Skip to content

libnetwork/iptables: ProgramChain: don't fail if interface not found#46245

Merged
thaJeztah merged 1 commit intomoby:masterfrom
thaJeztah:firewalld_dont_fail_on_removal
Aug 23, 2023
Merged

libnetwork/iptables: ProgramChain: don't fail if interface not found#46245
thaJeztah merged 1 commit intomoby:masterfrom
thaJeztah:firewalld_dont_fail_on_removal

Conversation

@thaJeztah
Copy link
Member

@thaJeztah thaJeztah commented Aug 16, 2023

DelInterfaceFirewalld returns an error if the interface to delete was not found. Let's ignore cases where we were successfully able to get the list of interfaces in the zone, but the interface was not part of the zone.

This patch changes the error for these cases to an errdefs.ErrNotFound, and updates IPTable.ProgramChain to ignore those errors.

- Description for the changelog

- A picture of a cute animal (not mandatory but encouraged)

@thaJeztah
libnetwork/iptables: ProgramChain: don't fail if interface not found
513063b 
DelInterfaceFirewalld returns an error if the interface to delete was
not found. Let's ignore cases where we were successfully able to get
the list of interfaces in the zone, but the interface was not part of
the zone.

This patch changes the error for these cases to an errdefs.ErrNotFound,
and updates IPTable.ProgramChain to ignore those errors.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
@thaJeztah thaJeztah mentioned this pull request Aug 16, 2023
Open
4 tasks
@neersighted
Copy link
Member

neersighted commented Aug 23, 2023

Out of curiosity, when does this happen? Is there a situation where this is likely to happen, or are we just trying to be more defensive against an obscure scenario where all we can do is shrug and move on?

@thaJeztah
Copy link
Member Author

thaJeztah commented Aug 23, 2023

It's mostly defensive here; there's a lot of code in libnetwork that either ignores failures (which could be "failed to ADD the interface to the zone"), or "if the machine is not in state X" (e.g. firewalld not running), then we skip; here's how this is currently used;

	if firewalldRunning {
		if enable {
			if err := AddInterfaceFirewalld(bridgeName); err != nil {
				return err
			}
		} else {
			if err := DelInterfaceFirewalld(bridgeName); err != nil {
				return err
			}
		}
	}

But firewalldRunning is something that can be updated on various locations, which means that the state of the world may actually change.

For a cleanup operation, I'd consider "removing what isn't there" to be something we can safely ignore.

@thaJeztah thaJeztah added this to the 25.0.0 milestone Aug 23, 2023
@thaJeztah thaJeztah merged commit 0e3b2ec into moby:master Aug 23, 2023
@thaJeztah thaJeztah deleted the firewalld_dont_fail_on_removal branch August 23, 2023 17:58
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@neersighted neersighted neersighted approved these changes

Assignees

No one assigned

Labels

area/networking/firewalld Networking area/networking Networking status/2-code-review

Projects

None yet

Milestone

25.0.0

Development

Successfully merging this pull request may close these issues.

2 participants

@thaJeztah @neersighted