From dc54a8d46ef2ab3bb3badb3feb223b73d9278eef Mon Sep 17 00:00:00 2001
From: Lukasz Zajaczkowski
Date: Tue, 13 Sep 2016 10:49:23 +0200
Subject: [PATCH] Bug fix. Incoming UDP packets not reach newly deployed services
---
 pkg/proxy/iptables/proxier.go | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
diff --git a/pkg/proxy/iptables/proxier.go b/pkg/proxy/iptables/proxier.go
index a64659904c7..4c1d1205ff9 100644
--- a/pkg/proxy/iptables/proxier.go
+++ b/pkg/proxy/iptables/proxier.go
@@ -1105,6 +1105,9 @@ func (proxier *Proxier) syncProxyRules() {
 glog.Errorf("can't open %s, skipping this nodePort: %v", lp.String(), err)
 continue
 }
+ if lp.protocol == "udp" {
+ proxier.clearUdpConntrackForPort(lp.port)
+ }
 replacementPortsMap[lp] = socket
 }
 // We're holding the port, so it's OK to install iptables rules.
@@ -1323,6 +1326,24 @@ func (proxier *Proxier) syncProxyRules() {
 proxier.portsMap = replacementPortsMap
 }
+// Clear UDP conntrack for port or all conntrack entries when port equal zero.
+// When a packet arrives, it will not go through NAT table again, because it is not "the first" packet.
+// The solution is clearing the conntrack. Known issus:
+// https://github.com/docker/docker/issues/8795
+// https://github.com/kubernetes/kubernetes/issues/31983
+func (proxier *Proxier) clearUdpConntrackForPort(port int) { var err error = nil glog.V(2).Infof("Deleting conntrack entries for udp connections") if port > 0 { err = proxier.execConntrackTool("-D", "-p", "udp", "--dport", strconv.Itoa(port)) if err != nil && !strings.Contains(err.Error(), noConnectionToDelete) { glog.Errorf("conntrack return with error: %v", err) } } else { glog.Errorf("Wrong port number. The port number must be greater than zero") } } + // Join all words with spaces, terminate with newline and write to buf.
 func writeLine(buf *bytes.Buffer, words ...string) {
 buf.WriteString(strings.Join(words, " ") + "\n")
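Review bot: The conntrack flush added right after the nodePort socket is opened runs before the iptables rules for that port exist (the following context line says the rules are installed after this point), so a UDP datagram arriving in that window can create a fresh stale entry that the flush was meant to remove; consider calling clearUdpConntrackForPort after the rules are synced, or at least document the window with `// NOTE: rules are not yet installed; a datagram arriving now may re-create a stale entry`. Deleting by `--dport` alone also removes every UDP conntrack entry on the node destined to that port, not only flows to the old endpoints, which is worth a comment such as `// flushes all UDP flows to this port, including ones unrelated to this service`. The enclosing syncProxyRules starts and ends outside the hunk.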
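Review bot: The doc comment on clearUdpConntrackForPort says a zero port clears all conntrack entries, but the body rejects any port not greater than zero with an error log, so the comment documents behavior that does not exist; replace it with `// clearUdpConntrackForPort deletes UDP conntrack entries whose destination port is port; port must be greater than zero.` (which also fixes "issus" and starts with the function name). `var err error = nil` is a non-idiomatic zero-value initialization; scope the error to the branch with `if err := proxier.execConntrackTool("-D", "-p", "udp", "--dport", strconv.Itoa(port)); err != nil && !strings.Contains(err.Error(), noConnectionToDelete) {`. The V(2) log fires before the port check and omits the port, so a rejected call still logs as though a deletion happened; move it under the `port > 0` branch and include the value, e.g. `glog.V(2).Infof("Deleting conntrack entries for udp connections to port %d", port)`. Whether strconv and noConnectionToDelete are already in scope in this file cannot be seen from the hunk.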