From 9bf96b84c416b05d2349f2c08c417f6870afd26a Mon Sep 17 00:00:00 2001
From: Quan Tian
Date: Tue, 24 Nov 2020 14:03:41 +0800
Subject: [PATCH] Fix duplicate chains in iptables-restore input
When running in ipvs mode, kube-proxy generated wrong iptables-restore input because the chain names are hardcoded. It also fixed a typo in method name.
---
 pkg/proxy/ipvs/proxier.go | 12 ++++++------
 pkg/proxy/ipvs/proxier_test.go | 19 +++++++++++++++++++
 2 files changed, 25 insertions(+), 6 deletions(-)
diff --git a/pkg/proxy/ipvs/proxier.go b/pkg/proxy/ipvs/proxier.go
index 7d67008332c..ef22699311d 100644
--- a/pkg/proxy/ipvs/proxier.go
+++ b/pkg/proxy/ipvs/proxier.go
@@ -1087,7 +1087,7 @@ func (proxier *Proxier) syncProxyRules() {
 writeLine(proxier.filterChains, "*filter")
 writeLine(proxier.natChains, "*nat")
- proxier.createAndLinkeKubeChain()
+ proxier.createAndLinkKubeChain()
 // make sure dummy interface exists in the system where ipvs Proxier will bind service address on it
 _, err = proxier.netlinkHandle.EnsureDummyDevice(DefaultDummyDevice)
@@ -1882,8 +1882,8 @@ func (proxier *Proxier) acceptIPVSTraffic() {
 }
 }
-// createAndLinkeKubeChain create all kube chains that ipvs proxier need and write basic link.
-func (proxier *Proxier) createAndLinkeKubeChain() {
+// createAndLinkKubeChain create all kube chains that ipvs proxier need and write basic link.
+func (proxier *Proxier) createAndLinkKubeChain() {
 existingFilterChains := proxier.getExistingChains(proxier.filterChainsData, utiliptables.TableFilter)
 existingNATChains := proxier.getExistingChains(proxier.iptablesData, utiliptables.TableNAT)
@@ -1905,13 +1905,13 @@ func (proxier *Proxier) createAndLinkeKubeChain() {
 if chain, ok := existingNATChains[ch.chain]; ok {
 writeBytesLine(proxier.natChains, chain)
 } else {
- writeLine(proxier.natChains, utiliptables.MakeChainLine(kubePostroutingChain))
+ writeLine(proxier.natChains, utiliptables.MakeChainLine(ch.chain))
 }
 } else {
- if chain, ok := existingFilterChains[KubeForwardChain]; ok {
+ if chain, ok := existingFilterChains[ch.chain]; ok {
 writeBytesLine(proxier.filterChains, chain)
 } else {
- writeLine(proxier.filterChains, utiliptables.MakeChainLine(KubeForwardChain))
+ writeLine(proxier.filterChains, utiliptables.MakeChainLine(ch.chain))
 }
 }
 }
diff --git a/pkg/proxy/ipvs/proxier_test.go b/pkg/proxy/ipvs/proxier_test.go
index 39e87f407d0..7a11c424845 100644
--- a/pkg/proxy/ipvs/proxier_test.go
+++ b/pkg/proxy/ipvs/proxier_test.go
@@ -4320,3 +4320,22 @@ func TestFilterCIDRs(t *testing.T) {
 t.Errorf("cidrs %v is not expected %v", cidrs, expected)
 }
 }
+
+func TestCreateAndLinkKubeChain(t *testing.T) {
+ ipt := iptablestest.NewFake()
+ ipvs := ipvstest.NewFake()
+ ipset := ipsettest.NewFake(testIPSetVersion)
+ fp := NewFakeProxier(ipt, ipvs, ipset, nil, nil, true, v1.IPv4Protocol)
+ fp.createAndLinkKubeChain()
+ expectedNATChains := `:KUBE-SERVICES - [0:0]
+:KUBE-POSTROUTING - [0:0]
+:KUBE-FIREWALL - [0:0]
+:KUBE-NODE-PORT - [0:0]
+:KUBE-LOAD-BALANCER - [0:0]
+:KUBE-MARK-MASQ - [0:0]
+`
+ expectedFilterChains := `:KUBE-FORWARD - [0:0]
+`
+ assert.Equal(t, expectedNATChains, fp.natChains.String())
+ assert.Equal(t, expectedFilterChains, fp.filterChains.String())
+}
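Review bot: In the `@@ -1905` hunk of pkg/proxy/ipvs/proxier.go the NAT and filter arms are now the same code apart from the map and buffer they touch, and the `else` arm still assumes that any chain which is not NAT belongs to the filter table; the condition sits above the hunk, so that reading is inferred from the visible `} else {`. A chain declared twice or under the wrong table makes the iptables-restore input wrong, and kube-proxy may then fail to refresh the rules on that node. I would state the invariant next to the branch, e.g. `// Declare each chain exactly once, under its own name and in its own table; reuse the saved line when the chain already exists.` The loop and the function body start and end outside the hunk.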
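Review bot: TestCreateAndLinkKubeChain covers only the path where no chain exists yet, as far as the hunk shows: the fakes are created without any saved state, so the `existingNATChains[ch.chain]` and `existingFilterChains[ch.chain]` lookups that this commit also changes are never taken. A second case that pre-populates the fake iptables state with some of these chains would pin that the saved lines are reused and that no chain is emitted twice. The expected strings also fix the chain order, which deserves a one-line comment such as `// Order follows the chain list in proxier.go; every chain must appear exactly once.`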