Merge pull request #65803 from honkiko/ipvs-add-addrtype-match

Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. ipvs: add addrtype match for nodeport **What this PR does / why we need it**: before this PR: ``` -A KUBE-SERVICES -m comment --comment "Kubernetes nodeport TCP port for masquerade purpose" -m set --match-set KUBE-NODE-PORT-TCP dst -j KUBE-NODE-PORT -A KUBE-SERVICES -m comment --comment "Kubernetes service cluster ip + port for masquerade purpose" -m set --match-set KUBE-CLUSTER-IP dst,dst -j KUBE-MARK-MASQ -A KUBE-SERVICES -m set --match-set KUBE-CLUSTER-IP dst,dst -j ACCEPT -A KUBE-NODE-PORT -p tcp -m comment --comment "Kubernetes nodeport TCP port with externalTrafficPolicy=local" -m set --match-set KUBE-NODE-PORT-LOCAL-TCP dst -j RETURN -A KUBE-NODE-PORT -j KUBE-MARK-MASQ ``` after this PR: ``` -A KUBE-NODE-PORT -p tcp -m comment --comment "Kubernetes nodeport TCP port with externalTrafficPolicy=local" -m set --match-set KUBE-NODE-PORT-LOCAL-TCP dst -j RETURN -A KUBE-NODE-PORT -p tcp -m comment --comment "Kubernetes nodeport TCP port for masquerade purpose" -m set --match-set KUBE-NODE-PORT-TCP dst -j KUBE-MARK-MASQ -A KUBE-SERVICES -m comment --comment "Kubernetes service cluster ip + port for masquerade purpose" -m set --match-set KUBE-CLUSTER-IP dst,dst -j KUBE-MARK-MASQ -A KUBE-SERVICES -m set --match-set KUBE-CLUSTER-IP dst,dst -j ACCEPT -A KUBE-SERVICES -m addrtype --dst-type LOCAL -j KUBE-NODE-PORT ``` **Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*: Fixes #65459 **Special notes for your reviewer**: manually tested cases: - ClusterIP distributed to pod on same node - ClusterIP distributed to pod on other node - NodePort distributed to pod on same node - NodePort distributed to pod on other node **Release note**: ```release-note ```
2025-07-29 14:37:00 +00:00 · 2018-08-13 00:28:43 -07:00 · 2018-08-13 00:28:43 -07:00 · 4492337dbf
commit 4492337dbf
parent 6274590518 b2bf173aaf
2 changed files with 15 additions and 13 deletions
--- a/pkg/proxy/ipvs/proxier.go
+++ b/pkg/proxy/ipvs/proxier.go
@ -135,6 +135,7 @@ var ipsetInfo = []struct {
 // `iptables -t nat -A <from> -m set --match-set <name> <matchType> -j <to>`
 // example: iptables -t nat -A KUBE-SERVICES -m set --match-set KUBE-NODE-PORT-TCP dst -j KUBE-NODE-PORT
 // ipsets with other match rules will be created Individually.
+// Note: kubeNodePortLocalSetTCP must be prior to kubeNodePortSetTCP, the same for UDP.
 var ipsetWithIptablesChain = []struct {
 	name          string
 	from          string
@ -148,10 +149,10 @@ var ipsetWithIptablesChain = []struct {
 	{kubeLoadBalancerSourceCIDRSet, string(KubeFireWallChain), "RETURN", "dst,dst,src", ""},
 	{kubeLoadBalancerSourceIPSet, string(KubeFireWallChain), "RETURN", "dst,dst,src", ""},
 	{kubeLoadBalancerLocalSet, string(KubeLoadBalancerChain), "RETURN", "dst,dst", ""},
-	{kubeNodePortSetTCP, string(kubeServicesChain), string(KubeNodePortChain), "dst", "tcp"},
 	{kubeNodePortLocalSetTCP, string(KubeNodePortChain), "RETURN", "dst", "tcp"},
-	{kubeNodePortSetUDP, string(kubeServicesChain), string(KubeNodePortChain), "dst", "udp"},
+	{kubeNodePortSetTCP, string(KubeNodePortChain), string(KubeMarkMasqChain), "dst", "tcp"},
 	{kubeNodePortLocalSetUDP, string(KubeNodePortChain), "RETURN", "dst", "udp"},
+	{kubeNodePortSetUDP, string(KubeNodePortChain), string(KubeMarkMasqChain), "dst", "udp"},
 }

 var ipvsModules = []string{
@ -1280,11 +1281,12 @@ func (proxier *Proxier) writeIptablesRules() {
 		writeLine(proxier.natRules, append(dstLocalOnlyArgs, "-j", "ACCEPT")...)
 	}

-	// mark masq for KUBE-NODE-PORT
-	writeLine(proxier.natRules, []string{
-		"-A", string(KubeNodePortChain),
-		"-j", string(KubeMarkMasqChain),
-	}...)
+	// -A KUBE-SERVICES  -m addrtype  --dst-type LOCAL -j KUBE-NODE-PORT
+	args = append(args[:0],
+		"-A", string(kubeServicesChain),
+		"-m", "addrtype", "--dst-type", "LOCAL",
+	)
+	writeLine(proxier.natRules, append(args, "-j", string(KubeNodePortChain))...)

 	// mark drop for KUBE-LOAD-BALANCER
 	writeLine(proxier.natRules, []string{
--- a/pkg/proxy/ipvs/proxier_test.go
+++ b/pkg/proxy/ipvs/proxier_test.go
@ -477,11 +477,11 @@ func TestNodePortUDP(t *testing.T) {

 	// Check iptables chain and rules
 	epIpt := netlinktest.ExpectedIptablesChain{
-		string(kubeServicesChain): {{
-			JumpChain: string(KubeNodePortChain), MatchSet: kubeNodePortSetUDP,
-		}},
 		string(KubeNodePortChain): {{
-			JumpChain: string(KubeMarkMasqChain), MatchSet: "",
+			JumpChain: string(KubeMarkMasqChain), MatchSet: kubeNodePortSetUDP,
+		}},
+		string(kubeServicesChain): {{
+			JumpChain: string(KubeNodePortChain), MatchSet: "",
 		}},
 	}
 	checkIptables(t, ipt, epIpt)
@ -1063,12 +1063,12 @@ func TestOnlyLocalNodePorts(t *testing.T) {
 	// Check iptables chain and rules
 	epIpt := netlinktest.ExpectedIptablesChain{
 		string(kubeServicesChain): {{
-			JumpChain: string(KubeNodePortChain), MatchSet: kubeNodePortSetTCP,
+			JumpChain: string(KubeNodePortChain), MatchSet: "",
 		}},
 		string(KubeNodePortChain): {{
 			JumpChain: "RETURN", MatchSet: kubeNodePortLocalSetTCP,
 		}, {
-			JumpChain: string(KubeMarkMasqChain), MatchSet: "",
+			JumpChain: string(KubeMarkMasqChain), MatchSet: kubeNodePortSetTCP,
 		}},
 	}
 	checkIptables(t, ipt, epIpt)