Tail-call nodeports rules in iptables proxy

2025-07-23 11:50:44 +00:00 · 2015-08-18 22:12:42 -07:00 · 2015-08-18 22:12:42 -07:00 · 16102c41df
commit 16102c41df
parent 8800450c5f
1 changed files with 9 additions and 12 deletions
--- a/pkg/proxy/iptables/proxier.go
+++ b/pkg/proxy/iptables/proxier.go
@ -477,23 +477,12 @@ func (proxier *Proxier) syncProxyRules() error {
 		if _, err := proxier.iptables.EnsureChain(utiliptables.TableNAT, iptablesServicesChain); err != nil {
 			return err
 		}
-		comment := "kubernetes service portals; must be before nodeports"
+		comment := "kubernetes service portals"
 		args := []string{"-m", "comment", "--comment", comment, "-j", string(iptablesServicesChain)}
 		if _, err := proxier.iptables.EnsureRule(utiliptables.Prepend, utiliptables.TableNAT, chain, args...); err != nil {
 			return err
 		}
 	}
-	// Link the nodeports chain.
-	for _, chain := range inputChains {
-		if _, err := proxier.iptables.EnsureChain(utiliptables.TableNAT, iptablesNodePortsChain); err != nil {
-			return err
-		}
-		comment := "kubernetes service nodeports; must be after portals"
-		args := []string{"-m", "comment", "--comment", comment, "-m", "addrtype", "--dst-type", "LOCAL", "-j", string(iptablesNodePortsChain)}
-		if _, err := proxier.iptables.EnsureRule(utiliptables.Append, utiliptables.TableNAT, chain, args...); err != nil {
-			return err
-		}
-	}
 	// Link the output rules.
 	{
 		comment := "kubernetes service traffic requiring SNAT"
@ -721,6 +710,14 @@ func (proxier *Proxier) syncProxyRules() error {
 		}
 	}

+	// Finally, tail-call to the nodeports chain.  This needs to be after all
+	// other service portal rules.
+	writeLine(rulesLines,
+		"-A", string(iptablesServicesChain),
+		"-m", "comment", "--comment", "\"kubernetes service nodeports; NOTE: this must be the last rule in this chain\"",
+		"-m", "addrtype", "--dst-type", "LOCAL",
+		"-j", string(iptablesNodePortsChain))
+
 	// Write the end-of-table marker.
 	writeLine(rulesLines, "COMMIT")