#!/bin/sh

# Copyright 2020 The Kubernetes Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# NOTE: This can only use POSIX /bin/sh features; the container image
# might not contain bash.

# This is a Cilium variant of the original Kubernetes iptablejs-wrapper
# the change is to follow Kube-proxy instead of Kubelet. This fixes
# issues where kube-proxy and kubelet iptables versions are not in
# sync and we observed kube-proxy incorrectly using different ipt/nft
# configuration from kubelet.

set -eu

# In kubernetes 1.17 and later, kubelet will have created at least
# one chain in the "mangle" table (either "KUBE-IPTABLES-HINT" or
# "KUBE-KUBELET-CANARY"), we expect kubeproxy will follow similar
# pattern so we check that first, against iptables-nft, because we
# can check that more efficiently and it's more common these days.
nft_kubeproxy_rules=$( (iptables-nft-save -t mangle || true; ip6tables-nft-save -t mangle || true) 2>/dev/null | grep -E '^:(KUBE-IPTABLES-HINT|KUBE-PROXY-CANARY)' | wc -l)
if [ "${nft_kubeproxy_rules}" -ne 0 ]; then
    mode=nft
else
    # Next lets check for a kubeproxy canary in iptables indicating
    # kube-proxy is using ipt.
    legacy_kubeproxy_rules=$( (iptables-legacy-save || true; ip6tables-legacy-save || true) 2>/dev/null | grep -E '^:(KUBE-IPTABLES-HINT|KUBE-PROXY-CANARY)' | wc -l)
    if [ "${legacy_kubeproxy_rules}" -ne 0 ]; then
        mode=legacy
    else
	# If we did not find a kube proxy canary either we started before
	# kube-proxy or it doesn't exist so lets use ipwrapper standard
	# logic to follow kubelet.
        nft_kubelet_rules=$( (iptables-nft-save -t mangle || true; ip6tables-nft-save -t mangle || true) 2>/dev/null | grep -E '^:KUBE-KUBELET-CANARY' | wc -l)
        if [ "${nft_kubeproxy_rules}" -ne 0 ]; then
		mode = nft
	else
    	    # Check for kubernetes 1.17-or-later with iptables-legacy. We
    	    # can't pass "-t mangle" to iptables-legacy-save because it would
    	    # cause the kernel to create that table if it didn't already
    	    # exist, which we don't want. So we have to grab all the rules
    	    legacy_kubelet_rules=$( (iptables-legacy-save || true; ip6tables-legacy-save || true) 2>/dev/null | grep -E '^:KUBE-KUBELET-CANARY' | wc -l)
    	    if [ "${legacy_kubelet_rules}" -ne 0 ]; then
    	        mode=legacy
    	    else
    	        # With older kubernetes releases there may not be any _specific_
    	        # rules we can look for, but we assume that some non-containerized process
    	        # (possibly kubelet) will have created _some_ iptables rules.
    	        num_legacy_lines=$( (iptables-legacy-save || true; ip6tables-legacy-save || true) 2>/dev/null | grep '^-' | wc -l)
	        num_nft_lines=$( (iptables-nft-save || true; ip6tables-nft-save || true) 2>/dev/null | grep '^-' | wc -l)
                if [ "${num_legacy_lines}" -gt "${num_nft_lines}" ]; then
            	    mode=legacy
                else
            	    mode=nft
	        fi
            fi
	fi
    fi
fi

# Update links to point to the selected binaries
for cmd in iptables iptables-save iptables-restore ip6tables ip6tables-save ip6tables-restore; do
    rm -f "/usr/sbin/${cmd}"
    ln -s "/usr/sbin/xtables-${mode}-multi" "/usr/sbin/${cmd}"
done 2>/dev/null || failed=1
if [ "${failed:-0}" = 1 ]; then
    echo "Unable to redirect iptables binaries. (Are you running in an unprivileged pod?)" 1>&2
    # fake it, though this will probably also fail if they aren't root
    exec "/usr/sbin/xtables-${mode}-multi" "$0" "$@"
fi

# Now re-exec the original command with the newly-selected alternative
exec "$0" "$@"
