mirror of
https://github.com/k3s-io/kubernetes.git
synced 2025-07-26 21:17:23 +00:00
proxy/iptables: rename chain variables
This commit is contained in:
Dan Winship
parent
548cf9d5de
commit
b9141e5c0d
@ -1003,7 +1003,7 @@ func (proxier *Proxier) syncProxyRules() {
|
|||||||
allEndpoints := proxier.endpointsMap[svcName]
|
allEndpoints := proxier.endpointsMap[svcName]
|
||||||
|
|
||||||
// Figure out the endpoints for Cluster and Local traffic policy.
|
// Figure out the endpoints for Cluster and Local traffic policy.
|
||||||
// allLocallyReachableEndpoints is the set of all endpoints that can be reached
|
// allLocallyReachableEndpoints is the set of all endpoints that can be routed to
|
||||||
// from this node, given the service's traffic policies. hasEndpoints is true
|
// from this node, given the service's traffic policies. hasEndpoints is true
|
||||||
// if the service has any usable endpoints on any node, not just this one.
|
// if the service has any usable endpoints on any node, not just this one.
|
||||||
clusterEndpoints, localEndpoints, allLocallyReachableEndpoints, hasEndpoints := proxy.CategorizeEndpoints(allEndpoints, svcInfo, proxier.nodeLabels)
|
clusterEndpoints, localEndpoints, allLocallyReachableEndpoints, hasEndpoints := proxy.CategorizeEndpoints(allEndpoints, svcInfo, proxier.nodeLabels)
|
||||||
@ -1042,15 +1042,15 @@ func (proxier *Proxier) syncProxyRules() {
|
|||||||
proxier.natRules.Write(args)
|
proxier.natRules.Write(args)
|
||||||
}
|
}
|
||||||
|
|
||||||
svcChain := svcInfo.servicePortChainName
|
policyClusterChain := svcInfo.servicePortChainName
|
||||||
svcLocalChain := svcInfo.serviceLocalChainName
|
policyLocalChain := svcInfo.serviceLocalChainName
|
||||||
svcXlbChain := svcInfo.serviceLBChainName
|
svcXlbChain := svcInfo.serviceLBChainName
|
||||||
|
|
||||||
internalTrafficChain := svcChain
|
internalTrafficChain := policyClusterChain
|
||||||
externalTrafficChain := svcChain
|
externalTrafficChain := policyClusterChain
|
||||||
|
|
||||||
if svcInfo.NodeLocalInternal() {
|
if svcInfo.NodeLocalInternal() {
|
||||||
internalTrafficChain = svcLocalChain
|
internalTrafficChain = policyLocalChain
|
||||||
}
|
}
|
||||||
if svcInfo.NodeLocalExternal() {
|
if svcInfo.NodeLocalExternal() {
|
||||||
externalTrafficChain = svcXlbChain
|
externalTrafficChain = svcXlbChain
|
||||||
@ -1058,12 +1058,12 @@ func (proxier *Proxier) syncProxyRules() {
|
|||||||
|
|
||||||
if hasEndpoints && svcInfo.UsesClusterEndpoints() {
|
if hasEndpoints && svcInfo.UsesClusterEndpoints() {
|
||||||
// Create the Cluster traffic policy chain, retaining counters if possible.
|
// Create the Cluster traffic policy chain, retaining counters if possible.
|
||||||
if chain, ok := existingNATChains[svcChain]; ok {
|
if chain, ok := existingNATChains[policyClusterChain]; ok {
|
||||||
proxier.natChains.WriteBytes(chain)
|
proxier.natChains.WriteBytes(chain)
|
||||||
} else {
|
} else {
|
||||||
proxier.natChains.Write(utiliptables.MakeChainLine(svcChain))
|
proxier.natChains.Write(utiliptables.MakeChainLine(policyClusterChain))
|
||||||
}
|
}
|
||||||
activeNATChains[svcChain] = true
|
activeNATChains[policyClusterChain] = true
|
||||||
}
|
}
|
||||||
|
|
||||||
if hasEndpoints && svcInfo.ExternallyAccessible() && svcInfo.NodeLocalExternal() {
|
if hasEndpoints && svcInfo.ExternallyAccessible() && svcInfo.NodeLocalExternal() {
|
||||||
@ -1084,7 +1084,7 @@ func (proxier *Proxier) syncProxyRules() {
|
|||||||
"-m", "comment", "--comment",
|
"-m", "comment", "--comment",
|
||||||
`"Redirect pods trying to reach external loadbalancer VIP to clusterIP"`,
|
`"Redirect pods trying to reach external loadbalancer VIP to clusterIP"`,
|
||||||
proxier.localDetector.IfLocal(),
|
proxier.localDetector.IfLocal(),
|
||||||
"-j", string(svcChain))
|
"-j", string(policyClusterChain))
|
||||||
}
|
}
|
||||||
|
|
||||||
// Next, redirect all src-type=LOCAL -> LB IP to the service chain
|
// Next, redirect all src-type=LOCAL -> LB IP to the service chain
|
||||||
@ -1101,21 +1101,21 @@ func (proxier *Proxier) syncProxyRules() {
|
|||||||
"-A", string(svcXlbChain),
|
"-A", string(svcXlbChain),
|
||||||
"-m", "comment", "--comment", fmt.Sprintf(`"route LOCAL traffic for %s LB IP to service chain"`, svcNameString),
|
"-m", "comment", "--comment", fmt.Sprintf(`"route LOCAL traffic for %s LB IP to service chain"`, svcNameString),
|
||||||
"-m", "addrtype", "--src-type", "LOCAL",
|
"-m", "addrtype", "--src-type", "LOCAL",
|
||||||
"-j", string(svcChain))
|
"-j", string(policyClusterChain))
|
||||||
|
|
||||||
// Everything else goes to the SVL chain
|
// Everything else goes to the SVL chain
|
||||||
proxier.natRules.Write(
|
proxier.natRules.Write(
|
||||||
"-A", string(svcXlbChain),
|
"-A", string(svcXlbChain),
|
||||||
"-j", string(svcLocalChain))
|
"-j", string(policyLocalChain))
|
||||||
}
|
}
|
||||||
|
|
||||||
if hasEndpoints && svcInfo.UsesLocalEndpoints() {
|
if hasEndpoints && svcInfo.UsesLocalEndpoints() {
|
||||||
if chain, ok := existingNATChains[svcLocalChain]; ok {
|
if chain, ok := existingNATChains[policyLocalChain]; ok {
|
||||||
proxier.natChains.WriteBytes(chain)
|
proxier.natChains.WriteBytes(chain)
|
||||||
} else {
|
} else {
|
||||||
proxier.natChains.Write(utiliptables.MakeChainLine(svcLocalChain))
|
proxier.natChains.Write(utiliptables.MakeChainLine(policyLocalChain))
|
||||||
}
|
}
|
||||||
activeNATChains[svcLocalChain] = true
|
activeNATChains[policyLocalChain] = true
|
||||||
}
|
}
|
||||||
|
|
||||||
// Capture the clusterIP.
|
// Capture the clusterIP.
|
||||||
@ -1136,7 +1136,6 @@ func (proxier *Proxier) syncProxyRules() {
|
|||||||
// is that you can establish a static route for your Service range,
|
// is that you can establish a static route for your Service range,
|
||||||
// routing to any node, and that node will bridge into the Service
|
// routing to any node, and that node will bridge into the Service
|
||||||
// for you. Since that might bounce off-node, we masquerade here.
|
// for you. Since that might bounce off-node, we masquerade here.
|
||||||
// If/when we support "Local" policy for VIPs, we should update this.
|
|
||||||
proxier.natRules.Write(
|
proxier.natRules.Write(
|
||||||
"-A", string(internalTrafficChain),
|
"-A", string(internalTrafficChain),
|
||||||
args,
|
args,
|
||||||
@ -1174,7 +1173,7 @@ func (proxier *Proxier) syncProxyRules() {
|
|||||||
// be always forwarded to the corresponding Service, so no need to SNAT
|
// be always forwarded to the corresponding Service, so no need to SNAT
|
||||||
// If we can't differentiate the local traffic we always SNAT.
|
// If we can't differentiate the local traffic we always SNAT.
|
||||||
if !svcInfo.NodeLocalExternal() {
|
if !svcInfo.NodeLocalExternal() {
|
||||||
appendTo := []string{"-A", string(svcChain)}
|
appendTo := []string{"-A", string(policyClusterChain)}
|
||||||
// This masquerades off-cluster traffic to a External IP.
|
// This masquerades off-cluster traffic to a External IP.
|
||||||
if proxier.localDetector.IsImplemented() {
|
if proxier.localDetector.IsImplemented() {
|
||||||
proxier.natRules.Write(
|
proxier.natRules.Write(
|
||||||
@ -1299,7 +1298,7 @@ func (proxier *Proxier) syncProxyRules() {
|
|||||||
if !svcInfo.NodeLocalExternal() {
|
if !svcInfo.NodeLocalExternal() {
|
||||||
// Nodeports need SNAT, unless they're local.
|
// Nodeports need SNAT, unless they're local.
|
||||||
proxier.natRules.Write(
|
proxier.natRules.Write(
|
||||||
"-A", string(svcChain),
|
"-A", string(policyClusterChain),
|
||||||
args,
|
args,
|
||||||
"-j", string(KubeMarkMasqChain))
|
"-j", string(KubeMarkMasqChain))
|
||||||
} else {
|
} else {
|
||||||
@ -1347,24 +1346,26 @@ func (proxier *Proxier) syncProxyRules() {
|
|||||||
)
|
)
|
||||||
}
|
}
|
||||||
|
|
||||||
if len(clusterEndpoints) != 0 {
|
if svcInfo.UsesClusterEndpoints() {
|
||||||
// Write rules jumping from svcChain to clusterEndpoints
|
// Write rules jumping from policyClusterChain to clusterEndpoints
|
||||||
proxier.writeServiceToEndpointRules(svcNameString, svcInfo, svcChain, clusterEndpoints, args)
|
proxier.writeServiceToEndpointRules(svcNameString, svcInfo, policyClusterChain, clusterEndpoints, args)
|
||||||
}
|
}
|
||||||
|
|
||||||
if len(localEndpoints) != 0 {
|
if svcInfo.UsesLocalEndpoints() {
|
||||||
// Write rules jumping from svcLocalChain to localEndpointChains
|
if len(localEndpoints) != 0 {
|
||||||
proxier.writeServiceToEndpointRules(svcNameString, svcInfo, svcLocalChain, localEndpoints, args)
|
// Write rules jumping from policyLocalChain to localEndpointChains
|
||||||
} else if hasEndpoints && svcInfo.UsesLocalEndpoints() {
|
proxier.writeServiceToEndpointRules(svcNameString, svcInfo, policyLocalChain, localEndpoints, args)
|
||||||
// Blackhole all traffic since there are no local endpoints
|
} else if hasEndpoints {
|
||||||
args = append(args[:0],
|
// Blackhole all traffic since there are no local endpoints
|
||||||
"-A", string(svcLocalChain),
|
args = append(args[:0],
|
||||||
"-m", "comment", "--comment",
|
"-A", string(policyLocalChain),
|
||||||
fmt.Sprintf(`"%s has no local endpoints"`, svcNameString),
|
"-m", "comment", "--comment",
|
||||||
"-j",
|
fmt.Sprintf(`"%s has no local endpoints"`, svcNameString),
|
||||||
string(KubeMarkDropChain),
|
"-j",
|
||||||
)
|
string(KubeMarkDropChain),
|
||||||
proxier.natRules.Write(args)
|
)
|
||||||
|
proxier.natRules.Write(args)
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user