fix missing protocol match in ipvs mode

2025-08-02 08:17:26 +00:00 · 2018-07-01 12:17:55 +08:00 · 2018-07-01 12:17:55 +08:00 · 56a717ef3d
commit 56a717ef3d
parent e49e3baa83
1 changed files with 20 additions and 35 deletions
--- a/pkg/proxy/ipvs/proxier.go
+++ b/pkg/proxy/ipvs/proxier.go
@ -136,19 +136,22 @@ var ipsetInfo = []struct {
 // example: iptables -t nat -A KUBE-SERVICES -m set --match-set KUBE-NODE-PORT-TCP dst -j KUBE-NODE-PORT
 // ipsets with other match rules will be created Individually.
 var ipsetWithIptablesChain = []struct {
-	name      string
+	name          string
-	from      string
+	from          string
-	to        string
+	to            string
-	matchType string
+	matchType     string
 	protocolMatch string
 }{
-	{kubeLoopBackIPSet, string(kubePostroutingChain), "MASQUERADE", "dst,dst,src"},
+	{kubeLoopBackIPSet, string(kubePostroutingChain), "MASQUERADE", "dst,dst,src", ""},
-	{kubeLoadBalancerSet, string(kubeServicesChain), string(KubeLoadBalancerChain), "dst,dst"},
+	{kubeLoadBalancerSet, string(kubeServicesChain), string(KubeLoadBalancerChain), "dst,dst", ""},
-	{kubeLoadbalancerFWSet, string(KubeLoadBalancerChain), string(KubeFireWallChain), "dst,dst"},
+	{kubeLoadbalancerFWSet, string(KubeLoadBalancerChain), string(KubeFireWallChain), "dst,dst", ""},
-	{kubeLoadBalancerSourceCIDRSet, string(KubeFireWallChain), "RETURN", "dst,dst,src"},
+	{kubeLoadBalancerSourceCIDRSet, string(KubeFireWallChain), "RETURN", "dst,dst,src", ""},
-	{kubeLoadBalancerSourceIPSet, string(KubeFireWallChain), "RETURN", "dst,dst,src"},
+	{kubeLoadBalancerSourceIPSet, string(KubeFireWallChain), "RETURN", "dst,dst,src", ""},
-	{kubeLoadBalancerLocalSet, string(KubeLoadBalancerChain), "RETURN", "dst,dst"},
+	{kubeLoadBalancerLocalSet, string(KubeLoadBalancerChain), "RETURN", "dst,dst", ""},
-	{kubeNodePortSetTCP, string(kubeServicesChain), string(KubeNodePortChain), "dst"},
+	{kubeNodePortSetTCP, string(kubeServicesChain), string(KubeNodePortChain), "dst", "tcp"},
-	{kubeNodePortLocalSetTCP, string(KubeNodePortChain), "RETURN", "dst"},
+	{kubeNodePortLocalSetTCP, string(KubeNodePortChain), "RETURN", "dst", "tcp"},
 	{kubeNodePortSetUDP, string(kubeServicesChain), string(KubeNodePortChain), "dst", "udp"},
 	{kubeNodePortLocalSetUDP, string(KubeNodePortChain), "RETURN", "dst", "udp"},
 }
 var ipvsModules = []string{
@ -1204,8 +1207,11 @@ func (proxier *Proxier) writeIptablesRules() {
 	for _, set := range ipsetWithIptablesChain {
 		if _, find := proxier.ipsetList[set.name]; find && !proxier.ipsetList[set.name].isEmpty() {
-			args = append(args[:0],
+			args = append(args[:0], "-A", set.from)
-				"-A", set.from,
+			if set.protocolMatch != "" {
 				args = append(args, "-p", set.protocolMatch)
 			}
 			args = append(args,
 				"-m", "comment", "--comment", proxier.ipsetList[set.name].getComment(),
 				"-m", "set", "--match-set", set.name,
 				set.matchType,
@ -1264,27 +1270,6 @@ func (proxier *Proxier) writeIptablesRules() {
 		writeLine(proxier.natRules, append(dstLocalOnlyArgs, "-j", "ACCEPT")...)
 	}
 	if !proxier.ipsetList[kubeNodePortSetUDP].isEmpty() {
 		// accept for nodeports w/ externaltrafficpolicy=local
 		args = append(args[:0],
 			"-A", string(kubeServicesChain),
 			"-m", "udp", "-p", "udp",
 			"-m", "comment", "--comment", proxier.ipsetList[kubeNodePortSetUDP].getComment(),
 			"-m", "set", "--match-set", kubeNodePortSetUDP,
 			"dst",
 		)
 		writeLine(proxier.natRules, append(args, "-j", string(KubeNodePortChain))...)
 		if !proxier.ipsetList[kubeNodePortLocalSetUDP].isEmpty() {
 			args = append(args[:0],
 				"-A", string(KubeNodePortChain),
 				"-m", "comment", "--comment", proxier.ipsetList[kubeNodePortLocalSetUDP].getComment(),
 				"-m", "set", "--match-set", kubeNodePortLocalSetUDP,
 				"dst",
 			)
 			writeLine(proxier.natRules, append(args, "-j", "ACCEPT")...)
 		}
 	}
 	// mark masq for KUBE-NODE-PORT
 	writeLine(proxier.natRules, []string{
 		"-A", string(KubeNodePortChain),