diff --git a/pkg/proxy/iptables/proxier.go b/pkg/proxy/iptables/proxier.go
index 74fab2f12d1..c2b19497f73 100644
--- a/pkg/proxy/iptables/proxier.go
+++ b/pkg/proxy/iptables/proxier.go
@@ -1596,6 +1596,11 @@ func (proxier *Proxier) syncProxyRules() {
  "-j", "ACCEPT",
  )
+ numberFilterIptablesRules := utilproxy.CountBytesLines(proxier.filterRules.Bytes())
+ metrics.IptablesRulesTotal.WithLabelValues(string(utiliptables.TableFilter)).Set(float64(numberFilterIptablesRules))
+ numberNatIptablesRules := utilproxy.CountBytesLines(proxier.natRules.Bytes())
+ metrics.IptablesRulesTotal.WithLabelValues(string(utiliptables.TableNAT)).Set(float64(numberNatIptablesRules))
+
  // Write the end-of-table markers.
  utilproxy.WriteLine(proxier.filterRules, "COMMIT")
  utilproxy.WriteLine(proxier.natRules, "COMMIT")
@@ -1608,11 +1613,6 @@ func (proxier *Proxier) syncProxyRules() {
  proxier.iptablesData.Write(proxier.natChains.Bytes())
  proxier.iptablesData.Write(proxier.natRules.Bytes())
- numberFilterIptablesRules := utilproxy.CountBytesLines(proxier.filterRules.Bytes())
- metrics.IptablesRulesTotal.WithLabelValues(string(utiliptables.TableFilter)).Set(float64(numberFilterIptablesRules))
- numberNatIptablesRules := utilproxy.CountBytesLines(proxier.natRules.Bytes())
- metrics.IptablesRulesTotal.WithLabelValues(string(utiliptables.TableNAT)).Set(float64(numberNatIptablesRules))
-
  klog.V(5).InfoS("Restoring iptables", "rules", proxier.iptablesData.Bytes())
  err = proxier.iptables.RestoreAll(proxier.iptablesData.Bytes(), utiliptables.NoFlushTables, utiliptables.RestoreCounters)
  if err != nil {
diff --git a/pkg/proxy/iptables/proxier_test.go b/pkg/proxy/iptables/proxier_test.go
index f818b930b7f..9c881139754 100644
--- a/pkg/proxy/iptables/proxier_test.go
+++ b/pkg/proxy/iptables/proxier_test.go
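Review bot: The reason the two `CountBytesLines` calls now sit above the `WriteLine(..., "COMMIT")` lines is not recorded in the code, so a later refactor could move them back below the markers and silently re-inflate `IptablesRulesTotal` by one per table, which is exactly what the second hunk undoes. A one-line comment above the added block would pin the ordering: `// Count rules before the COMMIT markers are appended so they are not reported as rules.` CountBytesLines is defined outside this hunk; assuming it counts every newline-terminated line in the buffer, the gauge still includes any non-`-A` lines written to filterRules or natRules (the test comment in proxier_test.go at line 913 still describes the nat count as one more than the `-A` lines), and that is worth stating in the same comment or in the metric's help text so operators alerting on this gauge know what it measures. syncProxyRules begins and ends outside the hunk.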
@@ -913,9 +913,9 @@ COMMIT
  if err != nil {
  t.Errorf("failed to get %s value, err: %v", metrics.IptablesRulesTotal.Name, err)
  }
- // 43 here is test specific and corresponds to one more than the number of -A lines after `*nat` in `expected`.
- if nNatRules != 43.0 {
- t.Fatalf("Wrong number of nat rules: expected 43 received %f", nNatRules)
+ // 42 here is test specific and corresponds to one more than the number of -A lines after `*nat` in `expected`.
+ if nNatRules != 42.0 {
+ t.Fatalf("Wrong number of nat rules: expected 42 received %f", nNatRules)
  }
  }
@@ -3308,10 +3308,9 @@ func TestProxierMetricsIptablesTotalRules(t *testing.T) {
  // -A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT
  // -A KUBE-FORWARD -m comment --comment "kubernetes forwarding conntrack pod source rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  // -A KUBE-FORWARD -m comment --comment "kubernetes forwarding conntrack pod destination rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
- // COMMIT
- if nFilterRules != 7.0 {
- t.Fatalf("Wrong number of filter rule: expected 7 received %f", nFilterRules)
+ if nFilterRules != 6.0 {
+ t.Fatalf("Wrong number of filter rule: expected 6 received %f", nFilterRules)
  }
  nNatRules, err := testutil.GetGaugeMetricValue(metrics.IptablesRulesTotal.WithLabelValues(string(utiliptables.TableNAT)))
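Review bot: The rewritten comment in the first hunk keeps the wording "one more than the number of -A lines after `*nat` in `expected`" while only lowering the count from 43 to 42, but now that the COMMIT marker is no longer counted it does not say which line accounts for the extra one. If `expected` contains a non-`-A` line under `*nat` that the counter also sees, the comment should name that line explicitly so the next person who edits `expected` knows why the total is off by one from the `-A` count; if there is no such line, 42 should be re-derived rather than decremented. The later hunks in this file already list every counted rule in a comment, which is the clearer form. The enclosing test function starts outside the hunk.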
@@ -3319,14 +3318,13 @@ func TestProxierMetricsIptablesTotalRules(t *testing.T) {
  t.Errorf("failed to get %s value, err: %v", metrics.IptablesRulesTotal.Name, err)
  }
- // rules -A KUBE-POSTROUTING -m mark ! --mark 0x4000/0x4000 -j RETURN
+ // -A KUBE-POSTROUTING -m mark ! --mark 0x4000/0x4000 -j RETURN
  // -A KUBE-POSTROUTING -j MARK --xor-mark 0x4000
  // -A KUBE-POSTROUTING -m comment --comment "kubernetes service traffic requiring SNAT" -j MASQUERADE
  // -A KUBE-MARK-MASQ -j MARK --or-mark 0x4000
  // -A KUBE-SERVICES -m comment --comment "kubernetes service nodeports; NOTE: this must be the last rule in this chain" -m addrtype --dst-type LOCAL -j KUBE-NODEPORTS
- // COMMIT
- if nNatRules != 6.0 {
- t.Fatalf("Wrong number of nat rules: expected 6 received %f", nNatRules)
+ if nNatRules != 5.0 {
+ t.Fatalf("Wrong number of nat rules: expected 5 received %f", nNatRules)
  }
  populateEndpointSlices(fp,
@@ -3355,9 +3353,8 @@ func TestProxierMetricsIptablesTotalRules(t *testing.T) {
  // -A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT
  // -A KUBE-FORWARD -m comment --comment "kubernetes forwarding conntrack pod source rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  // -A KUBE-FORWARD -m comment --comment "kubernetes forwarding conntrack pod destination rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
- // COMMIT
- if nFilterRules != 5.0 {
- t.Fatalf("Wrong number of filter rule: expected 5 received %f", nFilterRules)
+ if nFilterRules != 4.0 {
+ t.Fatalf("Wrong number of filter rule: expected 4 received %f", nFilterRules)
  }
  nNatRules, err = testutil.GetGaugeMetricValue(metrics.IptablesRulesTotal.WithLabelValues(string(utiliptables.TableNAT)))
  if err != nil {
@@ -3378,9 +3375,8 @@ func TestProxierMetricsIptablesTotalRules(t *testing.T) {
  // -A KUBE-SEP-OUFLBLJVR33W4FIZ -m comment --comment ns1/svc1:p80 -s 10.0.0.5/32 -j KUBE-MARK-MASQ
  // -A KUBE-SEP-OUFLBLJVR33W4FIZ -m comment --comment ns1/svc1:p80 -m udp -p udp -j DNAT --to-destination 10.0.0.5:80
  // -A KUBE-SERVICES -m comment --comment "kubernetes service nodeports; NOTE: this must be the last rule in this chain" -m addrtype --dst-type LOCAL -j KUBE-NODEPORTS
- // COMMIT
- if nNatRules != 16.0 {
- t.Fatalf("Wrong number of nat rules: expected 16 received %f", nNatRules)
+ if nNatRules != 15.0 {
+ t.Fatalf("Wrong number of nat rules: expected 15 received %f", nNatRules)
  }
  }