From 1f2076ce64ab048431c74f040a6958be8f7ef4fc Mon Sep 17 00:00:00 2001
From: BenTheElder
Date: Thu, 20 Aug 2015 14:39:01 -0400
Subject: [PATCH] Add flag to masquerade all in kube-proxy when using iptables proxier
---
 cmd/kube-proxy/app/server.go | 4 +++-
 hack/verify-flags/known-flags.txt | 1 +
 pkg/proxy/iptables/proxier.go | 20 ++++++++++++++------
 3 files changed, 18 insertions(+), 7 deletions(-)
diff --git a/cmd/kube-proxy/app/server.go b/cmd/kube-proxy/app/server.go
index e253465ea77..47f5933d10e 100644
--- a/cmd/kube-proxy/app/server.go
+++ b/cmd/kube-proxy/app/server.go
@@ -61,6 +61,7 @@ type ProxyServer struct {
 ForceUserspaceProxy bool
 SyncPeriod time.Duration
 nodeRef *api.ObjectReference // Reference to this node.
+ MasqueradeAll bool
 }
 // NewProxyServer creates a new ProxyServer object with default parameters
@@ -88,6 +89,7 @@ func (s *ProxyServer) AddFlags(fs *pflag.FlagSet) {
 fs.StringVar(&s.HostnameOverride, "hostname-override", s.HostnameOverride, "If non-empty, will use this string as identification instead of the actual hostname.")
 fs.BoolVar(&s.ForceUserspaceProxy, "legacy-userspace-proxy", true, "Use the legacy userspace proxy (instead of the pure iptables proxy).")
 fs.DurationVar(&s.SyncPeriod, "iptables-sync-period", 5*time.Second, "How often iptables rules are refreshed (e.g. '5s', '1m', '2h22m'). Must be greater than 0.")
+ fs.BoolVar(&s.MasqueradeAll, "masquerade-all", false, "If using the pure iptables proxy, SNAT everything")
 }
 // Run runs the specified ProxyServer. This should never exit.
@@ -160,7 +162,7 @@ func (s *ProxyServer) Run(_ []string) error {
 glog.V(2).Info("Using iptables Proxier.")
 execer := exec.New()
- proxierIptables, err := iptables.NewProxier(utiliptables.New(execer, protocol), execer, s.SyncPeriod)
+ proxierIptables, err := iptables.NewProxier(utiliptables.New(execer, protocol), execer, s.SyncPeriod, s.MasqueradeAll)
 if err != nil {
 glog.Fatalf("Unable to create proxier: %v", err)
 }
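Review bot: The help text for the new `masquerade-all` flag in the AddFlags hunk does not tell the operator what "SNAT everything" costs: once traffic to cluster IPs is masqueraded, backends see the node's address instead of the client's, so any source-IP based logging or policy on the pod side stops being meaningful. It also ends without a period, unlike the sibling descriptions on the surrounding lines; suggested: `fs.BoolVar(&s.MasqueradeAll, "masquerade-all", false, "If using the pure iptables proxy, SNAT everything (backends will see the node IP rather than the client IP).")`. From the Run hunk the value is only forwarded to iptables.NewProxier inside the "Using iptables Proxier." branch, so with the default `legacy-userspace-proxy=true` the flag appears to be accepted and silently ignored; either say so in the help text or log a warning in Run when it is set but unused. The bodies of AddFlags and Run continue outside these hunks.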
diff --git a/hack/verify-flags/known-flags.txt b/hack/verify-flags/known-flags.txt
index ac111cd4bb0..e932aa1f312 100644
--- a/hack/verify-flags/known-flags.txt
+++ b/hack/verify-flags/known-flags.txt
@@ -130,6 +130,7 @@ long-running-request-regexp
 low-diskspace-threshold-mb
 manifest-url
 manifest-url-header
+masquerade-all
 master-service-namespace
 max-concurrency
 max-connection-bytes-per-sec
diff --git a/pkg/proxy/iptables/proxier.go b/pkg/proxy/iptables/proxier.go
index d3d800b8d42..b75fec52779 100644
--- a/pkg/proxy/iptables/proxier.go
+++ b/pkg/proxy/iptables/proxier.go
@@ -150,6 +150,7 @@ type Proxier struct {
 iptables utiliptables.Interface
 haveReceivedServiceUpdate bool // true once we've seen an OnServiceUpdate event
 haveReceivedEndpointsUpdate bool // true once we've seen an OnEndpointsUpdate event
+ MasqueradeAll bool
 }
 // Proxier implements ProxyProvider
@@ -160,7 +161,7 @@ var _ proxy.ProxyProvider = &Proxier{}
 // An error will be returned if iptables fails to update or acquire the initial lock.
 // Once a proxier is created, it will keep iptables up to date in the background and
 // will not terminate if a particular iptables call fails.
-func NewProxier(ipt utiliptables.Interface, exec utilexec.Interface, syncPeriod time.Duration) (*Proxier, error) {
+func NewProxier(ipt utiliptables.Interface, exec utilexec.Interface, syncPeriod time.Duration, MasqueradeAll bool) (*Proxier, error) {
 // Set the route_localnet sysctl we need for
 if err := setSysctl(sysctlRouteLocalnet, 1); err != nil {
@@ -180,9 +181,10 @@ func NewProxier(ipt utiliptables.Interface, exec utilexec.Interface, syncPeriod
 tearDownUserspaceIptables(ipt)
 return &Proxier{
- serviceMap: make(map[proxy.ServicePortName]*serviceInfo),
- syncPeriod: syncPeriod,
- iptables: ipt,
+ serviceMap: make(map[proxy.ServicePortName]*serviceInfo),
+ syncPeriod: syncPeriod,
+ iptables: ipt,
+ MasqueradeAll: MasqueradeAll,
 }, nil
 }
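Review bot: The new NewProxier parameter is spelled `MasqueradeAll` with a leading capital, which is not Go style for a parameter and does not match the lowerCamel `syncPeriod` next to it; rename it to `masqueradeAll` and write `MasqueradeAll: masqueradeAll,` in the returned struct literal. In the @@ -150 hunk the new `MasqueradeAll` field is the only exported field among unexported siblings and carries none of the trailing `// ...` explanation its neighbours have; at minimum add `MasqueradeAll bool // when true, traffic captured for service cluster IPs is also marked for masquerade (SNAT)`, and consider making it unexported unless something outside the package needs to read it. The doc comment above NewProxier is not updated for the new parameter; one sentence such as `// If masqueradeAll is set, rules for service cluster IPs also mark traffic for masquerade.` would cover it. The body of NewProxier continues outside these hunks.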
@@ -547,13 +549,19 @@ func (proxier *Proxier) syncProxyRules() error {
 activeChains[svcChain] = true
 // Capture the clusterIP.
- writeLine(rulesLines,
+ args := []string{
 "-A", string(iptablesServicesChain),
 "-m", "comment", "--comment", fmt.Sprintf("\"%s cluster IP\"", name.String()),
 "-m", protocol, "-p", protocol,
 "-d", fmt.Sprintf("%s/32", info.clusterIP.String()),
 "--dport", fmt.Sprintf("%d", info.port),
- "-j", string(svcChain))
+ }
+ if proxier.MasqueradeAll {
+ writeLine(rulesLines, append(args,
+ "-j", "MARK", "--set-xmark", fmt.Sprintf("%s/0xffffffff", iptablesMasqueradeMark))...)
+ }
+ writeLine(rulesLines, append(args,
+ "-j", string(svcChain))...)
 // Capture externalIPs.
 for _, externalIP := range info.deprecatedPublicIPs {
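Review bot: The MARK rule written when `proxier.MasqueradeAll` is set has no comment saying why it exists or why it sits before the `-j svcChain` line: it only has an effect if some later rule keyed on `iptablesMasqueradeMark` (presumably the existing masquerade rule, outside this hunk) acts on the mark, and it must be appended before the jump so the mark is set before the packet leaves the services chain; add `// Mark so the masquerade rule SNATs this packet; must precede the jump into the service chain.` above the `if`. Only the cluster IP capture is marked here, while external IPs and node ports are handled further down outside the hunk, so whether "masquerade all" really covers all service traffic cannot be confirmed from this hunk and deserves a comment either way, since operators reading the flag name will assume it does. The two `append(args, ...)` calls do not clobber each other only because `args` is a literal with len == cap, so each append copies; if anyone later pre-sizes `args` the two rules would share a backing array, so either note that invariant or use `append(args[:len(args):len(args)], ...)` to make it explicit. syncProxyRules starts and ends outside the hunk.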