From 62672d06e6362acdf8699c9970319ffbd8bdbb68 Mon Sep 17 00:00:00 2001
From: Dan Winship
Date: Tue, 9 Nov 2021 09:25:23 -0500
Subject: [PATCH] proxy/iptables: fix a bug in node address error handling

If GetNodeAddresses() fails (eg, because you passed the wrong CIDR to `--nodeport-addresses`), then any NodePort services would end up with only half a set of iptables rules. Fix it to just not output the NodePort-specific parts in that case (in addition to logging an error about the GetNodeAddresses() failure).
---
 pkg/proxy/iptables/proxier.go | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/pkg/proxy/iptables/proxier.go b/pkg/proxy/iptables/proxier.go
index d83d0464ca5..89d110915f1 100644
--- a/pkg/proxy/iptables/proxier.go
+++ b/pkg/proxy/iptables/proxier.go
@@ -1302,13 +1302,9 @@ func (proxier *Proxier) syncProxyRules() {
 		// Capture nodeports. If we had more than 2 rules it might be
 		// worthwhile to make a new per-service chain for nodeport rules, but
 		// with just 2 rules it ends up being a waste and a cognitive burden.
-		if svcInfo.NodePort() != 0 {
+		if svcInfo.NodePort() != 0 && len(nodeAddresses) != 0 {
 			// Hold the local port open so no other process can open it
 			// (because the socket might open but it would never work).
-			if len(nodeAddresses) == 0 {
-				continue
-			}
-
 			lps := make([]netutils.LocalPort, 0)
 			for address := range nodeAddresses {
 				lp := netutils.LocalPort{
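Review bot: The added `&& len(nodeAddresses) != 0` on the `if` line makes the NodePort block fail closed when the address set is empty, but nothing at this point in the code says that an empty set is an error state rather than a normal "no addresses matched" case, and the only signal is the error the description says is logged where GetNodeAddresses() is called, outside this hunk. The three-line comment above the `if` still only explains the chain layout, so a maintainer reading the combined condition cannot tell why the second operand is there or that the service's NodePort is intentionally left unexposed (and the local port not held open) in that case. I would add above the `if`: `// An empty nodeAddresses means GetNodeAddresses() failed (logged by the caller); emit no NodePort rules rather than a partial set.` If an empty set can also arise without an error, the comment should say that too so the skip is not mistaken for a bug. syncProxyRules() begins and ends outside this hunk.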