Fix check for existing ip table chain names

gememma · gememma · commit c27a1fee95e0 · 2025-04-08T16:14:57.000+01:00
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/mirrord/agent/Cargo.toml b/mirrord/agent/Cargo.toml
@@ -49,7 +49,6 @@ hickory-resolver.workspace = true
 bollard = "0.18"
 tokio-util.workspace = true
 streammap-ext.workspace = true
-sysinfo = "0.29"
 libc.workspace = true
 faccess = "0.2"
 bytes.workspace = true
diff --git a/mirrord/agent/iptables/src/error.rs b/mirrord/agent/iptables/src/error.rs
@@ -15,6 +15,12 @@ impl From<io::Error> for IPTablesError {
     }
 }
 
+impl From<String> for IPTablesError {
+    fn from(value: String) -> Self {
+        Self(value.into())
+    }
+}
+
 impl From<IPTablesError> for Arc<dyn Error + Send + Sync + 'static> {
     fn from(value: IPTablesError) -> Self {
         value.0.into()
diff --git a/mirrord/agent/iptables/src/lib.rs b/mirrord/agent/iptables/src/lib.rs
@@ -186,15 +186,26 @@ where
         let ipt = Arc::new(ipt);
 
         tracing::trace!("checking for leftover or existing iptable chains...");
-        // FIXME: change from .ok().len(), need a map over inner, could probably collect into a vec
-        // then .len() if ipt.list_rules(IPTABLE_PREROUTING).ok().len() > 0 ||
-        //     ipt.list_rules(IPTABLE_MESH).ok().len() > 0 ||
-        //     ipt.list_rules(IPTABLE_STANDARD).ok().len() > 0 {
-        //     // either another agent is running or it failed to properly clean up
-        //     return Err("Dirty IP table detected in target. Either another mirrord agent is already running, or a previous agent failed to properly clean up after itself.".into())
-        // }
-        // panic here? inspect the stacktrace
-        panic!();
+        // FIXME: this is so ugly
+        for name in [IPTABLE_PREROUTING, IPTABLE_MESH, IPTABLE_STANDARD] {
+            if ipt
+                .list_rules(name)
+                .ok()
+                .iter()
+                .flatten()
+                .collect::<Vec<_>>()
+                .len()
+                > 0
+            {
+                // either another agent is running or it failed to properly clean up
+                return Err(
+                    "Dirty IP table detected in target. Either another mirrord agent is already \
+                running, or a previous agent failed to properly clean up after itself."
+                        .to_string()
+                        .into(),
+                );
+            }
+        }
 
         let mut redirect = if let Some(vendor) = MeshVendor::detect(ipt.as_ref())? {
             match &vendor {
diff --git a/mirrord/agent/iptables/src/mesh.rs b/mirrord/agent/iptables/src/mesh.rs
@@ -238,27 +238,27 @@ mod tests {
         create_mesh_list_values(&mut mock);
 
         mock.expect_create_chain()
-            .with(eq(IPTABLE_PREROUTING.as_str()))
+            .with(eq(IPTABLE_PREROUTING))
             .times(1)
             .returning(|_| Ok(()));
 
         mock.expect_insert_rule()
             .with(
-                eq(IPTABLE_PREROUTING.as_str()),
+                eq(IPTABLE_PREROUTING),
                 eq("-m tcp -p tcp --dport 69 -j REDIRECT --to-ports 420"),
                 eq(1),
             )
             .times(1)
             .returning(|_, _, _| Ok(()));
 
         mock.expect_create_chain()
-            .with(eq(IPTABLE_MESH.as_str()))
+            .with(eq(IPTABLE_MESH))
             .times(1)
             .returning(|_| Ok(()));
 
         mock.expect_insert_rule()
             .with(
-                eq(IPTABLE_MESH.as_str()),
+                eq(IPTABLE_MESH),
                 eq(format!("-m owner --gid-owner {gid} -p tcp  -j RETURN")),
                 eq(1),
             )
@@ -267,20 +267,20 @@ mod tests {
 
         mock.expect_insert_rule()
             .with(
-                eq(IPTABLE_MESH.as_str()),
+                eq(IPTABLE_MESH),
                 eq("-o lo -m tcp -p tcp --dport 69 -j REDIRECT --to-ports 420"),
                 eq(2),
             )
             .times(1)
             .returning(|_, _, _| Ok(()));
 
         mock.expect_remove_chain()
-            .with(eq(IPTABLE_PREROUTING.as_str()))
+            .with(eq(IPTABLE_PREROUTING))
             .times(1)
             .returning(|_| Ok(()));
 
         mock.expect_remove_chain()
-            .with(eq(IPTABLE_MESH.as_str()))
+            .with(eq(IPTABLE_MESH))
             .times(1)
             .returning(|_| Ok(()));
 
diff --git a/mirrord/agent/iptables/src/prerouting.rs b/mirrord/agent/iptables/src/prerouting.rs
@@ -95,21 +95,21 @@ mod tests {
         let mut mock = MockIPTables::new();
 
         mock.expect_create_chain()
-            .with(eq(IPTABLE_PREROUTING.as_str()))
+            .with(eq(IPTABLE_PREROUTING))
             .times(1)
             .returning(|_| Ok(()));
 
         mock.expect_insert_rule()
             .with(
-                eq(IPTABLE_PREROUTING.as_str()),
+                eq(IPTABLE_PREROUTING),
                 eq("-m tcp -p tcp --dport 69 -j REDIRECT --to-ports 420"),
                 eq(1),
             )
             .times(1)
             .returning(|_, _, _| Ok(()));
 
         mock.expect_remove_chain()
-            .with(eq(IPTABLE_PREROUTING.as_str()))
+            .with(eq(IPTABLE_PREROUTING))
             .times(1)
             .returning(|_| Ok(()));
 
@@ -123,13 +123,13 @@ mod tests {
         let mut mock = MockIPTables::new();
 
         mock.expect_create_chain()
-            .with(eq(IPTABLE_PREROUTING.as_str()))
+            .with(eq(IPTABLE_PREROUTING))
             .times(1)
             .returning(|_| Ok(()));
 
         mock.expect_insert_rule()
             .with(
-                eq(IPTABLE_PREROUTING.as_str()),
+                eq(IPTABLE_PREROUTING),
                 eq("-m tcp -p tcp --dport 69 -j REDIRECT --to-ports 420"),
                 eq(1),
             )
@@ -138,15 +138,15 @@ mod tests {
 
         mock.expect_insert_rule()
             .with(
-                eq(IPTABLE_PREROUTING.as_str()),
+                eq(IPTABLE_PREROUTING),
                 eq("-m tcp -p tcp --dport 169 -j REDIRECT --to-ports 1420"),
                 eq(2),
             )
             .times(1)
             .returning(|_, _, _| Ok(()));
 
         mock.expect_remove_chain()
-            .with(eq(IPTABLE_PREROUTING.as_str()))
+            .with(eq(IPTABLE_PREROUTING))
             .times(1)
             .returning(|_| Ok(()));
 
@@ -161,20 +161,20 @@ mod tests {
         let mut mock = MockIPTables::new();
 
         mock.expect_create_chain()
-            .with(eq(IPTABLE_PREROUTING.as_str()))
+            .with(eq(IPTABLE_PREROUTING))
             .times(1)
             .returning(|_| Ok(()));
 
         mock.expect_remove_rule()
             .with(
-                eq(IPTABLE_PREROUTING.as_str()),
+                eq(IPTABLE_PREROUTING),
                 eq("-m tcp -p tcp --dport 69 -j REDIRECT --to-ports 420"),
             )
             .times(1)
             .returning(|_, _| Ok(()));
 
         mock.expect_remove_chain()
-            .with(eq(IPTABLE_PREROUTING.as_str()))
+            .with(eq(IPTABLE_PREROUTING))
             .times(1)
             .returning(|_| Ok(()));
 

Original file line number	Diff line number	Diff line change
`@@ -15,6 +15,12 @@ impl From<io::Error> for IPTablesError {`
`15`	`15`	`}`
`16`	`16`	`}`
`17`	`17`
	`18`	`+impl From<String> for IPTablesError {`
	`19`	`+ fn from(value: String) -> Self {`
	`20`	`+ Self(value.into())`
	`21`	`+ }`
	`22`	`+}`
	`23`	`+`
`18`	`24`	`impl From<IPTablesError> for Arc<dyn Error + Send + Sync + 'static> {`
`19`	`25`	`fn from(value: IPTablesError) -> Self {`
`20`	`26`	`value.0.into()`