diff --git a/pkg/proxy/ipvs/ipset.go b/pkg/proxy/ipvs/ipset.go
index 64289a80f27..510d4c98fe8 100644
--- a/pkg/proxy/ipvs/ipset.go
+++ b/pkg/proxy/ipvs/ipset.go
@@ -49,8 +49,8 @@ const (
 kubeLoadBalancerLocalSetComment = "Kubernetes service load balancer ip + port with externalTrafficPolicy=local"
 kubeLoadBalancerLocalSet = "KUBE-LOAD-BALANCER-LOCAL"
- kubeLoadbalancerFWSetComment = "Kubernetes service load balancer ip + port for load balancer with sourceRange"
- kubeLoadbalancerFWSet = "KUBE-LOAD-BALANCER-FW"
+ kubeLoadBalancerFWSetComment = "Kubernetes service load balancer ip + port for load balancer with sourceRange"
+ kubeLoadBalancerFWSet = "KUBE-LOAD-BALANCER-FW"
 kubeLoadBalancerSourceIPSetComment = "Kubernetes service load balancer ip + port + source IP for packet filter purpose"
 kubeLoadBalancerSourceIPSet = "KUBE-LOAD-BALANCER-SOURCE-IP"
diff --git a/pkg/proxy/ipvs/proxier.go b/pkg/proxy/ipvs/proxier.go
index 14fd678fc9c..f31faed9a8e 100644
--- a/pkg/proxy/ipvs/proxier.go
+++ b/pkg/proxy/ipvs/proxier.go
@@ -63,7 +63,7 @@ const (
 // kubeServicesChain is the services portal chain
 kubeServicesChain utiliptables.Chain = "KUBE-SERVICES"
- // KubeFireWallChain is the kubernetes firewall chain.
+ // kubeFirewallChain is the kubernetes firewall chain.
 kubeFirewallChain utiliptables.Chain = "KUBE-FIREWALL"
 // kubePostroutingChain is the kubernetes postrouting chain
@@ -157,7 +157,7 @@ var ipsetInfo = []struct {
 {kubeExternalIPSet, utilipset.HashIPPort, kubeExternalIPSetComment},
 {kubeExternalIPLocalSet, utilipset.HashIPPort, kubeExternalIPLocalSetComment},
 {kubeLoadBalancerSet, utilipset.HashIPPort, kubeLoadBalancerSetComment},
- {kubeLoadbalancerFWSet, utilipset.HashIPPort, kubeLoadbalancerFWSetComment},
+ {kubeLoadBalancerFWSet, utilipset.HashIPPort, kubeLoadBalancerFWSetComment},
 {kubeLoadBalancerLocalSet, utilipset.HashIPPort, kubeLoadBalancerLocalSetComment},
 {kubeLoadBalancerSourceIPSet, utilipset.HashIPPortIP, kubeLoadBalancerSourceIPSetComment},
 {kubeLoadBalancerSourceCIDRSet, utilipset.HashIPPortNet, kubeLoadBalancerSourceCIDRSetComment},
@@ -184,7 +184,7 @@ var ipsetWithIptablesChain = []struct {
 }{
 {kubeLoopBackIPSet, string(kubePostroutingChain), "MASQUERADE", "dst,dst,src", ""},
 {kubeLoadBalancerSet, string(kubeServicesChain), string(kubeLoadBalancerChain), "dst,dst", ""},
- {kubeLoadbalancerFWSet, string(kubeLoadBalancerChain), string(kubeFirewallChain), "dst,dst", ""},
+ {kubeLoadBalancerFWSet, string(kubeLoadBalancerChain), string(kubeFirewallChain), "dst,dst", ""},
 {kubeLoadBalancerSourceCIDRSet, string(kubeFirewallChain), "RETURN", "dst,dst,src", ""},
 {kubeLoadBalancerSourceIPSet, string(kubeFirewallChain), "RETURN", "dst,dst,src", ""},
 {kubeLoadBalancerLocalSet, string(kubeLoadBalancerChain), "RETURN", "dst,dst", ""},
@@ -1307,11 +1307,11 @@ func (proxier *Proxier) syncProxyRules() { // The service firewall rules are created based on ServiceSpec.loadBalancerSourceRanges field. // This currently works for loadbalancers that preserves source ips. // For loadbalancers which direct traffic to service NodePort, the firewall rules will not apply. - if valid := proxier.ipsetList[kubeLoadbalancerFWSet].validateEntry(entry); !valid { - klog.ErrorS(nil, "Error adding entry to ipset", "entry", entry, "ipset", proxier.ipsetList[kubeLoadbalancerFWSet].Name) + if valid := proxier.ipsetList[kubeLoadBalancerFWSet].validateEntry(entry); !valid { + klog.ErrorS(nil, "Error adding entry to ipset", "entry", entry, "ipset", proxier.ipsetList[kubeLoadBalancerFWSet].Name) continue } - proxier.ipsetList[kubeLoadbalancerFWSet].activeEntries.Insert(entry.String()) + proxier.ipsetList[kubeLoadBalancerFWSet].activeEntries.Insert(entry.String()) allowFromNode := false for _, src := range svcInfo.LoadBalancerSourceRanges() { // ipset call @@ -1731,13 +1731,13 @@ func (proxier *Proxier) writeIptablesRules() { ) proxier.natRules.Write(args, "-j", string(kubeNodePortChain)) - // mark drop for KUBE-LOAD-BALANCER + // mark for masquerading for KUBE-LOAD-BALANCER proxier.natRules.Write( "-A", string(kubeLoadBalancerChain), "-j", string(kubeMarkMasqChain), ) - // mark drop for KUBE-FIRE-WALL + // mark drop for KUBE-FIREWALL proxier.natRules.Write( "-A", string(kubeFirewallChain), "-j", string(kubeMarkDropChain), diff --git a/pkg/proxy/ipvs/proxier_test.go b/pkg/proxy/ipvs/proxier_test.go index 5b7374c1571..47634137b7e 100644 --- a/pkg/proxy/ipvs/proxier_test.go +++ b/pkg/proxy/ipvs/proxier_test.go @@ -2151,7 +2151,7 @@ func TestHealthCheckNodePort(t *testing.T) { checkIptables(t, ipt, epIpt) } -func TestLoadBalanceSourceRanges(t *testing.T) { +func TestLoadBalancerSourceRanges(t *testing.T) { ipt, fp := buildFakeProxier() svcIP := "10.20.30.41" 
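Review bot: The two corrected comments in the writeIptablesRules hunk still name only the chain and not the role each rule plays, even though these are the catch-all rules of the loadBalancerSourceRanges filter. Going by the ipsetWithIptablesChain table in this file, KUBE-FIREWALL returns for packets that match the source CIDR and source IP sets, so the appended jump to kubeMarkDropChain acts as the default deny for every other source; I would write `// default deny: traffic reaching the end of KUBE-FIREWALL matched no allowed source range`. The KUBE-LOAD-BALANCER rule is the fall-through for load balancer traffic that was not diverted to KUBE-FIREWALL, for example `// load balancer traffic not sent to KUBE-FIREWALL is marked for masquerading`. Both readings assume the set-match rules are written ahead of these appends, which happens outside the hunk, as do the start and end of writeIptablesRules.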
@@ -2214,7 +2214,7 @@ func TestLoadBalanceSourceRanges(t *testing.T) {
 Protocol: strings.ToLower(string(v1.ProtocolTCP)),
 SetType: utilipset.HashIPPort,
 }},
- kubeLoadbalancerFWSet: {{
+ kubeLoadBalancerFWSet: {{
 IP: svcLBIP,
 Port: svcPort,
 Protocol: strings.ToLower(string(v1.ProtocolTCP)),
@@ -2244,7 +2244,7 @@ func TestLoadBalanceSourceRanges(t *testing.T) {
 JumpChain: "ACCEPT", MatchSet: kubeLoadBalancerSet,
 }},
 string(kubeLoadBalancerChain): {{
- JumpChain: string(kubeFirewallChain), MatchSet: kubeLoadbalancerFWSet,
+ JumpChain: string(kubeFirewallChain), MatchSet: kubeLoadBalancerFWSet,
 }, {
 JumpChain: string(kubeMarkMasqChain), MatchSet: "",
 }},