github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-30 06:54:01 +00:00
Code Issues Projects Releases Wiki Activity

Corrects target in the KUBE-IPVS-FILTER chain

Browse Source 
The target was "ACCEPT" which disabled any other check like
loadBalancerSourceRanges in the KUBE-PROXY-FIREWALL chain.
The target is now "RETURN".
This commit is contained in:
Lars Ekman 2022-09-15 07:49:12 +02:00
parent 80ddaf23a8
commit 639b9bca5d
1 changed files with 3 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
pkg/proxy/ipvs/proxier.go
View File

@ -1807,13 +1807,13 @@ func (proxier *Proxier) writeIptablesRules() {
// https://github.com/kubernetes/kubernetes/issues/72236
proxier.filterRules.Write(
"-A", string(kubeIPVSFilterChain),
"-m", "set", "--match-set", proxier.ipsetList[kubeLoadBalancerSet].Name, "dst,dst", "-j", "ACCEPT")
"-m", "set", "--match-set", proxier.ipsetList[kubeLoadBalancerSet].Name, "dst,dst", "-j", "RETURN")
proxier.filterRules.Write(
"-A", string(kubeIPVSFilterChain),
"-m", "set", "--match-set", proxier.ipsetList[kubeClusterIPSet].Name, "dst,dst", "-j", "ACCEPT")
"-m", "set", "--match-set", proxier.ipsetList[kubeClusterIPSet].Name, "dst,dst", "-j", "RETURN")
proxier.filterRules.Write(
"-A", string(kubeIPVSFilterChain),
"-m", "set", "--match-set", proxier.ipsetList[kubeExternalIPSet].Name, "dst,dst", "-j", "ACCEPT")
"-m", "set", "--match-set", proxier.ipsetList[kubeExternalIPSet].Name, "dst,dst", "-j", "RETURN")
proxier.filterRules.Write(
"-A", string(kubeIPVSFilterChain),
"-m", "conntrack", "--ctstate", "NEW",