| 123456789101112131415161718192021222324252627282930313233343536373839404142434445 |
- #!/bin/sh
- # Copyright 2019 The Kubernetes Authors.
- #
- # Licensed under the Apache License, Version 2.0 (the "License");
- # you may not use this file except in compliance with the License.
- # You may obtain a copy of the License at
- #
- # http://www.apache.org/licenses/LICENSE-2.0
- #
- # Unless required by applicable law or agreed to in writing, software
- # distributed under the License is distributed on an "AS IS" BASIS,
- # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- # See the License for the specific language governing permissions and
- # limitations under the License.
- set -e
- # Detect whether the base system is using iptables-legacy or
- # iptables-nft. This assumes that some non-containerized process (eg
- # kubelet) has already created some iptables rules.
- # Bugs in iptables-nft 1.8.3 may cause it to get stuck in a loop in
- # some circumstances, so we have to run the nft check in a timeout. To
- # avoid hitting that timeout, we only bother to even check nft if
- # legacy iptables was empty / mostly empty.
- num_legacy_lines=$( (iptables-legacy-save || true; ip6tables-legacy-save || true) 2>/dev/null | grep '^-' | wc -l)
- if [ "${num_legacy_lines}" -ge 10 ]; then
- mode=legacy
- else
- num_nft_lines=$( (timeout 5 sh -c "iptables-nft-save; ip6tables-nft-save" || true) 2>/dev/null | grep '^-' | wc -l)
- if [ "${num_legacy_lines}" -ge "${num_nft_lines}" ]; then
- mode=legacy
- else
- mode=nft
- fi
- fi
- update-alternatives --set iptables "/usr/sbin/iptables-${mode}" > /dev/null
- update-alternatives --set ip6tables "/usr/sbin/ip6tables-${mode}" > /dev/null
- # Now re-exec the original command with the newly-selected alternative
- exec "$0" "$@"
|
