Merge pull request #43972 from thockin/fix-43969-proxy-filter-input

Automatic merge from submit-queue kube-proxy: filter INPUT as well as OUTPUT We need to apply filter rules on the way in (nodeports) and out (cluster IPs). Testing here is insufficient to have caught this - will come back for that. Fixes #43969 @justinsb since you have the best repro, can you test? It passes what I think is repro. @ethernetdan we will want this in 1.6.x ```release-note Fix bug with service nodeports that have no backends not being rejected, when they should be. This is not a regression vs v1.5 - it's a fix that didn't quite fix hard enough. ```
2025-07-23 19:56:01 +00:00 · 2017-04-05 23:18:29 -07:00 · 2017-04-05 23:18:29 -07:00 · bc8a7556d8
commit bc8a7556d8
parent 422497b4cf 9a423b6c6b
1 changed files with 2 additions and 0 deletions
--- a/pkg/proxy/iptables/proxier.go
+++ b/pkg/proxy/iptables/proxier.go
@ -358,6 +358,7 @@ func CleanupLeftovers(ipt utiliptables.Interface) (encounteredError bool) {
 		table utiliptables.Table
 		chain utiliptables.Chain
 	}{
+		{utiliptables.TableFilter, utiliptables.ChainInput},
 		{utiliptables.TableFilter, utiliptables.ChainOutput},
 		{utiliptables.TableNAT, utiliptables.ChainOutput},
 		{utiliptables.TableNAT, utiliptables.ChainPrerouting},
@ -795,6 +796,7 @@ func (proxier *Proxier) syncProxyRules(reason syncReason) {
 			table utiliptables.Table
 			chain utiliptables.Chain
 		}{
+			{utiliptables.TableFilter, utiliptables.ChainInput},
 			{utiliptables.TableFilter, utiliptables.ChainOutput},
 			{utiliptables.TableNAT, utiliptables.ChainOutput},
 			{utiliptables.TableNAT, utiliptables.ChainPrerouting},