Simplify nftables/proxier.go by removing localhost nodeport support

and related route_localnet setting / anti-martian-packet rule

cmd/kube-proxy/app/server_others.go

@@ -305,7 +305,6 @@ func (s *ProxyServer) createProxier(config *proxyconfigapi.KubeProxyConfiguratio
 				config.NFTables.SyncPeriod.Duration,
 				config.NFTables.MinSyncPeriod.Duration,
 				config.NFTables.MasqueradeAll,
-				*config.NFTables.LocalhostNodePorts,
 				int(*config.NFTables.MasqueradeBit),
 				localDetectors,
 				s.Hostname,
@@ -332,7 +331,6 @@ func (s *ProxyServer) createProxier(config *proxyconfigapi.KubeProxyConfiguratio
 				config.NFTables.SyncPeriod.Duration,
 				config.NFTables.MinSyncPeriod.Duration,
 				config.NFTables.MasqueradeAll,
-				*config.NFTables.LocalhostNodePorts,
 				int(*config.NFTables.MasqueradeBit),
 				localDetector,
 				s.Hostname,

cmd/kube-proxy/app/server_test.go

@@ -79,7 +79,6 @@ nftables:
   masqueradeBit: 18
   minSyncPeriod: 10s
   syncPeriod: 60s
-  localhostNodePorts: false
 kind: KubeProxyConfiguration
 metricsBindAddress: "%s"
 mode: "%s"
@@ -225,11 +224,10 @@ nodePortAddresses:
 				ExcludeCIDRs:  []string{"10.20.30.40/16", "fd00:1::0/64"},
 			},
 			NFTables: kubeproxyconfig.KubeProxyNFTablesConfiguration{
-				MasqueradeAll:      true,
+				MasqueradeAll: true,
-				MasqueradeBit:      ptr.To[int32](18),
+				MasqueradeBit: ptr.To[int32](18),
-				LocalhostNodePorts: ptr.To(false),
+				MinSyncPeriod: metav1.Duration{Duration: 10 * time.Second},
-				MinSyncPeriod:      metav1.Duration{Duration: 10 * time.Second},
+				SyncPeriod:    metav1.Duration{Duration: 60 * time.Second},
-				SyncPeriod:         metav1.Duration{Duration: 60 * time.Second},
 			},
 			MetricsBindAddress: tc.metricsBindAddress,
 			Mode:               kubeproxyconfig.ProxyMode(tc.mode),

pkg/generated/openapi/zz_generated.openapi.go

@@ -54716,13 +54716,6 @@ func schema_k8sio_kube_proxy_config_v1alpha1_KubeProxyNFTablesConfiguration(ref
 							Format:      "",
 						},
 					},
-					"localhostNodePorts": {
-						SchemaProps: spec.SchemaProps{
-							Description: "localhostNodePorts, if false, tells kube-proxy to disable the legacy behavior of allowing NodePort services to be accessed via localhost. FIXME: remove.",
-							Type:        []string{"boolean"},
-							Format:      "",
-						},
-					},
 					"syncPeriod": {
 						SchemaProps: spec.SchemaProps{
 							Description: "syncPeriod is an interval (e.g. '5s', '1m', '2h22m') indicating how frequently various re-synchronizing and cleanup operations are performed. Must be greater than 0.",
@@ -54736,7 +54729,7 @@ func schema_k8sio_kube_proxy_config_v1alpha1_KubeProxyNFTablesConfiguration(ref
 						},
 					},
 				},
-				Required: []string{"masqueradeBit", "masqueradeAll", "localhostNodePorts", "syncPeriod", "minSyncPeriod"},
+				Required: []string{"masqueradeBit", "masqueradeAll", "syncPeriod", "minSyncPeriod"},
 			},
 		},
 		Dependencies: []string{

pkg/proxy/apis/config/fuzzer/fuzzer.go

@@ -44,7 +44,6 @@ func Funcs(codecs runtimeserializer.CodecFactory) []interface{} {
 			obj.IPTables.MasqueradeBit = ptr.To(c.Int31())
 			obj.IPTables.LocalhostNodePorts = ptr.To(c.RandBool())
 			obj.NFTables.MasqueradeBit = ptr.To(c.Int31())
-			obj.NFTables.LocalhostNodePorts = ptr.To(c.RandBool())
 			obj.MetricsBindAddress = fmt.Sprintf("%d.%d.%d.%d:%d", c.Intn(256), c.Intn(256), c.Intn(256), c.Intn(256), c.Intn(65536))
 			obj.OOMScoreAdj = ptr.To(c.Int31())
 			obj.ClientConnection.ContentType = "bar"

pkg/proxy/apis/config/scheme/testdata/KubeProxyConfiguration/after/v1alpha1.yaml

@@ -50,7 +50,6 @@ logging:
 metricsBindAddress: 127.0.0.1:10249
 mode: ""
 nftables:
-  localhostNodePorts: true
   masqueradeAll: false
   masqueradeBit: 14
   minSyncPeriod: 1s

pkg/proxy/apis/config/scheme/testdata/KubeProxyConfiguration/roundtrip/default/v1alpha1.yaml

@@ -50,7 +50,6 @@ logging:
 metricsBindAddress: 127.0.0.1:10249
 mode: ""
 nftables:
-  localhostNodePorts: true
   masqueradeAll: false
   masqueradeBit: 14
   minSyncPeriod: 1s

pkg/proxy/apis/config/types.go

@@ -90,9 +90,6 @@ type KubeProxyNFTablesConfiguration struct {
 	// masqueradeAll tells kube-proxy to SNAT all traffic sent to Service cluster IPs,
 	// when using the nftables mode. This may be required with some CNI plugins.
 	MasqueradeAll bool
-	// localhostNodePorts, if false, tells kube-proxy to disable the legacy behavior
-	// of allowing NodePort services to be accessed via localhost. FIXME: remove.
-	LocalhostNodePorts *bool
 	// syncPeriod is an interval (e.g. '5s', '1m', '2h22m') indicating how frequently
 	// various re-synchronizing and cleanup operations are performed. Must be greater
 	// than 0.

pkg/proxy/apis/config/v1alpha1/defaults.go

@@ -77,9 +77,6 @@ func SetDefaults_KubeProxyConfiguration(obj *kubeproxyconfigv1alpha1.KubeProxyCo
 	if obj.NFTables.MinSyncPeriod.Duration == 0 {
 		obj.NFTables.MinSyncPeriod = metav1.Duration{Duration: 1 * time.Second}
 	}
-	if obj.NFTables.LocalhostNodePorts == nil {
-		obj.NFTables.LocalhostNodePorts = ptr.To(true)
-	}
 
 	if obj.Conntrack.MaxPerCore == nil {
 		obj.Conntrack.MaxPerCore = ptr.To[int32](32 * 1024)

pkg/proxy/apis/config/v1alpha1/defaults_test.go

@@ -63,11 +63,10 @@ func TestDefaultsKubeProxyConfiguration(t *testing.T) {
 					SyncPeriod: metav1.Duration{Duration: 30 * time.Second},
 				},
 				NFTables: kubeproxyconfigv1alpha1.KubeProxyNFTablesConfiguration{
-					MasqueradeBit:      ptr.To[int32](14),
+					MasqueradeBit: ptr.To[int32](14),
-					MasqueradeAll:      false,
+					MasqueradeAll: false,
-					LocalhostNodePorts: ptr.To(true),
+					SyncPeriod:    metav1.Duration{Duration: 30 * time.Second},
-					SyncPeriod:         metav1.Duration{Duration: 30 * time.Second},
+					MinSyncPeriod: metav1.Duration{Duration: 1 * time.Second},
-					MinSyncPeriod:      metav1.Duration{Duration: 1 * time.Second},
 				},
 				OOMScoreAdj: &oomScore,
 				Conntrack: kubeproxyconfigv1alpha1.KubeProxyConntrackConfiguration{
@@ -110,11 +109,10 @@ func TestDefaultsKubeProxyConfiguration(t *testing.T) {
 					SyncPeriod: metav1.Duration{Duration: 30 * time.Second},
 				},
 				NFTables: kubeproxyconfigv1alpha1.KubeProxyNFTablesConfiguration{
-					MasqueradeBit:      ptr.To[int32](14),
+					MasqueradeBit: ptr.To[int32](14),
-					MasqueradeAll:      false,
+					MasqueradeAll: false,
-					LocalhostNodePorts: ptr.To(true),
+					SyncPeriod:    metav1.Duration{Duration: 30 * time.Second},
-					SyncPeriod:         metav1.Duration{Duration: 30 * time.Second},
+					MinSyncPeriod: metav1.Duration{Duration: 1 * time.Second},
-					MinSyncPeriod:      metav1.Duration{Duration: 1 * time.Second},
 				},
 				OOMScoreAdj: &oomScore,
 				Conntrack: kubeproxyconfigv1alpha1.KubeProxyConntrackConfiguration{

pkg/proxy/apis/config/v1alpha1/zz_generated.conversion.go

@@ -323,7 +323,6 @@ func Convert_config_KubeProxyIPVSConfiguration_To_v1alpha1_KubeProxyIPVSConfigur
 func autoConvert_v1alpha1_KubeProxyNFTablesConfiguration_To_config_KubeProxyNFTablesConfiguration(in *v1alpha1.KubeProxyNFTablesConfiguration, out *config.KubeProxyNFTablesConfiguration, s conversion.Scope) error {
 	out.MasqueradeBit = (*int32)(unsafe.Pointer(in.MasqueradeBit))
 	out.MasqueradeAll = in.MasqueradeAll
-	out.LocalhostNodePorts = (*bool)(unsafe.Pointer(in.LocalhostNodePorts))
 	out.SyncPeriod = in.SyncPeriod
 	out.MinSyncPeriod = in.MinSyncPeriod
 	return nil
@@ -337,7 +336,6 @@ func Convert_v1alpha1_KubeProxyNFTablesConfiguration_To_config_KubeProxyNFTables
 func autoConvert_config_KubeProxyNFTablesConfiguration_To_v1alpha1_KubeProxyNFTablesConfiguration(in *config.KubeProxyNFTablesConfiguration, out *v1alpha1.KubeProxyNFTablesConfiguration, s conversion.Scope) error {
 	out.MasqueradeBit = (*int32)(unsafe.Pointer(in.MasqueradeBit))
 	out.MasqueradeAll = in.MasqueradeAll
-	out.LocalhostNodePorts = (*bool)(unsafe.Pointer(in.LocalhostNodePorts))
 	out.SyncPeriod = in.SyncPeriod
 	out.MinSyncPeriod = in.MinSyncPeriod
 	return nil

pkg/proxy/apis/config/zz_generated.deepcopy.go

@@ -215,11 +215,6 @@ func (in *KubeProxyNFTablesConfiguration) DeepCopyInto(out *KubeProxyNFTablesCon
 		*out = new(int32)
 		**out = **in
 	}
-	if in.LocalhostNodePorts != nil {
-		in, out := &in.LocalhostNodePorts, &out.LocalhostNodePorts
-		*out = new(bool)
-		**out = **in
-	}
 	out.SyncPeriod = in.SyncPeriod
 	out.MinSyncPeriod = in.MinSyncPeriod
 	return

pkg/proxy/nftables/proxier.go

@@ -77,14 +77,8 @@ const (
 
 	// kube proxy canary chain is used for monitoring rule reload
 	kubeProxyCanaryChain utiliptables.Chain = "KUBE-PROXY-CANARY"
-
-	// kubeletFirewallChain is a duplicate of kubelet's firewall containing
-	// the anti-martian-packet rule. It should not be used for any other
-	// rules.
-	kubeletFirewallChain utiliptables.Chain = "KUBE-FIREWALL"
 )
 
-const sysctlRouteLocalnet = "net/ipv4/conf/all/route_localnet"
 const sysctlNFConntrackTCPBeLiberal = "net/netfilter/nf_conntrack_tcp_be_liberal"
 
 // internal struct for string service information
@@ -183,10 +177,6 @@ type Proxier struct {
 	natChains                proxyutil.LineBuffer
 	natRules                 proxyutil.LineBuffer
 
-	// localhostNodePorts indicates whether we allow NodePort services to be accessed
-	// via localhost.
-	localhostNodePorts bool
-
 	// conntrackTCPLiberal indicates whether the system sets the kernel nf_conntrack_tcp_be_liberal
 	conntrackTCPLiberal bool
 
@@ -212,7 +202,6 @@ func NewProxier(ipFamily v1.IPFamily,
 	syncPeriod time.Duration,
 	minSyncPeriod time.Duration,
 	masqueradeAll bool,
-	localhostNodePorts bool,
 	masqueradeBit int,
 	localDetector proxyutiliptables.LocalTrafficDetector,
 	hostname string,
@@ -224,18 +213,6 @@ func NewProxier(ipFamily v1.IPFamily,
 ) (*Proxier, error) {
 	nodePortAddresses := proxyutil.NewNodePortAddresses(ipFamily, nodePortAddressStrings)
 
-	if !nodePortAddresses.ContainsIPv4Loopback() {
-		localhostNodePorts = false
-	}
-	if localhostNodePorts {
-		// Set the route_localnet sysctl we need for exposing NodePorts on loopback addresses
-		// Refer to https://issues.k8s.io/90259
-		klog.InfoS("Setting route_localnet=1 to allow node-ports on localhost; to change this either disable iptables.localhostNodePorts (--iptables-localhost-nodeports) or set nodePortAddresses (--nodeport-addresses) to filter loopback addresses")
-		if err := proxyutil.EnsureSysctl(sysctl, sysctlRouteLocalnet, 1); err != nil {
-			return nil, err
-		}
-	}
-
 	// Be conservative in what you do, be liberal in what you accept from others.
 	// If it's non-zero, we mark only out of window RST segments as INVALID.
 	// Ref: https://docs.kernel.org/networking/nf_conntrack-sysctl.html
@@ -281,7 +258,6 @@ func NewProxier(ipFamily v1.IPFamily,
 		filterRules:              proxyutil.NewLineBuffer(),
 		natChains:                proxyutil.NewLineBuffer(),
 		natRules:                 proxyutil.NewLineBuffer(),
-		localhostNodePorts:       localhostNodePorts,
 		nodePortAddresses:        nodePortAddresses,
 		networkInterfacer:        proxyutil.RealNetwork{},
 		conntrackTCPLiberal:      conntrackTCPLiberal,
@@ -314,7 +290,6 @@ func NewDualStackProxier(
 	syncPeriod time.Duration,
 	minSyncPeriod time.Duration,
 	masqueradeAll bool,
-	localhostNodePorts bool,
 	masqueradeBit int,
 	localDetectors [2]proxyutiliptables.LocalTrafficDetector,
 	hostname string,
@@ -326,14 +301,14 @@ func NewDualStackProxier(
 ) (proxy.Provider, error) {
 	// Create an ipv4 instance of the single-stack proxier
 	ipv4Proxier, err := NewProxier(v1.IPv4Protocol, ipt[0], sysctl,
-		exec, syncPeriod, minSyncPeriod, masqueradeAll, localhostNodePorts, masqueradeBit, localDetectors[0], hostname,
+		exec, syncPeriod, minSyncPeriod, masqueradeAll, masqueradeBit, localDetectors[0], hostname,
 		nodeIPs[v1.IPv4Protocol], recorder, healthzServer, nodePortAddresses, initOnly)
 	if err != nil {
 		return nil, fmt.Errorf("unable to create ipv4 proxier: %v", err)
 	}
 
 	ipv6Proxier, err := NewProxier(v1.IPv6Protocol, ipt[1], sysctl,
-		exec, syncPeriod, minSyncPeriod, masqueradeAll, false, masqueradeBit, localDetectors[1], hostname,
+		exec, syncPeriod, minSyncPeriod, masqueradeAll, masqueradeBit, localDetectors[1], hostname,
 		nodeIPs[v1.IPv6Protocol], recorder, healthzServer, nodePortAddresses, initOnly)
 	if err != nil {
 		return nil, fmt.Errorf("unable to create ipv6 proxier: %v", err)
@@ -367,13 +342,6 @@ var iptablesJumpChains = []iptablesJumpChain{
 	{utiliptables.TableNAT, kubePostroutingChain, utiliptables.ChainPostrouting, "kubernetes postrouting rules", nil},
 }
 
-// Duplicates of chains created in pkg/kubelet/kubelet_network_linux.go; we create these
-// on startup but do not delete them in CleanupLeftovers.
-var iptablesKubeletJumpChains = []iptablesJumpChain{
-	{utiliptables.TableFilter, kubeletFirewallChain, utiliptables.ChainInput, "", nil},
-	{utiliptables.TableFilter, kubeletFirewallChain, utiliptables.ChainOutput, "", nil},
-}
-
 // When chains get removed from iptablesJumpChains, add them here so they get cleaned up
 // on upgrade.
 var iptablesCleanupOnlyChains = []iptablesJumpChain{}
@@ -761,7 +729,7 @@ func (proxier *Proxier) syncProxyRules() {
 	// Ensure that our jump rules (eg from PREROUTING to KUBE-SERVICES) exist.
 	// We can't do this as part of the iptables-restore because we don't want
 	// to specify/replace *all* of the rules in PREROUTING, etc.
-	for _, jump := range append(iptablesJumpChains, iptablesKubeletJumpChains...) {
+	for _, jump := range iptablesJumpChains {
 		if _, err := proxier.iptables.EnsureChain(jump.table, jump.dstChain); err != nil {
 			klog.ErrorS(err, "Failed to ensure chain exists", "table", jump.table, "chain", jump.dstChain)
 			return
@@ -828,30 +796,6 @@ func (proxier *Proxier) syncProxyRules() {
 		"-j", "MARK", "--or-mark", proxier.masqueradeMark,
 	)
 
-	isIPv6 := proxier.iptables.IsIPv6()
-	if !isIPv6 && proxier.localhostNodePorts {
-		// Kube-proxy's use of `route_localnet` to enable NodePorts on localhost
-		// creates a security hole (https://issue.k8s.io/90259) which this
-		// iptables rule mitigates.
-
-		// NOTE: kubelet creates an identical copy of this rule. If you want to
-		// change this rule in the future, you MUST do so in a way that will
-		// interoperate correctly with skewed versions of the rule created by
-		// kubelet. (Actually, kubelet uses "--dst"/"--src" rather than "-d"/"-s"
-		// but that's just a command-line thing and results in the same rule being
-		// created in the kernel.)
-		proxier.filterChains.Write(utiliptables.MakeChainLine(kubeletFirewallChain))
-		proxier.filterRules.Write(
-			"-A", string(kubeletFirewallChain),
-			"-m", "comment", "--comment", `"block incoming localnet connections"`,
-			"-d", "127.0.0.0/8",
-			"!", "-s", "127.0.0.0/8",
-			"-m", "conntrack",
-			"!", "--ctstate", "RELATED,ESTABLISHED,DNAT",
-			"-j", "DROP",
-		)
-	}
-
 	// Accumulate NAT chains to keep.
 	activeNATChains := map[utiliptables.Chain]bool{} // use a map as a set
 
@@ -1330,12 +1274,13 @@ func (proxier *Proxier) syncProxyRules() {
 	// Finally, tail-call to the nodePorts chain.  This needs to be after all
 	// other service portal rules.
 	if proxier.nodePortAddresses.MatchAll() {
+		isIPv6 := proxier.iptables.IsIPv6()
+
 		destinations := []string{"-m", "addrtype", "--dst-type", "LOCAL"}
-		// Block localhost nodePorts if they are not supported. (For IPv6 they never
+		// Block localhost nodePorts
-		// work, and for IPv4 they only work if we previously set `route_localnet`.)
 		if isIPv6 {
 			destinations = append(destinations, "!", "-d", "::1/128")
-		} else if !proxier.localhostNodePorts {
+		} else {
 			destinations = append(destinations, "!", "-d", "127.0.0.0/8")
 		}
 
@@ -1351,13 +1296,8 @@ func (proxier *Proxier) syncProxyRules() {
 		}
 		for _, ip := range nodeIPs {
 			if ip.IsLoopback() {
-				if isIPv6 {
+				klog.ErrorS(nil, "--nodeport-addresses includes localhost but localhost NodePorts are not supported", "address", ip.String())
-					klog.ErrorS(nil, "--nodeport-addresses includes localhost but localhost NodePorts are not supported on IPv6", "address", ip.String())
+				continue
-					continue
-				} else if !proxier.localhostNodePorts {
-					klog.ErrorS(nil, "--nodeport-addresses includes localhost but --iptables-localhost-nodeports=false was passed", "address", ip.String())
-					continue
-				}
 			}
 
 			// create nodeport rules for each IP one by one

pkg/proxy/nftables/proxier_test.go

@@ -338,7 +338,6 @@ func NewFakeProxier(ipt utiliptables.Interface) *Proxier {
 		natChains:                proxyutil.NewLineBuffer(),
 		natRules:                 proxyutil.NewLineBuffer(),
 		nodeIP:                   netutils.ParseIPSloppy(testNodeIP),
-		localhostNodePorts:       true,
 		nodePortAddresses:        proxyutil.NewNodePortAddresses(ipfamily, nil),
 		networkInterfacer:        networkInterfacer,
 	}
@@ -694,7 +693,7 @@ func checkIPTablesRuleJumps(ruleData string) error {
 		// Find cases where we have ":BAR" but no "-A FOO ... -j BAR", meaning
 		// that we are creating an empty chain but not using it for anything.
 		extraChains := createdChains.Difference(jumpedChains)
-		extraChains.Delete(string(kubeServicesChain), string(kubeExternalServicesChain), string(kubeNodePortsChain), string(kubePostroutingChain), string(kubeForwardChain), string(kubeMarkMasqChain), string(kubeProxyFirewallChain), string(kubeletFirewallChain))
+		extraChains.Delete(string(kubeServicesChain), string(kubeExternalServicesChain), string(kubeNodePortsChain), string(kubePostroutingChain), string(kubeForwardChain), string(kubeMarkMasqChain), string(kubeProxyFirewallChain))
 		if len(extraChains) > 0 {
 			return fmt.Errorf("some chains in %s are created but not used: %v", tableName, extraChains.UnsortedList())
 		}
@@ -1913,7 +1912,6 @@ func TestOverallIPTablesRules(t *testing.T) {
 		:KUBE-NODEPORTS - [0:0]
 		:KUBE-SERVICES - [0:0]
 		:KUBE-EXTERNAL-SERVICES - [0:0]
-		:KUBE-FIREWALL - [0:0]
 		:KUBE-FORWARD - [0:0]
 		:KUBE-PROXY-FIREWALL - [0:0]
 		-A KUBE-NODEPORTS -m comment --comment "ns2/svc2:p80 health check node port" -m tcp -p tcp --dport 30000 -j ACCEPT
@@ -1921,7 +1919,6 @@ func TestOverallIPTablesRules(t *testing.T) {
 		-A KUBE-EXTERNAL-SERVICES -m comment --comment "ns2/svc2:p80 has no local endpoints" -m tcp -p tcp -d 192.168.99.22 --dport 80 -j DROP
 		-A KUBE-EXTERNAL-SERVICES -m comment --comment "ns2/svc2:p80 has no local endpoints" -m tcp -p tcp -d 1.2.3.4 --dport 80 -j DROP
 		-A KUBE-EXTERNAL-SERVICES -m comment --comment "ns2/svc2:p80 has no local endpoints" -m addrtype --dst-type LOCAL -m tcp -p tcp --dport 3001 -j DROP
-		-A KUBE-FIREWALL -m comment --comment "block incoming localnet connections" -d 127.0.0.0/8 ! -s 127.0.0.0/8 -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
 		-A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
 		-A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT
 		-A KUBE-FORWARD -m comment --comment "kubernetes forwarding conntrack rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
@@ -1960,7 +1957,7 @@ func TestOverallIPTablesRules(t *testing.T) {
 		-A KUBE-SERVICES -m comment --comment "ns4/svc4:p80 external IP" -m tcp -p tcp -d 192.168.99.33 --dport 80 -j KUBE-EXT-4SW47YFZTEDKD3PK
 		-A KUBE-SERVICES -m comment --comment "ns5/svc5:p80 cluster IP" -m tcp -p tcp -d 172.30.0.45 --dport 80 -j KUBE-SVC-NUKIZ6OKUXPJNT4C
 		-A KUBE-SERVICES -m comment --comment "ns5/svc5:p80 loadbalancer IP" -m tcp -p tcp -d 5.6.7.8 --dport 80 -j KUBE-FW-NUKIZ6OKUXPJNT4C
-		-A KUBE-SERVICES -m comment --comment "kubernetes service nodeports; NOTE: this must be the last rule in this chain" -m addrtype --dst-type LOCAL -j KUBE-NODEPORTS
+		-A KUBE-SERVICES -m comment --comment "kubernetes service nodeports; NOTE: this must be the last rule in this chain" -m addrtype --dst-type LOCAL ! -d 127.0.0.0/8 -j KUBE-NODEPORTS
 		-A KUBE-EXT-4SW47YFZTEDKD3PK -m comment --comment "masquerade traffic for ns4/svc4:p80 external destinations" -j KUBE-MARK-MASQ
 		-A KUBE-EXT-4SW47YFZTEDKD3PK -j KUBE-SVC-4SW47YFZTEDKD3PK
 		-A KUBE-EXT-GNZBNJ2PO5MGZ6GT -m comment --comment "pod traffic for ns2/svc2:p80 external destinations" -s 10.0.0.0/8 -j KUBE-SVC-GNZBNJ2PO5MGZ6GT
@@ -2431,9 +2428,8 @@ func TestNodePorts(t *testing.T) {
 	testCases := []struct {
 		name string
 
-		family             v1.IPFamily
+		family            v1.IPFamily
-		localhostNodePorts bool
+		nodePortAddresses []string
-		nodePortAddresses  []string
 
 		// allowAltNodeIP is true if we expect NodePort traffic on the alternate
 		// node IP to be accepted
@@ -2444,71 +2440,37 @@ func TestNodePorts(t *testing.T) {
 		expectFirewall bool
 	}{
 		{
-			name: "ipv4, localhost-nodeports enabled",
+			name: "ipv4",
 
-			family:             v1.IPv4Protocol,
+			family:            v1.IPv4Protocol,
-			localhostNodePorts: true,
+			nodePortAddresses: nil,
-			nodePortAddresses:  nil,
 
 			allowAltNodeIP: true,
 			expectFirewall: true,
 		},
 		{
-			name: "ipv4, localhost-nodeports disabled",
+			name: "ipv4, multiple nodeport-addresses",
 
-			family:             v1.IPv4Protocol,
+			family:            v1.IPv4Protocol,
-			localhostNodePorts: false,
+			nodePortAddresses: []string{"192.168.0.0/24", "192.168.1.0/24", "2001:db8::/64"},
-			nodePortAddresses:  nil,
 
 			allowAltNodeIP: true,
 			expectFirewall: false,
 		},
 		{
-			name: "ipv4, localhost-nodeports disabled, localhost in nodeport-addresses",
+			name: "ipv6",
 
-			family:             v1.IPv4Protocol,
+			family:            v1.IPv6Protocol,
-			localhostNodePorts: false,
+			nodePortAddresses: nil,
-			nodePortAddresses:  []string{"192.168.0.0/24", "127.0.0.1/32"},
-
-			allowAltNodeIP: false,
-			expectFirewall: false,
-		},
-		{
-			name: "ipv4, localhost-nodeports enabled, multiple nodeport-addresses",
-
-			family:             v1.IPv4Protocol,
-			localhostNodePorts: false,
-			nodePortAddresses:  []string{"192.168.0.0/24", "192.168.1.0/24", "2001:db8::/64"},
 
 			allowAltNodeIP: true,
 			expectFirewall: false,
 		},
 		{
-			name: "ipv6, localhost-nodeports enabled",
+			name: "ipv6, multiple nodeport-addresses",
 
-			family:             v1.IPv6Protocol,
+			family:            v1.IPv6Protocol,
-			localhostNodePorts: true,
+			nodePortAddresses: []string{"192.168.0.0/24", "192.168.1.0/24", "2001:db8::/64"},
-			nodePortAddresses:  nil,
-
-			allowAltNodeIP: true,
-			expectFirewall: false,
-		},
-		{
-			name: "ipv6, localhost-nodeports disabled",
-
-			family:             v1.IPv6Protocol,
-			localhostNodePorts: false,
-			nodePortAddresses:  nil,
-
-			allowAltNodeIP: true,
-			expectFirewall: false,
-		},
-		{
-			name: "ipv6, localhost-nodeports disabled, multiple nodeport-addresses",
-
-			family:             v1.IPv6Protocol,
-			localhostNodePorts: false,
-			nodePortAddresses:  []string{"192.168.0.0/24", "192.168.1.0/24", "2001:db8::/64"},
 
 			allowAltNodeIP: false,
 			expectFirewall: false,
@@ -2531,7 +2493,6 @@ func TestNodePorts(t *testing.T) {
 				epIP2 = "fd00:10:180::2:1"
 			}
 			fp := NewFakeProxier(ipt)
-			fp.localhostNodePorts = tc.localhostNodePorts
 			if tc.nodePortAddresses != nil {
 				fp.nodePortAddresses = proxyutil.NewNodePortAddresses(tc.family, tc.nodePortAddresses)
 			}
@@ -2573,19 +2534,17 @@ func TestNodePorts(t *testing.T) {
 
 			fp.syncProxyRules()
 
-			var podIP, externalClientIP, nodeIP, altNodeIP, localhostIP string
+			var podIP, externalClientIP, nodeIP, altNodeIP string
 			if tc.family == v1.IPv4Protocol {
 				podIP = "10.0.0.2"
 				externalClientIP = testExternalClient
 				nodeIP = testNodeIP
 				altNodeIP = testNodeIPAlt
-				localhostIP = "127.0.0.1"
 			} else {
 				podIP = "fd00:10::2"
 				externalClientIP = "2600:5200::1"
 				nodeIP = testNodeIPv6
 				altNodeIP = testNodeIPv6Alt
-				localhostIP = "::1"
 			}
 			output := net.JoinHostPort(epIP1, "80") + ", " + net.JoinHostPort(epIP2, "80")
 
@@ -2617,30 +2576,6 @@ func TestNodePorts(t *testing.T) {
 				},
 			})
 
-			// localhost to NodePort is only allowed in IPv4, and only if not disabled
-			if tc.family == v1.IPv4Protocol && tc.localhostNodePorts {
-				runPacketFlowTests(t, getLine(), ipt, testNodeIPs, []packetFlowTest{
-					{
-						name:     "localhost to nodePort gets masqueraded",
-						sourceIP: localhostIP,
-						destIP:   localhostIP,
-						destPort: 3001,
-						output:   output,
-						masq:     true,
-					},
-				})
-			} else {
-				runPacketFlowTests(t, getLine(), ipt, testNodeIPs, []packetFlowTest{
-					{
-						name:     "localhost to nodePort is ignored",
-						sourceIP: localhostIP,
-						destIP:   localhostIP,
-						destPort: 3001,
-						output:   "",
-					},
-				})
-			}
-
 			// NodePort on altNodeIP should be allowed, unless
 			// nodePortAddressess excludes altNodeIP
 			if tc.allowAltNodeIP {
@@ -2665,15 +2600,6 @@ func TestNodePorts(t *testing.T) {
 					},
 				})
 			}
-
-			// We have to check the firewall rule manually rather than via
-			// runPacketFlowTests(), because the packet tracer doesn't
-			// implement conntrack states.
-			var expected string
-			if tc.expectFirewall {
-				expected = "-A KUBE-FIREWALL -m comment --comment \"block incoming localnet connections\" -d 127.0.0.0/8 ! -s 127.0.0.0/8 -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP\n"
-			}
-			assertIPTablesChainEqual(t, getLine(), utiliptables.TableFilter, kubeletFirewallChain, expected, fp.iptablesData.String())
 		})
 	}
 }
@@ -5526,14 +5452,6 @@ func TestInternalExternalMasquerade(t *testing.T) {
 			output:   "10.180.0.1:80, 10.180.1.1:80",
 			masq:     true,
 		},
-		{
-			name:     "localhost to NodePort",
-			sourceIP: "127.0.0.1",
-			destIP:   "127.0.0.1",
-			destPort: 3001,
-			output:   "10.180.0.1:80, 10.180.1.1:80",
-			masq:     true,
-		},
 		{
 			name:     "node to LB",
 			sourceIP: testNodeIP,
@@ -5630,17 +5548,6 @@ func TestInternalExternalMasquerade(t *testing.T) {
 			output: "10.180.0.1:80, 10.180.1.1:80",
 			masq:   true,
 		},
-		{
-			name:     "localhost to NodePort with eTP:Local",
-			sourceIP: "127.0.0.1",
-			destIP:   "127.0.0.1",
-			destPort: 3002,
-
-			// The traffic gets short-circuited, ignoring externalTrafficPolicy, so
-			// same as "localhost to NodePort" above.
-			output: "10.180.0.2:80, 10.180.1.2:80",
-			masq:   true,
-		},
 		{
 			name:     "node to LB with eTP:Local",
 			sourceIP: testNodeIP,
@@ -5741,17 +5648,6 @@ func TestInternalExternalMasquerade(t *testing.T) {
 			output: "10.180.0.3:80, 10.180.1.3:80",
 			masq:   true,
 		},
-		{
-			name:     "localhost to NodePort with iTP:Local",
-			sourceIP: "127.0.0.1",
-			destIP:   "127.0.0.1",
-			destPort: 3003,
-
-			// internalTrafficPolicy does not apply to NodePort traffic, so same as
-			// "localhost to NodePort" above.
-			output: "10.180.0.3:80, 10.180.1.3:80",
-			masq:   true,
-		},
 		{
 			name:     "node to LB with iTP:Local",
 			sourceIP: testNodeIP,
@@ -6005,10 +5901,8 @@ func TestSyncProxyRulesRepeated(t *testing.T) {
 		:KUBE-NODEPORTS - [0:0]
 		:KUBE-SERVICES - [0:0]
 		:KUBE-EXTERNAL-SERVICES - [0:0]
-		:KUBE-FIREWALL - [0:0]
 		:KUBE-FORWARD - [0:0]
 		:KUBE-PROXY-FIREWALL - [0:0]
-		-A KUBE-FIREWALL -m comment --comment "block incoming localnet connections" -d 127.0.0.0/8 ! -s 127.0.0.0/8 -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
 		-A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
 		-A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT
 		-A KUBE-FORWARD -m comment --comment "kubernetes forwarding conntrack rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
@@ -6024,7 +5918,7 @@ func TestSyncProxyRulesRepeated(t *testing.T) {
 		:KUBE-SVC-XPGD46QRK7WJZT7O - [0:0]
 		-A KUBE-SERVICES -m comment --comment "ns1/svc1:p80 cluster IP" -m tcp -p tcp -d 172.30.0.41 --dport 80 -j KUBE-SVC-XPGD46QRK7WJZT7O
 		-A KUBE-SERVICES -m comment --comment "ns2/svc2:p8080 cluster IP" -m tcp -p tcp -d 172.30.0.42 --dport 8080 -j KUBE-SVC-2VJB64SDSIJUP5T6
-		-A KUBE-SERVICES -m comment --comment "kubernetes service nodeports; NOTE: this must be the last rule in this chain" -m addrtype --dst-type LOCAL -j KUBE-NODEPORTS
+		-A KUBE-SERVICES -m comment --comment "kubernetes service nodeports; NOTE: this must be the last rule in this chain" -m addrtype --dst-type LOCAL ! -d 127.0.0.0/8 -j KUBE-NODEPORTS
 		-A KUBE-MARK-MASQ -j MARK --or-mark 0x4000
 		-A KUBE-POSTROUTING -m mark ! --mark 0x4000/0x4000 -j RETURN
 		-A KUBE-POSTROUTING -j MARK --xor-mark 0x4000
@@ -6081,10 +5975,8 @@ func TestSyncProxyRulesRepeated(t *testing.T) {
 		:KUBE-NODEPORTS - [0:0]
 		:KUBE-SERVICES - [0:0]
 		:KUBE-EXTERNAL-SERVICES - [0:0]
-		:KUBE-FIREWALL - [0:0]
 		:KUBE-FORWARD - [0:0]
 		:KUBE-PROXY-FIREWALL - [0:0]
-		-A KUBE-FIREWALL -m comment --comment "block incoming localnet connections" -d 127.0.0.0/8 ! -s 127.0.0.0/8 -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
 		-A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
 		-A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT
 		-A KUBE-FORWARD -m comment --comment "kubernetes forwarding conntrack rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
@@ -6103,7 +5995,7 @@ func TestSyncProxyRulesRepeated(t *testing.T) {
 		-A KUBE-SERVICES -m comment --comment "ns1/svc1:p80 cluster IP" -m tcp -p tcp -d 172.30.0.41 --dport 80 -j KUBE-SVC-XPGD46QRK7WJZT7O
 		-A KUBE-SERVICES -m comment --comment "ns2/svc2:p8080 cluster IP" -m tcp -p tcp -d 172.30.0.42 --dport 8080 -j KUBE-SVC-2VJB64SDSIJUP5T6
 		-A KUBE-SERVICES -m comment --comment "ns3/svc3:p80 cluster IP" -m tcp -p tcp -d 172.30.0.43 --dport 80 -j KUBE-SVC-X27LE4BHSL4DOUIK
-		-A KUBE-SERVICES -m comment --comment "kubernetes service nodeports; NOTE: this must be the last rule in this chain" -m addrtype --dst-type LOCAL -j KUBE-NODEPORTS
+		-A KUBE-SERVICES -m comment --comment "kubernetes service nodeports; NOTE: this must be the last rule in this chain" -m addrtype --dst-type LOCAL ! -d 127.0.0.0/8 -j KUBE-NODEPORTS
 		-A KUBE-MARK-MASQ -j MARK --or-mark 0x4000
 		-A KUBE-POSTROUTING -m mark ! --mark 0x4000/0x4000 -j RETURN
 		-A KUBE-POSTROUTING -j MARK --xor-mark 0x4000
@@ -6141,10 +6033,8 @@ func TestSyncProxyRulesRepeated(t *testing.T) {
 		:KUBE-NODEPORTS - [0:0]
 		:KUBE-SERVICES - [0:0]
 		:KUBE-EXTERNAL-SERVICES - [0:0]
-		:KUBE-FIREWALL - [0:0]
 		:KUBE-FORWARD - [0:0]
 		:KUBE-PROXY-FIREWALL - [0:0]
-		-A KUBE-FIREWALL -m comment --comment "block incoming localnet connections" -d 127.0.0.0/8 ! -s 127.0.0.0/8 -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
 		-A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
 		-A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT
 		-A KUBE-FORWARD -m comment --comment "kubernetes forwarding conntrack rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
@@ -6162,7 +6052,7 @@ func TestSyncProxyRulesRepeated(t *testing.T) {
 		:KUBE-SVC-XPGD46QRK7WJZT7O - [0:0]
 		-A KUBE-SERVICES -m comment --comment "ns1/svc1:p80 cluster IP" -m tcp -p tcp -d 172.30.0.41 --dport 80 -j KUBE-SVC-XPGD46QRK7WJZT7O
 		-A KUBE-SERVICES -m comment --comment "ns3/svc3:p80 cluster IP" -m tcp -p tcp -d 172.30.0.43 --dport 80 -j KUBE-SVC-X27LE4BHSL4DOUIK
-		-A KUBE-SERVICES -m comment --comment "kubernetes service nodeports; NOTE: this must be the last rule in this chain" -m addrtype --dst-type LOCAL -j KUBE-NODEPORTS
+		-A KUBE-SERVICES -m comment --comment "kubernetes service nodeports; NOTE: this must be the last rule in this chain" -m addrtype --dst-type LOCAL ! -d 127.0.0.0/8 -j KUBE-NODEPORTS
 		-A KUBE-MARK-MASQ -j MARK --or-mark 0x4000
 		-A KUBE-POSTROUTING -m mark ! --mark 0x4000/0x4000 -j RETURN
 		-A KUBE-POSTROUTING -j MARK --xor-mark 0x4000
@@ -6207,11 +6097,9 @@ func TestSyncProxyRulesRepeated(t *testing.T) {
 		:KUBE-NODEPORTS - [0:0]
 		:KUBE-SERVICES - [0:0]
 		:KUBE-EXTERNAL-SERVICES - [0:0]
-		:KUBE-FIREWALL - [0:0]
 		:KUBE-FORWARD - [0:0]
 		:KUBE-PROXY-FIREWALL - [0:0]
 		-A KUBE-SERVICES -m comment --comment "ns4/svc4:p80 has no endpoints" -m tcp -p tcp -d 172.30.0.44 --dport 80 -j REJECT
-		-A KUBE-FIREWALL -m comment --comment "block incoming localnet connections" -d 127.0.0.0/8 ! -s 127.0.0.0/8 -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
 		-A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
 		-A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT
 		-A KUBE-FORWARD -m comment --comment "kubernetes forwarding conntrack rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
@@ -6227,7 +6115,7 @@ func TestSyncProxyRulesRepeated(t *testing.T) {
 		:KUBE-SVC-XPGD46QRK7WJZT7O - [0:0]
 		-A KUBE-SERVICES -m comment --comment "ns1/svc1:p80 cluster IP" -m tcp -p tcp -d 172.30.0.41 --dport 80 -j KUBE-SVC-XPGD46QRK7WJZT7O
 		-A KUBE-SERVICES -m comment --comment "ns3/svc3:p80 cluster IP" -m tcp -p tcp -d 172.30.0.43 --dport 80 -j KUBE-SVC-X27LE4BHSL4DOUIK
-		-A KUBE-SERVICES -m comment --comment "kubernetes service nodeports; NOTE: this must be the last rule in this chain" -m addrtype --dst-type LOCAL -j KUBE-NODEPORTS
+		-A KUBE-SERVICES -m comment --comment "kubernetes service nodeports; NOTE: this must be the last rule in this chain" -m addrtype --dst-type LOCAL ! -d 127.0.0.0/8 -j KUBE-NODEPORTS
 		-A KUBE-MARK-MASQ -j MARK --or-mark 0x4000
 		-A KUBE-POSTROUTING -m mark ! --mark 0x4000/0x4000 -j RETURN
 		-A KUBE-POSTROUTING -j MARK --xor-mark 0x4000
@@ -6270,10 +6158,8 @@ func TestSyncProxyRulesRepeated(t *testing.T) {
 		:KUBE-NODEPORTS - [0:0]
 		:KUBE-SERVICES - [0:0]
 		:KUBE-EXTERNAL-SERVICES - [0:0]
-		:KUBE-FIREWALL - [0:0]
 		:KUBE-FORWARD - [0:0]
 		:KUBE-PROXY-FIREWALL - [0:0]
-		-A KUBE-FIREWALL -m comment --comment "block incoming localnet connections" -d 127.0.0.0/8 ! -s 127.0.0.0/8 -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
 		-A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
 		-A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT
 		-A KUBE-FORWARD -m comment --comment "kubernetes forwarding conntrack rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
@@ -6292,7 +6178,7 @@ func TestSyncProxyRulesRepeated(t *testing.T) {
 		-A KUBE-SERVICES -m comment --comment "ns1/svc1:p80 cluster IP" -m tcp -p tcp -d 172.30.0.41 --dport 80 -j KUBE-SVC-XPGD46QRK7WJZT7O
 		-A KUBE-SERVICES -m comment --comment "ns3/svc3:p80 cluster IP" -m tcp -p tcp -d 172.30.0.43 --dport 80 -j KUBE-SVC-X27LE4BHSL4DOUIK
 		-A KUBE-SERVICES -m comment --comment "ns4/svc4:p80 cluster IP" -m tcp -p tcp -d 172.30.0.44 --dport 80 -j KUBE-SVC-4SW47YFZTEDKD3PK
-		-A KUBE-SERVICES -m comment --comment "kubernetes service nodeports; NOTE: this must be the last rule in this chain" -m addrtype --dst-type LOCAL -j KUBE-NODEPORTS
+		-A KUBE-SERVICES -m comment --comment "kubernetes service nodeports; NOTE: this must be the last rule in this chain" -m addrtype --dst-type LOCAL ! -d 127.0.0.0/8 -j KUBE-NODEPORTS
 		-A KUBE-MARK-MASQ -j MARK --or-mark 0x4000
 		-A KUBE-POSTROUTING -m mark ! --mark 0x4000/0x4000 -j RETURN
 		-A KUBE-POSTROUTING -j MARK --xor-mark 0x4000
@@ -6332,10 +6218,8 @@ func TestSyncProxyRulesRepeated(t *testing.T) {
 		:KUBE-NODEPORTS - [0:0]
 		:KUBE-SERVICES - [0:0]
 		:KUBE-EXTERNAL-SERVICES - [0:0]
-		:KUBE-FIREWALL - [0:0]
 		:KUBE-FORWARD - [0:0]
 		:KUBE-PROXY-FIREWALL - [0:0]
-		-A KUBE-FIREWALL -m comment --comment "block incoming localnet connections" -d 127.0.0.0/8 ! -s 127.0.0.0/8 -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
 		-A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
 		-A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT
 		-A KUBE-FORWARD -m comment --comment "kubernetes forwarding conntrack rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
@@ -6355,7 +6239,7 @@ func TestSyncProxyRulesRepeated(t *testing.T) {
 		-A KUBE-SERVICES -m comment --comment "ns1/svc1:p80 cluster IP" -m tcp -p tcp -d 172.30.0.41 --dport 80 -j KUBE-SVC-XPGD46QRK7WJZT7O
 		-A KUBE-SERVICES -m comment --comment "ns3/svc3:p80 cluster IP" -m tcp -p tcp -d 172.30.0.43 --dport 80 -j KUBE-SVC-X27LE4BHSL4DOUIK
 		-A KUBE-SERVICES -m comment --comment "ns4/svc4:p80 cluster IP" -m tcp -p tcp -d 172.30.0.44 --dport 80 -j KUBE-SVC-4SW47YFZTEDKD3PK
-		-A KUBE-SERVICES -m comment --comment "kubernetes service nodeports; NOTE: this must be the last rule in this chain" -m addrtype --dst-type LOCAL -j KUBE-NODEPORTS
+		-A KUBE-SERVICES -m comment --comment "kubernetes service nodeports; NOTE: this must be the last rule in this chain" -m addrtype --dst-type LOCAL ! -d 127.0.0.0/8 -j KUBE-NODEPORTS
 		-A KUBE-MARK-MASQ -j MARK --or-mark 0x4000
 		-A KUBE-POSTROUTING -m mark ! --mark 0x4000/0x4000 -j RETURN
 		-A KUBE-POSTROUTING -j MARK --xor-mark 0x4000
@@ -6394,10 +6278,8 @@ func TestSyncProxyRulesRepeated(t *testing.T) {
 		:KUBE-NODEPORTS - [0:0]
 		:KUBE-SERVICES - [0:0]
 		:KUBE-EXTERNAL-SERVICES - [0:0]
-		:KUBE-FIREWALL - [0:0]
 		:KUBE-FORWARD - [0:0]
 		:KUBE-PROXY-FIREWALL - [0:0]
-		-A KUBE-FIREWALL -m comment --comment "block incoming localnet connections" -d 127.0.0.0/8 ! -s 127.0.0.0/8 -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
 		-A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
 		-A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT
 		-A KUBE-FORWARD -m comment --comment "kubernetes forwarding conntrack rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
@@ -6417,7 +6299,7 @@ func TestSyncProxyRulesRepeated(t *testing.T) {
 		-A KUBE-SERVICES -m comment --comment "ns1/svc1:p80 cluster IP" -m tcp -p tcp -d 172.30.0.41 --dport 80 -j KUBE-SVC-XPGD46QRK7WJZT7O
 		-A KUBE-SERVICES -m comment --comment "ns3/svc3:p80 cluster IP" -m tcp -p tcp -d 172.30.0.43 --dport 80 -j KUBE-SVC-X27LE4BHSL4DOUIK
 		-A KUBE-SERVICES -m comment --comment "ns4/svc4:p80 cluster IP" -m tcp -p tcp -d 172.30.0.44 --dport 80 -j KUBE-SVC-4SW47YFZTEDKD3PK
-		-A KUBE-SERVICES -m comment --comment "kubernetes service nodeports; NOTE: this must be the last rule in this chain" -m addrtype --dst-type LOCAL -j KUBE-NODEPORTS
+		-A KUBE-SERVICES -m comment --comment "kubernetes service nodeports; NOTE: this must be the last rule in this chain" -m addrtype --dst-type LOCAL ! -d 127.0.0.0/8 -j KUBE-NODEPORTS
 		-A KUBE-MARK-MASQ -j MARK --or-mark 0x4000
 		-A KUBE-POSTROUTING -m mark ! --mark 0x4000/0x4000 -j RETURN
 		-A KUBE-POSTROUTING -j MARK --xor-mark 0x4000
@@ -6458,10 +6340,8 @@ func TestSyncProxyRulesRepeated(t *testing.T) {
 		:KUBE-NODEPORTS - [0:0]
 		:KUBE-SERVICES - [0:0]
 		:KUBE-EXTERNAL-SERVICES - [0:0]
-		:KUBE-FIREWALL - [0:0]
 		:KUBE-FORWARD - [0:0]
 		:KUBE-PROXY-FIREWALL - [0:0]
-		-A KUBE-FIREWALL -m comment --comment "block incoming localnet connections" -d 127.0.0.0/8 ! -s 127.0.0.0/8 -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
 		-A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
 		-A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT
 		-A KUBE-FORWARD -m comment --comment "kubernetes forwarding conntrack rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
@@ -6481,7 +6361,7 @@ func TestSyncProxyRulesRepeated(t *testing.T) {
 		-A KUBE-SERVICES -m comment --comment "ns1/svc1:p80 cluster IP" -m tcp -p tcp -d 172.30.0.41 --dport 80 -j KUBE-SVC-XPGD46QRK7WJZT7O
 		-A KUBE-SERVICES -m comment --comment "ns3/svc3:p80 cluster IP" -m tcp -p tcp -d 172.30.0.43 --dport 80 -j KUBE-SVC-X27LE4BHSL4DOUIK
 		-A KUBE-SERVICES -m comment --comment "ns4/svc4:p80 cluster IP" -m tcp -p tcp -d 172.30.0.44 --dport 80 -j KUBE-SVC-4SW47YFZTEDKD3PK
-		-A KUBE-SERVICES -m comment --comment "kubernetes service nodeports; NOTE: this must be the last rule in this chain" -m addrtype --dst-type LOCAL -j KUBE-NODEPORTS
+		-A KUBE-SERVICES -m comment --comment "kubernetes service nodeports; NOTE: this must be the last rule in this chain" -m addrtype --dst-type LOCAL ! -d 127.0.0.0/8 -j KUBE-NODEPORTS
 		-A KUBE-MARK-MASQ -j MARK --or-mark 0x4000
 		-A KUBE-POSTROUTING -m mark ! --mark 0x4000/0x4000 -j RETURN
 		-A KUBE-POSTROUTING -j MARK --xor-mark 0x4000

staging/src/k8s.io/kube-proxy/config/v1alpha1/types.go

@@ -86,9 +86,6 @@ type KubeProxyNFTablesConfiguration struct {
 	// masqueradeAll tells kube-proxy to SNAT all traffic sent to Service cluster IPs,
 	// when using the nftables mode. This may be required with some CNI plugins.
 	MasqueradeAll bool `json:"masqueradeAll"`
-	// localhostNodePorts, if false, tells kube-proxy to disable the legacy behavior
-	// of allowing NodePort services to be accessed via localhost. FIXME: remove.
-	LocalhostNodePorts *bool `json:"localhostNodePorts"`
 	// syncPeriod is an interval (e.g. '5s', '1m', '2h22m') indicating how frequently
 	// various re-synchronizing and cleanup operations are performed. Must be greater
 	// than 0.

staging/src/k8s.io/kube-proxy/config/v1alpha1/zz_generated.deepcopy.go

@@ -193,11 +193,6 @@ func (in *KubeProxyNFTablesConfiguration) DeepCopyInto(out *KubeProxyNFTablesCon
 		*out = new(int32)
 		**out = **in
 	}
-	if in.LocalhostNodePorts != nil {
-		in, out := &in.LocalhostNodePorts, &out.LocalhostNodePorts
-		*out = new(bool)
-		**out = **in
-	}
 	out.SyncPeriod = in.SyncPeriod
 	out.MinSyncPeriod = in.MinSyncPeriod
 	return