From 2030591ce7b2b4e71b01274fb8a83af4cad366a6 Mon Sep 17 00:00:00 2001 From: Dan Winship Date: Wed, 6 Apr 2022 10:10:12 -0400 Subject: [PATCH] proxy/iptables: move internal traffic setup code Part of reorganizing the syncProxyRules loop to do: 1. figure out what chains are needed, mark them in activeNATChains 2. write servicePort jump rules to KUBE-SERVICES/KUBE-NODEPORTS 3. write servicePort-specific chains (SVC, SVL, EXT, FW, SEP) This fixes the jump rules for internal traffic. Previously we were handling "jumping from kubeServices to internalTrafficChain" and "adding masquerade rules to internalTrafficChain" in the same place. --- pkg/proxy/iptables/proxier.go | 50 ++++++++++++++++++++--------------- 1 file changed, 29 insertions(+), 21 deletions(-) diff --git a/pkg/proxy/iptables/proxier.go b/pkg/proxy/iptables/proxier.go index 54d3dea14be..416ab5cab2f 100644 --- a/pkg/proxy/iptables/proxier.go +++ b/pkg/proxy/iptables/proxier.go @@ -1088,31 +1088,12 @@ func (proxier *Proxier) syncProxyRules() { // Capture the clusterIP. if hasInternalEndpoints { - args = append(args[:0], + proxier.natRules.Write( + "-A", string(kubeServicesChain), "-m", "comment", "--comment", fmt.Sprintf(`"%s cluster IP"`, svcPortNameString), "-m", protocol, "-p", protocol, "-d", svcInfo.ClusterIP().String(), "--dport", strconv.Itoa(svcInfo.Port()), - ) - if proxier.masqueradeAll { - proxier.natRules.Write( - "-A", string(internalTrafficChain), - args, - "-j", string(kubeMarkMasqChain)) - } else if proxier.localDetector.IsImplemented() { - // This masquerades off-cluster traffic to a service VIP. The idea - // is that you can establish a static route for your Service range, - // routing to any node, and that node will bridge into the Service - // for you. Since that might bounce off-node, we masquerade here. - proxier.natRules.Write( - "-A", string(internalTrafficChain), - args, - proxier.localDetector.IfNotLocal(), - "-j", string(kubeMarkMasqChain)) - } - proxier.natRules.Write( - "-A", string(kubeServicesChain), - args, "-j", string(internalTrafficChain)) } else { // No endpoints. @@ -1281,6 +1262,33 @@ func (proxier *Proxier) syncProxyRules() { ) } + // Set up internal traffic handling. + if hasInternalEndpoints { + args = append(args[:0], + "-m", "comment", "--comment", fmt.Sprintf(`"%s cluster IP"`, svcPortNameString), + "-m", protocol, "-p", protocol, + "-d", svcInfo.ClusterIP().String(), + "--dport", strconv.Itoa(svcInfo.Port()), + ) + if proxier.masqueradeAll { + proxier.natRules.Write( + "-A", string(internalTrafficChain), + args, + "-j", string(kubeMarkMasqChain)) + } else if proxier.localDetector.IsImplemented() { + // This masquerades off-cluster traffic to a service VIP. The + // idea is that you can establish a static route for your + // Service range, routing to any node, and that node will + // bridge into the Service for you. Since that might bounce + // off-node, we masquerade here. + proxier.natRules.Write( + "-A", string(internalTrafficChain), + args, + proxier.localDetector.IfNotLocal(), + "-j", string(kubeMarkMasqChain)) + } + } + // Set up external traffic handling (if any "external" destinations are // enabled). All captured traffic for all external destinations should // jump to externalTrafficChain, which will handle some special cases and