proxy/iptables: move internal traffic setup code

Part of reorganizing the syncProxyRules loop to do: 1. figure out what chains are needed, mark them in activeNATChains 2. write servicePort jump rules to KUBE-SERVICES/KUBE-NODEPORTS 3. write servicePort-specific chains (SVC, SVL, EXT, FW, SEP) This fixes the jump rules for internal traffic. Previously we were handling "jumping from kubeServices to internalTrafficChain" and "adding masquerade rules to internalTrafficChain" in the same place.
2025-07-23 11:50:44 +00:00 · 2022-04-06 10:10:12 -04:00 · 2022-04-06 10:10:12 -04:00 · 2030591ce7
commit 2030591ce7
parent 00f789cd8d
1 changed files with 29 additions and 21 deletions
--- a/pkg/proxy/iptables/proxier.go
+++ b/pkg/proxy/iptables/proxier.go
@ -1088,31 +1088,12 @@ func (proxier *Proxier) syncProxyRules() {

 		// Capture the clusterIP.
 		if hasInternalEndpoints {
-			args = append(args[:0],
+			proxier.natRules.Write(
+				"-A", string(kubeServicesChain),
 				"-m", "comment", "--comment", fmt.Sprintf(`"%s cluster IP"`, svcPortNameString),
 				"-m", protocol, "-p", protocol,
 				"-d", svcInfo.ClusterIP().String(),
 				"--dport", strconv.Itoa(svcInfo.Port()),
-			)
-			if proxier.masqueradeAll {
-				proxier.natRules.Write(
-					"-A", string(internalTrafficChain),
-					args,
-					"-j", string(kubeMarkMasqChain))
-			} else if proxier.localDetector.IsImplemented() {
-				// This masquerades off-cluster traffic to a service VIP.  The idea
-				// is that you can establish a static route for your Service range,
-				// routing to any node, and that node will bridge into the Service
-				// for you.  Since that might bounce off-node, we masquerade here.
-				proxier.natRules.Write(
-					"-A", string(internalTrafficChain),
-					args,
-					proxier.localDetector.IfNotLocal(),
-					"-j", string(kubeMarkMasqChain))
-			}
-			proxier.natRules.Write(
-				"-A", string(kubeServicesChain),
-				args,
 				"-j", string(internalTrafficChain))
 		} else {
 			// No endpoints.
@ -1281,6 +1262,33 @@ func (proxier *Proxier) syncProxyRules() {
 			)
 		}

+		// Set up internal traffic handling.
+		if hasInternalEndpoints {
+			args = append(args[:0],
+				"-m", "comment", "--comment", fmt.Sprintf(`"%s cluster IP"`, svcPortNameString),
+				"-m", protocol, "-p", protocol,
+				"-d", svcInfo.ClusterIP().String(),
+				"--dport", strconv.Itoa(svcInfo.Port()),
+			)
+			if proxier.masqueradeAll {
+				proxier.natRules.Write(
+					"-A", string(internalTrafficChain),
+					args,
+					"-j", string(kubeMarkMasqChain))
+			} else if proxier.localDetector.IsImplemented() {
+				// This masquerades off-cluster traffic to a service VIP. The
+				// idea is that you can establish a static route for your
+				// Service range, routing to any node, and that node will
+				// bridge into the Service for you. Since that might bounce
+				// off-node, we masquerade here.
+				proxier.natRules.Write(
+					"-A", string(internalTrafficChain),
+					args,
+					proxier.localDetector.IfNotLocal(),
+					"-j", string(kubeMarkMasqChain))
+			}
+		}
+
 		// Set up external traffic handling (if any "external" destinations are
 		// enabled). All captured traffic for all external destinations should
 		// jump to externalTrafficChain, which will handle some special cases and