Merge pull request #57051 from dnardo/gke-deb
Automatic merge from submit-queue (batch tested with PRs 56858, 57040, 56979, 57051, 57052). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. Update the debian setup script to match GCI. Even though this file is deprecated in 1.8 and 1.9, add this for consistency; this change will also be cherry-picked back to 1.7.
This commit is contained in:
commit
1ad37c50ae
@ -86,9 +86,41 @@ ensure-local-disks() {
|
||||
function config-ip-firewall {
|
||||
echo "Configuring IP firewall rules"
|
||||
|
||||
# Do not consider loopback addresses as martian source or destination while
|
||||
# routing. This enables the use of 127/8 for local routing purposes.
|
||||
sysctl -w net.ipv4.conf.all.route_localnet=1
|
||||
|
||||
# We need to add rules to accept all TCP/UDP/ICMP packets.
|
||||
if iptables -L INPUT | grep "Chain INPUT (policy DROP)" > /dev/null; then
|
||||
echo "Add rules to accept all inbound TCP/UDP/ICMP packets"
|
||||
iptables -A INPUT -p TCP -j ACCEPT
|
||||
iptables -A INPUT -p UDP -j ACCEPT
|
||||
iptables -A INPUT -p ICMP -j ACCEPT
|
||||
fi
|
||||
if iptables -L FORWARD | grep "Chain FORWARD (policy DROP)" > /dev/null; then
|
||||
echo "Add rules to accept all forwarded TCP/UDP/ICMP packets"
|
||||
iptables -A FORWARD -p TCP -j ACCEPT
|
||||
iptables -A FORWARD -p UDP -j ACCEPT
|
||||
iptables -A FORWARD -p ICMP -j ACCEPT
|
||||
fi
|
||||
|
||||
# Flush iptables nat table
|
||||
iptables -t nat -F || true
|
||||
|
||||
if [[ "${NON_MASQUERADE_CIDR:-}" == "0.0.0.0/0" ]]; then
|
||||
echo "Add rules for ip masquerade"
|
||||
iptables -t nat -N IP-MASQ
|
||||
iptables -t nat -A POSTROUTING -m comment --comment "ip-masq: ensure nat POSTROUTING directs all non-LOCAL destination traffic to our custom IP-MASQ chain" -m addrtype ! --dst-type LOCAL -j IP-MASQ
|
||||
iptables -t nat -A IP-MASQ -d 169.254.0.0/16 -m comment --comment "ip-masq: local traffic is not subject to MASQUERADE" -j RETURN
|
||||
iptables -t nat -A IP-MASQ -d 10.0.0.0/8 -m comment --comment "ip-masq: local traffic is not subject to MASQUERADE" -j RETURN
|
||||
iptables -t nat -A IP-MASQ -d 172.16.0.0/12 -m comment --comment "ip-masq: local traffic is not subject to MASQUERADE" -j RETURN
|
||||
iptables -t nat -A IP-MASQ -d 192.168.0.0/16 -m comment --comment "ip-masq: local traffic is not subject to MASQUERADE" -j RETURN
|
||||
iptables -t nat -A IP-MASQ -m comment --comment "ip-masq: outbound traffic is subject to MASQUERADE (must be last in chain)" -j MASQUERADE
|
||||
fi
|
||||
|
||||
if [[ "${ENABLE_METADATA_CONCEALMENT:-}" == "true" ]]; then
|
||||
echo "Add rule for metadata concealment"
|
||||
iptables -w -t nat -I PREROUTING -p tcp -d 169.254.169.254 --dport 80 -m comment --comment "metadata-concealment: bridge traffic to metadata server goes to metadata proxy" -j DNAT --to-destination 127.0.0.1:988
|
||||
iptables -t nat -I PREROUTING -p tcp -d 169.254.169.254 --dport 80 -m comment --comment "metadata-concealment: bridge traffic to metadata server goes to metadata proxy" -j DNAT --to-destination 127.0.0.1:988
|
||||
fi
|
||||
}
|
||||
|
||||
@ -171,7 +203,6 @@ function remove-docker-artifacts() {
|
||||
apt-get-install bridge-utils
|
||||
|
||||
# Remove docker artifacts on minion nodes, if present
|
||||
iptables -t nat -F || true
|
||||
ifconfig docker0 down || true
|
||||
brctl delbr docker0 || true
|
||||
echo "== Finished deleting docker0 =="
|
||||
|
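Review bot: `iptables -t nat -N IP-MASQ` in the NON_MASQUERADE_CIDR block is not idempotent: the preceding `iptables -t nat -F || true` flushes rules but does not delete user-defined chains, so if config-ip-firewall runs a second time `-N` fails because the chain already exists, and the `|| true` on the flush suggests the script runs under errexit, in which case the function would abort before the POSTROUTING jump and the RETURN rules are installed. Creating the chain only when it is absent avoids that: `iptables -t nat -L IP-MASQ >/dev/null 2>&1 || iptables -t nat -N IP-MASQ`. The `-w` (wait for the xtables lock) flag appears on only one of the two metadata-concealment lines and on none of the other iptables calls in this hunk; if any other iptables client runs concurrently, the unguarded calls can fail spuriously, so `-w` should be applied uniformly. The accept-all rules under the `policy DROP` checks turn off host-level filtering for TCP/UDP/ICMP, which deserves a comment recording the assumption, e.g. `# NOTE: opens the host firewall for all TCP/UDP/ICMP; filtering is assumed to happen at the network level — confirm`.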