From e6add2072b2cc5abe4c73a489a15a6c17727c224 Mon Sep 17 00:00:00 2001
From: Minhan Xia
Date: Thu, 15 Jun 2017 12:06:46 -0700
Subject: [PATCH] append KUBE-HOSTPORTS to system chains instead of prepend

---
 pkg/kubelet/network/hostport/hostport.go | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/pkg/kubelet/network/hostport/hostport.go b/pkg/kubelet/network/hostport/hostport.go
index f62da6fa186..c14c750ba6f 100644
--- a/pkg/kubelet/network/hostport/hostport.go
+++ b/pkg/kubelet/network/hostport/hostport.go
@@ -184,7 +184,10 @@ func ensureKubeHostportChains(iptables utiliptables.Interface, natInterfaceName
 "-m", "addrtype", "--dst-type", "LOCAL", "-j", string(kubeHostportsChain)}
 for _, tc := range tableChainsNeedJumpServices {
- if _, err := iptables.EnsureRule(utiliptables.Prepend, tc.table, tc.chain, args...); err != nil {
+ // KUBE-HOSTPORTS chain needs to be appended to the system chains.
+ // This ensures KUBE-SERVICES chain gets processed first.
+ // Since rules in KUBE-HOSTPORTS chain matches broader cases, allow the more specific rules to be processed first.
+ if _, err := iptables.EnsureRule(utiliptables.Append, tc.table, tc.chain, args...); err != nil {
 return fmt.Errorf("Failed to ensure that %s chain %s jumps to %s: %v", tc.table, tc.chain, kubeHostportsChain, err)
 }
 }