proxy/iptables: fix a bug in node address error handling

If GetNodeAddresses() fails (eg, because you passed the wrong CIDR to `--nodeport-addresses`), then any NodePort services would end up with only half a set of iptables rules. Fix it to just not output the NodePort-specific parts in that case (in addition to logging an error about the GetNodeAddresses() failure).
2025-07-23 11:50:44 +00:00 · 2021-11-09 09:25:23 -05:00 · 2021-11-09 09:25:23 -05:00 · 62672d06e6
commit 62672d06e6
parent ab67a942ca
1 changed files with 1 additions and 5 deletions
--- a/pkg/proxy/iptables/proxier.go
+++ b/pkg/proxy/iptables/proxier.go
@ -1302,13 +1302,9 @@ func (proxier *Proxier) syncProxyRules() {
 		// Capture nodeports.  If we had more than 2 rules it might be
 		// worthwhile to make a new per-service chain for nodeport rules, but
 		// with just 2 rules it ends up being a waste and a cognitive burden.
-		if svcInfo.NodePort() != 0 {
+		if svcInfo.NodePort() != 0 && len(nodeAddresses) != 0 {
 			// Hold the local port open so no other process can open it
 			// (because the socket might open but it would never work).
-			if len(nodeAddresses) == 0 {
-				continue
-			}
-
 			lps := make([]netutils.LocalPort, 0)
 			for address := range nodeAddresses {
 				lp := netutils.LocalPort{