if err != nil {
- logger.Error(err, out)
- return err
- }
- out, err = iptables.CreateRuleFirstIPv6(iptables.TableRaw, ChainRawNotTrackDNSOutput, "", ruleNotTrackDport...)
- if err != nil {
- logger.Error(err, out)
- return err
- }
- }
-
- return nil
-}
diff --git a/pkg/rules/rules.go b/pkg/rules/rules.go
index 3a68ab9..b2b33be 100644
--- a/pkg/rules/rules.go
+++ b/pkg/rules/rules.go
@@ -20,8 +20,6 @@ const ( ChainFilterDropInvalidInput = "NMANAGER_DROP_INVALID_INPUT" ChainNATExternalClusterPrerouting = "NMANAGER_EX_CLUS_PREROUTING" ChainNATExternalClusterOutput = "NMANAGER_EX_CLUS_OUTPUT" - ChainRawNotTrackDNSPrerouting = "NMANAGER_NOT_DNS_PREROUTING" - ChainRawNotTrackDNSOutput = "NMANAGER_NOT_DNS_OUTPUT" ChainNATKubeMarkMasq = "KUBE-MARK-MASQ" ) @@ -41,17 +39,7 @@ func initBaseChains(logger logr.Logger) error { // IPv4 if ip.IsIPv4CIDR(podCIDRIPv4) { // Create base chain in tables - out, err := iptables.CreateChainIPv4(iptables.TableRaw, ChainBasePrerouting) - if err != nil { - logger.Error(err, out) - return err - } - out, err = iptables.CreateChainIPv4(iptables.TableRaw, ChainBaseOutput) - if err != nil { - logger.Error(err, out) - return err - } - out, err = iptables.CreateChainIPv4(iptables.TableFilter, ChainBaseInput) + out, err := iptables.CreateChainIPv4(iptables.TableFilter, ChainBaseInput) if err != nil { logger.Error(err, out) return err @@ -68,18 +56,6 @@ func initBaseChains(logger logr.Logger) error { } // Create jump rule to each chain in tables - ruleJumpRawPre := []string{"-j", ChainBasePrerouting} - out, err = iptables.CreateRuleFirstIPv4(iptables.TableRaw, ChainPrerouting, "", ruleJumpRawPre...) - if err != nil { - logger.Error(err, out) - return err - } - ruleJumpRawOut := []string{"-j", ChainBaseOutput} - out, err = iptables.CreateRuleFirstIPv4(iptables.TableRaw, ChainOutput, "", ruleJumpRawOut...) - if err != nil { - logger.Error(err, out) - return err - } ruleJumpFilterInput := []string{"-j", ChainBaseInput} out, err = iptables.CreateRuleFirstIPv4(iptables.TableFilter, ChainInput, "", ruleJumpFilterInput...) if err != nil { 
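Review bot: Nothing in the commit removes what earlier releases installed in the raw table: the @@ -41,17 hunk stops creating the NMANAGER_PREROUTING/NMANAGER_OUTPUT chains and their jump rules, and the same patch deletes the `rules.CleanupRulesNotTrackDNS` branch from service_controller.go, so a node that ran with RULE_NOT_TRACK_DNS_ENABLE=true keeps its raw-table chains and `CT --notrack` DNS rules after the upgrade with no remaining config knob to undo them. The IPv6 hunk at @@ -103,17 has the same gap. Unless the daemonset rollout flushes the raw table some other way (not visible here), initBaseChains should delete the legacy jump rules and chains once, best-effort, before it builds the filter chain; the deleted CleanupRulesNotTrackDNS called `iptables.DeleteChainIPv4` on chains that still held rules, so the order below assumes that helper flushes first — confirm in pkg/iptables. initBaseChains's body continues outside the hunk on both sides.
```go
func initBaseChains(logger logr.Logger) error {
	// IPv4
	if ip.IsIPv4CIDR(podCIDRIPv4) {
		// Releases before this change built the not-track DNS rule in the raw table;
		// remove what they left so the node does not keep bypassing conntrack for DNS.
		cleanupLegacyRawChainsIPv4(logger)

		// Create base chain in filter table
		out, err := iptables.CreateChainIPv4(iptables.TableFilter, ChainBaseInput)
		// … unchanged: remaining chain and jump-rule setup …

// cleanupLegacyRawChainsIPv4 deletes the raw-table jump rules and chains that
// older releases created for the not-track DNS rule. Failures are logged, not
// returned: on a node that never had the rule every delete is expected to fail.
func cleanupLegacyRawChainsIPv4(logger logr.Logger) {
	jumps := []struct {
		chain string
		rule  []string
	}{
		{ChainBasePrerouting, []string{"-j", "NMANAGER_NOT_DNS_PREROUTING"}},
		{ChainBaseOutput, []string{"-j", "NMANAGER_NOT_DNS_OUTPUT"}},
		{ChainPrerouting, []string{"-j", ChainBasePrerouting}},
		{ChainOutput, []string{"-j", ChainBaseOutput}},
	}
	for _, j := range jumps {
		if out, err := iptables.DeleteRuleIPv4(iptables.TableRaw, j.chain, "", j.rule...); err != nil {
			logger.WithValues("chain", j.chain, "out", out).Info("legacy raw jump rule not removed")
		}
	}
	// Children before parents so no chain is still referenced when deleted.
	for _, c := range []string{"NMANAGER_NOT_DNS_PREROUTING", "NMANAGER_NOT_DNS_OUTPUT", ChainBasePrerouting, ChainBaseOutput} {
		if out, err := iptables.DeleteChainIPv4(iptables.TableRaw, c); err != nil {
			logger.WithValues("chain", c, "out", out).Info("legacy raw chain not removed")
		}
	}
}
// … IPv6 branch mirrors this with the IPv6 delete helpers …
```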
@@ -103,17 +79,7 @@ func initBaseChains(logger logr.Logger) error { // IPv6 if ip.IsIPv6CIDR(podCIDRIPv6) { // Create base chain in nat table - out, err := iptables.CreateChainIPv6(iptables.TableRaw, ChainBasePrerouting) - if err != nil { - logger.Error(err, out) - return err - } - out, err = iptables.CreateChainIPv6(iptables.TableRaw, ChainBaseOutput) - if err != nil { - logger.Error(err, out) - return err - } - out, err = iptables.CreateChainIPv6(iptables.TableFilter, ChainBaseInput) + out, err := iptables.CreateChainIPv6(iptables.TableFilter, ChainBaseInput) if err != nil { logger.Error(err, out) return err @@ -130,18 +96,6 @@ func initBaseChains(logger logr.Logger) error { } // Create jump rule to each chain in tables - ruleJumpRawPre := []string{"-j", ChainBasePrerouting} - out, err = iptables.CreateRuleFirstIPv6(iptables.TableRaw, ChainPrerouting, "", ruleJumpRawPre...) - if err != nil { - logger.Error(err, out) - return err - } - ruleJumpRawOut := []string{"-j", ChainBaseOutput} - out, err = iptables.CreateRuleFirstIPv6(iptables.TableRaw, ChainOutput, "", ruleJumpRawOut...) - if err != nil { - logger.Error(err, out) - return err - } ruleJumpFilterInput := []string{"-j", ChainBaseInput} out, err = iptables.CreateRuleFirstIPv6(iptables.TableFilter, ChainInput, "", ruleJumpFilterInput...) if err != nil {
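Review bot: The comment `// Create base chain in nat table` now heads the added line that creates ChainBaseInput in `iptables.TableFilter`, and the IPv4 counterpart at @@ -41,17 says `// Create base chain in tables`; with the raw-table chains gone both should say what the line actually does, e.g. `// Create base chain in filter table` (or name the nat table too, if the lines outside the hunk still create nat chains — not visible here). initBaseChains's body continues outside the hunk on both sides.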