From b62c0be2b5736095d1509469eb83c50f839977ac Mon Sep 17 00:00:00 2001 From: perezjasonr Date: Mon, 14 Dec 2020 11:04:22 -0500 Subject: [PATCH 1/3] changes that account for ubi instead of debian as base image --- Dockerfile | 94 ++++++++++++++++++-------- download.yaml | 67 ++++++++++++++++-- signatures/RPM-GPG-KEY-CentOS-Official | 30 ++++++++ 3 files changed, 156 insertions(+), 35 deletions(-) create mode 100644 signatures/RPM-GPG-KEY-CentOS-Official diff --git a/Dockerfile b/Dockerfile index cacd6b3..f8ee519 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,6 +1,6 @@ ARG BASE_REGISTRY=registry1.dsop.io ARG BASE_IMAGE=ironbank/redhat/ubi/ubi8 -ARG BASE_TAG=8.2 +ARG BASE_TAG=8.3 FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} AS builder 
@@ -16,6 +16,65 @@ RUN dnf upgrade -y && \ cd $GOPATH/src/k8s.io/kubernetes/ && \ make WHAT=cmd/kube-proxy +COPY texinfo.tar.gz bison.tar.gz flex.tar.gz signatures/RPM-GPG-KEY-CentOS-Official \ + libtirpc-devel.rpm libmnl.tar.bz2 libnetfilter_conntrack.tar.bz2 \ + libnetfilter_cthelper.tar.bz2 libnetfilter_cttimeout.tar.bz2 \ + libnetfilter_queue.tar.bz2 texinfo.tar.gz libnfnetlink.tar.bz2 conntrack-tools.tar.bz2 / + +ENV PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin + +# Install necessary container packages for conntrack +# TODO: use WORKDIR? + +RUN dnf upgrade -y && \ + dnf install -y automake autoconf make gcc iptables ipset kmod bzip2 m4 \ + diffutils pkgconf pkgconf-m4 pkgconf-pkg-config man-db && \ + mkdir -p /usr/src/texinfo && \ + tar -zxf /texinfo.tar.gz --strip-components=1 -C /usr/src/texinfo && \ + cd /usr/src/texinfo && \ + ./configure && make && make install && \ + mkdir -p /usr/src/bison && \ + tar -zxf /bison.tar.gz --strip-components=1 -C /usr/src/bison && \ + cd /usr/src/bison && \ + ./configure && make && make install && \ + mkdir -p /usr/src/flex && \ + tar -zxf /flex.tar.gz --strip-components=1 -C /usr/src/flex && \ + cd /usr/src/flex && \ + ./configure && make && make install && \ + rpm --import /RPM-GPG-KEY-CentOS-Official && \ + rpm -iv /libtirpc-devel.rpm && \ + mkdir -p /usr/src/libnfnetlink && \ + tar -jxf /libnfnetlink.tar.bz2 --strip-components=1 -C /usr/src/libnfnetlink && \ + cd /usr/src/libnfnetlink && \ + ./configure && make && make install && \ + mkdir -p /usr/src/libmnl && \ + tar -jxf /libmnl.tar.bz2 --strip-components=1 -C /usr/src/libmnl && \ + cd /usr/src/libmnl && \ + ./configure && make && make install + +ENV PKG_CONFIG_PATH=/usr/local/lib/pkgconfig + +RUN mkdir -p /usr/src/libnetfilter_conntrack && \ + tar -jxf /libnetfilter_conntrack.tar.bz2 --strip-components=1 -C /usr/src/libnetfilter_conntrack && \ + cd /usr/src/libnetfilter_conntrack && \ + ./configure && make && make install && \ + mkdir -p 
/usr/src/libnetfilter_cttimeout && \ + tar -jxf /libnetfilter_cttimeout.tar.bz2 --strip-components=1 -C /usr/src/libnetfilter_cttimeout && \ + cd /usr/src/libnetfilter_cttimeout && \ + ./configure && make && make install && \ + mkdir -p /usr/src/libnetfilter_cthelper && \ + tar -jxf /libnetfilter_cthelper.tar.bz2 --strip-components=1 -C /usr/src/libnetfilter_cthelper && \ + cd /usr/src/libnetfilter_cthelper && \ + ./configure && make && make install && \ + mkdir -p /usr/src/libnetfilter_queue && \ + tar -jxf /libnetfilter_queue.tar.bz2 --strip-components=1 -C /usr/src/libnetfilter_queue && \ + cd /usr/src/libnetfilter_queue && \ + ./configure && make && make install && \ + mkdir -p /usr/src/conntrack-tools && \ + tar -jxf /conntrack-tools.tar.bz2 --strip-components=1 -C /usr/src/conntrack-tools && \ + cd /usr/src/conntrack-tools && \ + ./configure && make && make install + FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} LABEL org.opencontainers.image.title="kube-proxy" \ 
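Review bot: Importing the CentOS key with `rpm --import` does not by itself make the following `rpm -iv /libtirpc-devel.rpm` fail closed: by default rpm installs a package whose signature it cannot verify (unsigned, or signed by a key absent from the rpmdb) with only a NOKEY warning, and refuses only when a signature is present and bad. The sha256 pin in download.yaml is the real integrity check here, so to make the key import meaningful verify explicitly and abort on failure, e.g. `rpm --checksig /libtirpc-devel.rpm && rpm -iv /libtirpc-devel.rpm`. Minor: `texinfo.tar.gz` appears twice in the COPY list, and the `# TODO: use WORKDIR?` comment points at the repeated `mkdir -p … && tar … -C … && cd …` triples, which a per-package `WORKDIR` would shorten. The second RUN's `./configure && make && make install` chain continues onto the next physical line of this hunk.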
@@ -26,38 +85,13 @@ LABEL org.opencontainers.image.title="kube-proxy" \ maintainer="cht@dsop.io" COPY --from=builder /src/k8s.io/kubernetes/_output/bin/kube-proxy /usr/local/bin/ -COPY scripts/iptables-wrapper ebtables-2.0.11.tar.gz / +COPY --from=builder /usr/local/sbin/conntrack /usr/local/sbin/conntrack + ENV PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin -# Install necessary container packages and etables + RUN dnf upgrade -y && \ - dnf install -y make gcc iptables ipset kmod && \ - tar xzf ebtables-2.0.11.tar.gz && \ - rm -f ebtables-2.0.11.tar.gz && \ - cd ebtables-2.0.11 && \ - ./configure && \ - make && \ - make install && \ - cd .. && \ - mv iptables-wrapper /usr/sbin/iptables-wrapper && \ - chmod +x /usr/sbin/iptables-wrapper && \ - dnf remove -y make && \ - dnf remove -y gcc && \ - dnf remove -y unbound-libs && \ - dnf remove -y python3-unbound && \ + dnf install -y iptables ipset kmod && \ dnf clean all && \ rm -rf /var/cache/dnf -# Run script commands for iptables-wrapper -RUN update-alternatives \ - --install /usr/sbin/iptables iptables /usr/sbin/iptables-wrapper 100 \ - --slave /usr/sbin/iptables-restore iptables-restore /usr/sbin/iptables-wrapper \ - --slave /usr/sbin/iptables-save iptables-save /usr/sbin/iptables-wrapper - -RUN update-alternatives \ - --install /usr/sbin/ip6tables ip6tables /usr/sbin/iptables-wrapper 100 \ - --slave /usr/sbin/ip6tables-restore ip6tables-restore /usr/sbin/iptables-wrapper \ - --slave /usr/sbin/ip6tables-save ip6tables-save /usr/sbin/iptables-wrapper - -RUN chmod 0755 /usr/sbin/iptables-wrapper - CMD ["/bin/sh"] diff --git a/download.yaml b/download.yaml index 5dbae17..6917fd8 100644 --- a/download.yaml +++ b/download.yaml 
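Review bot: The final stage copies only `/usr/local/sbin/conntrack` from the builder, but conntrack-tools was built there against libnetfilter_conntrack, libnetfilter_cttimeout, libnetfilter_cthelper, libnetfilter_queue, libmnl and libnfnetlink, all installed by `make install` into the builder's /usr/local/lib, and none of those shared objects are copied, so unless conntrack was linked statically (nothing in the configure invocations asks for that) the binary will fail to load in the runtime image. Either add `COPY --from=builder /usr/local/lib /usr/local/lib` (and run `ldconfig` or set the library path) or build conntrack-tools statically, and add a smoke test such as `RUN conntrack --version` after the COPY so the build fails instead of the pod. Dropping iptables-wrapper also means kube-proxy now gets whichever iptables backend the UBI `iptables` package provides, with no detection of the host's legacy/nft mode; the series' last commit presents that as deliberate, but it is worth recording in a comment next to `dnf install -y iptables ipset kmod`.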
@@ -6,11 +6,68 @@ resources: type: sha256 value: 20f79e559cfec625ea15102bf7eab53abf6f796db38f0345bfd18c1bb4c41f6c - - url: http://ftp.netfilter.org/pub/ebtables/ebtables-2.0.11.tar.gz - filename: ebtables-2.0.11.tar.gz + - filename: texinfo.tar.gz + url: "https://ftp.gnu.org/gnu/texinfo/texinfo-6.7.tar.gz" validation: type: sha256 - value: b71f654784a726329f88b412ef7b96b4e5d786ed2bd28193ed7b4c0d677dfd2a - + value: a52d05076b90032cb2523673c50e53185938746482cf3ca0213e9b4b50ac2d3e - + - filename: bison.tar.gz + url: "http://ftp.gnu.org/gnu/bison/bison-3.5.4.tar.gz" + validation: + type: sha256 + value: c0dd154dfaba63553a892d41dc400c7baa88cc06a1e2e27813fdd503715e4c28 + + - filename: flex.tar.gz + url: "https://github.com/westes/flex/releases/download/v2.6.4/flex-2.6.4.tar.gz" + validation: + type: sha256 + value: e87aae032bf07c26f85ac0ed3250998c37621d95f8bd748b31f15b33c45ee995 + + - filename: libtirpc-devel.rpm + url: "http://mirror.centos.org/centos/8/BaseOS/x86_64/os/Packages/libtirpc-devel-1.1.4-4.el8.x86_64.rpm" + validation: + type: sha256 + value: 4d3a43db83a983b7a375f18c87a9cc0298867e875b11571496ce42eaa3653d75 + + - filename: libnfnetlink.tar.bz2 + url: "http://netfilter.org/projects/libnfnetlink/files/libnfnetlink-1.0.1.tar.bz2" + validation: + type: sha256 + value: f270e19de9127642d2a11589ef2ec97ef90a649a74f56cf9a96306b04817b51a + + - filename: libmnl.tar.bz2 + url: "https://netfilter.org/projects/libmnl/files/libmnl-1.0.4.tar.bz2" + validation: + type: sha256 + value: 171f89699f286a5854b72b91d06e8f8e3683064c5901fb09d954a9ab6f551f81 + + - filename: libnetfilter_conntrack.tar.bz2 + url: "https://netfilter.org/projects/libnetfilter_conntrack/files/libnetfilter_conntrack-1.0.8.tar.bz2" + validation: + type: sha256 + value: 0cd13be008923528687af6c6b860f35392d49251c04ee0648282d36b1faec1cf + + - filename: libnetfilter_cttimeout.tar.bz2 + url: "https://netfilter.org/projects/libnetfilter_cttimeout/files/libnetfilter_cttimeout-1.0.0.tar.bz2" + validation: + type: 
sha256 + value: aeab12754f557cba3ce2950a2029963d817490df7edb49880008b34d7ff8feba + + - filename: libnetfilter_cthelper.tar.bz2 + url: "https://netfilter.org/projects/libnetfilter_cthelper/files/libnetfilter_cthelper-1.0.0.tar.bz2" + validation: + type: sha256 + value: 07618e71c4d9a6b6b3dc1986540486ee310a9838ba754926c7d14a17d8fccf3d + + - filename: libnetfilter_queue.tar.bz2 + url: "https://netfilter.org/projects/libnetfilter_queue/files/libnetfilter_queue-1.0.5.tar.bz2" + validation: + type: sha256 + value: f9ff3c11305d6e03d81405957bdc11aea18e0d315c3e3f48da53a24ba251b9f5 + + - filename: conntrack-tools.tar.bz2 + url: "http://ftp.netfilter.org/pub/conntrack-tools/conntrack-tools-1.4.6.tar.bz2" + validation: + type: sha256 + value: 590859cc848245dbfd9c6487761dd303b3a1771e007f4f42213063ca56205d5f diff --git a/signatures/RPM-GPG-KEY-CentOS-Official b/signatures/RPM-GPG-KEY-CentOS-Official new file mode 100644 index 0000000..30235a8 --- /dev/null +++ b/signatures/RPM-GPG-KEY-CentOS-Official 
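Review bot: Four of the new resources are fetched over plain `http://` (bison from ftp.gnu.org, libtirpc-devel from mirror.centos.org, libnfnetlink from netfilter.org and conntrack-tools from ftp.netfilter.org) while the same list already uses `https://` for texinfo and the other netfilter tarballs; the sha256 values stop a tampered download from being used, but switching these four URLs to `https://` costs nothing and removes the cleartext fetch. The libtirpc-devel RPM is also the only prebuilt binary here and comes from a CentOS mirror rather than the UBI base's own repositories; if it must stay, add a comment stating which release it was pinned from (the path says 8/BaseOS) so the pin is re-checked when the base image moves, since mirror.centos.org generally serves only current releases rather than a permanent archive.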
@@ -0,0 +1,30 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: GnuPG v2.0.22 (GNU/Linux) + +mQINBFzMWxkBEADHrskpBgN9OphmhRkc7P/YrsAGSvvl7kfu+e9KAaU6f5MeAVyn +rIoM43syyGkgFyWgjZM8/rur7EMPY2yt+2q/1ZfLVCRn9856JqTIq0XRpDUe4nKQ +8BlA7wDVZoSDxUZkSuTIyExbDf0cpw89Tcf62Mxmi8jh74vRlPy1PgjWL5494b3X +5fxDidH4bqPZyxTBqPrUFuo+EfUVEqiGF94Ppq6ZUvrBGOVo1V1+Ifm9CGEK597c +aevcGc1RFlgxIgN84UpuDjPR9/zSndwJ7XsXYvZ6HXcKGagRKsfYDWGPkA5cOL/e +f+yObOnC43yPUvpggQ4KaNJ6+SMTZOKikM8yciyBwLqwrjo8FlJgkv8Vfag/2UR7 +JINbyqHHoLUhQ2m6HXSwK4YjtwidF9EUkaBZWrrskYR3IRZLXlWqeOi/+ezYOW0m +vufrkcvsh+TKlVVnuwmEPjJ8mwUSpsLdfPJo1DHsd8FS03SCKPaXFdD7ePfEjiYk +nHpQaKE01aWVSLUiygn7F7rYemGqV9Vt7tBw5pz0vqSC72a5E3zFzIIuHx6aANry +Gat3aqU3qtBXOrA/dPkX9cWE+UR5wo/A2UdKJZLlGhM2WRJ3ltmGT48V9CeS6N9Y +m4CKdzvg7EWjlTlFrd/8WJ2KoqOE9leDPeXRPncubJfJ6LLIHyG09h9kKQARAQAB +tDpDZW50T1MgKENlbnRPUyBPZmZpY2lhbCBTaWduaW5nIEtleSkgPHNlY3VyaXR5 +QGNlbnRvcy5vcmc+iQI3BBMBAgAhBQJczFsZAhsDBgsJCAcDAgYVCAIJCgsDFgIB +Ah4BAheAAAoJEAW1VbOEg8ZdjOsP/2ygSxH9jqffOU9SKyJDlraL2gIutqZ3B8pl +Gy/Qnb9QD1EJVb4ZxOEhcY2W9VJfIpnf3yBuAto7zvKe/G1nxH4Bt6WTJQCkUjcs +N3qPWsx1VslsAEz7bXGiHym6Ay4xF28bQ9XYIokIQXd0T2rD3/lNGxNtORZ2bKjD +vOzYzvh2idUIY1DgGWJ11gtHFIA9CvHcW+SMPEhkcKZJAO51ayFBqTSSpiorVwTq +a0cB+cgmCQOI4/MY+kIvzoexfG7xhkUqe0wxmph9RQQxlTbNQDCdaxSgwbF2T+gw +byaDvkS4xtR6Soj7BKjKAmcnf5fn4C5Or0KLUqMzBtDMbfQQihn62iZJN6ZZ/4dg +q4HTqyVpyuzMXsFpJ9L/FqH2DJ4exGGpBv00ba/Zauy7GsqOc5PnNBsYaHCply0X +407DRx51t9YwYI/ttValuehq9+gRJpOTTKp6AjZn/a5Yt3h6jDgpNfM/EyLFIY9z +V6CXqQQ/8JRvaik/JsGCf+eeLZOw4koIjZGEAg04iuyNTjhx0e/QHEVcYAqNLhXG +rCTTbCn3NSUO9qxEXC+K/1m1kaXoCGA0UWlVGZ1JSifbbMx0yxq/brpEZPUYm+32 +o8XfbocBWljFUJ+6aljTvZ3LQLKTSPW7TFO+GXycAOmCGhlXh2tlc6iTc41PACqy +yy+mHmSv +=kkH7 +-----END PGP PUBLIC KEY BLOCK----- -- GitLab From 68268e9bc05b19b5117ab9584279c548c8b8abd0 Mon Sep 17 00:00:00 2001 
From: perezjasonr Date: Mon, 14 Dec 2020 11:48:20 -0500 Subject: [PATCH 2/3] fixing indentation issue with hardening manifest --- hardening_manifest.yaml | 80 ++++++++++++++++++++--------------------- 1 file changed, 40 insertions(+), 40 deletions(-) diff --git a/hardening_manifest.yaml b/hardening_manifest.yaml index 745474d..8912f7c 100644 --- a/hardening_manifest.yaml +++ b/hardening_manifest.yaml 
@@ -48,55 +48,55 @@ resources: type: sha256 value: a52d05076b90032cb2523673c50e53185938746482cf3ca0213e9b4b50ac2d3e - filename: bison.tar.gz - url: "http://ftp.gnu.org/gnu/bison/bison-3.5.4.tar.gz" - validation: - type: sha256 - value: c0dd154dfaba63553a892d41dc400c7baa88cc06a1e2e27813fdd503715e4c28 + url: "http://ftp.gnu.org/gnu/bison/bison-3.5.4.tar.gz" + validation: + type: sha256 + value: c0dd154dfaba63553a892d41dc400c7baa88cc06a1e2e27813fdd503715e4c28 - filename: flex.tar.gz - url: "https://github.com/westes/flex/releases/download/v2.6.4/flex-2.6.4.tar.gz" - validation: - type: sha256 - value: e87aae032bf07c26f85ac0ed3250998c37621d95f8bd748b31f15b33c45ee995 + url: "https://github.com/westes/flex/releases/download/v2.6.4/flex-2.6.4.tar.gz" + validation: + type: sha256 + value: e87aae032bf07c26f85ac0ed3250998c37621d95f8bd748b31f15b33c45ee995 - filename: libtirpc-devel.rpm - url: "http://mirror.centos.org/centos/8/BaseOS/x86_64/os/Packages/libtirpc-devel-1.1.4-4.el8.x86_64.rpm" - validation: - type: sha256 - value: 4d3a43db83a983b7a375f18c87a9cc0298867e875b11571496ce42eaa3653d75 + url: "http://mirror.centos.org/centos/8/BaseOS/x86_64/os/Packages/libtirpc-devel-1.1.4-4.el8.x86_64.rpm" + validation: + type: sha256 + value: 4d3a43db83a983b7a375f18c87a9cc0298867e875b11571496ce42eaa3653d75 - filename: libnfnetlink.tar.bz2 - url: "http://netfilter.org/projects/libnfnetlink/files/libnfnetlink-1.0.1.tar.bz2" - validation: - type: sha256 - value: f270e19de9127642d2a11589ef2ec97ef90a649a74f56cf9a96306b04817b51a + url: "http://netfilter.org/projects/libnfnetlink/files/libnfnetlink-1.0.1.tar.bz2" + validation: + type: sha256 + value: f270e19de9127642d2a11589ef2ec97ef90a649a74f56cf9a96306b04817b51a - filename: libmnl.tar.bz2 - url: "https://netfilter.org/projects/libmnl/files/libmnl-1.0.4.tar.bz2" - validation: - type: sha256 - value: 171f89699f286a5854b72b91d06e8f8e3683064c5901fb09d954a9ab6f551f81 + url: "https://netfilter.org/projects/libmnl/files/libmnl-1.0.4.tar.bz2" + 
validation: + type: sha256 + value: 171f89699f286a5854b72b91d06e8f8e3683064c5901fb09d954a9ab6f551f81 - filename: libnetfilter_conntrack.tar.bz2 - url: "https://netfilter.org/projects/libnetfilter_conntrack/files/libnetfilter_conntrack-1.0.8.tar.bz2" - validation: - type: sha256 - value: 0cd13be008923528687af6c6b860f35392d49251c04ee0648282d36b1faec1cf + url: "https://netfilter.org/projects/libnetfilter_conntrack/files/libnetfilter_conntrack-1.0.8.tar.bz2" + validation: + type: sha256 + value: 0cd13be008923528687af6c6b860f35392d49251c04ee0648282d36b1faec1cf - filename: libnetfilter_cttimeout.tar.bz2 - url: "https://netfilter.org/projects/libnetfilter_cttimeout/files/libnetfilter_cttimeout-1.0.0.tar.bz2" - validation: - type: sha256 - value: aeab12754f557cba3ce2950a2029963d817490df7edb49880008b34d7ff8feba + url: "https://netfilter.org/projects/libnetfilter_cttimeout/files/libnetfilter_cttimeout-1.0.0.tar.bz2" + validation: + type: sha256 + value: aeab12754f557cba3ce2950a2029963d817490df7edb49880008b34d7ff8feba - filename: libnetfilter_cthelper.tar.bz2 - url: "https://netfilter.org/projects/libnetfilter_cthelper/files/libnetfilter_cthelper-1.0.0.tar.bz2" - validation: - type: sha256 - value: 07618e71c4d9a6b6b3dc1986540486ee310a9838ba754926c7d14a17d8fccf3d + url: "https://netfilter.org/projects/libnetfilter_cthelper/files/libnetfilter_cthelper-1.0.0.tar.bz2" + validation: + type: sha256 + value: 07618e71c4d9a6b6b3dc1986540486ee310a9838ba754926c7d14a17d8fccf3d - filename: libnetfilter_queue.tar.bz2 - url: "https://netfilter.org/projects/libnetfilter_queue/files/libnetfilter_queue-1.0.5.tar.bz2" - validation: - type: sha256 - value: f9ff3c11305d6e03d81405957bdc11aea18e0d315c3e3f48da53a24ba251b9f5 + url: "https://netfilter.org/projects/libnetfilter_queue/files/libnetfilter_queue-1.0.5.tar.bz2" + validation: + type: sha256 + value: f9ff3c11305d6e03d81405957bdc11aea18e0d315c3e3f48da53a24ba251b9f5 - filename: conntrack-tools.tar.bz2 - url: 
"http://ftp.netfilter.org/pub/conntrack-tools/conntrack-tools-1.4.6.tar.bz2" - validation: - type: sha256 - value: 590859cc848245dbfd9c6487761dd303b3a1771e007f4f42213063ca56205d5f + url: "http://ftp.netfilter.org/pub/conntrack-tools/conntrack-tools-1.4.6.tar.bz2" + validation: + type: sha256 + value: 590859cc848245dbfd9c6487761dd303b3a1771e007f4f42213063ca56205d5f # List of project maintainers # FIXME: Fill in the following details for the current container owner in the whitelist -- GitLab From afba9360bcf891f7501272edaa2285e8519dda03 Mon Sep 17 00:00:00 2001 From: perezjasonr Date: Mon, 14 Dec 2020 14:04:15 -0500 Subject: [PATCH 3/3] last updates to hardening manifest and cleaning up dockerfile also iptables-wrapper is removed since it wont work with our ubi base --- Dockerfile | 1 - hardening_manifest.yaml | 8 ++++---- scripts/iptables-wrapper | 44 ---------------------------------------- 3 files changed, 4 insertions(+), 49 deletions(-) delete mode 100755 scripts/iptables-wrapper diff --git a/Dockerfile b/Dockerfile index 295953b..4fea996 100644 --- a/Dockerfile +++ b/Dockerfile @@ -77,7 +77,6 @@ RUN mkdir -p /usr/src/libnetfilter_conntrack && \ FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} - COPY --from=builder /src/k8s.io/kubernetes/_output/bin/kube-proxy /usr/local/bin/ COPY --from=builder /usr/local/sbin/conntrack /usr/local/sbin/conntrack diff --git a/hardening_manifest.yaml b/hardening_manifest.yaml index 8912f7c..8184e72 100644 --- a/hardening_manifest.yaml +++ b/hardening_manifest.yaml 
@@ -102,9 +102,9 @@ resources: # FIXME: Fill in the following details for the current container owner in the whitelist # FIXME: Include any other vendor information if applicable maintainers: -- email: "gavin.scallon@parsons.com" +- email: "jperez2@novetta.com" # # The name of the current container owner - name: "Gavin Scallon" + name: "Jason Perez" # # The gitlab username of the current container owner - username: "gavin.scallon" - cht_member: true + username: "jperez2" + cht_member: false diff --git a/scripts/iptables-wrapper b/scripts/iptables-wrapper deleted file mode 100755 index 75f0c36..0000000 --- a/scripts/iptables-wrapper +++ /dev/null 
@@ -1,44 +0,0 @@ -#!/bin/sh - -# Copyright 2019 The Kubernetes Authors. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -set -e - -# Detect whether the base system is using iptables-legacy or -# iptables-nft. This assumes that some non-containerized process (eg -# kubelet) has already created some iptables rules. - -# Bugs in iptables-nft 1.8.3 may cause it to get stuck in a loop in -# some circumstances, so we have to run the nft check in a timeout. To -# avoid hitting that timeout, we only bother to even check nft if -# legacy iptables was empty / mostly empty. - -num_legacy_lines=$( (iptables-legacy-save || true; ip6tables-legacy-save || true) 2>/dev/null | grep '^-' | wc -l) -if [ "${num_legacy_lines}" -ge 10 ]; then - mode=legacy -else - num_nft_lines=$( (timeout 5 sh -c "iptables-nft-save; ip6tables-nft-save" || true) 2>/dev/null | grep '^-' | wc -l) - if [ "${num_legacy_lines}" -ge "${num_nft_lines}" ]; then - mode=legacy - else - mode=nft - fi -fi - -update-alternatives --set iptables "/usr/sbin/iptables-${mode}" > /dev/null -update-alternatives --set ip6tables "/usr/sbin/ip6tables-${mode}" > /dev/null - -# Now re-exec the original command with the newly-selected alternative -exec "$0" "$@ \ No newline at end of file -- GitLab