diff --git a/pkg/proxy/ipvs/proxier.go b/pkg/proxy/ipvs/proxier.go
index a0012c73bc7..2efe6073281 100644
--- a/pkg/proxy/ipvs/proxier.go
+++ b/pkg/proxy/ipvs/proxier.go
@@ -135,6 +135,7 @@ var ipsetInfo = []struct {
 // `iptables -t nat -A -m set --match-set -j `
 // example: iptables -t nat -A KUBE-SERVICES -m set --match-set KUBE-NODE-PORT-TCP dst -j KUBE-NODE-PORT
 // ipsets with other match rules will be created Individually.
+// Note: kubeNodePortLocalSetTCP must be prior to kubeNodePortSetTCP, the same for UDP.
 var ipsetWithIptablesChain = []struct {
 name string
 from string
@@ -148,10 +149,10 @@ var ipsetWithIptablesChain = []struct {
 {kubeLoadBalancerSourceCIDRSet, string(KubeFireWallChain), "RETURN", "dst,dst,src", ""},
 {kubeLoadBalancerSourceIPSet, string(KubeFireWallChain), "RETURN", "dst,dst,src", ""},
 {kubeLoadBalancerLocalSet, string(KubeLoadBalancerChain), "RETURN", "dst,dst", ""},
-{kubeNodePortSetTCP, string(kubeServicesChain), string(KubeNodePortChain), "dst", "tcp"},
 {kubeNodePortLocalSetTCP, string(KubeNodePortChain), "RETURN", "dst", "tcp"},
-{kubeNodePortSetUDP, string(kubeServicesChain), string(KubeNodePortChain), "dst", "udp"},
+{kubeNodePortSetTCP, string(KubeNodePortChain), string(KubeMarkMasqChain), "dst", "tcp"},
 {kubeNodePortLocalSetUDP, string(KubeNodePortChain), "RETURN", "dst", "udp"},
+{kubeNodePortSetUDP, string(KubeNodePortChain), string(KubeMarkMasqChain), "dst", "udp"},
 }
 
 var ipvsModules = []string{
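Review bot: The header comment on ipsetWithIptablesChain still gives `iptables -t nat -A KUBE-SERVICES -m set --match-set KUBE-NODE-PORT-TCP dst -j KUBE-NODE-PORT` as its example, but after this hunk no entry jumps from KUBE-SERVICES to KUBE-NODE-PORT any more — the kubeNodePortSet* entries now sit in KUBE-NODE-PORT and jump to KUBE-MARK-MASQ, so the example describes a rule that is no longer generated. The new "must be prior to" note also states the constraint without its reason: the table appears to be emitted into iptables in slice order (the loop is outside this diff), so the RETURN for the *Local* sets has to precede the MASQ jump for the same protocol, otherwise NodePort traffic for externalTrafficPolicy=Local services is SNATed and the client source IP is lost. I would replace the example with `// example: iptables -t nat -A KUBE-NODE-PORT -m set --match-set KUBE-NODE-PORT-TCP dst -j KUBE-MARK-MASQ` and expand the note to `// Note: entries are emitted in order; the *Local* RETURN entries must precede the MASQ entries for the same protocol, otherwise Local-policy NodePort traffic is masqueraded and the client source IP is lost.`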
@@ -1280,11 +1281,12 @@ func (proxier *Proxier) writeIptablesRules() {
 writeLine(proxier.natRules, append(dstLocalOnlyArgs, "-j", "ACCEPT")...)
 }
 
-// mark masq for KUBE-NODE-PORT
-writeLine(proxier.natRules, []string{
-"-A", string(KubeNodePortChain),
-"-j", string(KubeMarkMasqChain),
-}...)
+// -A KUBE-SERVICES -m addrtype --dst-type LOCAL -j KUBE-NODE-PORT
+args = append(args[:0],
+"-A", string(kubeServicesChain),
+"-m", "addrtype", "--dst-type", "LOCAL",
+)
+writeLine(proxier.natRules, append(args, "-j", string(KubeNodePortChain))...)
 
 // mark drop for KUBE-LOAD-BALANCER
 writeLine(proxier.natRules, []string{
diff --git a/pkg/proxy/ipvs/proxier_test.go b/pkg/proxy/ipvs/proxier_test.go
index 6041668ab36..4a54ca51d21 100644
--- a/pkg/proxy/ipvs/proxier_test.go
+++ b/pkg/proxy/ipvs/proxier_test.go
@@ -477,11 +477,11 @@ func TestNodePortUDP(t *testing.T) {
 
 // Check iptables chain and rules
 epIpt := netlinktest.ExpectedIptablesChain{
-string(kubeServicesChain): {{
-JumpChain: string(KubeNodePortChain), MatchSet: kubeNodePortSetUDP,
-}},
 string(KubeNodePortChain): {{
-JumpChain: string(KubeMarkMasqChain), MatchSet: "",
+JumpChain: string(KubeMarkMasqChain), MatchSet: kubeNodePortSetUDP,
+}},
+string(kubeServicesChain): {{
+JumpChain: string(KubeNodePortChain), MatchSet: "",
 }},
 }
 checkIptables(t, ipt, epIpt)
@@ -1063,12 +1063,12 @@ func TestOnlyLocalNodePorts(t *testing.T) {
 // Check iptables chain and rules
 epIpt := netlinktest.ExpectedIptablesChain{
 string(kubeServicesChain): {{
-JumpChain: string(KubeNodePortChain), MatchSet: kubeNodePortSetTCP,
+JumpChain: string(KubeNodePortChain), MatchSet: "",
 }},
 string(KubeNodePortChain): {{
 JumpChain: "RETURN", MatchSet: kubeNodePortLocalSetTCP,
 }, {
-JumpChain: string(KubeMarkMasqChain), MatchSet: "",
+JumpChain: string(KubeMarkMasqChain), MatchSet: kubeNodePortSetTCP,
 }},
 }
 checkIptables(t, ipt, epIpt)
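Review bot: The comment on the new KUBE-SERVICES rule only restates the rule text; why a single addrtype jump replaced the per-set jumps, and why it is safe to route every locally-addressed packet through KUBE-NODE-PORT, is not recorded. Note also that the set match that now decides masquerading inside KUBE-NODE-PORT is port-only (`dst`), so any locally bound address whose port number coincides with a NodePort is marked for masquerade as well — the old KUBE-SERVICES set match had the same port-only semantics, so this is not a regression, but it is worth stating next to the rule. `args = append(args[:0], …)` reuses a slice declared earlier in writeIptablesRules, outside this hunk, and the function starts and ends outside the hunk. I would write `// Only packets addressed to a local IP can be NodePort traffic, so jump once on addrtype; the per-protocol set matches and the RETURN for Local-policy services live in KUBE-NODE-PORT. The set match is port-only, so a local address sharing a NodePort number is masqueraded too.`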
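Review bot: The expectation for KUBE-SERVICES now has `MatchSet: ""`, so the test only checks that some rule jumps to KUBE-NODE-PORT; the `-m addrtype --dst-type LOCAL` match that this change introduces in writeIptablesRules is never asserted, and a regression that dropped it (jumping for all traffic) would still pass. ExpectedIptablesChain appears to expose only JumpChain and MatchSet, so asserting the addrtype match would need an extra field in netlinktest and in checkIptables, both outside this diff. Until then, a comment such as `// KUBE-SERVICES jumps on addrtype LOCAL, which ExpectedIptablesChain cannot express; see writeIptablesRules` would make the gap visible. TestNodePortUDP starts outside the hunk.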
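Review bot: This test pins the ordering the new note in proxier.go depends on — the `RETURN` on kubeNodePortLocalSetTCP before the KubeMarkMasqChain jump on kubeNodePortSetTCP — but only for TCP; the note says "the same for UDP", and no UDP counterpart of TestOnlyLocalNodePorts is visible in this diff (TestNodePortUDP has no Local-policy case). Swapping two table entries would silently re-enable masquerading for Local-policy UDP NodePorts without any test failing, so I would add a UDP variant with the same two-entry expectation for KUBE-NODE-PORT, i.e. `JumpChain: "RETURN", MatchSet: kubeNodePortLocalSetUDP` followed by `JumpChain: string(KubeMarkMasqChain), MatchSet: kubeNodePortSetUDP`. TestOnlyLocalNodePorts starts outside the hunk.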