The following pull request was submitted through Github.
It can be accessed and reviewed at: https://github.com/lxc/lxc/pull/3602

This e-mail was sent by the LXC bot, direct replies will not reach the author
unless they happen to be subscribed to this list.

=== Description (from pull-request) ===
This implementation uses the update-alternatives command to set nftables to be running in legacy mode when iptables commands need to be run. It then unsets the symbolic link after finishing to ensure there's no unintended behavior afterwards.
From ed53286daf4dec3668fa23410d2aeaff2e5498a8 Mon Sep 17 00:00:00 2001
From: Kyle Colburn <kylecolbur...@utexas.edu>
Date: Mon, 14 Dec 2020 19:24:30 -0600
Subject: [PATCH] Used symbolic links to run nftables in legacy mode to support
 iptables commands when nftables is present.

Signed-off-by: Kyle Colburn <kylecolbur...@utexas.edu>
---
 config/init/common/lxc-net.in | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/config/init/common/lxc-net.in b/config/init/common/lxc-net.in
index a7dfa6f199..ea4732669a 100644
--- a/config/init/common/lxc-net.in
+++ b/config/init/common/lxc-net.in
@@ -91,6 +91,11 @@ start() {
 
     _ifup
 
+    nftables_ver_output=$(nft --version)
+    if [$nftables_ver_output != *"not found"*]; then
+        update-alternatives --set iptables /usr/sbin/iptables-legacy
+    fi
+
     LXC_IPV6_ARG=""
     if [ -n "$LXC_IPV6_ADDR" ] && [ -n "$LXC_IPV6_MASK" ] && [ -n 
"$LXC_IPV6_NETWORK" ]; then
         echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
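Review bot: the condition `if [$nftables_ver_output != *"not found"*]; then` cannot work as written. `[` is a command and needs a space after it; plain `[` does no pattern matching, so `*"not found"*` is filename-expanded by the shell instead of being matched against the variable; and `$nftables_ver_output` is unquoted, so a version string containing spaces splits into several words. `$(nft --version)` also only captures stdout, while the shell's "not found" message goes to stderr, so on a host without nft the variable is simply empty and the test never detects the absence. The presence of the nft binary is the wrong signal anyway: what matters is which backend the `iptables` binary itself uses, which `iptables --version` reports as `(nf_tables)` or `(legacy)`. Suggest `if iptables --version 2>/dev/null | grep -q nf_tables; then`, and check that `update-alternatives` (a Debian/Ubuntu tool) exists and succeeds before relying on it.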
@@ -110,6 +115,10 @@ start() {
     iptables $use_iptables_lock -t nat -A POSTROUTING -s ${LXC_NETWORK} ! -d 
${LXC_NETWORK} -j MASQUERADE
     iptables $use_iptables_lock -t mangle -A POSTROUTING -o ${LXC_BRIDGE} -p 
udp -m udp --dport 68 -j CHECKSUM --checksum-fill
 
+    if [$nftables_ver_output != *"not found"*]; then
+        update-alternatives --remove iptables /usr/sbin/iptables-legacy
+    fi
+
     LXC_DOMAIN_ARG=""
     if [ -n "$LXC_DOMAIN" ]; then
         LXC_DOMAIN_ARG="-s $LXC_DOMAIN -S /$LXC_DOMAIN/"
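Review bot: `update-alternatives --remove iptables /usr/sbin/iptables-legacy` does not undo the `--set` from the earlier hunk; `--remove` deletes the iptables-legacy entry from the alternatives group rather than restoring the backend that was selected before start() ran, so the host ends up with whatever selection is left and the next `--set` in stop() refers to an entry that is no longer registered. Record the previous selection first (for example the `Value:` line of `update-alternatives --query iptables`, or `readlink -f /etc/alternatives/iptables`) and restore it with `update-alternatives --set iptables "$prev"`. The restore also only runs on the happy path: if one of the iptables calls between the two blocks fails or the script is killed, the host is left on the legacy backend; a `trap` on EXIT is the usual way to guarantee the restore.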
@@ -152,6 +161,12 @@ stop() {
 
     if [ -d /sys/class/net/${LXC_BRIDGE} ]; then
         _ifdown 
+
+        nftables_ver_output=$(nft --version)
+        if [$nftables_ver_output != *"not found"*]; then
+            update-alternatives --set iptables /usr/sbin/iptables-legacy
+        fi
+
         iptables $use_iptables_lock -D INPUT -i ${LXC_BRIDGE} -p udp --dport 
67 -j ACCEPT
         iptables $use_iptables_lock -D INPUT -i ${LXC_BRIDGE} -p tcp --dport 
67 -j ACCEPT
         iptables $use_iptables_lock -D INPUT -i ${LXC_BRIDGE} -p udp --dport 
53 -j ACCEPT
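Review bot: this is the third copy of the same `nft --version` check and `update-alternatives --set`, with a fourth `--remove` block below; factor the pair into helpers (e.g. `_iptables_legacy_on` / `_iptables_legacy_off`) alongside `_ifup`/`_ifdown` so the condition is written once and fixed once. More fundamentally, `update-alternatives --set` rewrites the system-wide `/etc/alternatives/iptables` symlink, so while stop() is between the two blocks every other process on the host that runs `iptables` silently gets the legacy backend. The commit message should say which iptables invocation actually fails under the nf_tables backend, so that a fix narrower than flipping the host-wide default can be considered.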
@@ -165,6 +180,10 @@ stop() {
             ip6tables $use_iptables_lock -t nat -D POSTROUTING -s 
${LXC_IPV6_NETWORK} ! -d ${LXC_IPV6_NETWORK} -j MASQUERADE
         fi
 
+        if [$nftables_ver_output != *"not found"*]; then
+            update-alternatives --remove iptables /usr/sbin/iptables-legacy
+        fi
+
         pid=`cat "${varrun}"/dnsmasq.pid 2>/dev/null` && kill -9 $pid
         rm -f "${varrun}"/dnsmasq.pid
         # if $LXC_BRIDGE has attached interfaces, don't destroy the bridge
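Review bot: the `ip6tables ... -t nat -D POSTROUTING` call in this hunk is not covered by the switch: on Debian `ip6tables` is its own alternatives group, and `update-alternatives --set iptables ...` only changes the `iptables` link, so the IPv6 rules keep going through the nf_tables backend while the IPv4 rules go through legacy. If the switch is kept, `ip6tables` needs the same treatment (`update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy`), and the `--remove` here has the same problem as the one in start(): it deletes the alternative instead of restoring the previous selection.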
_______________________________________________
lxc-devel mailing list
lxc-devel@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-devel
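The switch-then-restore pattern the pull-request description relies on, written as an added example that is not part of lxc or of this pull request. It decides whether to switch from the backend that `iptables --version` actually reports rather than from whether an nft binary is on the PATH, remembers the previous selection from the `Value:` line of `update-alternatives --query`, and puts it back with `--set` (not `--remove`, which deletes the entry) even when the wrapped command fails or the shell is interrupted. The function names and the `UPDATE_ALTERNATIVES` override variable are assumptions introduced here.

```shell
#!/bin/sh
# Added example, not code from lxc or this PR: run iptables commands with the
# Debian "iptables" alternative temporarily pointed at iptables-legacy, then
# restore whatever was selected before.

# Backend name from `iptables --version` output, e.g.
# "iptables v1.8.7 (nf_tables)" -> nf_tables, "... (legacy)" -> legacy.
iptables_backend_from_version() {
    case "$1" in
        *"(nf_tables)"*) echo nf_tables ;;
        *"(legacy)"*)    echo legacy ;;
        *)               echo unknown ;;
    esac
}

# Backend of the iptables on PATH; "none" when iptables is not installed.
iptables_backend() {
    command -v iptables >/dev/null 2>&1 || { echo none; return 0; }
    iptables_backend_from_version "$(iptables --version 2>/dev/null)"
}

# Command used to manipulate alternatives. Overridable (assumption) so the
# logic can be exercised with a stub instead of touching /etc/alternatives.
: "${UPDATE_ALTERNATIVES:=update-alternatives}"

# Currently selected path of an alternatives group, taken from the
# "Value: /usr/sbin/iptables-nft" line of --query; empty if no such group.
alternative_value() {
    "$UPDATE_ALTERNATIVES" --query "$1" 2>/dev/null | sed -n 's/^Value: //p'
}

# Run "$@" with the iptables alternative set to iptables-legacy, then put the
# previous selection back, also when the command fails or the shell exits
# early (EXIT/INT/TERM trap). Exit status is that of the wrapped command.
with_legacy_iptables() {
    wli_prev=$(alternative_value iptables)
    if [ -z "$wli_prev" ]; then
        "$@"                       # no alternatives group: nothing to switch
        return $?
    fi
    "$UPDATE_ALTERNATIVES" --set iptables /usr/sbin/iptables-legacy >/dev/null || return 1
    trap '"$UPDATE_ALTERNATIVES" --set iptables "$wli_prev" >/dev/null' EXIT INT TERM
    "$@"
    wli_rc=$?
    "$UPDATE_ALTERNATIVES" --set iptables "$wli_prev" >/dev/null
    trap - EXIT INT TERM
    return $wli_rc
}

# Wrapper for the script's iptables calls: only switch when the installed
# iptables really is the nf_tables build, otherwise run it unchanged.
lxc_iptables() {
    if [ "$(iptables_backend)" = nf_tables ]; then
        with_legacy_iptables iptables "$@"
    else
        iptables "$@"
    fi
}
```

Note that the window between the two `--set` calls is still host-wide: any other process running `iptables` at that moment gets the legacy backend too, so the wrapper should span as few commands as possible, and `ip6tables` is a separate alternatives group that this helper does not touch.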