Merge pull request #110289 from danwinship/kep-3178-source-ranges-drop
Don't use KUBE-MARK-DROP for LoadBalancerSourceRanges
commit
e16ac34361
@ -158,8 +158,8 @@ func TestNumberIptablesRules(t *testing.T) {
|
|||||||
},
|
},
|
||||||
services: 1,
|
services: 1,
|
||||||
epPerService: 1,
|
epPerService: 1,
|
||||||
expectedFilterRules: 3,
|
expectedFilterRules: 4,
|
||||||
expectedNatRules: 17,
|
expectedNatRules: 16,
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "1 Services 2 EndpointPerService - LoadBalancer",
|
name: "1 Services 2 EndpointPerService - LoadBalancer",
|
||||||
@ -173,8 +173,8 @@ func TestNumberIptablesRules(t *testing.T) {
|
|||||||
},
|
},
|
||||||
services: 1,
|
services: 1,
|
||||||
epPerService: 2,
|
epPerService: 2,
|
||||||
expectedFilterRules: 3,
|
expectedFilterRules: 4,
|
||||||
expectedNatRules: 20,
|
expectedNatRules: 19,
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "1 Services 10 EndpointPerService - LoadBalancer",
|
name: "1 Services 10 EndpointPerService - LoadBalancer",
|
||||||
@ -188,8 +188,8 @@ func TestNumberIptablesRules(t *testing.T) {
|
|||||||
},
|
},
|
||||||
services: 1,
|
services: 1,
|
||||||
epPerService: 10,
|
epPerService: 10,
|
||||||
expectedFilterRules: 3,
|
expectedFilterRules: 4,
|
||||||
expectedNatRules: 44,
|
expectedNatRules: 43,
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "10 Services 0 EndpointsPerService - LoadBalancer",
|
name: "10 Services 0 EndpointsPerService - LoadBalancer",
|
||||||
@ -218,8 +218,8 @@ func TestNumberIptablesRules(t *testing.T) {
|
|||||||
},
|
},
|
||||||
services: 10,
|
services: 10,
|
||||||
epPerService: 1,
|
epPerService: 1,
|
||||||
expectedFilterRules: 3,
|
expectedFilterRules: 13,
|
||||||
expectedNatRules: 125,
|
expectedNatRules: 115,
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "10 Services 2 EndpointPerService - LoadBalancer",
|
name: "10 Services 2 EndpointPerService - LoadBalancer",
|
||||||
@ -233,8 +233,8 @@ func TestNumberIptablesRules(t *testing.T) {
|
|||||||
},
|
},
|
||||||
services: 10,
|
services: 10,
|
||||||
epPerService: 2,
|
epPerService: 2,
|
||||||
expectedFilterRules: 3,
|
expectedFilterRules: 13,
|
||||||
expectedNatRules: 155,
|
expectedNatRules: 145,
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "10 Services 10 EndpointPerService - LoadBalancer",
|
name: "10 Services 10 EndpointPerService - LoadBalancer",
|
||||||
@ -248,8 +248,8 @@ func TestNumberIptablesRules(t *testing.T) {
|
|||||||
},
|
},
|
||||||
services: 10,
|
services: 10,
|
||||||
epPerService: 10,
|
epPerService: 10,
|
||||||
expectedFilterRules: 3,
|
expectedFilterRules: 13,
|
||||||
expectedNatRules: 395,
|
expectedNatRules: 385,
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -70,12 +70,12 @@ const (
|
|||||||
// kubeMarkMasqChain is the mark-for-masquerade chain
|
// kubeMarkMasqChain is the mark-for-masquerade chain
|
||||||
kubeMarkMasqChain utiliptables.Chain = "KUBE-MARK-MASQ"
|
kubeMarkMasqChain utiliptables.Chain = "KUBE-MARK-MASQ"
|
||||||
|
|
||||||
// kubeMarkDropChain is the mark-for-drop chain
|
|
||||||
kubeMarkDropChain utiliptables.Chain = "KUBE-MARK-DROP"
|
|
||||||
|
|
||||||
// the kubernetes forward chain
|
// the kubernetes forward chain
|
||||||
kubeForwardChain utiliptables.Chain = "KUBE-FORWARD"
|
kubeForwardChain utiliptables.Chain = "KUBE-FORWARD"
|
||||||
|
|
||||||
|
// kubeProxyFirewallChain is the kube-proxy firewall chain
|
||||||
|
kubeProxyFirewallChain utiliptables.Chain = "KUBE-PROXY-FIREWALL"
|
||||||
|
|
||||||
// kube proxy canary chain is used for monitoring rule reload
|
// kube proxy canary chain is used for monitoring rule reload
|
||||||
kubeProxyCanaryChain utiliptables.Chain = "KUBE-PROXY-CANARY"
|
kubeProxyCanaryChain utiliptables.Chain = "KUBE-PROXY-CANARY"
|
||||||
|
|
||||||
@ -386,18 +386,14 @@ var iptablesJumpChains = []iptablesJumpChain{
|
|||||||
{utiliptables.TableFilter, kubeServicesChain, utiliptables.ChainForward, "kubernetes service portals", []string{"-m", "conntrack", "--ctstate", "NEW"}},
|
{utiliptables.TableFilter, kubeServicesChain, utiliptables.ChainForward, "kubernetes service portals", []string{"-m", "conntrack", "--ctstate", "NEW"}},
|
||||||
{utiliptables.TableFilter, kubeServicesChain, utiliptables.ChainOutput, "kubernetes service portals", []string{"-m", "conntrack", "--ctstate", "NEW"}},
|
{utiliptables.TableFilter, kubeServicesChain, utiliptables.ChainOutput, "kubernetes service portals", []string{"-m", "conntrack", "--ctstate", "NEW"}},
|
||||||
{utiliptables.TableFilter, kubeForwardChain, utiliptables.ChainForward, "kubernetes forwarding rules", nil},
|
{utiliptables.TableFilter, kubeForwardChain, utiliptables.ChainForward, "kubernetes forwarding rules", nil},
|
||||||
|
{utiliptables.TableFilter, kubeProxyFirewallChain, utiliptables.ChainInput, "kubernetes load balancer firewall", []string{"-m", "conntrack", "--ctstate", "NEW"}},
|
||||||
|
{utiliptables.TableFilter, kubeProxyFirewallChain, utiliptables.ChainOutput, "kubernetes load balancer firewall", []string{"-m", "conntrack", "--ctstate", "NEW"}},
|
||||||
|
{utiliptables.TableFilter, kubeProxyFirewallChain, utiliptables.ChainForward, "kubernetes load balancer firewall", []string{"-m", "conntrack", "--ctstate", "NEW"}},
|
||||||
{utiliptables.TableNAT, kubeServicesChain, utiliptables.ChainOutput, "kubernetes service portals", nil},
|
{utiliptables.TableNAT, kubeServicesChain, utiliptables.ChainOutput, "kubernetes service portals", nil},
|
||||||
{utiliptables.TableNAT, kubeServicesChain, utiliptables.ChainPrerouting, "kubernetes service portals", nil},
|
{utiliptables.TableNAT, kubeServicesChain, utiliptables.ChainPrerouting, "kubernetes service portals", nil},
|
||||||
{utiliptables.TableNAT, kubePostroutingChain, utiliptables.ChainPostrouting, "kubernetes postrouting rules", nil},
|
{utiliptables.TableNAT, kubePostroutingChain, utiliptables.ChainPostrouting, "kubernetes postrouting rules", nil},
|
||||||
}
|
}
|
||||||
|
|
||||||
var iptablesEnsureChains = []struct {
|
|
||||||
table utiliptables.Table
|
|
||||||
chain utiliptables.Chain
|
|
||||||
}{
|
|
||||||
{utiliptables.TableNAT, kubeMarkDropChain},
|
|
||||||
}
|
|
||||||
|
|
||||||
var iptablesCleanupOnlyChains = []iptablesJumpChain{
|
var iptablesCleanupOnlyChains = []iptablesJumpChain{
|
||||||
// Present in kube 1.13 - 1.19. Removed by #95252 in favor of adding reject rules for incoming/forwarding packets to kubeExternalServicesChain
|
// Present in kube 1.13 - 1.19. Removed by #95252 in favor of adding reject rules for incoming/forwarding packets to kubeExternalServicesChain
|
||||||
{utiliptables.TableFilter, kubeServicesChain, utiliptables.ChainInput, "kubernetes service portals", []string{"-m", "conntrack", "--ctstate", "NEW"}},
|
{utiliptables.TableFilter, kubeServicesChain, utiliptables.ChainInput, "kubernetes service portals", []string{"-m", "conntrack", "--ctstate", "NEW"}},
|
||||||
@ -877,14 +873,6 @@ func (proxier *Proxier) syncProxyRules() {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// ensure KUBE-MARK-DROP chain exist but do not change any rules
|
|
||||||
for _, ch := range iptablesEnsureChains {
|
|
||||||
if _, err := proxier.iptables.EnsureChain(ch.table, ch.chain); err != nil {
|
|
||||||
klog.ErrorS(err, "Failed to ensure chain exists", "table", ch.table, "chain", ch.chain)
|
|
||||||
return
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
//
|
//
|
||||||
// Below this point we will not return until we try to write the iptables rules.
|
// Below this point we will not return until we try to write the iptables rules.
|
||||||
//
|
//
|
||||||
@ -896,9 +884,8 @@ func (proxier *Proxier) syncProxyRules() {
|
|||||||
proxier.natChains.Reset()
|
proxier.natChains.Reset()
|
||||||
proxier.natRules.Reset()
|
proxier.natRules.Reset()
|
||||||
|
|
||||||
// Make sure we keep stats for the top-level chains, if they existed
|
// Write chain lines for all the "top-level" chains we'll be filling in
|
||||||
// (which most should have because we created them above).
|
for _, chainName := range []utiliptables.Chain{kubeServicesChain, kubeExternalServicesChain, kubeForwardChain, kubeNodePortsChain, kubeProxyFirewallChain} {
|
||||||
for _, chainName := range []utiliptables.Chain{kubeServicesChain, kubeExternalServicesChain, kubeForwardChain, kubeNodePortsChain} {
|
|
||||||
proxier.filterChains.Write(utiliptables.MakeChainLine(chainName))
|
proxier.filterChains.Write(utiliptables.MakeChainLine(chainName))
|
||||||
}
|
}
|
||||||
for _, chainName := range []utiliptables.Chain{kubeServicesChain, kubeNodePortsChain, kubePostroutingChain, kubeMarkMasqChain} {
|
for _, chainName := range []utiliptables.Chain{kubeServicesChain, kubeNodePortsChain, kubePostroutingChain, kubeMarkMasqChain} {
|
||||||
@ -1158,6 +1145,15 @@ func (proxier *Proxier) syncProxyRules() {
|
|||||||
"-j", string(loadBalancerTrafficChain))
|
"-j", string(loadBalancerTrafficChain))
|
||||||
|
|
||||||
}
|
}
|
||||||
|
if usesFWChain {
|
||||||
|
proxier.filterRules.Write(
|
||||||
|
"-A", string(kubeProxyFirewallChain),
|
||||||
|
"-m", "comment", "--comment", fmt.Sprintf(`"%s traffic not accepted by %s"`, svcPortNameString, svcInfo.firewallChainName),
|
||||||
|
"-m", protocol, "-p", protocol,
|
||||||
|
"-d", lbip,
|
||||||
|
"--dport", strconv.Itoa(svcInfo.Port()),
|
||||||
|
"-j", "DROP")
|
||||||
|
}
|
||||||
}
|
}
|
||||||
if !hasExternalEndpoints {
|
if !hasExternalEndpoints {
|
||||||
// Either no endpoints at all (REJECT) or no endpoints for
|
// Either no endpoints at all (REJECT) or no endpoints for
|
||||||
@ -1339,9 +1335,8 @@ func (proxier *Proxier) syncProxyRules() {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
// If the packet was able to reach the end of firewall chain,
|
// If the packet was able to reach the end of firewall chain,
|
||||||
// then it did not get DNATed. It means the packet cannot go
|
// then it did not get DNATed and will be dropped later by the
|
||||||
// thru the firewall, then mark it for DROP.
|
// corresponding KUBE-PROXY-FIREWALL rule.
|
||||||
proxier.natRules.Write(args, "-j", string(kubeMarkDropChain))
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// If Cluster policy is in use, create the chain and create rules jumping
|
// If Cluster policy is in use, create the chain and create rules jumping
|
||||||
|
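Review bot: The DROP rule added under `if usesFWChain` (hunk @ -1158) matches only on destination `lbip` and `--dport`, so it silently depends on every packet that the nat-side `svcInfo.firewallChainName` chain accepted having already been DNATed away from the load-balancer IP before it reaches the filter table; that invariant is stated only in the nat-side comment (hunk @ -1339) and not where the filter rule is emitted. Add a why-comment above the `proxier.filterRules.Write(` call, e.g. `// Packets accepted by the KUBE-FW chain were DNATed in nat and no longer carry lbip as destination; anything still addressed to lbip:port here came from outside LoadBalancerSourceRanges, so drop it.` Because the jumps to `kubeProxyFirewallChain` in `iptablesJumpChains` carry `--ctstate NEW`, only new connections are affected, which appears consistent with the nat-table behaviour it replaces but is worth saying in the same comment. The enclosing loop and `syncProxyRules` start and end outside the hunk, and `usesFWChain` is set outside it.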
@ -736,7 +736,6 @@ func checkIPTablesRuleJumps(ruleData string) error {
|
|||||||
// Ignore jumps to chains that we expect to exist even if kube-proxy
|
// Ignore jumps to chains that we expect to exist even if kube-proxy
|
||||||
// didn't create them itself.
|
// didn't create them itself.
|
||||||
jumpedChains.Delete("ACCEPT", "REJECT", "DROP", "MARK", "RETURN", "DNAT", "SNAT", "MASQUERADE")
|
jumpedChains.Delete("ACCEPT", "REJECT", "DROP", "MARK", "RETURN", "DNAT", "SNAT", "MASQUERADE")
|
||||||
jumpedChains.Delete(string(kubeMarkDropChain))
|
|
||||||
|
|
||||||
// Find cases where we have "-A FOO ... -j BAR" but no ":BAR", meaning
|
// Find cases where we have "-A FOO ... -j BAR" but no ":BAR", meaning
|
||||||
// that we are jumping to a chain that was not created.
|
// that we are jumping to a chain that was not created.
|
||||||
@ -759,7 +758,7 @@ func checkIPTablesRuleJumps(ruleData string) error {
|
|||||||
// Find cases where we have ":BAR" but no "-A FOO ... -j BAR", meaning
|
// Find cases where we have ":BAR" but no "-A FOO ... -j BAR", meaning
|
||||||
// that we are creating an empty chain but not using it for anything.
|
// that we are creating an empty chain but not using it for anything.
|
||||||
extraChains := createdChains.Difference(jumpedChains)
|
extraChains := createdChains.Difference(jumpedChains)
|
||||||
extraChains.Delete(string(kubeServicesChain), string(kubeExternalServicesChain), string(kubeNodePortsChain), string(kubePostroutingChain), string(kubeForwardChain), string(kubeMarkMasqChain))
|
extraChains.Delete(string(kubeServicesChain), string(kubeExternalServicesChain), string(kubeNodePortsChain), string(kubePostroutingChain), string(kubeForwardChain), string(kubeMarkMasqChain), string(kubeProxyFirewallChain))
|
||||||
if len(extraChains) > 0 {
|
if len(extraChains) > 0 {
|
||||||
return fmt.Errorf("some chains in %s are created but not used: %v", tableName, extraChains.List())
|
return fmt.Errorf("some chains in %s are created but not used: %v", tableName, extraChains.List())
|
||||||
}
|
}
|
||||||
@ -1018,6 +1017,7 @@ func TestSortIPTablesRules(t *testing.T) {
|
|||||||
:KUBE-EXTERNAL-SERVICES - [0:0]
|
:KUBE-EXTERNAL-SERVICES - [0:0]
|
||||||
:KUBE-FORWARD - [0:0]
|
:KUBE-FORWARD - [0:0]
|
||||||
:KUBE-NODEPORTS - [0:0]
|
:KUBE-NODEPORTS - [0:0]
|
||||||
|
:KUBE-PROXY-FIREWALL - [0:0]
|
||||||
-A KUBE-NODEPORTS -m comment --comment "ns2/svc2:p80 health check node port" -m tcp -p tcp --dport 30000 -j ACCEPT
|
-A KUBE-NODEPORTS -m comment --comment "ns2/svc2:p80 health check node port" -m tcp -p tcp --dport 30000 -j ACCEPT
|
||||||
-A KUBE-EXTERNAL-SERVICES -m comment --comment "ns2/svc2:p80 has no local endpoints" -m tcp -p tcp -d 192.168.99.22 --dport 80 -j DROP
|
-A KUBE-EXTERNAL-SERVICES -m comment --comment "ns2/svc2:p80 has no local endpoints" -m tcp -p tcp -d 192.168.99.22 --dport 80 -j DROP
|
||||||
-A KUBE-EXTERNAL-SERVICES -m comment --comment "ns2/svc2:p80 has no local endpoints" -m tcp -p tcp -d 1.2.3.4 --dport 80 -j DROP
|
-A KUBE-EXTERNAL-SERVICES -m comment --comment "ns2/svc2:p80 has no local endpoints" -m tcp -p tcp -d 1.2.3.4 --dport 80 -j DROP
|
||||||
@ -1025,6 +1025,7 @@ func TestSortIPTablesRules(t *testing.T) {
|
|||||||
-A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
|
-A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
|
||||||
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT
|
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT
|
||||||
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding conntrack rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding conntrack rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
||||||
|
-A KUBE-PROXY-FIREWALL -m comment --comment "ns5/svc5:p80 traffic not accepted by KUBE-FW-NUKIZ6OKUXPJNT4C" -m tcp -p tcp -d 5.6.7.8 --dport 80 -j DROP
|
||||||
COMMIT
|
COMMIT
|
||||||
*nat
|
*nat
|
||||||
:KUBE-SERVICES - [0:0]
|
:KUBE-SERVICES - [0:0]
|
||||||
@ -1060,7 +1061,6 @@ func TestSortIPTablesRules(t *testing.T) {
|
|||||||
-A KUBE-SEP-RS4RBKLTHTF2IUXJ -m comment --comment ns2/svc2:p80 -s 10.180.0.2 -j KUBE-MARK-MASQ
|
-A KUBE-SEP-RS4RBKLTHTF2IUXJ -m comment --comment ns2/svc2:p80 -s 10.180.0.2 -j KUBE-MARK-MASQ
|
||||||
-A KUBE-SEP-RS4RBKLTHTF2IUXJ -m comment --comment ns2/svc2:p80 -m tcp -p tcp -j DNAT --to-destination 10.180.0.2:80
|
-A KUBE-SEP-RS4RBKLTHTF2IUXJ -m comment --comment ns2/svc2:p80 -m tcp -p tcp -j DNAT --to-destination 10.180.0.2:80
|
||||||
-A KUBE-FW-GNZBNJ2PO5MGZ6GT -m comment --comment "ns2/svc2:p80 loadbalancer IP" -s 203.0.113.0/25 -j KUBE-EXT-GNZBNJ2PO5MGZ6GT
|
-A KUBE-FW-GNZBNJ2PO5MGZ6GT -m comment --comment "ns2/svc2:p80 loadbalancer IP" -s 203.0.113.0/25 -j KUBE-EXT-GNZBNJ2PO5MGZ6GT
|
||||||
-A KUBE-FW-GNZBNJ2PO5MGZ6GT -m comment --comment "ns2/svc2:p80 loadbalancer IP" -j KUBE-MARK-DROP
|
|
||||||
-A KUBE-NODEPORTS -m comment --comment ns2/svc2:p80 -m tcp -p tcp --dport 3001 -j KUBE-EXT-GNZBNJ2PO5MGZ6GT
|
-A KUBE-NODEPORTS -m comment --comment ns2/svc2:p80 -m tcp -p tcp --dport 3001 -j KUBE-EXT-GNZBNJ2PO5MGZ6GT
|
||||||
-A KUBE-EXT-GNZBNJ2PO5MGZ6GT -m comment --comment "Redirect pods trying to reach external loadbalancer VIP to clusterIP" -s 10.0.0.0/8 -j KUBE-SVC-GNZBNJ2PO5MGZ6GT
|
-A KUBE-EXT-GNZBNJ2PO5MGZ6GT -m comment --comment "Redirect pods trying to reach external loadbalancer VIP to clusterIP" -s 10.0.0.0/8 -j KUBE-SVC-GNZBNJ2PO5MGZ6GT
|
||||||
-A KUBE-EXT-GNZBNJ2PO5MGZ6GT -m comment --comment "masquerade LOCAL traffic for ns2/svc2:p80 LB IP" -m addrtype --src-type LOCAL -j KUBE-MARK-MASQ
|
-A KUBE-EXT-GNZBNJ2PO5MGZ6GT -m comment --comment "masquerade LOCAL traffic for ns2/svc2:p80 LB IP" -m addrtype --src-type LOCAL -j KUBE-MARK-MASQ
|
||||||
@ -1093,6 +1093,7 @@ func TestSortIPTablesRules(t *testing.T) {
|
|||||||
:KUBE-SERVICES - [0:0]
|
:KUBE-SERVICES - [0:0]
|
||||||
:KUBE-EXTERNAL-SERVICES - [0:0]
|
:KUBE-EXTERNAL-SERVICES - [0:0]
|
||||||
:KUBE-FORWARD - [0:0]
|
:KUBE-FORWARD - [0:0]
|
||||||
|
:KUBE-PROXY-FIREWALL - [0:0]
|
||||||
-A KUBE-NODEPORTS -m comment --comment "ns2/svc2:p80 health check node port" -m tcp -p tcp --dport 30000 -j ACCEPT
|
-A KUBE-NODEPORTS -m comment --comment "ns2/svc2:p80 health check node port" -m tcp -p tcp --dport 30000 -j ACCEPT
|
||||||
-A KUBE-EXTERNAL-SERVICES -m comment --comment "ns2/svc2:p80 has no local endpoints" -m tcp -p tcp -d 192.168.99.22 --dport 80 -j DROP
|
-A KUBE-EXTERNAL-SERVICES -m comment --comment "ns2/svc2:p80 has no local endpoints" -m tcp -p tcp -d 192.168.99.22 --dport 80 -j DROP
|
||||||
-A KUBE-EXTERNAL-SERVICES -m comment --comment "ns2/svc2:p80 has no local endpoints" -m tcp -p tcp -d 1.2.3.4 --dport 80 -j DROP
|
-A KUBE-EXTERNAL-SERVICES -m comment --comment "ns2/svc2:p80 has no local endpoints" -m tcp -p tcp -d 1.2.3.4 --dport 80 -j DROP
|
||||||
@ -1100,6 +1101,7 @@ func TestSortIPTablesRules(t *testing.T) {
|
|||||||
-A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
|
-A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
|
||||||
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT
|
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT
|
||||||
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding conntrack rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding conntrack rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
||||||
|
-A KUBE-PROXY-FIREWALL -m comment --comment "ns5/svc5:p80 traffic not accepted by KUBE-FW-NUKIZ6OKUXPJNT4C" -m tcp -p tcp -d 5.6.7.8 --dport 80 -j DROP
|
||||||
COMMIT
|
COMMIT
|
||||||
*nat
|
*nat
|
||||||
:KUBE-NODEPORTS - [0:0]
|
:KUBE-NODEPORTS - [0:0]
|
||||||
@ -1133,7 +1135,6 @@ func TestSortIPTablesRules(t *testing.T) {
|
|||||||
-A KUBE-EXT-GNZBNJ2PO5MGZ6GT -m comment --comment "route LOCAL traffic for ns2/svc2:p80 LB IP to service chain" -m addrtype --src-type LOCAL -j KUBE-SVC-GNZBNJ2PO5MGZ6GT
|
-A KUBE-EXT-GNZBNJ2PO5MGZ6GT -m comment --comment "route LOCAL traffic for ns2/svc2:p80 LB IP to service chain" -m addrtype --src-type LOCAL -j KUBE-SVC-GNZBNJ2PO5MGZ6GT
|
||||||
-A KUBE-EXT-GNZBNJ2PO5MGZ6GT -j KUBE-SVL-GNZBNJ2PO5MGZ6GT
|
-A KUBE-EXT-GNZBNJ2PO5MGZ6GT -j KUBE-SVL-GNZBNJ2PO5MGZ6GT
|
||||||
-A KUBE-FW-GNZBNJ2PO5MGZ6GT -m comment --comment "ns2/svc2:p80 loadbalancer IP" -s 203.0.113.0/25 -j KUBE-EXT-GNZBNJ2PO5MGZ6GT
|
-A KUBE-FW-GNZBNJ2PO5MGZ6GT -m comment --comment "ns2/svc2:p80 loadbalancer IP" -s 203.0.113.0/25 -j KUBE-EXT-GNZBNJ2PO5MGZ6GT
|
||||||
-A KUBE-FW-GNZBNJ2PO5MGZ6GT -m comment --comment "ns2/svc2:p80 loadbalancer IP" -j KUBE-MARK-DROP
|
|
||||||
-A KUBE-MARK-MASQ -j MARK --or-mark 0x4000
|
-A KUBE-MARK-MASQ -j MARK --or-mark 0x4000
|
||||||
-A KUBE-POSTROUTING -m mark ! --mark 0x4000/0x4000 -j RETURN
|
-A KUBE-POSTROUTING -m mark ! --mark 0x4000/0x4000 -j RETURN
|
||||||
-A KUBE-POSTROUTING -j MARK --xor-mark 0x4000
|
-A KUBE-POSTROUTING -j MARK --xor-mark 0x4000
|
||||||
@ -1434,10 +1435,8 @@ type iptablesTracer struct {
|
|||||||
// the return value of tracePacket.
|
// the return value of tracePacket.
|
||||||
outputs []string
|
outputs []string
|
||||||
|
|
||||||
// markMasq and markDrop track whether the packet has been marked for masquerading
|
// markMasq tracks whether the packet has been marked for masquerading
|
||||||
// or dropping.
|
|
||||||
markMasq bool
|
markMasq bool
|
||||||
markDrop bool
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// newIPTablesTracer creates an iptablesTracer. nodeIP is the IP to treat as the local
|
// newIPTablesTracer creates an iptablesTracer. nodeIP is the IP to treat as the local
|
||||||
@ -1523,10 +1522,6 @@ func (tracer *iptablesTracer) runChain(table utiliptables.Table, chain utiliptab
|
|||||||
tracer.markMasq = true
|
tracer.markMasq = true
|
||||||
continue
|
continue
|
||||||
|
|
||||||
case "KUBE-MARK-DROP":
|
|
||||||
tracer.markDrop = true
|
|
||||||
continue
|
|
||||||
|
|
||||||
case "ACCEPT", "REJECT", "DROP":
|
case "ACCEPT", "REJECT", "DROP":
|
||||||
// (only valid in filter)
|
// (only valid in filter)
|
||||||
tracer.outputs = append(tracer.outputs, rule.Jump.Value)
|
tracer.outputs = append(tracer.outputs, rule.Jump.Value)
|
||||||
@ -1578,14 +1573,10 @@ func tracePacket(t *testing.T, ipt *iptablestest.FakeIPTables, sourceIP, destIP,
|
|||||||
// inbound, outbound, or intra-host packet, which we don't know. So we just run
|
// inbound, outbound, or intra-host packet, which we don't know. So we just run
|
||||||
// the interesting tables manually. (Theoretically this could cause conflicts in
|
// the interesting tables manually. (Theoretically this could cause conflicts in
|
||||||
// the future in which case we'd have to do something more complicated.)
|
// the future in which case we'd have to do something more complicated.)
|
||||||
|
|
||||||
// The DROP rule is created by kubelet, not us, so we have to simulate that manually.
|
|
||||||
if tracer.markDrop {
|
|
||||||
return tracer.matches, "DROP", false
|
|
||||||
}
|
|
||||||
tracer.runChain(utiliptables.TableFilter, kubeServicesChain, sourceIP, destIP, destPort)
|
tracer.runChain(utiliptables.TableFilter, kubeServicesChain, sourceIP, destIP, destPort)
|
||||||
tracer.runChain(utiliptables.TableFilter, kubeExternalServicesChain, sourceIP, destIP, destPort)
|
tracer.runChain(utiliptables.TableFilter, kubeExternalServicesChain, sourceIP, destIP, destPort)
|
||||||
tracer.runChain(utiliptables.TableFilter, kubeNodePortsChain, sourceIP, destIP, destPort)
|
tracer.runChain(utiliptables.TableFilter, kubeNodePortsChain, sourceIP, destIP, destPort)
|
||||||
|
tracer.runChain(utiliptables.TableFilter, kubeProxyFirewallChain, sourceIP, destIP, destPort)
|
||||||
|
|
||||||
// Finally, the nat:POSTROUTING rules run, but the only interesting thing that
|
// Finally, the nat:POSTROUTING rules run, but the only interesting thing that
|
||||||
// happens there is that the masquerade mark gets turned into actual masquerading.
|
// happens there is that the masquerade mark gets turned into actual masquerading.
|
||||||
@ -1637,6 +1628,7 @@ func TestTracePackets(t *testing.T) {
|
|||||||
:KUBE-FORWARD - [0:0]
|
:KUBE-FORWARD - [0:0]
|
||||||
:KUBE-NODEPORTS - [0:0]
|
:KUBE-NODEPORTS - [0:0]
|
||||||
:KUBE-SERVICES - [0:0]
|
:KUBE-SERVICES - [0:0]
|
||||||
|
:KUBE-PROXY-FIREWALL - [0:0]
|
||||||
-A INPUT -m comment --comment kubernetes health check service ports -j KUBE-NODEPORTS
|
-A INPUT -m comment --comment kubernetes health check service ports -j KUBE-NODEPORTS
|
||||||
-A INPUT -m conntrack --ctstate NEW -m comment --comment kubernetes externally-visible service portals -j KUBE-EXTERNAL-SERVICES
|
-A INPUT -m conntrack --ctstate NEW -m comment --comment kubernetes externally-visible service portals -j KUBE-EXTERNAL-SERVICES
|
||||||
-A FORWARD -m comment --comment kubernetes forwarding rules -j KUBE-FORWARD
|
-A FORWARD -m comment --comment kubernetes forwarding rules -j KUBE-FORWARD
|
||||||
@ -1651,6 +1643,7 @@ func TestTracePackets(t *testing.T) {
|
|||||||
-A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
|
-A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
|
||||||
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT
|
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT
|
||||||
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding conntrack rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding conntrack rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
||||||
|
-A KUBE-PROXY-FIREWALL -m comment --comment "ns5/svc5:p80 traffic not accepted by KUBE-FW-NUKIZ6OKUXPJNT4C" -m tcp -p tcp -d 5.6.7.8 --dport 80 -j DROP
|
||||||
COMMIT
|
COMMIT
|
||||||
*nat
|
*nat
|
||||||
:PREROUTING - [0:0]
|
:PREROUTING - [0:0]
|
||||||
@ -1707,7 +1700,6 @@ func TestTracePackets(t *testing.T) {
|
|||||||
-A KUBE-EXT-X27LE4BHSL4DOUIK -m comment --comment "masquerade traffic for ns3/svc3:p80 external destinations" -j KUBE-MARK-MASQ
|
-A KUBE-EXT-X27LE4BHSL4DOUIK -m comment --comment "masquerade traffic for ns3/svc3:p80 external destinations" -j KUBE-MARK-MASQ
|
||||||
-A KUBE-EXT-X27LE4BHSL4DOUIK -j KUBE-SVC-X27LE4BHSL4DOUIK
|
-A KUBE-EXT-X27LE4BHSL4DOUIK -j KUBE-SVC-X27LE4BHSL4DOUIK
|
||||||
-A KUBE-FW-NUKIZ6OKUXPJNT4C -m comment --comment "ns5/svc5:p80 loadbalancer IP" -s 203.0.113.0/25 -j KUBE-EXT-NUKIZ6OKUXPJNT4C
|
-A KUBE-FW-NUKIZ6OKUXPJNT4C -m comment --comment "ns5/svc5:p80 loadbalancer IP" -s 203.0.113.0/25 -j KUBE-EXT-NUKIZ6OKUXPJNT4C
|
||||||
-A KUBE-FW-NUKIZ6OKUXPJNT4C -m comment --comment "ns5/svc5:p80 loadbalancer IP" -j KUBE-MARK-DROP
|
|
||||||
-A KUBE-SEP-C6EBXVWJJZMIWKLZ -m comment --comment ns4/svc4:p80 -s 10.180.0.5 -j KUBE-MARK-MASQ
|
-A KUBE-SEP-C6EBXVWJJZMIWKLZ -m comment --comment ns4/svc4:p80 -s 10.180.0.5 -j KUBE-MARK-MASQ
|
||||||
-A KUBE-SEP-C6EBXVWJJZMIWKLZ -m comment --comment ns4/svc4:p80 -m tcp -p tcp -j DNAT --to-destination 10.180.0.5:80
|
-A KUBE-SEP-C6EBXVWJJZMIWKLZ -m comment --comment ns4/svc4:p80 -m tcp -p tcp -j DNAT --to-destination 10.180.0.5:80
|
||||||
-A KUBE-SEP-I77PXRDZVX7PMWMN -m comment --comment ns5/svc5:p80 -s 10.180.0.3 -j KUBE-MARK-MASQ
|
-A KUBE-SEP-I77PXRDZVX7PMWMN -m comment --comment ns5/svc5:p80 -s 10.180.0.3 -j KUBE-MARK-MASQ
|
||||||
@ -1771,19 +1763,12 @@ func TestTracePackets(t *testing.T) {
|
|||||||
masq: true,
|
masq: true,
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "DROP (via filter table)",
|
name: "DROP",
|
||||||
sourceIP: testExternalClient,
|
sourceIP: testExternalClient,
|
||||||
destIP: "192.168.99.22",
|
destIP: "192.168.99.22",
|
||||||
destPort: 80,
|
destPort: 80,
|
||||||
output: "DROP",
|
output: "DROP",
|
||||||
},
|
},
|
||||||
{
|
|
||||||
name: "DROP (via KUBE-MARK-DROP)",
|
|
||||||
sourceIP: testExternalClientBlocked,
|
|
||||||
destIP: "5.6.7.8",
|
|
||||||
destPort: 80,
|
|
||||||
output: "DROP",
|
|
||||||
},
|
|
||||||
{
|
{
|
||||||
name: "ACCEPT (NodePortHealthCheck)",
|
name: "ACCEPT (NodePortHealthCheck)",
|
||||||
sourceIP: testNodeIP,
|
sourceIP: testNodeIP,
|
||||||
@ -1967,6 +1952,7 @@ func TestOverallIPTablesRulesWithMultipleServices(t *testing.T) {
|
|||||||
:KUBE-SERVICES - [0:0]
|
:KUBE-SERVICES - [0:0]
|
||||||
:KUBE-EXTERNAL-SERVICES - [0:0]
|
:KUBE-EXTERNAL-SERVICES - [0:0]
|
||||||
:KUBE-FORWARD - [0:0]
|
:KUBE-FORWARD - [0:0]
|
||||||
|
:KUBE-PROXY-FIREWALL - [0:0]
|
||||||
-A KUBE-NODEPORTS -m comment --comment "ns2/svc2:p80 health check node port" -m tcp -p tcp --dport 30000 -j ACCEPT
|
-A KUBE-NODEPORTS -m comment --comment "ns2/svc2:p80 health check node port" -m tcp -p tcp --dport 30000 -j ACCEPT
|
||||||
-A KUBE-SERVICES -m comment --comment "ns6/svc6:p80 has no endpoints" -m tcp -p tcp -d 172.30.0.46 --dport 80 -j REJECT
|
-A KUBE-SERVICES -m comment --comment "ns6/svc6:p80 has no endpoints" -m tcp -p tcp -d 172.30.0.46 --dport 80 -j REJECT
|
||||||
-A KUBE-EXTERNAL-SERVICES -m comment --comment "ns2/svc2:p80 has no local endpoints" -m tcp -p tcp -d 192.168.99.22 --dport 80 -j DROP
|
-A KUBE-EXTERNAL-SERVICES -m comment --comment "ns2/svc2:p80 has no local endpoints" -m tcp -p tcp -d 192.168.99.22 --dport 80 -j DROP
|
||||||
@ -1975,6 +1961,7 @@ func TestOverallIPTablesRulesWithMultipleServices(t *testing.T) {
|
|||||||
-A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
|
-A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
|
||||||
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT
|
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT
|
||||||
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding conntrack rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding conntrack rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
||||||
|
-A KUBE-PROXY-FIREWALL -m comment --comment "ns5/svc5:p80 traffic not accepted by KUBE-FW-NUKIZ6OKUXPJNT4C" -m tcp -p tcp -d 5.6.7.8 --dport 80 -j DROP
|
||||||
COMMIT
|
COMMIT
|
||||||
*nat
|
*nat
|
||||||
:KUBE-NODEPORTS - [0:0]
|
:KUBE-NODEPORTS - [0:0]
|
||||||
@ -2020,7 +2007,6 @@ func TestOverallIPTablesRulesWithMultipleServices(t *testing.T) {
|
|||||||
-A KUBE-EXT-X27LE4BHSL4DOUIK -m comment --comment "masquerade traffic for ns3/svc3:p80 external destinations" -j KUBE-MARK-MASQ
|
-A KUBE-EXT-X27LE4BHSL4DOUIK -m comment --comment "masquerade traffic for ns3/svc3:p80 external destinations" -j KUBE-MARK-MASQ
|
||||||
-A KUBE-EXT-X27LE4BHSL4DOUIK -j KUBE-SVC-X27LE4BHSL4DOUIK
|
-A KUBE-EXT-X27LE4BHSL4DOUIK -j KUBE-SVC-X27LE4BHSL4DOUIK
|
||||||
-A KUBE-FW-NUKIZ6OKUXPJNT4C -m comment --comment "ns5/svc5:p80 loadbalancer IP" -s 203.0.113.0/25 -j KUBE-EXT-NUKIZ6OKUXPJNT4C
|
-A KUBE-FW-NUKIZ6OKUXPJNT4C -m comment --comment "ns5/svc5:p80 loadbalancer IP" -s 203.0.113.0/25 -j KUBE-EXT-NUKIZ6OKUXPJNT4C
|
||||||
-A KUBE-FW-NUKIZ6OKUXPJNT4C -m comment --comment "ns5/svc5:p80 loadbalancer IP" -j KUBE-MARK-DROP
|
|
||||||
-A KUBE-MARK-MASQ -j MARK --or-mark 0x4000
|
-A KUBE-MARK-MASQ -j MARK --or-mark 0x4000
|
||||||
-A KUBE-POSTROUTING -m mark ! --mark 0x4000/0x4000 -j RETURN
|
-A KUBE-POSTROUTING -m mark ! --mark 0x4000/0x4000 -j RETURN
|
||||||
-A KUBE-POSTROUTING -j MARK --xor-mark 0x4000
|
-A KUBE-POSTROUTING -j MARK --xor-mark 0x4000
|
||||||
@ -2094,6 +2080,7 @@ func TestClusterIPReject(t *testing.T) {
|
|||||||
:KUBE-SERVICES - [0:0]
|
:KUBE-SERVICES - [0:0]
|
||||||
:KUBE-EXTERNAL-SERVICES - [0:0]
|
:KUBE-EXTERNAL-SERVICES - [0:0]
|
||||||
:KUBE-FORWARD - [0:0]
|
:KUBE-FORWARD - [0:0]
|
||||||
|
:KUBE-PROXY-FIREWALL - [0:0]
|
||||||
-A KUBE-SERVICES -m comment --comment "ns1/svc1:p80 has no endpoints" -m tcp -p tcp -d 172.30.0.41 --dport 80 -j REJECT
|
-A KUBE-SERVICES -m comment --comment "ns1/svc1:p80 has no endpoints" -m tcp -p tcp -d 172.30.0.41 --dport 80 -j REJECT
|
||||||
-A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
|
-A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
|
||||||
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT
|
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT
|
||||||
@ -2171,6 +2158,7 @@ func TestClusterIPEndpointsJump(t *testing.T) {
|
|||||||
:KUBE-SERVICES - [0:0]
|
:KUBE-SERVICES - [0:0]
|
||||||
:KUBE-EXTERNAL-SERVICES - [0:0]
|
:KUBE-EXTERNAL-SERVICES - [0:0]
|
||||||
:KUBE-FORWARD - [0:0]
|
:KUBE-FORWARD - [0:0]
|
||||||
|
:KUBE-PROXY-FIREWALL - [0:0]
|
||||||
-A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
|
-A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
|
||||||
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT
|
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT
|
||||||
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding conntrack rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding conntrack rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
||||||
@ -2277,9 +2265,12 @@ func TestLoadBalancer(t *testing.T) {
|
|||||||
:KUBE-SERVICES - [0:0]
|
:KUBE-SERVICES - [0:0]
|
||||||
:KUBE-EXTERNAL-SERVICES - [0:0]
|
:KUBE-EXTERNAL-SERVICES - [0:0]
|
||||||
:KUBE-FORWARD - [0:0]
|
:KUBE-FORWARD - [0:0]
|
||||||
|
:KUBE-PROXY-FIREWALL - [0:0]
|
||||||
-A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
|
-A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
|
||||||
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT
|
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT
|
||||||
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding conntrack rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding conntrack rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
||||||
|
-A KUBE-PROXY-FIREWALL -m comment --comment "ns1/svc1:p80 traffic not accepted by KUBE-FW-XPGD46QRK7WJZT7O" -m tcp -p tcp -d 1.2.3.4 --dport 80 -j DROP
|
||||||
|
-A KUBE-PROXY-FIREWALL -m comment --comment "ns1/svc1:p80 traffic not accepted by KUBE-FW-XPGD46QRK7WJZT7O" -m tcp -p tcp -d 5.6.7.8 --dport 80 -j DROP
|
||||||
COMMIT
|
COMMIT
|
||||||
*nat
|
*nat
|
||||||
:KUBE-NODEPORTS - [0:0]
|
:KUBE-NODEPORTS - [0:0]
|
||||||
@ -2301,7 +2292,6 @@ func TestLoadBalancer(t *testing.T) {
|
|||||||
-A KUBE-FW-XPGD46QRK7WJZT7O -m comment --comment "ns1/svc1:p80 loadbalancer IP" -s 203.0.113.0/25 -j KUBE-EXT-XPGD46QRK7WJZT7O
|
-A KUBE-FW-XPGD46QRK7WJZT7O -m comment --comment "ns1/svc1:p80 loadbalancer IP" -s 203.0.113.0/25 -j KUBE-EXT-XPGD46QRK7WJZT7O
|
||||||
-A KUBE-FW-XPGD46QRK7WJZT7O -m comment --comment "ns1/svc1:p80 loadbalancer IP" -s 1.2.3.4 -j KUBE-EXT-XPGD46QRK7WJZT7O
|
-A KUBE-FW-XPGD46QRK7WJZT7O -m comment --comment "ns1/svc1:p80 loadbalancer IP" -s 1.2.3.4 -j KUBE-EXT-XPGD46QRK7WJZT7O
|
||||||
-A KUBE-FW-XPGD46QRK7WJZT7O -m comment --comment "ns1/svc1:p80 loadbalancer IP" -s 5.6.7.8 -j KUBE-EXT-XPGD46QRK7WJZT7O
|
-A KUBE-FW-XPGD46QRK7WJZT7O -m comment --comment "ns1/svc1:p80 loadbalancer IP" -s 5.6.7.8 -j KUBE-EXT-XPGD46QRK7WJZT7O
|
||||||
-A KUBE-FW-XPGD46QRK7WJZT7O -m comment --comment "ns1/svc1:p80 loadbalancer IP" -j KUBE-MARK-DROP
|
|
||||||
-A KUBE-MARK-MASQ -j MARK --or-mark 0x4000
|
-A KUBE-MARK-MASQ -j MARK --or-mark 0x4000
|
||||||
-A KUBE-POSTROUTING -m mark ! --mark 0x4000/0x4000 -j RETURN
|
-A KUBE-POSTROUTING -m mark ! --mark 0x4000/0x4000 -j RETURN
|
||||||
-A KUBE-POSTROUTING -j MARK --xor-mark 0x4000
|
-A KUBE-POSTROUTING -j MARK --xor-mark 0x4000
|
||||||
@ -2473,6 +2463,7 @@ func TestNodePort(t *testing.T) {
|
|||||||
:KUBE-SERVICES - [0:0]
|
:KUBE-SERVICES - [0:0]
|
||||||
:KUBE-EXTERNAL-SERVICES - [0:0]
|
:KUBE-EXTERNAL-SERVICES - [0:0]
|
||||||
:KUBE-FORWARD - [0:0]
|
:KUBE-FORWARD - [0:0]
|
||||||
|
:KUBE-PROXY-FIREWALL - [0:0]
|
||||||
-A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
|
-A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
|
||||||
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT
|
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT
|
||||||
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding conntrack rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding conntrack rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
||||||
@ -2574,6 +2565,7 @@ func TestHealthCheckNodePort(t *testing.T) {
|
|||||||
:KUBE-SERVICES - [0:0]
|
:KUBE-SERVICES - [0:0]
|
||||||
:KUBE-EXTERNAL-SERVICES - [0:0]
|
:KUBE-EXTERNAL-SERVICES - [0:0]
|
||||||
:KUBE-FORWARD - [0:0]
|
:KUBE-FORWARD - [0:0]
|
||||||
|
:KUBE-PROXY-FIREWALL - [0:0]
|
||||||
-A KUBE-NODEPORTS -m comment --comment "ns1/svc1:p80 health check node port" -m tcp -p tcp --dport 30000 -j ACCEPT
|
-A KUBE-NODEPORTS -m comment --comment "ns1/svc1:p80 health check node port" -m tcp -p tcp --dport 30000 -j ACCEPT
|
||||||
-A KUBE-SERVICES -m comment --comment "ns1/svc1:p80 has no endpoints" -m tcp -p tcp -d 172.30.0.42 --dport 80 -j REJECT
|
-A KUBE-SERVICES -m comment --comment "ns1/svc1:p80 has no endpoints" -m tcp -p tcp -d 172.30.0.42 --dport 80 -j REJECT
|
||||||
-A KUBE-EXTERNAL-SERVICES -m comment --comment "ns1/svc1:p80 has no endpoints" -m addrtype --dst-type LOCAL -m tcp -p tcp --dport 3001 -j REJECT
|
-A KUBE-EXTERNAL-SERVICES -m comment --comment "ns1/svc1:p80 has no endpoints" -m addrtype --dst-type LOCAL -m tcp -p tcp --dport 3001 -j REJECT
|
||||||
@ -2633,6 +2625,7 @@ func TestMasqueradeRule(t *testing.T) {
|
|||||||
:KUBE-SERVICES - [0:0]
|
:KUBE-SERVICES - [0:0]
|
||||||
:KUBE-EXTERNAL-SERVICES - [0:0]
|
:KUBE-EXTERNAL-SERVICES - [0:0]
|
||||||
:KUBE-FORWARD - [0:0]
|
:KUBE-FORWARD - [0:0]
|
||||||
|
:KUBE-PROXY-FIREWALL - [0:0]
|
||||||
-A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
|
-A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
|
||||||
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT
|
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT
|
||||||
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding conntrack rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding conntrack rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
||||||
@ -2692,6 +2685,7 @@ func TestExternalIPsReject(t *testing.T) {
|
|||||||
:KUBE-SERVICES - [0:0]
|
:KUBE-SERVICES - [0:0]
|
||||||
:KUBE-EXTERNAL-SERVICES - [0:0]
|
:KUBE-EXTERNAL-SERVICES - [0:0]
|
||||||
:KUBE-FORWARD - [0:0]
|
:KUBE-FORWARD - [0:0]
|
||||||
|
:KUBE-PROXY-FIREWALL - [0:0]
|
||||||
-A KUBE-SERVICES -m comment --comment "ns1/svc1:p80 has no endpoints" -m tcp -p tcp -d 172.30.0.41 --dport 80 -j REJECT
|
-A KUBE-SERVICES -m comment --comment "ns1/svc1:p80 has no endpoints" -m tcp -p tcp -d 172.30.0.41 --dport 80 -j REJECT
|
||||||
-A KUBE-EXTERNAL-SERVICES -m comment --comment "ns1/svc1:p80 has no endpoints" -m tcp -p tcp -d 192.168.99.11 --dport 80 -j REJECT
|
-A KUBE-EXTERNAL-SERVICES -m comment --comment "ns1/svc1:p80 has no endpoints" -m tcp -p tcp -d 192.168.99.11 --dport 80 -j REJECT
|
||||||
-A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
|
-A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
|
||||||
@ -2783,6 +2777,7 @@ func TestOnlyLocalExternalIPs(t *testing.T) {
|
|||||||
:KUBE-SERVICES - [0:0]
|
:KUBE-SERVICES - [0:0]
|
||||||
:KUBE-EXTERNAL-SERVICES - [0:0]
|
:KUBE-EXTERNAL-SERVICES - [0:0]
|
||||||
:KUBE-FORWARD - [0:0]
|
:KUBE-FORWARD - [0:0]
|
||||||
|
:KUBE-PROXY-FIREWALL - [0:0]
|
||||||
-A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
|
-A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
|
||||||
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT
|
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT
|
||||||
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding conntrack rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding conntrack rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
||||||
@ -2894,6 +2889,7 @@ func TestNonLocalExternalIPs(t *testing.T) {
|
|||||||
:KUBE-SERVICES - [0:0]
|
:KUBE-SERVICES - [0:0]
|
||||||
:KUBE-EXTERNAL-SERVICES - [0:0]
|
:KUBE-EXTERNAL-SERVICES - [0:0]
|
||||||
:KUBE-FORWARD - [0:0]
|
:KUBE-FORWARD - [0:0]
|
||||||
|
:KUBE-PROXY-FIREWALL - [0:0]
|
||||||
-A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
|
-A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
|
||||||
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT
|
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT
|
||||||
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding conntrack rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding conntrack rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
||||||
@ -2979,6 +2975,7 @@ func TestNodePortReject(t *testing.T) {
|
|||||||
:KUBE-SERVICES - [0:0]
|
:KUBE-SERVICES - [0:0]
|
||||||
:KUBE-EXTERNAL-SERVICES - [0:0]
|
:KUBE-EXTERNAL-SERVICES - [0:0]
|
||||||
:KUBE-FORWARD - [0:0]
|
:KUBE-FORWARD - [0:0]
|
||||||
|
:KUBE-PROXY-FIREWALL - [0:0]
|
||||||
-A KUBE-SERVICES -m comment --comment "ns1/svc1:p80 has no endpoints" -m tcp -p tcp -d 172.30.0.41 --dport 80 -j REJECT
|
-A KUBE-SERVICES -m comment --comment "ns1/svc1:p80 has no endpoints" -m tcp -p tcp -d 172.30.0.41 --dport 80 -j REJECT
|
||||||
-A KUBE-EXTERNAL-SERVICES -m comment --comment "ns1/svc1:p80 has no endpoints" -m addrtype --dst-type LOCAL -m tcp -p tcp --dport 3001 -j REJECT
|
-A KUBE-EXTERNAL-SERVICES -m comment --comment "ns1/svc1:p80 has no endpoints" -m addrtype --dst-type LOCAL -m tcp -p tcp --dport 3001 -j REJECT
|
||||||
-A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
|
-A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
|
||||||
@ -3068,6 +3065,7 @@ func TestLoadBalancerReject(t *testing.T) {
|
|||||||
:KUBE-SERVICES - [0:0]
|
:KUBE-SERVICES - [0:0]
|
||||||
:KUBE-EXTERNAL-SERVICES - [0:0]
|
:KUBE-EXTERNAL-SERVICES - [0:0]
|
||||||
:KUBE-FORWARD - [0:0]
|
:KUBE-FORWARD - [0:0]
|
||||||
|
:KUBE-PROXY-FIREWALL - [0:0]
|
||||||
-A KUBE-NODEPORTS -m comment --comment "ns1/svc1:p80 health check node port" -m tcp -p tcp --dport 30000 -j ACCEPT
|
-A KUBE-NODEPORTS -m comment --comment "ns1/svc1:p80 health check node port" -m tcp -p tcp --dport 30000 -j ACCEPT
|
||||||
-A KUBE-SERVICES -m comment --comment "ns1/svc1:p80 has no endpoints" -m tcp -p tcp -d 172.30.0.41 --dport 80 -j REJECT
|
-A KUBE-SERVICES -m comment --comment "ns1/svc1:p80 has no endpoints" -m tcp -p tcp -d 172.30.0.41 --dport 80 -j REJECT
|
||||||
-A KUBE-EXTERNAL-SERVICES -m comment --comment "ns1/svc1:p80 has no endpoints" -m tcp -p tcp -d 1.2.3.4 --dport 80 -j REJECT
|
-A KUBE-EXTERNAL-SERVICES -m comment --comment "ns1/svc1:p80 has no endpoints" -m tcp -p tcp -d 1.2.3.4 --dport 80 -j REJECT
|
||||||
@ -3180,6 +3178,7 @@ func TestOnlyLocalLoadBalancing(t *testing.T) {
|
|||||||
:KUBE-SERVICES - [0:0]
|
:KUBE-SERVICES - [0:0]
|
||||||
:KUBE-EXTERNAL-SERVICES - [0:0]
|
:KUBE-EXTERNAL-SERVICES - [0:0]
|
||||||
:KUBE-FORWARD - [0:0]
|
:KUBE-FORWARD - [0:0]
|
||||||
|
:KUBE-PROXY-FIREWALL - [0:0]
|
||||||
-A KUBE-NODEPORTS -m comment --comment "ns1/svc1:p80 health check node port" -m tcp -p tcp --dport 30000 -j ACCEPT
|
-A KUBE-NODEPORTS -m comment --comment "ns1/svc1:p80 health check node port" -m tcp -p tcp --dport 30000 -j ACCEPT
|
||||||
-A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
|
-A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
|
||||||
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT
|
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT
|
||||||
@ -3262,6 +3261,7 @@ func TestOnlyLocalNodePortsNoClusterCIDR(t *testing.T) {
|
|||||||
:KUBE-SERVICES - [0:0]
|
:KUBE-SERVICES - [0:0]
|
||||||
:KUBE-EXTERNAL-SERVICES - [0:0]
|
:KUBE-EXTERNAL-SERVICES - [0:0]
|
||||||
:KUBE-FORWARD - [0:0]
|
:KUBE-FORWARD - [0:0]
|
||||||
|
:KUBE-PROXY-FIREWALL - [0:0]
|
||||||
-A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
|
-A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
|
||||||
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT
|
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT
|
||||||
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding conntrack rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding conntrack rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
||||||
@ -3309,6 +3309,7 @@ func TestOnlyLocalNodePorts(t *testing.T) {
|
|||||||
:KUBE-SERVICES - [0:0]
|
:KUBE-SERVICES - [0:0]
|
||||||
:KUBE-EXTERNAL-SERVICES - [0:0]
|
:KUBE-EXTERNAL-SERVICES - [0:0]
|
||||||
:KUBE-FORWARD - [0:0]
|
:KUBE-FORWARD - [0:0]
|
||||||
|
:KUBE-PROXY-FIREWALL - [0:0]
|
||||||
-A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
|
-A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
|
||||||
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT
|
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT
|
||||||
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding conntrack rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding conntrack rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
||||||
@ -4657,6 +4658,7 @@ func TestEndpointSliceE2E(t *testing.T) {
|
|||||||
:KUBE-SERVICES - [0:0]
|
:KUBE-SERVICES - [0:0]
|
||||||
:KUBE-EXTERNAL-SERVICES - [0:0]
|
:KUBE-EXTERNAL-SERVICES - [0:0]
|
||||||
:KUBE-FORWARD - [0:0]
|
:KUBE-FORWARD - [0:0]
|
||||||
|
:KUBE-PROXY-FIREWALL - [0:0]
|
||||||
-A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
|
-A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
|
||||||
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT
|
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT
|
||||||
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding conntrack rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding conntrack rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
||||||
@ -5106,6 +5108,7 @@ func TestInternalTrafficPolicyE2E(t *testing.T) {
|
|||||||
:KUBE-SERVICES - [0:0]
|
:KUBE-SERVICES - [0:0]
|
||||||
:KUBE-EXTERNAL-SERVICES - [0:0]
|
:KUBE-EXTERNAL-SERVICES - [0:0]
|
||||||
:KUBE-FORWARD - [0:0]
|
:KUBE-FORWARD - [0:0]
|
||||||
|
:KUBE-PROXY-FIREWALL - [0:0]
|
||||||
-A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
|
-A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
|
||||||
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT
|
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT
|
||||||
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding conntrack rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding conntrack rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
||||||
@ -5188,6 +5191,7 @@ func TestInternalTrafficPolicyE2E(t *testing.T) {
|
|||||||
:KUBE-SERVICES - [0:0]
|
:KUBE-SERVICES - [0:0]
|
||||||
:KUBE-EXTERNAL-SERVICES - [0:0]
|
:KUBE-EXTERNAL-SERVICES - [0:0]
|
||||||
:KUBE-FORWARD - [0:0]
|
:KUBE-FORWARD - [0:0]
|
||||||
|
:KUBE-PROXY-FIREWALL - [0:0]
|
||||||
-A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
|
-A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
|
||||||
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT
|
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT
|
||||||
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding conntrack rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding conntrack rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
||||||
@ -5239,6 +5243,7 @@ func TestInternalTrafficPolicyE2E(t *testing.T) {
|
|||||||
:KUBE-SERVICES - [0:0]
|
:KUBE-SERVICES - [0:0]
|
||||||
:KUBE-EXTERNAL-SERVICES - [0:0]
|
:KUBE-EXTERNAL-SERVICES - [0:0]
|
||||||
:KUBE-FORWARD - [0:0]
|
:KUBE-FORWARD - [0:0]
|
||||||
|
:KUBE-PROXY-FIREWALL - [0:0]
|
||||||
-A KUBE-SERVICES -m comment --comment "ns1/svc1 has no local endpoints" -m tcp -p tcp -d 172.30.1.1 --dport 80 -j DROP
|
-A KUBE-SERVICES -m comment --comment "ns1/svc1 has no local endpoints" -m tcp -p tcp -d 172.30.1.1 --dport 80 -j DROP
|
||||||
-A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
|
-A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
|
||||||
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT
|
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT
|
||||||
@ -5482,6 +5487,7 @@ func TestEndpointSliceWithTerminatingEndpointsTrafficPolicyLocal(t *testing.T) {
|
|||||||
:KUBE-SERVICES - [0:0]
|
:KUBE-SERVICES - [0:0]
|
||||||
:KUBE-EXTERNAL-SERVICES - [0:0]
|
:KUBE-EXTERNAL-SERVICES - [0:0]
|
||||||
:KUBE-FORWARD - [0:0]
|
:KUBE-FORWARD - [0:0]
|
||||||
|
:KUBE-PROXY-FIREWALL - [0:0]
|
||||||
-A KUBE-NODEPORTS -m comment --comment "ns1/svc1 health check node port" -m tcp -p tcp --dport 30000 -j ACCEPT
|
-A KUBE-NODEPORTS -m comment --comment "ns1/svc1 health check node port" -m tcp -p tcp --dport 30000 -j ACCEPT
|
||||||
-A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
|
-A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
|
||||||
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT
|
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT
|
||||||
@ -5620,6 +5626,7 @@ func TestEndpointSliceWithTerminatingEndpointsTrafficPolicyLocal(t *testing.T) {
|
|||||||
:KUBE-SERVICES - [0:0]
|
:KUBE-SERVICES - [0:0]
|
||||||
:KUBE-EXTERNAL-SERVICES - [0:0]
|
:KUBE-EXTERNAL-SERVICES - [0:0]
|
||||||
:KUBE-FORWARD - [0:0]
|
:KUBE-FORWARD - [0:0]
|
||||||
|
:KUBE-PROXY-FIREWALL - [0:0]
|
||||||
-A KUBE-NODEPORTS -m comment --comment "ns1/svc1 health check node port" -m tcp -p tcp --dport 30000 -j ACCEPT
|
-A KUBE-NODEPORTS -m comment --comment "ns1/svc1 health check node port" -m tcp -p tcp --dport 30000 -j ACCEPT
|
||||||
-A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
|
-A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
|
||||||
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT
|
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT
|
||||||
@ -5750,6 +5757,7 @@ func TestEndpointSliceWithTerminatingEndpointsTrafficPolicyLocal(t *testing.T) {
|
|||||||
:KUBE-SERVICES - [0:0]
|
:KUBE-SERVICES - [0:0]
|
||||||
:KUBE-EXTERNAL-SERVICES - [0:0]
|
:KUBE-EXTERNAL-SERVICES - [0:0]
|
||||||
:KUBE-FORWARD - [0:0]
|
:KUBE-FORWARD - [0:0]
|
||||||
|
:KUBE-PROXY-FIREWALL - [0:0]
|
||||||
-A KUBE-NODEPORTS -m comment --comment "ns1/svc1 health check node port" -m tcp -p tcp --dport 30000 -j ACCEPT
|
-A KUBE-NODEPORTS -m comment --comment "ns1/svc1 health check node port" -m tcp -p tcp --dport 30000 -j ACCEPT
|
||||||
-A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
|
-A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
|
||||||
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT
|
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT
|
||||||
@ -5881,6 +5889,7 @@ func TestEndpointSliceWithTerminatingEndpointsTrafficPolicyLocal(t *testing.T) {
|
|||||||
:KUBE-SERVICES - [0:0]
|
:KUBE-SERVICES - [0:0]
|
||||||
:KUBE-EXTERNAL-SERVICES - [0:0]
|
:KUBE-EXTERNAL-SERVICES - [0:0]
|
||||||
:KUBE-FORWARD - [0:0]
|
:KUBE-FORWARD - [0:0]
|
||||||
|
:KUBE-PROXY-FIREWALL - [0:0]
|
||||||
-A KUBE-NODEPORTS -m comment --comment "ns1/svc1 health check node port" -m tcp -p tcp --dport 30000 -j ACCEPT
|
-A KUBE-NODEPORTS -m comment --comment "ns1/svc1 health check node port" -m tcp -p tcp --dport 30000 -j ACCEPT
|
||||||
-A KUBE-EXTERNAL-SERVICES -m comment --comment "ns1/svc1 has no local endpoints" -m tcp -p tcp -d 1.2.3.4 --dport 80 -j DROP
|
-A KUBE-EXTERNAL-SERVICES -m comment --comment "ns1/svc1 has no local endpoints" -m tcp -p tcp -d 1.2.3.4 --dport 80 -j DROP
|
||||||
-A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
|
-A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
|
||||||
@ -5966,6 +5975,7 @@ func TestEndpointSliceWithTerminatingEndpointsTrafficPolicyLocal(t *testing.T) {
|
|||||||
:KUBE-SERVICES - [0:0]
|
:KUBE-SERVICES - [0:0]
|
||||||
:KUBE-EXTERNAL-SERVICES - [0:0]
|
:KUBE-EXTERNAL-SERVICES - [0:0]
|
||||||
:KUBE-FORWARD - [0:0]
|
:KUBE-FORWARD - [0:0]
|
||||||
|
:KUBE-PROXY-FIREWALL - [0:0]
|
||||||
-A KUBE-NODEPORTS -m comment --comment "ns1/svc1 health check node port" -m tcp -p tcp --dport 30000 -j ACCEPT
|
-A KUBE-NODEPORTS -m comment --comment "ns1/svc1 health check node port" -m tcp -p tcp --dport 30000 -j ACCEPT
|
||||||
-A KUBE-EXTERNAL-SERVICES -m comment --comment "ns1/svc1 has no local endpoints" -m tcp -p tcp -d 1.2.3.4 --dport 80 -j DROP
|
-A KUBE-EXTERNAL-SERVICES -m comment --comment "ns1/svc1 has no local endpoints" -m tcp -p tcp -d 1.2.3.4 --dport 80 -j DROP
|
||||||
-A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
|
-A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
|
||||||
@ -6060,6 +6070,7 @@ func TestEndpointSliceWithTerminatingEndpointsTrafficPolicyLocal(t *testing.T) {
|
|||||||
:KUBE-SERVICES - [0:0]
|
:KUBE-SERVICES - [0:0]
|
||||||
:KUBE-EXTERNAL-SERVICES - [0:0]
|
:KUBE-EXTERNAL-SERVICES - [0:0]
|
||||||
:KUBE-FORWARD - [0:0]
|
:KUBE-FORWARD - [0:0]
|
||||||
|
:KUBE-PROXY-FIREWALL - [0:0]
|
||||||
-A KUBE-NODEPORTS -m comment --comment "ns1/svc1 health check node port" -m tcp -p tcp --dport 30000 -j ACCEPT
|
-A KUBE-NODEPORTS -m comment --comment "ns1/svc1 health check node port" -m tcp -p tcp --dport 30000 -j ACCEPT
|
||||||
-A KUBE-SERVICES -m comment --comment "ns1/svc1 has no endpoints" -m tcp -p tcp -d 172.30.1.1 --dport 80 -j REJECT
|
-A KUBE-SERVICES -m comment --comment "ns1/svc1 has no endpoints" -m tcp -p tcp -d 172.30.1.1 --dport 80 -j REJECT
|
||||||
-A KUBE-EXTERNAL-SERVICES -m comment --comment "ns1/svc1 has no endpoints" -m tcp -p tcp -d 1.2.3.4 --dport 80 -j REJECT
|
-A KUBE-EXTERNAL-SERVICES -m comment --comment "ns1/svc1 has no endpoints" -m tcp -p tcp -d 1.2.3.4 --dport 80 -j REJECT
|
||||||
@ -6260,6 +6271,7 @@ func TestEndpointSliceWithTerminatingEndpointsTrafficPolicyCluster(t *testing.T)
|
|||||||
:KUBE-SERVICES - [0:0]
|
:KUBE-SERVICES - [0:0]
|
||||||
:KUBE-EXTERNAL-SERVICES - [0:0]
|
:KUBE-EXTERNAL-SERVICES - [0:0]
|
||||||
:KUBE-FORWARD - [0:0]
|
:KUBE-FORWARD - [0:0]
|
||||||
|
:KUBE-PROXY-FIREWALL - [0:0]
|
||||||
-A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
|
-A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
|
||||||
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT
|
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT
|
||||||
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding conntrack rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding conntrack rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
||||||
@ -6389,6 +6401,7 @@ func TestEndpointSliceWithTerminatingEndpointsTrafficPolicyCluster(t *testing.T)
|
|||||||
:KUBE-SERVICES - [0:0]
|
:KUBE-SERVICES - [0:0]
|
||||||
:KUBE-EXTERNAL-SERVICES - [0:0]
|
:KUBE-EXTERNAL-SERVICES - [0:0]
|
||||||
:KUBE-FORWARD - [0:0]
|
:KUBE-FORWARD - [0:0]
|
||||||
|
:KUBE-PROXY-FIREWALL - [0:0]
|
||||||
-A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
|
-A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
|
||||||
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT
|
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT
|
||||||
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding conntrack rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding conntrack rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
||||||
@ -6511,6 +6524,7 @@ func TestEndpointSliceWithTerminatingEndpointsTrafficPolicyCluster(t *testing.T)
|
|||||||
:KUBE-SERVICES - [0:0]
|
:KUBE-SERVICES - [0:0]
|
||||||
:KUBE-EXTERNAL-SERVICES - [0:0]
|
:KUBE-EXTERNAL-SERVICES - [0:0]
|
||||||
:KUBE-FORWARD - [0:0]
|
:KUBE-FORWARD - [0:0]
|
||||||
|
:KUBE-PROXY-FIREWALL - [0:0]
|
||||||
-A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
|
-A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
|
||||||
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT
|
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT
|
||||||
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding conntrack rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding conntrack rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
||||||
@ -6639,6 +6653,7 @@ func TestEndpointSliceWithTerminatingEndpointsTrafficPolicyCluster(t *testing.T)
|
|||||||
:KUBE-SERVICES - [0:0]
|
:KUBE-SERVICES - [0:0]
|
||||||
:KUBE-EXTERNAL-SERVICES - [0:0]
|
:KUBE-EXTERNAL-SERVICES - [0:0]
|
||||||
:KUBE-FORWARD - [0:0]
|
:KUBE-FORWARD - [0:0]
|
||||||
|
:KUBE-PROXY-FIREWALL - [0:0]
|
||||||
-A KUBE-SERVICES -m comment --comment "ns1/svc1 has no endpoints" -m tcp -p tcp -d 172.30.1.1 --dport 80 -j REJECT
|
-A KUBE-SERVICES -m comment --comment "ns1/svc1 has no endpoints" -m tcp -p tcp -d 172.30.1.1 --dport 80 -j REJECT
|
||||||
-A KUBE-EXTERNAL-SERVICES -m comment --comment "ns1/svc1 has no endpoints" -m tcp -p tcp -d 1.2.3.4 --dport 80 -j REJECT
|
-A KUBE-EXTERNAL-SERVICES -m comment --comment "ns1/svc1 has no endpoints" -m tcp -p tcp -d 1.2.3.4 --dport 80 -j REJECT
|
||||||
-A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
|
-A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
|
||||||
@ -6708,6 +6723,7 @@ func TestEndpointSliceWithTerminatingEndpointsTrafficPolicyCluster(t *testing.T)
|
|||||||
:KUBE-SERVICES - [0:0]
|
:KUBE-SERVICES - [0:0]
|
||||||
:KUBE-EXTERNAL-SERVICES - [0:0]
|
:KUBE-EXTERNAL-SERVICES - [0:0]
|
||||||
:KUBE-FORWARD - [0:0]
|
:KUBE-FORWARD - [0:0]
|
||||||
|
:KUBE-PROXY-FIREWALL - [0:0]
|
||||||
-A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
|
-A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
|
||||||
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT
|
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT
|
||||||
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding conntrack rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding conntrack rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
||||||
@ -6801,6 +6817,7 @@ func TestEndpointSliceWithTerminatingEndpointsTrafficPolicyCluster(t *testing.T)
|
|||||||
:KUBE-SERVICES - [0:0]
|
:KUBE-SERVICES - [0:0]
|
||||||
:KUBE-EXTERNAL-SERVICES - [0:0]
|
:KUBE-EXTERNAL-SERVICES - [0:0]
|
||||||
:KUBE-FORWARD - [0:0]
|
:KUBE-FORWARD - [0:0]
|
||||||
|
:KUBE-PROXY-FIREWALL - [0:0]
|
||||||
-A KUBE-SERVICES -m comment --comment "ns1/svc1 has no endpoints" -m tcp -p tcp -d 172.30.1.1 --dport 80 -j REJECT
|
-A KUBE-SERVICES -m comment --comment "ns1/svc1 has no endpoints" -m tcp -p tcp -d 172.30.1.1 --dport 80 -j REJECT
|
||||||
-A KUBE-EXTERNAL-SERVICES -m comment --comment "ns1/svc1 has no endpoints" -m tcp -p tcp -d 1.2.3.4 --dport 80 -j REJECT
|
-A KUBE-EXTERNAL-SERVICES -m comment --comment "ns1/svc1 has no endpoints" -m tcp -p tcp -d 1.2.3.4 --dport 80 -j REJECT
|
||||||
-A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
|
-A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
|
||||||
@ -7696,6 +7713,7 @@ func TestSyncProxyRulesRepeated(t *testing.T) {
|
|||||||
:KUBE-SERVICES - [0:0]
|
:KUBE-SERVICES - [0:0]
|
||||||
:KUBE-EXTERNAL-SERVICES - [0:0]
|
:KUBE-EXTERNAL-SERVICES - [0:0]
|
||||||
:KUBE-FORWARD - [0:0]
|
:KUBE-FORWARD - [0:0]
|
||||||
|
:KUBE-PROXY-FIREWALL - [0:0]
|
||||||
-A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
|
-A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
|
||||||
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT
|
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT
|
||||||
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding conntrack rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding conntrack rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
||||||
@ -7763,6 +7781,7 @@ func TestSyncProxyRulesRepeated(t *testing.T) {
|
|||||||
:KUBE-SERVICES - [0:0]
|
:KUBE-SERVICES - [0:0]
|
||||||
:KUBE-EXTERNAL-SERVICES - [0:0]
|
:KUBE-EXTERNAL-SERVICES - [0:0]
|
||||||
:KUBE-FORWARD - [0:0]
|
:KUBE-FORWARD - [0:0]
|
||||||
|
:KUBE-PROXY-FIREWALL - [0:0]
|
||||||
-A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
|
-A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
|
||||||
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT
|
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT
|
||||||
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding conntrack rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding conntrack rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
||||||
@ -7812,6 +7831,7 @@ func TestSyncProxyRulesRepeated(t *testing.T) {
|
|||||||
:KUBE-SERVICES - [0:0]
|
:KUBE-SERVICES - [0:0]
|
||||||
:KUBE-EXTERNAL-SERVICES - [0:0]
|
:KUBE-EXTERNAL-SERVICES - [0:0]
|
||||||
:KUBE-FORWARD - [0:0]
|
:KUBE-FORWARD - [0:0]
|
||||||
|
:KUBE-PROXY-FIREWALL - [0:0]
|
||||||
-A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
|
-A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
|
||||||
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT
|
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT
|
||||||
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding conntrack rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding conntrack rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
||||||
@ -7867,6 +7887,7 @@ func TestSyncProxyRulesRepeated(t *testing.T) {
|
|||||||
:KUBE-SERVICES - [0:0]
|
:KUBE-SERVICES - [0:0]
|
||||||
:KUBE-EXTERNAL-SERVICES - [0:0]
|
:KUBE-EXTERNAL-SERVICES - [0:0]
|
||||||
:KUBE-FORWARD - [0:0]
|
:KUBE-FORWARD - [0:0]
|
||||||
|
:KUBE-PROXY-FIREWALL - [0:0]
|
||||||
-A KUBE-SERVICES -m comment --comment "ns4/svc4:p80 has no endpoints" -m tcp -p tcp -d 172.30.0.44 --dport 80 -j REJECT
|
-A KUBE-SERVICES -m comment --comment "ns4/svc4:p80 has no endpoints" -m tcp -p tcp -d 172.30.0.44 --dport 80 -j REJECT
|
||||||
-A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
|
-A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
|
||||||
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT
|
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT
|
||||||
@ -7920,6 +7941,7 @@ func TestSyncProxyRulesRepeated(t *testing.T) {
|
|||||||
:KUBE-SERVICES - [0:0]
|
:KUBE-SERVICES - [0:0]
|
||||||
:KUBE-EXTERNAL-SERVICES - [0:0]
|
:KUBE-EXTERNAL-SERVICES - [0:0]
|
||||||
:KUBE-FORWARD - [0:0]
|
:KUBE-FORWARD - [0:0]
|
||||||
|
:KUBE-PROXY-FIREWALL - [0:0]
|
||||||
-A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
|
-A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
|
||||||
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT
|
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT
|
||||||
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding conntrack rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding conntrack rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
||||||
@ -7971,6 +7993,7 @@ func TestSyncProxyRulesRepeated(t *testing.T) {
|
|||||||
:KUBE-SERVICES - [0:0]
|
:KUBE-SERVICES - [0:0]
|
||||||
:KUBE-EXTERNAL-SERVICES - [0:0]
|
:KUBE-EXTERNAL-SERVICES - [0:0]
|
||||||
:KUBE-FORWARD - [0:0]
|
:KUBE-FORWARD - [0:0]
|
||||||
|
:KUBE-PROXY-FIREWALL - [0:0]
|
||||||
-A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
|
-A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
|
||||||
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT
|
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT
|
||||||
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding conntrack rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding conntrack rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
||||||
@ -8024,6 +8047,7 @@ func TestSyncProxyRulesRepeated(t *testing.T) {
|
|||||||
:KUBE-SERVICES - [0:0]
|
:KUBE-SERVICES - [0:0]
|
||||||
:KUBE-EXTERNAL-SERVICES - [0:0]
|
:KUBE-EXTERNAL-SERVICES - [0:0]
|
||||||
:KUBE-FORWARD - [0:0]
|
:KUBE-FORWARD - [0:0]
|
||||||
|
:KUBE-PROXY-FIREWALL - [0:0]
|
||||||
-A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
|
-A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
|
||||||
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT
|
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT
|
||||||
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding conntrack rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding conntrack rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
||||||
@ -8076,6 +8100,7 @@ func TestSyncProxyRulesRepeated(t *testing.T) {
|
|||||||
:KUBE-SERVICES - [0:0]
|
:KUBE-SERVICES - [0:0]
|
||||||
:KUBE-EXTERNAL-SERVICES - [0:0]
|
:KUBE-EXTERNAL-SERVICES - [0:0]
|
||||||
:KUBE-FORWARD - [0:0]
|
:KUBE-FORWARD - [0:0]
|
||||||
|
:KUBE-PROXY-FIREWALL - [0:0]
|
||||||
-A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
|
-A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
|
||||||
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT
|
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT
|
||||||
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding conntrack rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding conntrack rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
||||||
|