Refactored version testing for iptables

MikeSpreitzer · MikeSpreitzer · commit 7740a360f507 · 2019-06-28T20:27:13.000-04:00
Reduced the number of calls to ParseGeneric.
diff --git a/pkg/proxy/iptables/proxier.go b/pkg/proxy/iptables/proxier.go
@@ -36,7 +36,6 @@ import (
 
 	v1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/types"
-	utilversion "k8s.io/apimachinery/pkg/util/version"
 	"k8s.io/apimachinery/pkg/util/wait"
 	"k8s.io/client-go/tools/record"
 	"k8s.io/kubernetes/pkg/proxy"
@@ -61,10 +60,6 @@ const (
 	// This is the "new" Proxier, so we require "new" versions of tools.
 	iptablesMinVersion = utiliptables.MinCheckVersion
 
-	// iptablesRandomFullyVersion is the minimum iptables version that supports
-	// the --random-fully flag on `-j MASQUERADE`.
-	iptablesRandomFullyVersion = "1.6.2"
-
 	// the services chain
 	kubeServicesChain utiliptables.Chain = "KUBE-SERVICES"
 
@@ -105,20 +100,9 @@ type KernelCompatTester interface {
 // an error if it fails to get the iptables version without error, in which
 // case it will also return false.
 func CanUseIPTablesProxier(iptver Versioner, kcompat KernelCompatTester) (bool, error) {
-	minVersion, err := utilversion.ParseGeneric(iptablesMinVersion)
-	if err != nil {
-		return false, err
-	}
-	versionString, err := iptver.GetVersion()
-	if err != nil {
-		return false, err
-	}
-	version, err := utilversion.ParseGeneric(versionString)
-	if err != nil {
-		return false, err
-	}
-	if version.LessThan(minVersion) {
-		return false, nil
+	outcome := utiliptables.VersionIsAtLeast(iptver, iptablesMinVersion)
+	if outcome.Err != nil || !outcome.Answer {
+		return false, outcome.Err
 	}
 
 	// Check that the kernel supports what we need.
@@ -313,19 +297,7 @@ func NewProxier(ipt utiliptables.Interface,
 		klog.Warning("missing br-netfilter module or unset sysctl br-nf-call-iptables; proxy may not work as intended")
 	}
 
-	masqueradeRandomFully := false
-	iptVersionString, err := ipt.GetVersion()
-	if err != nil {
-		klog.Warningf("Unable to get iptables version string: %v", err)
-	} else {
-		iptVersion, err := utilversion.ParseGeneric(iptVersionString)
-		if err != nil {
-			klog.Warningf("Unable to parse iptables version string %q: %v", iptVersionString, err)
-		} else {
-			needVersion, err := utilversion.ParseGeneric(iptablesRandomFullyVersion)
-			masqueradeRandomFully = err == nil && iptVersion.AtLeast(needVersion)
-		}
-	}
+	canRandomFully := utiliptables.VersionIsAtLeast(ipt, utiliptables.MinMasqueradeRandomFullyVersion)
 
 	// Generate the masquerade mark to use for SNAT rules.
 	masqueradeValue := 1 << uint(masqueradeBit)
@@ -352,7 +324,7 @@ func NewProxier(ipt utiliptables.Interface,
 		endpointsMap:             make(proxy.EndpointsMap),
 		endpointsChanges:         proxy.NewEndpointChangeTracker(hostname, newEndpointInfo, &isIPv6, recorder),
 		iptables:                 ipt,
-		masqueradeRandomFully:    masqueradeRandomFully,
+		masqueradeRandomFully:    canRandomFully.Answer,
 		masqueradeAll:            masqueradeAll,
 		masqueradeMark:           masqueradeMark,
 		exec:                     exec,
diff --git a/pkg/proxy/ipvs/proxier.go b/pkg/proxy/ipvs/proxier.go
@@ -33,7 +33,6 @@ import (
 	"k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/sets"
-	utilversion "k8s.io/apimachinery/pkg/util/version"
 	"k8s.io/apimachinery/pkg/util/wait"
 	"k8s.io/client-go/tools/record"
 	"k8s.io/kubernetes/pkg/proxy"
@@ -51,10 +50,6 @@ import (
 )
 
 const (
-	// iptablesRandomFullyVersion is the minimum iptables version that supports
-	// the --random-fully flag on `-j MASQUERADE`.
-	iptablesRandomFullyVersion = "1.6.2"
-
 	// kubeServicesChain is the services portal chain
 	kubeServicesChain utiliptables.Chain = "KUBE-SERVICES"
 
@@ -384,19 +379,7 @@ func NewProxier(ipt utiliptables.Interface,
 		}
 	}
 
-	masqueradeRandomFully := false
-	iptVersionString, err := ipt.GetVersion()
-	if err != nil {
-		klog.Warningf("Unable to get iptables version string: %v", err)
-	} else {
-		iptVersion, err := utilversion.ParseGeneric(iptVersionString)
-		if err != nil {
-			klog.Warningf("Unable to parse iptables version string %q: %v", iptVersionString, err)
-		} else {
-			needVersion, err := utilversion.ParseGeneric(iptablesRandomFullyVersion)
-			masqueradeRandomFully = err == nil && iptVersion.AtLeast(needVersion)
-		}
-	}
+	canRandomFully := utiliptables.VersionIsAtLeast(ipt, utiliptables.MinMasqueradeRandomFullyVersion)
 
 	// Generate the masquerade mark to use for SNAT rules.
 	masqueradeValue := 1 << uint(masqueradeBit)
@@ -434,7 +417,7 @@ func NewProxier(ipt utiliptables.Interface,
 		minSyncPeriod:         minSyncPeriod,
 		excludeCIDRs:          parseExcludedCIDRs(excludeCIDRs),
 		iptables:              ipt,
-		masqueradeRandomFully: masqueradeRandomFully,
+		masqueradeRandomFully: canRandomFully.Answer,
 		masqueradeAll:         masqueradeAll,
 		masqueradeMark:        masqueradeMark,
 		exec:                  exec,
diff --git a/pkg/util/iptables/iptables.go b/pkg/util/iptables/iptables.go
@@ -129,6 +129,39 @@ const WaitSecondsMinVersion = "1.4.22"
 const WaitString = "-w"
 const WaitSecondsValue = "5"
 
+// MinMasqueradeFullyVersion is the minimum iptables version that supports the `--random-fully` modifier on `-j MASQUERADE`
+const MinMasqueradeRandomFullyVersion = "1.6.2"
+
+type TestOutcome struct {
+	Answer bool
+	Err    error
+}
+
+// VersionStringIsAtLeast compares two alleged version strings
+func VersionStringIsAtLeast(versionStr, minVersionStr string) TestOutcome {
+	version, err := utilversion.ParseGeneric(versionStr)
+	if err != nil {
+		klog.Warningf("%q is not a valid version string: %v", versionStr, err)
+		return TestOutcome{false, err}
+	}
+	minVersion, err := utilversion.ParseGeneric(minVersionStr)
+	if err != nil {
+		klog.Warningf("%q is not a valid version string: %v", minVersionStr, err)
+		return TestOutcome{false, err}
+	}
+	return TestOutcome{version.AtLeast(minVersion), nil}
+}
+
+// VersionIsAtLeast tests whether the version of the given item is at least the given bound
+func VersionIsAtLeast(ifc interface{ GetVersion() (string, error) }, minVersionStr string) TestOutcome {
+	versionStr, err := ifc.GetVersion()
+	if err != nil {
+		klog.Warningf("Unable to determine version string: %v", err)
+		return TestOutcome{false, err}
+	}
+	return VersionStringIsAtLeast(versionStr, minVersionStr)
+}
+
 const LockfilePath16x = "/run/xtables.lock"
 
 // runner implements Interface in terms of exec("iptables").
@@ -541,42 +574,16 @@ func makeFullArgs(table Table, chain Chain, args ...string) []string {
 
 // Checks if iptables has the "-C" flag
 func getIPTablesHasCheckCommand(vstring string) bool {
-	minVersion, err := utilversion.ParseGeneric(MinCheckVersion)
-	if err != nil {
-		klog.Errorf("MinCheckVersion (%s) is not a valid version string: %v", MinCheckVersion, err)
-		return true
-	}
-	version, err := utilversion.ParseGeneric(vstring)
-	if err != nil {
-		klog.Errorf("vstring (%s) is not a valid version string: %v", vstring, err)
-		return true
-	}
-	return version.AtLeast(minVersion)
+	outcome := VersionStringIsAtLeast(vstring, MinCheckVersion)
+	return outcome.Answer && outcome.Err == nil
 }
 
 // Checks if iptables version has a "wait" flag
 func getIPTablesWaitFlag(vstring string) []string {
-	version, err := utilversion.ParseGeneric(vstring)
-	if err != nil {
-		klog.Errorf("vstring (%s) is not a valid version string: %v", vstring, err)
-		return nil
-	}
-
-	minVersion, err := utilversion.ParseGeneric(WaitMinVersion)
-	if err != nil {
-		klog.Errorf("WaitMinVersion (%s) is not a valid version string: %v", WaitMinVersion, err)
-		return nil
-	}
-	if version.LessThan(minVersion) {
-		return nil
-	}
-
-	minVersion, err = utilversion.ParseGeneric(WaitSecondsMinVersion)
-	if err != nil {
-		klog.Errorf("WaitSecondsMinVersion (%s) is not a valid version string: %v", WaitSecondsMinVersion, err)
+	if !VersionStringIsAtLeast(vstring, WaitMinVersion).Answer {
 		return nil
 	}
-	if version.LessThan(minVersion) {
+	if !VersionStringIsAtLeast(vstring, WaitSecondsMinVersion).Answer {
 		return []string{WaitString}
 	}
 	return []string{WaitString, WaitSecondsValue}
diff --git a/pkg/util/iptables/iptables_test.go b/pkg/util/iptables/iptables_test.go
@@ -57,13 +57,16 @@ func testIPTablesVersionCmds(t *testing.T, protocol Protocol) {
 			func() ([]byte, error) { return []byte(iptablesRestoreCmd + version), nil },
 			// iptables version  response (for call to runner.GetVersion())
 			func() ([]byte, error) { return []byte(iptablesCmd + version), nil },
+			// iptables version  response (for call to VersionIsAtLeast())
+			func() ([]byte, error) { return []byte(iptablesCmd + version), nil },
 		},
 	}
 	fexec := fakeexec.FakeExec{
 		CommandScript: []fakeexec.FakeCommandAction{
 			func(cmd string, args ...string) exec.Cmd { return fakeexec.InitFakeCmd(&fcmd, cmd, args...) },
 			func(cmd string, args ...string) exec.Cmd { return fakeexec.InitFakeCmd(&fcmd, cmd, args...) },
 			func(cmd string, args ...string) exec.Cmd { return fakeexec.InitFakeCmd(&fcmd, cmd, args...) },
+			func(cmd string, args ...string) exec.Cmd { return fakeexec.InitFakeCmd(&fcmd, cmd, args...) },
 		},
 	}
 	runner := New(&fexec, dbus.NewFake(nil, nil), protocol)
@@ -88,6 +91,16 @@ func testIPTablesVersionCmds(t *testing.T, protocol Protocol) {
 	if !sets.NewString(fcmd.CombinedOutputLog[2]...).HasAll(iptablesCmd, "--version") {
 		t.Errorf("%s GetVersion: Expected cmd '%s --version', Got '%s'", protoStr, iptablesCmd, fcmd.CombinedOutputLog[2])
 	}
+
+	versionOutcome := VersionIsAtLeast(runner, MinMasqueradeRandomFullyVersion)
+	if versionOutcome.Err != nil || !versionOutcome.Answer {
+		t.Errorf("%s VersionIsAtLeast(%q) returned %v", protoStr, MinMasqueradeRandomFullyVersion, versionOutcome)
+	}
+
+	// Check that proper iptables version command was used for runner.GetVersion
+	if !sets.NewString(fcmd.CombinedOutputLog[3]...).HasAll(iptablesCmd, "--version") {
+		t.Errorf("%s GetVersion: Expected cmd '%s --version', Got '%s'", protoStr, iptablesCmd, fcmd.CombinedOutputLog[3])
+	}
 }
 
 func TestIPTablesVersionCmdsIPv4(t *testing.T) {
diff --git a/pkg/util/iptables/testing/fake.go b/pkg/util/iptables/testing/fake.go
@@ -41,14 +41,22 @@ type Rule map[string]string
 
 // no-op implementation of iptables Interface
 type FakeIPTables struct {
-	Lines []byte
+	Lines   []byte
+	Version string
 }
 
 func NewFake() *FakeIPTables {
 	return &FakeIPTables{}
 }
 
-func (*FakeIPTables) GetVersion() (string, error) {
+func NewVersionedFake(version string) *FakeIPTables {
+	return &FakeIPTables{Version: version}
+}
+
+func (f *FakeIPTables) GetVersion() (string, error) {
+	if f.Version != "" {
+		return f.Version, nil
+	}
 	return "0.0.0", nil
 }
 
