cni: update MCS-blocking code to do both IPv4 and IPv6

openshift · Apr 22, 2020 · 32c7e4b · 32c7e4b
1 parent e1098d4
commit 32c7e4b
Showing 1 changed file with 29 additions and 4 deletions.
diff --git a/go-controller/pkg/cni/helper_linux.go b/go-controller/pkg/cni/helper_linux.go
@@ -20,6 +20,7 @@ import (
 	"github.com/vishvananda/netlink"
 
 	"k8s.io/apimachinery/pkg/util/wait"
+	utilnet "k8s.io/utils/net"
 )
 
 func renameLink(curName, newName string) error {
@@ -308,15 +309,39 @@ func (pr *PodRequest) ConfigureInterface(namespace string, podName string, ifInf
 		}
 	}
 
+	// Block access to certain things
 	err = netns.Do(func(hostNS ns.NetNS) error {
-		// Block access to certain things
+		var hasIPv4, hasIPv6 bool
+		for _, ip := range ifInfo.IPs {
+			if utilnet.IsIPv6CIDR(ip) {
+				hasIPv6 = true
+			} else {
+				hasIPv4 = true
+			}
+		}
+
 		for _, args := range iptablesCommands {
-			out, err := exec.Command("iptables", args...).CombinedOutput()
-			if err != nil {
-				return fmt.Errorf("could not set up pod iptables rules: %s", string(out))
+			if hasIPv4 {
+				out, err := exec.Command("iptables", args...).CombinedOutput()
+				if err != nil {
+					return fmt.Errorf("could not set up pod iptables rules: %s", string(out))
+				}
+			}
+			if hasIPv6 {
+				out, err := exec.Command("ip6tables", args...).CombinedOutput()
+				if err != nil {
+					return fmt.Errorf("could not set up pod iptables rules: %s", string(out))
+				}
 			}
 		}
 
+		return nil
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	err = netns.Do(func(hostNS ns.NetNS) error {
 		if _, err := os.Stat("/proc/sys/net/ipv6/conf/all/dad_transmits"); !os.IsNotExist(err) {
 			err = setSysctl("/proc/sys/net/ipv6/conf/all/dad_transmits", 0)
 			if err != nil {