Merge pull request #71 from aojea/wait

iptables IsNotExist robustness
coreos · Dec 13, 2019 · c0ec0e7 · c0ec0e7
2 parents af017ce + ec15d21
commit c0ec0e7
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 2 deletions.
diff --git a/iptables/iptables.go b/iptables/iptables.go
@@ -49,8 +49,8 @@ func (e *Error) Error() string {
 // IsNotExist returns true if the error is due to the chain or rule not existing
 func (e *Error) IsNotExist() bool {
 	return e.ExitStatus() == 1 &&
-		(e.msg == fmt.Sprintf("%s: Bad rule (does a matching rule exist in that chain?).\n", getIptablesCommand(e.proto)) ||
-			e.msg == fmt.Sprintf("%s: No chain/target/match by that name.\n", getIptablesCommand(e.proto)))
+		strings.Contains(e.msg, fmt.Sprintf("%s: Bad rule (does a matching rule exist in that chain?).\n", getIptablesCommand(e.proto))) ||
+		strings.Contains(e.msg, fmt.Sprintf("%s: No chain/target/match by that name.\n", getIptablesCommand(e.proto)))
 }
 
 // Protocol to differentiate between IPv4 and IPv6

diff --git a/iptables/iptables_test.go b/iptables/iptables_test.go
@@ -452,6 +452,13 @@ func TestIsNotExist(t *testing.T) {
 	if !e.IsNotExist() {
 		t.Fatal("IsNotExist returned false, expected true")
 	}
+
+	// iptables may add more logs to the errors msgs
+	e.msg = "Another app is currently holding the xtables lock; waiting (1s) for it to exit..." + e.msg
+	if !e.IsNotExist() {
+		t.Fatal("IsNotExist returned false, expected true")
+	}
+
 }
 
 func TestIsNotExistForIPv6(t *testing.T) {
@@ -514,6 +521,12 @@ func TestIsNotExistForIPv6(t *testing.T) {
 	if !e.IsNotExist() {
 		t.Fatal("IsNotExist returned false, expected true")
 	}
+
+	// iptables may add more logs to the errors msgs
+	e.msg = "Another app is currently holding the xtables lock; waiting (1s) for it to exit..." + e.msg
+	if !e.IsNotExist() {
+		t.Fatal("IsNotExist returned false, expected true")
+	}
 }
 
 func TestFilterRuleOutput(t *testing.T) {