Merge pull request #94591 from Lion-Wei/lb-fw
Fix failing test "Services should only allow access from service loadbalancer source ranges"
commit
5fc80692c5
@ -399,6 +399,13 @@ var iptablesJumpChains = []iptablesJumpChain{
|
||||
{utiliptables.TableNAT, kubePostroutingChain, utiliptables.ChainPostrouting, "kubernetes postrouting rules", nil},
|
||||
}
|
||||
|
||||
var iptablesEnsureChains = []struct {
|
||||
table utiliptables.Table
|
||||
chain utiliptables.Chain
|
||||
}{
|
||||
{utiliptables.TableNAT, KubeMarkDropChain},
|
||||
}
|
||||
|
||||
var iptablesCleanupOnlyChains = []iptablesJumpChain{}
|
||||
|
||||
// CleanupLeftovers removes all iptables rules and chains created by the Proxier
|
||||
@ -868,6 +875,14 @@ func (proxier *Proxier) syncProxyRules() {
|
||||
}
|
||||
}
|
||||
|
||||
// ensure KUBE-MARK-DROP chain exist but do not change any rules
|
||||
for _, ch := range iptablesEnsureChains {
|
||||
if _, err := proxier.iptables.EnsureChain(ch.table, ch.chain); err != nil {
|
||||
klog.Errorf("Failed to ensure that %s chain %s exists: %v", ch.table, ch.chain, err)
|
||||
return
|
||||
}
|
||||
}
|
||||
|
||||
//
|
||||
// Below this point we will not return until we try to write the iptables rules.
|
||||
//
|
||||
|
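Review bot: The comment `// ensure KUBE-MARK-DROP chain exist but do not change any rules` above the new loop in syncProxyRules does not say why the rules must be left alone or which component is expected to install them. This matters for the load balancer source-range check named in the commit title: the loop only calls EnsureChain, and a jump into a chain with no rules returns without marking the packet, so if the rule's owner (presumably kubelet, to be confirmed) has not populated the chain, traffic from outside the allowed ranges would not be dropped. I would expand the comment to something like `// KUBE-MARK-DROP's marking rule is installed by another component; only create the chain here so jumps to it resolve, and never flush or rewrite it.` The same terse comment appears in createAndLinkeKubeChain in the second file section. syncProxyRules starts and ends outside this hunk.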
@ -117,10 +117,16 @@ var iptablesChains = []struct {
|
||||
{utiliptables.TableNAT, KubeNodePortChain},
|
||||
{utiliptables.TableNAT, KubeLoadBalancerChain},
|
||||
{utiliptables.TableNAT, KubeMarkMasqChain},
|
||||
{utiliptables.TableNAT, KubeMarkDropChain},
|
||||
{utiliptables.TableFilter, KubeForwardChain},
|
||||
}
|
||||
|
||||
var iptablesEnsureChains = []struct {
|
||||
table utiliptables.Table
|
||||
chain utiliptables.Chain
|
||||
}{
|
||||
{utiliptables.TableNAT, KubeMarkDropChain},
|
||||
}
|
||||
|
||||
var iptablesCleanupChains = []struct {
|
||||
table utiliptables.Table
|
||||
chain utiliptables.Chain
|
||||
@ -1858,6 +1864,14 @@ func (proxier *Proxier) createAndLinkeKubeChain() {
|
||||
existingFilterChains := proxier.getExistingChains(proxier.filterChainsData, utiliptables.TableFilter)
|
||||
existingNATChains := proxier.getExistingChains(proxier.iptablesData, utiliptables.TableNAT)
|
||||
|
||||
// ensure KUBE-MARK-DROP chain exist but do not change any rules
|
||||
for _, ch := range iptablesEnsureChains {
|
||||
if _, err := proxier.iptables.EnsureChain(ch.table, ch.chain); err != nil {
|
||||
klog.Errorf("Failed to ensure that %s chain %s exists: %v", ch.table, ch.chain, err)
|
||||
return
|
||||
}
|
||||
}
|
||||
|
||||
// Make sure we keep stats for the top-level chains
|
||||
for _, ch := range iptablesChains {
|
||||
if _, err := proxier.iptables.EnsureChain(ch.table, ch.chain); err != nil {
|
||||
|
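Review bot: The bare `return` in the new loop at the top of createAndLinkeKubeChain exits before the loop over iptablesChains that follows, and the signature in the hunk header has no result, so the caller cannot tell that chain setup was abandoned. If the caller then carries on with the sync (not visible here), a failure to create KUBE-MARK-DROP is reported only by the klog line, while the rules that depend on these chains may be missing or stale. Consider returning an error from this function so the caller can stop and retry. Failing that, document the behaviour on the function, e.g. `// On any EnsureChain failure this logs and returns early; no top-level chains are ensured or linked for this sync.` The function body continues outside the hunk.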