From 9a423b6c6bce4c0c3b67c2f125c83739c5a60f83 Mon Sep 17 00:00:00 2001
From: Tim Hockin
Date: Sun, 2 Apr 2017 23:37:19 -0700
Subject: [PATCH] kube-proxy: filter INPUT as well as OUTPUT

We need to apply filter rules on the way in (nodeports) and out (cluster IPs). Testing here is insufficient to have caught this - will come back for that.
---
 pkg/proxy/iptables/proxier.go | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/pkg/proxy/iptables/proxier.go b/pkg/proxy/iptables/proxier.go
index f79f9053a00..656acea677e 100644
--- a/pkg/proxy/iptables/proxier.go
+++ b/pkg/proxy/iptables/proxier.go
@@ -357,6 +357,7 @@ func CleanupLeftovers(ipt utiliptables.Interface) (encounteredError bool) {
 table utiliptables.Table
 chain utiliptables.Chain
 }{
+ {utiliptables.TableFilter, utiliptables.ChainInput},
 {utiliptables.TableFilter, utiliptables.ChainOutput},
 {utiliptables.TableNAT, utiliptables.ChainOutput},
 {utiliptables.TableNAT, utiliptables.ChainPrerouting},
@@ -790,6 +791,7 @@ func (proxier *Proxier) syncProxyRules() {
 table utiliptables.Table
 chain utiliptables.Chain
 }{
+ {utiliptables.TableFilter, utiliptables.ChainInput},
 {utiliptables.TableFilter, utiliptables.ChainOutput},
 {utiliptables.TableNAT, utiliptables.ChainOutput},
 {utiliptables.TableNAT, utiliptables.ChainPrerouting},
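Review bot: The table/chain list that gains `{utiliptables.TableFilter, utiliptables.ChainInput}` in CleanupLeftovers is repeated verbatim in the second hunk in syncProxyRules, so the chains that receive kube-proxy's rules and the chains that get cleaned up are kept in step only by hand. If the two lists drift, presumably either the filter rules stop covering inbound nodeport traffic or entries stay behind in the filter INPUT chain after cleanup. Consider a single package-level slice that both functions range over, with a comment on the new entry such as `// filter/INPUT: nodeport traffic arrives here; filter/OUTPUT covers cluster IPs`. Both function bodies and the tail of each list lie outside the hunks, so how the entries are consumed is inferred rather than visible.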