github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-08-09 12:07:47 +00:00
Code Issues Projects Releases Wiki Activity

append KUBE-HOSTPORTS to system chains instead of prepend

Browse Source
This commit is contained in:
Minhan Xia 2017-06-15 12:06:46 -07:00
parent 695d438508
commit e6add2072b
1 changed files with 4 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
pkg/kubelet/network/hostport/hostport.go
View File

@ -184,7 +184,10 @@ func ensureKubeHostportChains(iptables utiliptables.Interface, natInterfaceName
"-m", "addrtype", "--dst-type", "LOCAL", "-m", "addrtype", "--dst-type", "LOCAL",
"-j", string(kubeHostportsChain)} "-j", string(kubeHostportsChain)}
for _, tc := range tableChainsNeedJumpServices { for _, tc := range tableChainsNeedJumpServices {
if _, err := iptables.EnsureRule(utiliptables.Prepend, tc.table, tc.chain, args...); err != nil { // KUBE-HOSTPORTS chain needs to be appended to the system chains.
// This ensures KUBE-SERVICES chain gets processed first.
// Since rules in KUBE-HOSTPORTS chain matches broader cases, allow the more specific rules to be processed first.
if _, err := iptables.EnsureRule(utiliptables.Append, tc.table, tc.chain, args...); err != nil {
return fmt.Errorf("Failed to ensure that %s chain %s jumps to %s: %v", tc.table, tc.chain, kubeHostportsChain, err) return fmt.Errorf("Failed to ensure that %s chain %s jumps to %s: %v", tc.table, tc.chain, kubeHostportsChain, err)
} }
} }