Skip to content

Commit 4d0ce2e

Browse files
k8s-ci-robotk8s-ci-robot
authored
Merge pull request #92584 from aojea/ipvsfix
IPVS: kubelet, kube-proxy: unmark packets before masquerading …
2 parents 6c917e6 + c40081b commit 4d0ce2e

File tree

1 file changed

+33
-32
lines changed

1 file changed

+33
-32
lines changed

pkg/proxy/ipvs/proxier.go

Lines changed: 33 additions & 32 deletions
Original file line numberDiff line numberDiff line change
@@ -1787,6 +1787,39 @@ func (proxier *Proxier) writeIptablesRules() {
17871787
"-j", "ACCEPT",
17881788
)
17891789

1790+
// Install the kubernetes-specific postrouting rules. We use a whole chain for
1791+
// this so that it is easier to flush and change, for example if the mark
1792+
// value should ever change.
1793+
// NB: THIS MUST MATCH the corresponding code in the kubelet
1794+
writeLine(proxier.natRules, []string{
1795+
"-A", string(kubePostroutingChain),
1796+
"-m", "mark", "!", "--mark", fmt.Sprintf("%s/%s", proxier.masqueradeMark, proxier.masqueradeMark),
1797+
"-j", "RETURN",
1798+
}...)
1799+
// Clear the mark to avoid re-masquerading if the packet re-traverses the network stack.
1800+
writeLine(proxier.natRules, []string{
1801+
"-A", string(kubePostroutingChain),
1802+
// XOR proxier.masqueradeMark to unset it
1803+
"-j", "MARK", "--xor-mark", proxier.masqueradeMark,
1804+
}...)
1805+
masqRule := []string{
1806+
"-A", string(kubePostroutingChain),
1807+
"-m", "comment", "--comment", `"kubernetes service traffic requiring SNAT"`,
1808+
"-j", "MASQUERADE",
1809+
}
1810+
if proxier.iptables.HasRandomFully() {
1811+
masqRule = append(masqRule, "--random-fully")
1812+
}
1813+
writeLine(proxier.natRules, masqRule...)
1814+
1815+
// Install the kubernetes-specific masquerade mark rule. We use a whole chain for
1816+
// this so that it is easier to flush and change, for example if the mark
1817+
// value should ever change.
1818+
writeLine(proxier.natRules, []string{
1819+
"-A", string(KubeMarkMasqChain),
1820+
"-j", "MARK", "--or-mark", proxier.masqueradeMark,
1821+
}...)
1822+
17901823
// Write the end-of-table markers.
17911824
writeLine(proxier.filterRules, "COMMIT")
17921825
writeLine(proxier.natRules, "COMMIT")
@@ -1845,38 +1878,6 @@ func (proxier *Proxier) createAndLinkeKubeChain() {
18451878
}
18461879
}
18471880

1848-
// Install the kubernetes-specific postrouting rules. We use a whole chain for
1849-
// this so that it is easier to flush and change, for example if the mark
1850-
// value should ever change.
1851-
// NB: THIS MUST MATCH the corresponding code in the kubelet
1852-
writeLine(proxier.natRules, []string{
1853-
"-A", string(kubePostroutingChain),
1854-
"-m", "mark", "!", "--mark", fmt.Sprintf("%s/%s", proxier.masqueradeMark, proxier.masqueradeMark),
1855-
"-j", "RETURN",
1856-
}...)
1857-
// Clear the mark to avoid re-masquerading if the packet re-traverses the network stack.
1858-
writeLine(proxier.natRules, []string{
1859-
"-A", string(kubePostroutingChain),
1860-
// XOR proxier.masqueradeMark to unset it
1861-
"-j", "MARK", "--xor-mark", proxier.masqueradeMark,
1862-
}...)
1863-
masqRule := []string{
1864-
"-A", string(kubePostroutingChain),
1865-
"-m", "comment", "--comment", `"kubernetes service traffic requiring SNAT"`,
1866-
"-j", "MASQUERADE",
1867-
}
1868-
if proxier.iptables.HasRandomFully() {
1869-
masqRule = append(masqRule, "--random-fully")
1870-
}
1871-
writeLine(proxier.natRules, masqRule...)
1872-
1873-
// Install the kubernetes-specific masquerade mark rule. We use a whole chain for
1874-
// this so that it is easier to flush and change, for example if the mark
1875-
// value should ever change.
1876-
writeLine(proxier.natRules, []string{
1877-
"-A", string(KubeMarkMasqChain),
1878-
"-j", "MARK", "--or-mark", proxier.masqueradeMark,
1879-
}...)
18801881
}
18811882

18821883
// getExistingChains get iptables-save output so we can check for existing chains and rules.

0 commit comments

Comments
 (0)