From ba19451020457c2fa89ee9066986243956048091 Mon Sep 17 00:00:00 2001
From: Andrew Sy Kim
Date: Mon, 3 Jun 2019 16:11:17 -0400
Subject: [PATCH] iptables proxier: fix comments for LB IP traffic from local address
Signed-off-by: Andrew Sy Kim
---
 pkg/proxy/iptables/proxier.go | 21 +++++++++++----------
 1 file changed, 11 insertions(+), 10 deletions(-)
diff --git a/pkg/proxy/iptables/proxier.go b/pkg/proxy/iptables/proxier.go
index 4fd1185d284..867b20e6cd4 100644
--- a/pkg/proxy/iptables/proxier.go
+++ b/pkg/proxy/iptables/proxier.go
@@ -1220,16 +1220,6 @@ func (proxier *Proxier) syncProxyRules() {
 continue
 }
- // For LBs with externalTrafficPolicy=Local, we need to re-route any local traffic to the service chain masqueraded.
- // Masqueraded traffic in this scenario is okay since source IP preservation only applies to external traffic anyways.
- args = append(args[:0], "-A", string(svcXlbChain))
- writeLine(proxier.natRules, append(args,
- "-m", "comment", "--comment", fmt.Sprintf(`"masquerade LOCAL traffic for %s LB IP"`, svcNameString),
- "-m", "addrtype", "--src-type", "LOCAL", "-j", string(KubeMarkMasqChain))...)
- writeLine(proxier.natRules, append(args,
- "-m", "comment", "--comment", fmt.Sprintf(`"route LOCAL traffic for %s LB IP to service chain"`, svcNameString),
- "-m", "addrtype", "--src-type", "LOCAL", "-j", string(svcChain))...)
-
 // First rule in the chain redirects all pod -> external VIP traffic to the
 // Service's ClusterIP instead. This happens whether or not we have local
 // endpoints; only if clusterCIDR is specified
@@ -1244,6 +1234,17 @@ func (proxier *Proxier) syncProxyRules() {
 writeLine(proxier.natRules, args...)
 }
+ // Next, redirect all src-type=LOCAL -> LB IP to the service chain for externalTrafficPolicy=Local
+ // This allows traffic originating from the host to be redirected to the service correctly,
+ // otherwise traffic to LB IPs are dropped if there are no local endpoints.
+ args = append(args[:0], "-A", string(svcXlbChain))
+ writeLine(proxier.natRules, append(args,
+ "-m", "comment", "--comment", fmt.Sprintf(`"masquerade LOCAL traffic for %s LB IP"`, svcNameString),
+ "-m", "addrtype", "--src-type", "LOCAL", "-j", string(KubeMarkMasqChain))...)
+ writeLine(proxier.natRules, append(args,
+ "-m", "comment", "--comment", fmt.Sprintf(`"route LOCAL traffic for %s LB IP to service chain"`, svcNameString),
+ "-m", "addrtype", "--src-type", "LOCAL", "-j", string(svcChain))...)
+
 numLocalEndpoints := len(localEndpointChains)
 if numLocalEndpoints == 0 {
 // Blackhole all traffic since there are no local endpoints
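Review bot: The two `--src-type LOCAL` rules are not only re-commented but moved in svcXlbChain: the first hunk removes them from before the pod -> ClusterIP redirect that its context comment describes, and this hunk appends them after it, so rule evaluation order changes while the subject line says the commit only fixes comments; the commit message (or a comment above the new block) should state the reorder and that a LOCAL source falling inside clusterCIDR, if that can happen, now hits the redirect rule first without masquerade. The rationale that the old comment carried for why masquerading is acceptable here was dropped and is worth keeping, e.g. `// Masquerading is acceptable here because source IP preservation only applies to external traffic.` The new comment should also read `otherwise traffic to LB IPs is dropped if there are no local endpoints`. syncProxyRules begins and ends outside both hunks.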