github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-25 12:43:23 +00:00
Code Issues Projects Releases Wiki Activity

Review updates

Browse Source
This commit is contained in:
Erik Stidham 2017-10-30 13:44:43 -05:00
parent 7c108f595d
commit 535634f547
1 changed files with 15 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
pkg/proxy/iptables/proxier.go
View File

@ -1604,14 +1604,22 @@ func (proxier *Proxier) syncProxyRules() {
"-m", "addrtype", "--dst-type", "LOCAL", "-m", "addrtype", "--dst-type", "LOCAL",
"-j", string(kubeNodePortsChain)) "-j", string(kubeNodePortsChain))
// If the masqueradeMark has been added then we want to forward that same
// traffic, this allows NodePort traffic to be forwarded even if the default
// FORWARD policy is not accept.
writeLine(proxier.filterRules,
"-A", string(kubeForwardChain),
"-m", "comment", "--comment", `"kubernetes forwarding rules"`,
"-m", "mark", "--mark", proxier.masqueradeMark,
"-j", "ACCEPT",
)
// The following rules can only be set if clusterCIDR has been defined.
if len(proxier.clusterCIDR) != 0 { if len(proxier.clusterCIDR) != 0 {
glog.Error("Should be adding the rules now") // The following two rules ensure the traffic after the initial packet
writeLine(proxier.filterRules, // accepted by the "kubernetes forwarding rules" rule above will be
"-A", string(kubeForwardChain), // accepted, to be as specific as possible the traffic must be sourced
"-m", "comment", "--comment", `"kubernetes forwarding rules"`, // or destined to the clusterCIDR (to/from a pod).
"-m", "mark", "--mark", proxier.masqueradeMark,
"-j", "ACCEPT",
)
writeLine(proxier.filterRules, writeLine(proxier.filterRules,
"-A", string(kubeForwardChain), "-A", string(kubeForwardChain),
"-s", proxier.clusterCIDR, "-s", proxier.clusterCIDR,