newsnowlabs / docker-ingress-routing-daemon

Docker swarm daemon that modifies ingress mesh routing to expose true client IPs to service containers
MIT License

Iptables - Illegal value #2

Closed Vaults closed 3 years ago

Vaults commented 3 years ago

Running version 3.0 gives me the following error log:

2021-02-17.13:01:10.933257|<machine>|24388| Docker Ingress Routing Daemon 3.0.0 starting ...
2021-02-17.13:01:11.066655|<machine>|24388| Detected ingress subnet: 10.255.0.0/16
2021-02-17.13:01:11.077040|<machine>|24388| This node's ingress network IP: 10.255.0.179
2021-02-17.13:01:11.165188|<machine>|24388| Running with --ingress-gateway-ips 10.255.0.49,10.255.0.179,10.255.28.151
2021-02-17.13:01:11.176829|<machine>|24388| This node's ID is: 179
2021-02-17.13:01:11.185147|<machine>|24388| Adding ingress_sbox iptables nat rule: iptables -t nat -I POSTROUTING -d 10.255.0.0/16 -p tcp -m multiport --dports 42069 -m ipvs --ipvs -j ACCEPT
2021-02-17.13:01:11.276506|<machine>|24388| Adding ingress_sbox iptables mangle rule: iptables -t mangle -A POSTROUTING -d 10.255.0.0/16 -p tcp -m multiport --dports 42069 -j TOS --set-tos 179/0xff
2021-02-17.13:01:11.310819|<machine>|24388| Adding ingress_sbox connection tracking disable rule: iptables -t raw -I PREROUTING -p tcp -m multiport --dports 42069 -j CT --notrack
2021-02-17.13:01:11.335573|<machine>|24388| Docker Ingress Routing Daemon launching docker event watcher in pgroup 24388 ...
2021-02-17.13:02:25.377798|<machine>|24388| Container SERVICE=dashboard, ID=bf11b58c8d4b05fb8a29a5b6a6358d9f88df0b3cc4c225922cb84987974e5b72, NID=24921 launched: ingress network interface eth0 found, so applying policy routes.
iptables v1.8.2 (nf_tables): Illegal value: "49,10/0xff"
Try `iptables -h' or 'iptables --help' for more information.
Error: argument "49,10" is wrong: fwmark value is invalid

Error: argument "49,10" is wrong: "table" value is invalid

It seems to have to do with parsing the gateways variable. It was resolved locally by removing | tr ',' ' ' from lines 87 and 105 in v3.0.0.
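The failing value in the log, "49,10", is what you get when a field-based extraction is applied to the whole comma-separated gateway list instead of to one address at a time. The snippet below is an added example, not the daemon's own code from lines 87 or 105: it assumes (as the log above shows for 10.255.0.179 and ID 179) that a node's ID is the last octet of its ingress IP, constructs the same three-address list from the log as input, shows how a naive cut over the whole list yields "49,10", and then splits, validates and extracts per address so that only a bare integer can ever reach an iptables or ip command.

```shell
#!/bin/sh
# Added example (not the project's own code). Splits a comma-separated
# --ingress-gateway-ips list safely and derives one node ID per address.
# Assumption: node ID = last octet of the ingress IP, as the daemon logs.
set -f   # no pathname expansion while we rely on word splitting below

# Constructed input, copied from the --ingress-gateway-ips line in the log.
GATEWAYS="10.255.0.49,10.255.0.179,10.255.28.151"

# Naive extraction over the WHOLE list: cut sees one dotted string, so its
# 4th field is "49,10" - the illegal fwmark/TOS value from the log. Contrast only.
naive_node_id() {
    printf '%s' "$1" | cut -d. -f4
}

# True only for a plain dotted-quad IPv4 address (no commas, no extras).
is_ipv4() {
    case "$1" in
        *[!0-9.]*|"") return 1 ;;
    esac
    oldIFS=$IFS; IFS=.
    set -- $1
    IFS=$oldIFS
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -ge 0 ] 2>/dev/null && [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Last octet of a single, already-validated IPv4 address.
node_id_of() {
    printf '%s' "${1##*.}"
}

# Split on commas, validate each entry, print "ip id" per line.
# Returns 1 on the first malformed entry so a caller can abort.
node_ids_from_list() {
    oldIFS=$IFS; IFS=,
    set -- $1
    IFS=$oldIFS
    for ip in "$@"; do
        is_ipv4 "$ip" || { echo "bad gateway ip: $ip" >&2; return 1; }
        echo "$ip $(node_id_of "$ip")"
    done
}

# Guard to put in front of any iptables/ip invocation that consumes the ID:
# fwmark, TOS and table values must be bare integers.
is_plain_int() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Stand-alone demo output.
printf 'naive (rejected by iptables): %s\n' "$(naive_node_id "$GATEWAYS")"
node_ids_from_list "$GATEWAYS"
```

Running it prints the naive "49,10" followed by one line per gateway (49, 179, 151). The is_plain_int check is the cheap defensive step: a daemon that builds firewall rules from a user-supplied list should refuse to run iptables or ip at all when the derived value is anything other than an integer, rather than letting iptables report "Illegal value" after some rules have already been installed.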

struanb commented 3 years ago

Sorry about this. I'll look into it asap.

struanb commented 3 years ago

I think line 87 is probably fine, and the bug is probably in line 105. Can you try locally removing | tr ',' ' ' only from line 105?

(Line 87 is just designed to allow --ingress-gateway-ips to be passed a comma-separated list of IPs, if one so desires).

Vaults commented 3 years ago

No worries :)

Yeah, I thought only l105 would be enough. I reset the file and only changed it on that line locally. That resolved the issue as well.

struanb commented 3 years ago

Thanks for checking. I'll push that fix as v3.0.1 shortly.

struanb commented 3 years ago

Ok, this bugfix is pushed to v3.0.1.