From 8906ab390eaed6c0ec46855ef379954e55b4084d Mon Sep 17 00:00:00 2001
From: Dan Winship
Date: Wed, 6 Apr 2022 10:52:22 -0400
Subject: [PATCH] proxy/iptables: reorganize cluster/local chain creation

Part of reorganizing the syncProxyRules loop to do:

1. figure out what chains are needed, mark them in activeNATChains
2. write servicePort jump rules to KUBE-SERVICES/KUBE-NODEPORTS
3. write servicePort-specific chains (SVC, SVL, EXT, FW, SEP)

This fixes the handling of the SVC and SVL chains. We were already filling them in at the end of the loop; this fixes it to create them at the bottom of the loop as well.
---
 pkg/proxy/iptables/proxier.go | 38 +++++++++++++++++------------------
 1 file changed, 19 insertions(+), 19 deletions(-)

diff --git a/pkg/proxy/iptables/proxier.go b/pkg/proxy/iptables/proxier.go
index b619ec7ea18..b7dcb50f6bc 100644
--- a/pkg/proxy/iptables/proxier.go
+++ b/pkg/proxy/iptables/proxier.go
@@ -998,10 +998,19 @@ func (proxier *Proxier) syncProxyRules() {
 }
 }
 
- // These chains represent the sets of endpoints to use when internal or
- // external traffic policy is "Cluster" vs "Local".
+ // clusterPolicyChain contains the endpoints used with "Cluster" traffic policy
 clusterPolicyChain := svcInfo.clusterPolicyChainName
+ usesClusterPolicyChain := len(clusterEndpoints) > 0 && svcInfo.UsesClusterEndpoints()
+ if usesClusterPolicyChain {
+ activeNATChains[clusterPolicyChain] = true
+ }
+
+ // localPolicyChain contains the endpoints used with "Local" traffic policy
 localPolicyChain := svcInfo.localPolicyChainName
+ usesLocalPolicyChain := len(localEndpoints) > 0 && svcInfo.UsesLocalEndpoints()
+ if usesLocalPolicyChain {
+ activeNATChains[localPolicyChain] = true
+ }
 
 // internalPolicyChain is the chain containing the endpoints for
 // "internal" (ClusterIP) traffic. internalTrafficChain is the chain that
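Review bot: The added `activeNATChains[clusterPolicyChain] = true` (and the Local twin below it) now marks a chain as in use several hundred lines before its `MakeChainLine` declaration is written in the last hunk, so the two sites stay consistent only because both test the same `usesClusterPolicyChain`/`usesLocalPolicyChain` booleans. Nothing at this point in the loop tells a reader that the declaration has moved; a comment here would make the invariant explicit, e.g. `// The chain itself is declared (MakeChainLine) together with its rules at the bottom of the loop; activeNATChains must stay in step with that.` If a later edit marks a chain active here without declaring it below, or declares it without marking it, the generated restore input would presumably reference an undeclared chain or leave one behind, so the dependency is worth naming. syncProxyRules begins and ends outside this hunk.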
@@ -1069,19 +1078,6 @@ func (proxier *Proxier) syncProxyRules() {
 }
 }
 
- // Declare the clusterPolicyChain if needed.
- if len(clusterEndpoints) > 0 && svcInfo.UsesClusterEndpoints() {
- // Create the Cluster traffic policy chain
- proxier.natChains.Write(utiliptables.MakeChainLine(clusterPolicyChain))
- activeNATChains[clusterPolicyChain] = true
- }
-
- // Declare the localPolicyChain if needed.
- if len(localEndpoints) > 0 && svcInfo.UsesLocalEndpoints() {
- proxier.natChains.Write(utiliptables.MakeChainLine(localPolicyChain))
- activeNATChains[localPolicyChain] = true
- }
-
 // If any "external" destinations are enabled, set up external traffic
 // handling. All captured traffic for all external destinations should
 // jump to externalTrafficChain, which will handle some special-cases
@@ -1337,13 +1333,17 @@ func (proxier *Proxier) syncProxyRules() {
 )
 }
 
- if svcInfo.UsesClusterEndpoints() {
- // Write rules jumping from clusterPolicyChain to clusterEndpoints
+ // If Cluster policy is in use, create the chain and create rules jumping
+ // from clusterPolicyChain to the clusterEndpoints
+ if usesClusterPolicyChain {
+ proxier.natChains.Write(utiliptables.MakeChainLine(clusterPolicyChain))
 proxier.writeServiceToEndpointRules(svcPortNameString, svcInfo, clusterPolicyChain, clusterEndpoints, args)
 }
 
- if svcInfo.UsesLocalEndpoints() {
- // Write rules jumping from localPolicyChain to localEndpointChains
+ // If Local policy is in use, create the chain and create rules jumping
+ // from localPolicyChain to the localEndpoints
+ if usesLocalPolicyChain {
+ proxier.natChains.Write(utiliptables.MakeChainLine(localPolicyChain))
 proxier.writeServiceToEndpointRules(svcPortNameString, svcInfo, localPolicyChain, localEndpoints, args)
 }
 
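Review bot: The Cluster and Local blocks in the last hunk are now line-for-line parallel, differing only in the chain and endpoint list passed to `MakeChainLine` and `writeServiceToEndpointRules`; a small method such as `proxier.writePolicyChain(svcPortNameString, svcInfo, chain, endpoints, args)` would keep them from drifting apart as the reorganization continues. The new comments could also say that `usesClusterPolicyChain`/`usesLocalPolicyChain` were computed at the top of the loop and already imply a non-empty endpoint list, since neither fact is visible from here, e.g. `// usesClusterPolicyChain (set at the top of the loop) already implies len(clusterEndpoints) > 0`. syncProxyRules begins before and continues past this hunk.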