github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-08-06 18:54:06 +00:00
Code Issues Projects Releases Wiki Activity

kube-proxy: filter INPUT as well as OUTPUT

Browse Source 
We need to apply filter rules on the way in (nodeports) and out (cluster
IPs).  Testing here is insufficient to have caught this - will come back
for that.
This commit is contained in:
Tim Hockin 2017-04-02 23:37:19 -07:00
parent 81545c2922
commit 9a423b6c6b
1 changed files with 2 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
pkg/proxy/iptables/proxier.go
View File

@ -357,6 +357,7 @@ func CleanupLeftovers(ipt utiliptables.Interface) (encounteredError bool) {
table utiliptables.Table table utiliptables.Table
chain utiliptables.Chain chain utiliptables.Chain
}{ }{
{utiliptables.TableFilter, utiliptables.ChainInput},
{utiliptables.TableFilter, utiliptables.ChainOutput}, {utiliptables.TableFilter, utiliptables.ChainOutput},
{utiliptables.TableNAT, utiliptables.ChainOutput}, {utiliptables.TableNAT, utiliptables.ChainOutput},
{utiliptables.TableNAT, utiliptables.ChainPrerouting}, {utiliptables.TableNAT, utiliptables.ChainPrerouting},
@ -790,6 +791,7 @@ func (proxier *Proxier) syncProxyRules() {
table utiliptables.Table table utiliptables.Table
chain utiliptables.Chain chain utiliptables.Chain
}{ }{
{utiliptables.TableFilter, utiliptables.ChainInput},
{utiliptables.TableFilter, utiliptables.ChainOutput}, {utiliptables.TableFilter, utiliptables.ChainOutput},
{utiliptables.TableNAT, utiliptables.ChainOutput}, {utiliptables.TableNAT, utiliptables.ChainOutput},
{utiliptables.TableNAT, utiliptables.ChainPrerouting}, {utiliptables.TableNAT, utiliptables.ChainPrerouting},