From 16102c41df9461315fce8070584b6cc4effd0c43 Mon Sep 17 00:00:00 2001
From: Tim Hockin
Date: Tue, 18 Aug 2015 22:12:42 -0700
Subject: [PATCH] Tail-call nodeports rules in iptables proxy

---
 pkg/proxy/iptables/proxier.go | 21 +++++++++------------
 1 file changed, 9 insertions(+), 12 deletions(-)

diff --git a/pkg/proxy/iptables/proxier.go b/pkg/proxy/iptables/proxier.go
index 971e71e2035..e856f21389e 100644
--- a/pkg/proxy/iptables/proxier.go
+++ b/pkg/proxy/iptables/proxier.go
@@ -477,23 +477,12 @@ func (proxier *Proxier) syncProxyRules() error {
 if _, err := proxier.iptables.EnsureChain(utiliptables.TableNAT, iptablesServicesChain); err != nil {
 return err
 }
- comment := "kubernetes service portals; must be before nodeports"
+ comment := "kubernetes service portals"
 args := []string{"-m", "comment", "--comment", comment, "-j", string(iptablesServicesChain)}
 if _, err := proxier.iptables.EnsureRule(utiliptables.Prepend, utiliptables.TableNAT, chain, args...); err != nil {
 return err
 }
 }
- // Link the nodeports chain.
- for _, chain := range inputChains {
- if _, err := proxier.iptables.EnsureChain(utiliptables.TableNAT, iptablesNodePortsChain); err != nil {
- return err
- }
- comment := "kubernetes service nodeports; must be after portals"
- args := []string{"-m", "comment", "--comment", comment, "-m", "addrtype", "--dst-type", "LOCAL", "-j", string(iptablesNodePortsChain)}
- if _, err := proxier.iptables.EnsureRule(utiliptables.Append, utiliptables.TableNAT, chain, args...); err != nil {
- return err
- }
- }
 // Link the output rules.
 {
 comment := "kubernetes service traffic requiring SNAT"
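Review bot: Dropping the nodeports jump from the inputChains loop only changes what syncProxyRules ensures from now on; the remaining EnsureRule calls in this hunk never delete anything, so a node upgraded in place keeps the previously appended `-m addrtype --dst-type LOCAL -j <nodeports chain>` rule in each input chain unless a cleanup step outside this hunk removes it. Because that leftover rule sat after the services jump, it is most likely redundant rather than harmful, but it persists until the chain is flushed and will mislead anyone auditing the live rule set against this version of the code. Consider an explicit removal of the old rule during sync, or at least a note in the commit message that a flush is needed on upgrade. syncProxyRules begins before this hunk.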
@@ -721,6 +710,14 @@ func (proxier *Proxier) syncProxyRules() error {
 }
 }
 
+ // Finally, tail-call to the nodeports chain. This needs to be after all
+ // other service portal rules.
+ writeLine(rulesLines,
+ "-A", string(iptablesServicesChain),
+ "-m", "comment", "--comment", "\"kubernetes service nodeports; NOTE: this must be the last rule in this chain\"",
+ "-m", "addrtype", "--dst-type", "LOCAL",
+ "-j", string(iptablesNodePortsChain))
+
 // Write the end-of-table marker.
 writeLine(rulesLines, "COMMIT")
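Review bot: The "must be the last rule in this chain" invariant on the new writeLine call is enforced only by its position after the per-service loop; nothing in the code checks it, and a later edit that appends another rule to the services chain after this point would be evaluated only if the nodeports chain returns, which is easy to miss. The code comment would be more useful if it said why the ordering matters rather than restating it, e.g. `// Tail-call the nodeports chain last: its only match is a locally-bound destination address, so it must see only traffic that no portal rule above it claimed.` A unit test asserting that the nodeports jump is the final `-A` line of the services chain in the generated rules would pin the invariant for future edits. The escaped `\"...\"` around the comment text appears deliberate for the restore-format line, so that part reads fine. syncProxyRules starts and ends outside this hunk.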