From 958e80ca3b0971bd2d16e9765f234702ab25b03e Mon Sep 17 00:00:00 2001
From: Dan Winship
Date: Fri, 19 May 2023 08:06:08 -0400
Subject: [PATCH] Clarify nftables/proxier.go by distinguishing nat/filter table KUBE-SERVICES chains

(It is confusing, but allowed, to have distinct "KUBE-SERVICES" chains in "nat" and "filter" in iptables, but in nftables the "type nat" and "type filter" chains end up in the same table, so we'll need different names for the two.)
---
 pkg/proxy/nftables/proxier.go | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/pkg/proxy/nftables/proxier.go b/pkg/proxy/nftables/proxier.go
index a827461106c..c9f2f802980 100644
--- a/pkg/proxy/nftables/proxier.go
+++ b/pkg/proxy/nftables/proxier.go
@@ -55,7 +55,10 @@ import (
 )
 
 const (
-	// the services chain
+	// the services chain in the filter table
+	kubeServicesFilterChain = "KUBE-SERVICES"
+
+	// the services chain in the NAT table
 	kubeServicesChain = "KUBE-SERVICES"
 
 	// the external services chain
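Review bot: The new `kubeServicesFilterChain` still expands to exactly the same string as `kubeServicesChain` (`"KUBE-SERVICES"`), so after this hunk the two constants differ only in their Go name and nothing prevents both chains from being created under one name in a single nftables table, which is the problem the commit message itself describes. Since the filter-side chain is where syncProxyRules writes its rules for services with no endpoints (the `// No endpoints.` branch later in this patch), a collision there could change which traffic is filtered rather than only hurt readability. I would at least record the deferral on the constant, e.g. `kubeServicesFilterChain = "KUBE-SERVICES" // TODO: must differ from kubeServicesChain once both chains live in the same nftables table`, or pick the distinct name now (`"KUBE-SERVICES-FILTER"`) and add a unit test asserting `kubeServicesFilterChain != kubeServicesChain` so the two cannot silently converge again. The `const` block continues past the end of the hunk.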
@@ -316,8 +319,8 @@ type iptablesJumpChain struct {
 var iptablesJumpChains = []iptablesJumpChain{
 	{utiliptables.TableFilter, kubeExternalServicesChain, utiliptables.ChainInput, "kubernetes externally-visible service portals", []string{"-m", "conntrack", "--ctstate", "NEW"}},
 	{utiliptables.TableFilter, kubeExternalServicesChain, utiliptables.ChainForward, "kubernetes externally-visible service portals", []string{"-m", "conntrack", "--ctstate", "NEW"}},
-	{utiliptables.TableFilter, kubeServicesChain, utiliptables.ChainForward, "kubernetes service portals", []string{"-m", "conntrack", "--ctstate", "NEW"}},
-	{utiliptables.TableFilter, kubeServicesChain, utiliptables.ChainOutput, "kubernetes service portals", []string{"-m", "conntrack", "--ctstate", "NEW"}},
+	{utiliptables.TableFilter, kubeServicesFilterChain, utiliptables.ChainForward, "kubernetes service portals", []string{"-m", "conntrack", "--ctstate", "NEW"}},
+	{utiliptables.TableFilter, kubeServicesFilterChain, utiliptables.ChainOutput, "kubernetes service portals", []string{"-m", "conntrack", "--ctstate", "NEW"}},
 	{utiliptables.TableFilter, kubeForwardChain, utiliptables.ChainForward, "kubernetes forwarding rules", nil},
 	{utiliptables.TableFilter, kubeProxyFirewallChain, utiliptables.ChainInput, "kubernetes load balancer firewall", []string{"-m", "conntrack", "--ctstate", "NEW"}},
 	{utiliptables.TableFilter, kubeProxyFirewallChain, utiliptables.ChainOutput, "kubernetes load balancer firewall", []string{"-m", "conntrack", "--ctstate", "NEW"}},
@@ -742,7 +745,7 @@ func (proxier *Proxier) syncProxyRules() {
 	proxier.natRules.Reset()
 
 	// Write chain lines for all the "top-level" chains we'll be filling in
-	for _, chainName := range []utiliptables.Chain{kubeServicesChain, kubeExternalServicesChain, kubeForwardChain, kubeProxyFirewallChain} {
+	for _, chainName := range []utiliptables.Chain{kubeServicesFilterChain, kubeExternalServicesChain, kubeForwardChain, kubeProxyFirewallChain} {
 		proxier.filterChains.Write(utiliptables.MakeChainLine(chainName))
 	}
 	for _, chainName := range []utiliptables.Chain{kubeServicesChain, kubeNodePortsChain, kubePostroutingChain, kubeMarkMasqChain} {
@@ -927,7 +930,7 @@ func (proxier *Proxier) syncProxyRules() {
 		} else {
 			// No endpoints.
 			proxier.filterRules.Write(
-				"-A", string(kubeServicesChain),
+				"-A", string(kubeServicesFilterChain),
 				"-m", "comment", "--comment", internalTrafficFilterComment,
 				"-m", protocol, "-p", protocol,
 				"-d", svcInfo.ClusterIP().String(),