From 60bde9fbe2707b013fc03bd41c09fb04d0c6815e Mon Sep 17 00:00:00 2001
From: m1093782566
Date: Sun, 7 Jan 2018 15:07:59 +0800
Subject: [PATCH 1/2] fix nodeport localhost martian source error
---
 pkg/proxy/iptables/proxier.go | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/pkg/proxy/iptables/proxier.go b/pkg/proxy/iptables/proxier.go
index 1710d989f97..468fefe0c4c 100644
--- a/pkg/proxy/iptables/proxier.go
+++ b/pkg/proxy/iptables/proxier.go
@@ -1172,6 +1172,7 @@ func (proxier *Proxier) syncProxyRules() {
 // Build rules for each service.
 var svcNameString string
 for svcName, svcInfo := range proxier.serviceMap {
+ isIPv6 := utilproxy.IsIPv6(svcInfo.clusterIP)
 protocol := strings.ToLower(string(svcInfo.protocol))
 svcNameString = svcInfo.serviceNameString
@@ -1384,7 +1385,6 @@ func (proxier *Proxier) syncProxyRules() {
 // This is very low impact. The NodePort range is intentionally obscure, and unlikely to actually collide with real Services.
 // This only affects UDP connections, which are not common.
 // See issue: https://github.com/kubernetes/kubernetes/issues/49881
- isIPv6 := utilproxy.IsIPv6(svcInfo.clusterIP)
 err := utilproxy.ClearUDPConntrackForPort(proxier.exec, lp.Port, isIPv6)
 if err != nil {
 glog.Errorf("Failed to clear udp conntrack for port %d, error: %v", lp.Port, err)
@@ -1407,6 +1407,13 @@ func (proxier *Proxier) syncProxyRules() {
 } else {
 // TODO: Make all nodePorts jump to the firewall chain.
 // Currently we only create it for loadbalancers (#33586).
+
+ // Fix localhost martian source error
+ loopback := "127.0.0.0/8"
+ if isIPv6 {
+ loopback = "::1/128"
+ }
+ writeLine(proxier.natRules, append(args, "-s", loopback, "-j", string(KubeMarkMasqChain))...)
 writeLine(proxier.natRules, append(args, "-j", string(svcXlbChain))...)
 }
From b015f1f567caabfb88893163730131beb0d2e9c2 Mon Sep 17 00:00:00 2001
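Review bot: The new `// Fix localhost martian source error` comment in the third hunk names the symptom rather than the reason the rule is scoped to loopback, and the next reader of the `} else {` branch (the node-local-endpoints case, judging by the jump to svcXlbChain and the surrounding TODO) will have to rediscover why only loopback-sourced packets are masqueraded while every other client keeps its source address. I would replace it with `// Local-policy NodePorts skip KUBE-MARK-MASQ to keep the client IP, so a connection from the node's own loopback reaches the pod with a 127.0.0.0/8 (or ::1) source and the reply is dropped as a martian. Masquerade only loopback sources so external clients still see their real address.` Two caveats belong in that comment as well: once masqueraded, a pod behind a Local-policy NodePort can no longer tell a node-local client apart from the node itself, and (as far as I recall, not visible in this hunk) a 127.0.0.0/8-sourced packet only reaches the pod at all when route_localnet is enabled on the node, so the `::1/128` branch is presumably inert and should say so. Placing the mark rule before the svcXlbChain jump looks right provided KubeMarkMasqChain only sets a mark and returns, which is not shown here; syncProxyRules begins before and continues after every hunk in this file.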
From: m1093782566
Date: Mon, 8 Jan 2018 10:44:47 +0800
Subject: [PATCH 2/2] add ut for localhost nodeport
---
 pkg/proxy/iptables/proxier_test.go | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/pkg/proxy/iptables/proxier_test.go b/pkg/proxy/iptables/proxier_test.go
index e9cb5b634de..6308d4cc0f6 100644
--- a/pkg/proxy/iptables/proxier_test.go
+++ b/pkg/proxy/iptables/proxier_test.go
@@ -1017,6 +1017,10 @@ func onlyLocalNodePorts(t *testing.T, fp *Proxier, ipt *iptablestest.FakeIPTable
 errorf(fmt.Sprintf("Failed to find jump to lb chain %v", lbChain), kubeNodePortRules, t)
 }
+ if !hasJump(kubeNodePortRules, string(KubeMarkMasqChain), "", svcNodePort) {
+ errorf(fmt.Sprintf("Failed to find jump to %s chain for destination IP %d", KubeMarkMasqChain, svcNodePort), kubeNodePortRules, t)
+ }
+
 svcChain := string(servicePortChainName(svcPortName.String(), proto))
 lbRules := ipt.GetRules(lbChain)
 if hasJump(lbRules, nonLocalEpChain, "", 0) {
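Review bot: The new assertion passes `""` as hasJump's IP argument, so it only proves that some rule on this node port jumps to KUBE-MARK-MASQ; it would pass just as well if the production rule lacked the `-s 127.0.0.0/8` match, which is exactly the part that keeps external client addresses intact for the node-local-endpoints case. hasJump's third argument looks like a destination-IP filter (it is `""` in the other calls in this hunk), so pinning the source match probably needs a small helper that reads the rule's source field from the fake iptables — an inference, since hasJump is defined outside the hunk. The message is also wrong: svcNodePort is a port, so `"Failed to find jump to %s chain for destination IP %d"` should read `"Failed to find jump to %s chain for node port %d"`. An IPv6 case asserting the `::1/128` source would cover the other branch of the production change, which this IPv4-only helper does not exercise. onlyLocalNodePorts starts before and ends after this hunk.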