bug: return errors when iptables and ip6tables are unusable

Signed-off-by: Joe Julian <[email protected]>
containernetworking · Mar 4, 2022 · 3f6ae79 · 3f6ae79
1 parent b8a10bb
commit 3f6ae79
Showing 1 changed file with 31 additions and 10 deletions.
diff --git a/plugins/meta/portmap/portmap.go b/plugins/meta/portmap/portmap.go
@@ -120,10 +120,21 @@ func checkPorts(config *PortMapConf, containerNet net.IPNet) error {
 	dnatChain := genDnatChain(config.Name, config.ContainerID)
 	fillDnatRules(&dnatChain, config, containerNet)
 
-	ip4t := maybeGetIptables(false)
-	ip6t := maybeGetIptables(true)
+	ip4t, err4 := maybeGetIptables(false)
+	ip6t, err6 := maybeGetIptables(true)
 	if ip4t == nil && ip6t == nil {
-		return fmt.Errorf("neither iptables nor ip6tables usable")
+		err := fmt.Errorf("neither iptables nor ip6tables is usable")
+		if err4 != nil {
+			err = fmt.Errorf("%v, (iptables) %v", err, err4)
+		} else {
+			err = fmt.Errorf("%v, (iptables) ip4t is nil", err)
+		}
+		if err6 != nil {
+			err = fmt.Errorf("%v, (ip6tables) %v", err, err6)
+		} else {
+			err = fmt.Errorf("%v, (ip6tables) ip6t is nil", err)
+		}
+		return err
 	}
 
 	if ip4t != nil {
@@ -354,10 +365,20 @@ func unforwardPorts(config *PortMapConf) error {
 	// Might be lying around from old versions
 	oldSnatChain := genOldSnatChain(config.Name, config.ContainerID)
 
-	ip4t := maybeGetIptables(false)
-	ip6t := maybeGetIptables(true)
+	ip4t, err4 := maybeGetIptables(false)
+	ip6t, err6 := maybeGetIptables(true)
 	if ip4t == nil && ip6t == nil {
-		return fmt.Errorf("neither iptables nor ip6tables usable")
+		err := fmt.Errorf("neither iptables nor ip6tables is usable")
+		if err4 != nil {
+			err = fmt.Errorf("%v, (iptables) %v", err, err4)
+		} else {
+			err = fmt.Errorf("%v, (iptables) ip4t is nil", err)
+		}
+		if err6 != nil {
+			err = fmt.Errorf("%v, (ip6tables) %v", err, err6)
+		} else {
+			err = fmt.Errorf("%v, (ip6tables) ip6t is nil", err)
+		return err
 	}
 
 	if ip4t != nil {
@@ -378,23 +399,23 @@ func unforwardPorts(config *PortMapConf) error {
 
 // maybeGetIptables implements the soft error swallowing. If iptables is
 // usable for the given protocol, returns a handle, otherwise nil
-func maybeGetIptables(isV6 bool) *iptables.IPTables {
+func maybeGetIptables(isV6 bool) (*iptables.IPTables, error) {
 	proto := iptables.ProtocolIPv4
 	if isV6 {
 		proto = iptables.ProtocolIPv6
 	}
 
 	ipt, err := iptables.NewWithProtocol(proto)
 	if err != nil {
-		return nil
+		return nil, err
 	}
 
 	_, err = ipt.List("nat", "OUTPUT")
 	if err != nil {
-		return nil
+		return nil, err
 	}
 
-	return ipt
+	return ipt, nil
 }
 
 // deletePortmapStaleConnections delete the UDP conntrack entries on the specified IP family