kube-proxy: Drop packets in INVALID state

Fixes: #74839
Yongkun Gui 2019-03-01 17:48:48 -08:00
parent 098075c458
commit a07169bcad


@ -34,7 +34,7 @@ import (
"k8s.io/klog" "k8s.io/klog"
"k8s.io/api/core/v1" v1 "k8s.io/api/core/v1"
"k8s.io/apimachinery/pkg/types" "k8s.io/apimachinery/pkg/types"
utilversion "k8s.io/apimachinery/pkg/util/version" utilversion "k8s.io/apimachinery/pkg/util/version"
"k8s.io/apimachinery/pkg/util/wait" "k8s.io/apimachinery/pkg/util/wait"
@ -1298,6 +1298,16 @@ func (proxier *Proxier) syncProxyRules() {
} }
} }
// Drop the packets in INVALID state, which would potentially cause
// unexpected connection reset.
// https://github.com/kubernetes/kubernetes/issues/74839
writeLine(proxier.filterRules,
"-A", string(kubeForwardChain),
"-m", "conntrack",
"--ctstate", "INVALID",
"-j", "DROP",
)
// If the masqueradeMark has been added then we want to forward that same // If the masqueradeMark has been added then we want to forward that same
// traffic, this allows NodePort traffic to be forwarded even if the default // traffic, this allows NodePort traffic to be forwarded even if the default
// FORWARD policy is not accept. // FORWARD policy is not accept.
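Review bot: The DROP rule added in the second hunk has no match other than `--ctstate INVALID`, so it applies to every packet that traverses `kubeForwardChain`, not only to Service traffic, and it is written ahead of the masquerade-mark rule described in the comment that follows. On nodes where conntrack sees only one direction of a flow (asymmetric routing, presumably some policy-routing or overlay setups), legitimate packets would be classified INVALID and silently discarded, with only the rule's packet counter to show it. I would state that scope in the comment, e.g. `// NOTE: applies to all traffic traversing KUBE-FORWARD; conntrack also marks flows it sees in one direction only as INVALID.`. No test is visible in this section; an assertion on the rule's presence and position in the generated filter rules would guard against it being reordered. syncProxyRules begins and ends outside the hunk, so where the chain is hooked cannot be confirmed from here.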