kube-proxy: filter INPUT as well as OUTPUT

We need to apply filter rules on the way in (nodeports) and out (cluster IPs). Testing here is insufficient to have caught this - will come back for that.
2025-07-31 07:20:13 +00:00 · 2017-04-02 23:37:19 -07:00 · 2017-04-02 23:37:19 -07:00 · 9a423b6c6b
commit 9a423b6c6b
parent 81545c2922
1 changed files with 2 additions and 0 deletions
--- a/pkg/proxy/iptables/proxier.go
+++ b/pkg/proxy/iptables/proxier.go
@ -357,6 +357,7 @@ func CleanupLeftovers(ipt utiliptables.Interface) (encounteredError bool) {
 		table utiliptables.Table
 		chain utiliptables.Chain
 	}{
+		{utiliptables.TableFilter, utiliptables.ChainInput},
 		{utiliptables.TableFilter, utiliptables.ChainOutput},
 		{utiliptables.TableNAT, utiliptables.ChainOutput},
 		{utiliptables.TableNAT, utiliptables.ChainPrerouting},
@ -790,6 +791,7 @@ func (proxier *Proxier) syncProxyRules() {
 			table utiliptables.Table
 			chain utiliptables.Chain
 		}{
+			{utiliptables.TableFilter, utiliptables.ChainInput},
 			{utiliptables.TableFilter, utiliptables.ChainOutput},
 			{utiliptables.TableNAT, utiliptables.ChainOutput},
 			{utiliptables.TableNAT, utiliptables.ChainPrerouting},