Make getIPChains more precise and less failure-prone

move fmt.Sprintf out of loop access stat.Options through rawStat[9] with hard-coded index remove break in the event there are multiple rules per containerID only parse for IPNet when we are working with the proper ignite CNI rules ^ avoids coreos/go-iptables#70
stealthybox · Sep 13, 2019 · 8708abf · 8708abf
1 parent 67ae546
commit 8708abf
Showing 1 changed file with 18 additions and 10 deletions.
diff --git a/pkg/network/cni/cni.go b/pkg/network/cni/cni.go
@@ -213,21 +213,29 @@ func getIPChains(containerID string) (result []*ipChain, err error) {
 		return
 	}
 
-	stats, err := ipt.StructuredStats("nat", "POSTROUTING")
+	rawStats, err := ipt.Stats("nat", "POSTROUTING")
 	if err != nil {
 		return
 	}
 
-	for _, stat := range stats {
-		/* name: "ignite-containerd-default" id: "ignite-9a10b07d7c0d4ce9" */
-		for _, field := range strings.Split(stat.Options, " ") {
-			if fmt.Sprintf("%q", containerID) == field {
-				result = append(result, &ipChain{
-					ip:    stat.Source,
-					chain: stat.Target,
-				})
-				break
+	quotedContainerID := fmt.Sprintf("id: %q", containerID)
+	const statOptionsIndex = 9
+	for _, rawStat := range rawStats {
+		// stat.Options has a comment that looks like:
+		//   /* name: "ignite-containerd-default" id: "ignite-9a10b07d7c0d4ce9" */
+		if strings.Contains(rawStat[statOptionsIndex], quotedContainerID) {
+			// only parse the IP's for the rules we need
+			// ( avoids https://github.com/coreos/go-iptables/issues/70 )
+			var stat iptables.Stat
+			stat, err = ipt.ParseStat(rawStat)
+			if err != nil {
+				return
 			}
+
+			result = append(result, &ipChain{
+				ip:    stat.Source,
+				chain: stat.Target,
+			})
 		}
 	}