github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-27 21:47:07 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #94591 from Lion-Wei/lb-fw

Browse Source 
Fix failing test "Services should only allow access from service loadbalancer source ranges"
This commit is contained in:
Kubernetes Prow Robot 2020-10-16 09:01:26 -07:00 committed by GitHub
commit 5fc80692c5
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 30 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
pkg/proxy/iptables/proxier.go
View File

@ -399,6 +399,13 @@ var iptablesJumpChains = []iptablesJumpChain{
{utiliptables.TableNAT, kubePostroutingChain, utiliptables.ChainPostrouting, "kubernetes postrouting rules", nil}, {utiliptables.TableNAT, kubePostroutingChain, utiliptables.ChainPostrouting, "kubernetes postrouting rules", nil},
} }
var iptablesEnsureChains = []struct {
table utiliptables.Table
chain utiliptables.Chain
}{
{utiliptables.TableNAT, KubeMarkDropChain},
}
var iptablesCleanupOnlyChains = []iptablesJumpChain{} var iptablesCleanupOnlyChains = []iptablesJumpChain{}
// CleanupLeftovers removes all iptables rules and chains created by the Proxier // CleanupLeftovers removes all iptables rules and chains created by the Proxier
@ -868,6 +875,14 @@ func (proxier *Proxier) syncProxyRules() {
} }
} }
// ensure KUBE-MARK-DROP chain exist but do not change any rules
for _, ch := range iptablesEnsureChains {
if _, err := proxier.iptables.EnsureChain(ch.table, ch.chain); err != nil {
klog.Errorf("Failed to ensure that %s chain %s exists: %v", ch.table, ch.chain, err)
return
}
}
// //
// Below this point we will not return until we try to write the iptables rules. // Below this point we will not return until we try to write the iptables rules.
// //

16
pkg/proxy/ipvs/proxier.go
View File

@ -117,10 +117,16 @@ var iptablesChains = []struct {
{utiliptables.TableNAT, KubeNodePortChain}, {utiliptables.TableNAT, KubeNodePortChain},
{utiliptables.TableNAT, KubeLoadBalancerChain}, {utiliptables.TableNAT, KubeLoadBalancerChain},
{utiliptables.TableNAT, KubeMarkMasqChain}, {utiliptables.TableNAT, KubeMarkMasqChain},
{utiliptables.TableNAT, KubeMarkDropChain},
{utiliptables.TableFilter, KubeForwardChain}, {utiliptables.TableFilter, KubeForwardChain},
} }
var iptablesEnsureChains = []struct {
table utiliptables.Table
chain utiliptables.Chain
}{
{utiliptables.TableNAT, KubeMarkDropChain},
}
var iptablesCleanupChains = []struct { var iptablesCleanupChains = []struct {
table utiliptables.Table table utiliptables.Table
chain utiliptables.Chain chain utiliptables.Chain
@ -1858,6 +1864,14 @@ func (proxier *Proxier) createAndLinkeKubeChain() {
existingFilterChains := proxier.getExistingChains(proxier.filterChainsData, utiliptables.TableFilter) existingFilterChains := proxier.getExistingChains(proxier.filterChainsData, utiliptables.TableFilter)
existingNATChains := proxier.getExistingChains(proxier.iptablesData, utiliptables.TableNAT) existingNATChains := proxier.getExistingChains(proxier.iptablesData, utiliptables.TableNAT)
// ensure KUBE-MARK-DROP chain exist but do not change any rules
for _, ch := range iptablesEnsureChains {
if _, err := proxier.iptables.EnsureChain(ch.table, ch.chain); err != nil {
klog.Errorf("Failed to ensure that %s chain %s exists: %v", ch.table, ch.chain, err)
return
}
}
// Make sure we keep stats for the top-level chains // Make sure we keep stats for the top-level chains
for _, ch := range iptablesChains { for _, ch := range iptablesChains {
if _, err := proxier.iptables.EnsureChain(ch.table, ch.chain); err != nil { if _, err := proxier.iptables.EnsureChain(ch.table, ch.chain); err != nil {