From 56a717ef3d99710b66a97d0d41a14c944345e563 Mon Sep 17 00:00:00 2001
From: Hong Zhiguo
Date: Sun, 1 Jul 2018 12:17:55 +0800
Subject: [PATCH] fix missing protocol match in ipvs mode
---
 pkg/proxy/ipvs/proxier.go | 55 ++++++++++++++-------------------------
 1 file changed, 20 insertions(+), 35 deletions(-)
diff --git a/pkg/proxy/ipvs/proxier.go b/pkg/proxy/ipvs/proxier.go
index 35ba52d0864..6c68ecb3ded 100644
--- a/pkg/proxy/ipvs/proxier.go
+++ b/pkg/proxy/ipvs/proxier.go
@@ -136,19 +136,22 @@ var ipsetInfo = []struct {
 // example: iptables -t nat -A KUBE-SERVICES -m set --match-set KUBE-NODE-PORT-TCP dst -j KUBE-NODE-PORT
 // ipsets with other match rules will be created Individually.
 var ipsetWithIptablesChain = []struct {
- name string
- from string
- to string
- matchType string
+ name string
+ from string
+ to string
+ matchType string
+ protocolMatch string
 }{
- {kubeLoopBackIPSet, string(kubePostroutingChain), "MASQUERADE", "dst,dst,src"},
- {kubeLoadBalancerSet, string(kubeServicesChain), string(KubeLoadBalancerChain), "dst,dst"},
- {kubeLoadbalancerFWSet, string(KubeLoadBalancerChain), string(KubeFireWallChain), "dst,dst"},
- {kubeLoadBalancerSourceCIDRSet, string(KubeFireWallChain), "RETURN", "dst,dst,src"},
- {kubeLoadBalancerSourceIPSet, string(KubeFireWallChain), "RETURN", "dst,dst,src"},
- {kubeLoadBalancerLocalSet, string(KubeLoadBalancerChain), "RETURN", "dst,dst"},
- {kubeNodePortSetTCP, string(kubeServicesChain), string(KubeNodePortChain), "dst"},
- {kubeNodePortLocalSetTCP, string(KubeNodePortChain), "RETURN", "dst"},
+ {kubeLoopBackIPSet, string(kubePostroutingChain), "MASQUERADE", "dst,dst,src", ""},
+ {kubeLoadBalancerSet, string(kubeServicesChain), string(KubeLoadBalancerChain), "dst,dst", ""},
+ {kubeLoadbalancerFWSet, string(KubeLoadBalancerChain), string(KubeFireWallChain), "dst,dst", ""},
+ {kubeLoadBalancerSourceCIDRSet, string(KubeFireWallChain), "RETURN", "dst,dst,src", ""},
+ {kubeLoadBalancerSourceIPSet, string(KubeFireWallChain), "RETURN", "dst,dst,src", ""},
+ {kubeLoadBalancerLocalSet, string(KubeLoadBalancerChain), "RETURN", "dst,dst", ""},
+ {kubeNodePortSetTCP, string(kubeServicesChain), string(KubeNodePortChain), "dst", "tcp"},
+ {kubeNodePortLocalSetTCP, string(KubeNodePortChain), "RETURN", "dst", "tcp"},
+ {kubeNodePortSetUDP, string(kubeServicesChain), string(KubeNodePortChain), "dst", "udp"},
+ {kubeNodePortLocalSetUDP, string(KubeNodePortChain), "RETURN", "dst", "udp"},
 }
 var ipvsModules = 
[]string{
@@ -1204,8 +1207,11 @@ func (proxier *Proxier) writeIptablesRules() {
 for _, set := range ipsetWithIptablesChain {
 if _, find := proxier.ipsetList[set.name]; find && !proxier.ipsetList[set.name].isEmpty() {
- args = append(args[:0],
- "-A", set.from,
+ args = append(args[:0], "-A", set.from)
+ if set.protocolMatch != "" {
+ args = append(args, "-p", set.protocolMatch)
+ }
+ args = append(args,
 "-m", "comment", "--comment", proxier.ipsetList[set.name].getComment(),
 "-m", "set", "--match-set", set.name, set.matchType,
@@ -1264,27 +1270,6 @@ func (proxier *Proxier) writeIptablesRules() {
 writeLine(proxier.natRules, append(dstLocalOnlyArgs, "-j", "ACCEPT")...)
 }
- if !proxier.ipsetList[kubeNodePortSetUDP].isEmpty() {
- // accept for nodeports w/ externaltrafficpolicy=local
- args = append(args[:0],
- "-A", string(kubeServicesChain),
- "-m", "udp", "-p", "udp",
- "-m", "comment", "--comment", proxier.ipsetList[kubeNodePortSetUDP].getComment(),
- "-m", "set", "--match-set", kubeNodePortSetUDP,
- "dst",
- )
- writeLine(proxier.natRules, append(args, "-j", string(KubeNodePortChain))...)
- if !proxier.ipsetList[kubeNodePortLocalSetUDP].isEmpty() {
- args = append(args[:0],
- "-A", string(KubeNodePortChain),
- "-m", "comment", "--comment", proxier.ipsetList[kubeNodePortLocalSetUDP].getComment(),
- "-m", "set", "--match-set", kubeNodePortLocalSetUDP,
- "dst",
- )
- writeLine(proxier.natRules, append(args, "-j", "ACCEPT")...)
- }
- }
-
 // mark masq for KUBE-NODE-PORT
 writeLine(proxier.natRules, []string{
 "-A", string(KubeNodePortChain),
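Review bot: The new `protocolMatch` field of ipsetWithIptablesChain is undocumented, and the `// example:` comment above the table still shows only the protocol-less `KUBE-NODE-PORT-TCP dst` rule, so a reader of the declaration cannot tell when `-p` is emitted or why the node-port entries are the only ones that carry it. I would add `// protocolMatch is the iptables "-p" value ("tcp"/"udp"); empty means the rule gets no protocol match.` on the field and extend the example with the node-port form (`-p tcp -m set --match-set KUBE-NODE-PORT-TCP dst`). The last context line of this hunk is split across two lines in this view; the hunk otherwise appears complete.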
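Review bot: The added `if set.protocolMatch != ""` branch carries no comment explaining why the node-port sets need a protocol match while the other table entries do not, even though that is the whole point of this fix and the next refactor of this loop could drop it silently; a why-comment such as `// node-port sets are matched on dst alone (presumably the port), so restrict the rule to the set's protocol or it matches the same port number in any protocol` would pin the intent. The rewrite also drops the `-m udp` that the removed UDP block passed alongside `-p udp`; as far as I can tell `-p udp` by itself already restricts the rule to UDP, so this should be equivalent, but it is worth confirming against the rules actually installed. A unit test asserting that the generated KUBE-SERVICES/KUBE-NODE-PORT rules for kubeNodePortSetTCP and kubeNodePortSetUDP contain `-p tcp` and `-p udp` respectively would make the regression visible. writeIptablesRules starts and ends outside the hunk, and the hunk's trailing context lines appear truncated in this view.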