Merge pull request #90031 from thockin/proxy-cleanup

kube-proxy: Startup and updates logging

cmd/kube-proxy/app/server_others.go

@@ -91,10 +91,10 @@ func newProxyServer(
 		return nil, fmt.Errorf("unable to register configz: %s", err)
 	}
 
-	protocol := utiliptables.ProtocolIpv4
+	protocol := utiliptables.ProtocolIPv4
 	if net.ParseIP(config.BindAddress).To4() == nil {
 		klog.V(0).Infof("IPv6 bind address (%s), assume IPv6 operation", config.BindAddress)
-		protocol = utiliptables.ProtocolIpv6
+		protocol = utiliptables.ProtocolIPv6
 	}
 
 	var iptInterface utiliptables.Interface
@@ -199,12 +199,12 @@ func newProxyServer(
 			// Create iptables handlers for both families, one is already created
 			// Always ordered as IPv4, IPv6
 			var ipt [2]utiliptables.Interface
-			if iptInterface.IsIpv6() {
+			if iptInterface.IsIPv6() {
 				ipt[1] = iptInterface
-				ipt[0] = utiliptables.New(execer, utiliptables.ProtocolIpv4)
+				ipt[0] = utiliptables.New(execer, utiliptables.ProtocolIPv4)
 			} else {
 				ipt[0] = iptInterface
-				ipt[1] = utiliptables.New(execer, utiliptables.ProtocolIpv6)
+				ipt[1] = utiliptables.New(execer, utiliptables.ProtocolIPv6)
 			}
 
 			// Always ordered to match []ipt
@@ -267,12 +267,12 @@ func newProxyServer(
 			// Create iptables handlers for both families, one is already created
 			// Always ordered as IPv4, IPv6
 			var ipt [2]utiliptables.Interface
-			if iptInterface.IsIpv6() {
+			if iptInterface.IsIPv6() {
 				ipt[1] = iptInterface
-				ipt[0] = utiliptables.New(execer, utiliptables.ProtocolIpv4)
+				ipt[0] = utiliptables.New(execer, utiliptables.ProtocolIPv4)
 			} else {
 				ipt[0] = iptInterface
-				ipt[1] = utiliptables.New(execer, utiliptables.ProtocolIpv6)
+				ipt[1] = utiliptables.New(execer, utiliptables.ProtocolIPv6)
 			}
 
 			nodeIPs := nodeIPTuple(config.BindAddress)

cmd/kube-proxy/app/server_others_test.go

@@ -214,8 +214,8 @@ func Test_getLocalDetector(t *testing.T) {
 		{
 			mode:        proxyconfigapi.LocalModeClusterCIDR,
 			config:      &proxyconfigapi.KubeProxyConfiguration{ClusterCIDR: "2002::1234:abcd:ffff:c0a8:101/64"},
-			ipt:         utiliptablestest.NewIpv6Fake(),
+			ipt:         utiliptablestest.NewIPv6Fake(),
-			expected:    resolveLocalDetector(t)(proxyutiliptables.NewDetectLocalByCIDR("2002::1234:abcd:ffff:c0a8:101/64", utiliptablestest.NewIpv6Fake())),
+			expected:    resolveLocalDetector(t)(proxyutiliptables.NewDetectLocalByCIDR("2002::1234:abcd:ffff:c0a8:101/64", utiliptablestest.NewIPv6Fake())),
 			errExpected: false,
 		},
 		{
@@ -228,14 +228,14 @@ func Test_getLocalDetector(t *testing.T) {
 		{
 			mode:        proxyconfigapi.LocalModeClusterCIDR,
 			config:      &proxyconfigapi.KubeProxyConfiguration{ClusterCIDR: "2002::1234:abcd:ffff:c0a8:101"},
-			ipt:         utiliptablestest.NewIpv6Fake(),
+			ipt:         utiliptablestest.NewIPv6Fake(),
 			expected:    nil,
 			errExpected: true,
 		},
 		{
 			mode:        proxyconfigapi.LocalModeClusterCIDR,
 			config:      &proxyconfigapi.KubeProxyConfiguration{ClusterCIDR: "10.0.0.0/14"},
-			ipt:         utiliptablestest.NewIpv6Fake(),
+			ipt:         utiliptablestest.NewIPv6Fake(),
 			expected:    nil,
 			errExpected: true,
 		},
@@ -265,8 +265,8 @@ func Test_getLocalDetector(t *testing.T) {
 		{
 			mode:        proxyconfigapi.LocalModeNodeCIDR,
 			config:      &proxyconfigapi.KubeProxyConfiguration{ClusterCIDR: "2002::1234:abcd:ffff:c0a8:101/64"},
-			ipt:         utiliptablestest.NewIpv6Fake(),
+			ipt:         utiliptablestest.NewIPv6Fake(),
-			expected:    resolveLocalDetector(t)(proxyutiliptables.NewDetectLocalByCIDR("2002::1234:abcd:ffff:c0a8:101/96", utiliptablestest.NewIpv6Fake())),
+			expected:    resolveLocalDetector(t)(proxyutiliptables.NewDetectLocalByCIDR("2002::1234:abcd:ffff:c0a8:101/96", utiliptablestest.NewIPv6Fake())),
 			nodeInfo:    makeNodeWithPodCIDRs("2002::1234:abcd:ffff:c0a8:101/96"),
 			errExpected: false,
 		},
@@ -281,7 +281,7 @@ func Test_getLocalDetector(t *testing.T) {
 		{
 			mode:        proxyconfigapi.LocalModeNodeCIDR,
 			config:      &proxyconfigapi.KubeProxyConfiguration{ClusterCIDR: "2002::1234:abcd:ffff:c0a8:101"},
-			ipt:         utiliptablestest.NewIpv6Fake(),
+			ipt:         utiliptablestest.NewIPv6Fake(),
 			expected:    nil,
 			nodeInfo:    makeNodeWithPodCIDRs("2002::1234:abcd:ffff:c0a8:101"),
 			errExpected: true,
@@ -289,7 +289,7 @@ func Test_getLocalDetector(t *testing.T) {
 		{
 			mode:        proxyconfigapi.LocalModeNodeCIDR,
 			config:      &proxyconfigapi.KubeProxyConfiguration{ClusterCIDR: "10.0.0.0/14"},
-			ipt:         utiliptablestest.NewIpv6Fake(),
+			ipt:         utiliptablestest.NewIPv6Fake(),
 			expected:    nil,
 			nodeInfo:    makeNodeWithPodCIDRs("10.0.0.0/24"),
 			errExpected: true,
@@ -350,25 +350,25 @@ func Test_getDualStackLocalDetectorTuple(t *testing.T) {
 		{
 			mode:   proxyconfigapi.LocalModeClusterCIDR,
 			config: &proxyconfigapi.KubeProxyConfiguration{ClusterCIDR: "10.0.0.0/14,2002::1234:abcd:ffff:c0a8:101/64"},
-			ipt:    [2]utiliptables.Interface{utiliptablestest.NewFake(), utiliptablestest.NewIpv6Fake()},
+			ipt:    [2]utiliptables.Interface{utiliptablestest.NewFake(), utiliptablestest.NewIPv6Fake()},
 			expected: resolveDualStackLocalDetectors(t)(
 				proxyutiliptables.NewDetectLocalByCIDR("10.0.0.0/14", utiliptablestest.NewFake()))(
-				proxyutiliptables.NewDetectLocalByCIDR("2002::1234:abcd:ffff:c0a8:101/64", utiliptablestest.NewIpv6Fake())),
+				proxyutiliptables.NewDetectLocalByCIDR("2002::1234:abcd:ffff:c0a8:101/64", utiliptablestest.NewIPv6Fake())),
 			errExpected: false,
 		},
 		{
 			mode:   proxyconfigapi.LocalModeClusterCIDR,
 			config: &proxyconfigapi.KubeProxyConfiguration{ClusterCIDR: "2002::1234:abcd:ffff:c0a8:101/64,10.0.0.0/14"},
-			ipt:    [2]utiliptables.Interface{utiliptablestest.NewFake(), utiliptablestest.NewIpv6Fake()},
+			ipt:    [2]utiliptables.Interface{utiliptablestest.NewFake(), utiliptablestest.NewIPv6Fake()},
 			expected: resolveDualStackLocalDetectors(t)(
 				proxyutiliptables.NewDetectLocalByCIDR("10.0.0.0/14", utiliptablestest.NewFake()))(
-				proxyutiliptables.NewDetectLocalByCIDR("2002::1234:abcd:ffff:c0a8:101/64", utiliptablestest.NewIpv6Fake())),
+				proxyutiliptables.NewDetectLocalByCIDR("2002::1234:abcd:ffff:c0a8:101/64", utiliptablestest.NewIPv6Fake())),
 			errExpected: false,
 		},
 		{
 			mode:   proxyconfigapi.LocalModeClusterCIDR,
 			config: &proxyconfigapi.KubeProxyConfiguration{ClusterCIDR: "10.0.0.0/14"},
-			ipt:    [2]utiliptables.Interface{utiliptablestest.NewFake(), utiliptablestest.NewIpv6Fake()},
+			ipt:    [2]utiliptables.Interface{utiliptablestest.NewFake(), utiliptablestest.NewIPv6Fake()},
 			expected: [2]proxyutiliptables.LocalTrafficDetector{
 				resolveLocalDetector(t)(proxyutiliptables.NewDetectLocalByCIDR("10.0.0.0/14", utiliptablestest.NewFake())),
 				proxyutiliptables.NewNoOpLocalDetector()},
@@ -377,16 +377,16 @@ func Test_getDualStackLocalDetectorTuple(t *testing.T) {
 		{
 			mode:   proxyconfigapi.LocalModeClusterCIDR,
 			config: &proxyconfigapi.KubeProxyConfiguration{ClusterCIDR: "2002::1234:abcd:ffff:c0a8:101/64"},
-			ipt:    [2]utiliptables.Interface{utiliptablestest.NewFake(), utiliptablestest.NewIpv6Fake()},
+			ipt:    [2]utiliptables.Interface{utiliptablestest.NewFake(), utiliptablestest.NewIPv6Fake()},
 			expected: [2]proxyutiliptables.LocalTrafficDetector{
 				proxyutiliptables.NewNoOpLocalDetector(),
-				resolveLocalDetector(t)(proxyutiliptables.NewDetectLocalByCIDR("2002::1234:abcd:ffff:c0a8:101/64", utiliptablestest.NewIpv6Fake()))},
+				resolveLocalDetector(t)(proxyutiliptables.NewDetectLocalByCIDR("2002::1234:abcd:ffff:c0a8:101/64", utiliptablestest.NewIPv6Fake()))},
 			errExpected: false,
 		},
 		{
 			mode:        proxyconfigapi.LocalModeClusterCIDR,
 			config:      &proxyconfigapi.KubeProxyConfiguration{ClusterCIDR: ""},
-			ipt:         [2]utiliptables.Interface{utiliptablestest.NewFake(), utiliptablestest.NewIpv6Fake()},
+			ipt:         [2]utiliptables.Interface{utiliptablestest.NewFake(), utiliptablestest.NewIPv6Fake()},
 			expected:    [2]proxyutiliptables.LocalTrafficDetector{proxyutiliptables.NewNoOpLocalDetector(), proxyutiliptables.NewNoOpLocalDetector()},
 			errExpected: false,
 		},
@@ -394,27 +394,27 @@ func Test_getDualStackLocalDetectorTuple(t *testing.T) {
 		{
 			mode:   proxyconfigapi.LocalModeNodeCIDR,
 			config: &proxyconfigapi.KubeProxyConfiguration{ClusterCIDR: "10.0.0.0/14,2002::1234:abcd:ffff:c0a8:101/64"},
-			ipt:    [2]utiliptables.Interface{utiliptablestest.NewFake(), utiliptablestest.NewIpv6Fake()},
+			ipt:    [2]utiliptables.Interface{utiliptablestest.NewFake(), utiliptablestest.NewIPv6Fake()},
 			expected: resolveDualStackLocalDetectors(t)(
 				proxyutiliptables.NewDetectLocalByCIDR("10.0.0.0/24", utiliptablestest.NewFake()))(
-				proxyutiliptables.NewDetectLocalByCIDR("2002::1234:abcd:ffff:c0a8:101/96", utiliptablestest.NewIpv6Fake())),
+				proxyutiliptables.NewDetectLocalByCIDR("2002::1234:abcd:ffff:c0a8:101/96", utiliptablestest.NewIPv6Fake())),
 			nodeInfo:    makeNodeWithPodCIDRs("10.0.0.0/24", "2002::1234:abcd:ffff:c0a8:101/96"),
 			errExpected: false,
 		},
 		{
 			mode:   proxyconfigapi.LocalModeNodeCIDR,
 			config: &proxyconfigapi.KubeProxyConfiguration{ClusterCIDR: "2002::1234:abcd:ffff:c0a8:101/64,10.0.0.0/14"},
-			ipt:    [2]utiliptables.Interface{utiliptablestest.NewFake(), utiliptablestest.NewIpv6Fake()},
+			ipt:    [2]utiliptables.Interface{utiliptablestest.NewFake(), utiliptablestest.NewIPv6Fake()},
 			expected: resolveDualStackLocalDetectors(t)(
 				proxyutiliptables.NewDetectLocalByCIDR("10.0.0.0/24", utiliptablestest.NewFake()))(
-				proxyutiliptables.NewDetectLocalByCIDR("2002::1234:abcd:ffff:c0a8:101/96", utiliptablestest.NewIpv6Fake())),
+				proxyutiliptables.NewDetectLocalByCIDR("2002::1234:abcd:ffff:c0a8:101/96", utiliptablestest.NewIPv6Fake())),
 			nodeInfo:    makeNodeWithPodCIDRs("2002::1234:abcd:ffff:c0a8:101/96", "10.0.0.0/24"),
 			errExpected: false,
 		},
 		{
 			mode:   proxyconfigapi.LocalModeNodeCIDR,
 			config: &proxyconfigapi.KubeProxyConfiguration{ClusterCIDR: "10.0.0.0/14"},
-			ipt:    [2]utiliptables.Interface{utiliptablestest.NewFake(), utiliptablestest.NewIpv6Fake()},
+			ipt:    [2]utiliptables.Interface{utiliptablestest.NewFake(), utiliptablestest.NewIPv6Fake()},
 			expected: [2]proxyutiliptables.LocalTrafficDetector{
 				resolveLocalDetector(t)(proxyutiliptables.NewDetectLocalByCIDR("10.0.0.0/24", utiliptablestest.NewFake())),
 				proxyutiliptables.NewNoOpLocalDetector()},
@@ -424,17 +424,17 @@ func Test_getDualStackLocalDetectorTuple(t *testing.T) {
 		{
 			mode:   proxyconfigapi.LocalModeNodeCIDR,
 			config: &proxyconfigapi.KubeProxyConfiguration{ClusterCIDR: "2002::1234:abcd:ffff:c0a8:101/64"},
-			ipt:    [2]utiliptables.Interface{utiliptablestest.NewFake(), utiliptablestest.NewIpv6Fake()},
+			ipt:    [2]utiliptables.Interface{utiliptablestest.NewFake(), utiliptablestest.NewIPv6Fake()},
 			expected: [2]proxyutiliptables.LocalTrafficDetector{
 				proxyutiliptables.NewNoOpLocalDetector(),
-				resolveLocalDetector(t)(proxyutiliptables.NewDetectLocalByCIDR("2002::1234:abcd:ffff:c0a8:101/96", utiliptablestest.NewIpv6Fake()))},
+				resolveLocalDetector(t)(proxyutiliptables.NewDetectLocalByCIDR("2002::1234:abcd:ffff:c0a8:101/96", utiliptablestest.NewIPv6Fake()))},
 			nodeInfo:    makeNodeWithPodCIDRs("2002::1234:abcd:ffff:c0a8:101/96"),
 			errExpected: false,
 		},
 		{
 			mode:        proxyconfigapi.LocalModeNodeCIDR,
 			config:      &proxyconfigapi.KubeProxyConfiguration{ClusterCIDR: ""},
-			ipt:         [2]utiliptables.Interface{utiliptablestest.NewFake(), utiliptablestest.NewIpv6Fake()},
+			ipt:         [2]utiliptables.Interface{utiliptablestest.NewFake(), utiliptablestest.NewIPv6Fake()},
 			expected:    [2]proxyutiliptables.LocalTrafficDetector{proxyutiliptables.NewNoOpLocalDetector(), proxyutiliptables.NewNoOpLocalDetector()},
 			nodeInfo:    makeNodeWithPodCIDRs(),
 			errExpected: false,
@@ -442,7 +442,7 @@ func Test_getDualStackLocalDetectorTuple(t *testing.T) {
 		{
 			mode:        proxyconfigapi.LocalModeNodeCIDR,
 			config:      &proxyconfigapi.KubeProxyConfiguration{ClusterCIDR: ""},
-			ipt:         [2]utiliptables.Interface{utiliptablestest.NewFake(), utiliptablestest.NewIpv6Fake()},
+			ipt:         [2]utiliptables.Interface{utiliptablestest.NewFake(), utiliptablestest.NewIPv6Fake()},
 			expected:    [2]proxyutiliptables.LocalTrafficDetector{proxyutiliptables.NewNoOpLocalDetector(), proxyutiliptables.NewNoOpLocalDetector()},
 			nodeInfo:    nil,
 			errExpected: false,
@@ -451,7 +451,7 @@ func Test_getDualStackLocalDetectorTuple(t *testing.T) {
 		{
 			mode:        proxyconfigapi.LocalMode("abcd"),
 			config:      &proxyconfigapi.KubeProxyConfiguration{ClusterCIDR: ""},
-			ipt:         [2]utiliptables.Interface{utiliptablestest.NewFake(), utiliptablestest.NewIpv6Fake()},
+			ipt:         [2]utiliptables.Interface{utiliptablestest.NewFake(), utiliptablestest.NewIPv6Fake()},
 			expected:    [2]proxyutiliptables.LocalTrafficDetector{proxyutiliptables.NewNoOpLocalDetector(), proxyutiliptables.NewNoOpLocalDetector()},
 			errExpected: false,
 		},

pkg/kubelet/dockershim/network/hostport/fake_iptables.go

@@ -40,7 +40,7 @@ type fakeTable struct {
 type fakeIPTables struct {
 	tables        map[string]*fakeTable
 	builtinChains map[string]sets.String
-	ipv6          bool
+	protocol      utiliptables.Protocol
 }
 
 func NewFakeIPTables() *fakeIPTables {
@@ -51,7 +51,7 @@ func NewFakeIPTables() *fakeIPTables {
 			string(utiliptables.TableNAT):    sets.NewString("PREROUTING", "INPUT", "OUTPUT", "POSTROUTING"),
 			string(utiliptables.TableMangle): sets.NewString("PREROUTING", "INPUT", "FORWARD", "OUTPUT", "POSTROUTING"),
 		},
-		ipv6: false,
+		protocol: utiliptables.ProtocolIPv4,
 	}
 }
 
@@ -223,8 +223,12 @@ func (f *fakeIPTables) DeleteRule(tableName utiliptables.Table, chainName utilip
 	return nil
 }
 
-func (f *fakeIPTables) IsIpv6() bool {
+func (f *fakeIPTables) IsIPv6() bool {
-	return f.ipv6
+	return f.protocol == utiliptables.ProtocolIPv6
+}
+
+func (f *fakeIPTables) Protocol() utiliptables.Protocol {
+	return f.protocol
 }
 
 func saveChain(chain *fakeChain, data *bytes.Buffer) {

pkg/kubelet/dockershim/network/hostport/hostport.go

@@ -137,7 +137,7 @@ func ensureKubeHostportChains(iptables utiliptables.Interface, natInterfaceName
 	if natInterfaceName != "" && natInterfaceName != "lo" {
 		// Need to SNAT traffic from localhost
 		localhost := "127.0.0.0/8"
-		if iptables.IsIpv6() {
+		if iptables.IsIPv6() {
 			localhost = "::1/128"
 		}
 		args = []string{"-m", "comment", "--comment", "SNAT for localhost access to hostports", "-o", natInterfaceName, "-s", localhost, "-j", "MASQUERADE"}

pkg/kubelet/dockershim/network/hostport/hostport_manager.go

@@ -88,10 +88,10 @@ func (hm *hostportManager) Add(id string, podPortMapping *PodPortMapping, natInt
 		return fmt.Errorf("invalid or missing IP of pod %s", podFullName)
 	}
 	podIP := podPortMapping.IP.String()
-	isIpv6 := utilnet.IsIPv6(podPortMapping.IP)
+	isIPv6 := utilnet.IsIPv6(podPortMapping.IP)
 
-	if isIpv6 != hm.iptables.IsIpv6() {
+	if isIPv6 != hm.iptables.IsIPv6() {
-		return fmt.Errorf("HostPortManager IP family mismatch: %v, isIPv6 - %v", podIP, isIpv6)
+		return fmt.Errorf("HostPortManager IP family mismatch: %v, isIPv6 - %v", podIP, isIPv6)
 	}
 
 	if err = ensureKubeHostportChains(hm.iptables, natInterfaceName); err != nil {
@@ -180,9 +180,9 @@ func (hm *hostportManager) Add(id string, podPortMapping *PodPortMapping, natInt
 	// create a new conntrack entry without any DNAT. That will result in blackhole of the traffic even after correct
 	// iptables rules have been added back.
 	if hm.execer != nil && hm.conntrackFound {
-		klog.Infof("Starting to delete udp conntrack entries: %v, isIPv6 - %v", conntrackPortsToRemove, isIpv6)
+		klog.Infof("Starting to delete udp conntrack entries: %v, isIPv6 - %v", conntrackPortsToRemove, isIPv6)
 		for _, port := range conntrackPortsToRemove {
-			err = conntrack.ClearEntriesForPort(hm.execer, port, isIpv6, v1.ProtocolUDP)
+			err = conntrack.ClearEntriesForPort(hm.execer, port, isIPv6, v1.ProtocolUDP)
 			if err != nil {
 				klog.Errorf("Failed to clear udp conntrack for port %d, error: %v", port, err)
 			}

pkg/kubelet/dockershim/network/hostport/hostport_manager_test.go

@@ -387,7 +387,7 @@ func TestGetHostportChain(t *testing.T) {
 
 func TestHostportManagerIPv6(t *testing.T) {
 	iptables := NewFakeIPTables()
-	iptables.ipv6 = true
+	iptables.protocol = utiliptables.ProtocolIPv6
 	portOpener := NewFakeSocketManager()
 	manager := &hostportManager{
 		hostPortMap: make(map[hostport]closeable),

pkg/kubelet/dockershim/network/hostport/hostport_syncer.go

@@ -199,7 +199,7 @@ func (h *hostportSyncer) SyncHostports(natInterfaceName string, activePodPortMap
 		klog.V(4).Infof("syncHostportsRules took %v", time.Since(start))
 	}()
 
-	hostportPodMap, err := gatherAllHostports(activePodPortMappings, h.iptables.IsIpv6())
+	hostportPodMap, err := gatherAllHostports(activePodPortMappings, h.iptables.IsIPv6())
 	if err != nil {
 		return err
 	}

pkg/kubelet/dockershim/network/hostport/hostport_syncer_test.go

@@ -244,7 +244,7 @@ func matchRule(chain *fakeChain, match string) bool {
 
 func TestOpenPodHostportsIPv6(t *testing.T) {
 	fakeIPTables := NewFakeIPTables()
-	fakeIPTables.ipv6 = true
+	fakeIPTables.protocol = utiliptables.ProtocolIPv6
 	fakeOpener := NewFakeSocketManager()
 
 	h := &hostportSyncer{

pkg/kubelet/dockershim/network/kubenet/kubenet_linux.go

@@ -122,8 +122,8 @@ type kubenetNetworkPlugin struct {
 
 func NewPlugin(networkPluginDirs []string, cacheDir string) network.NetworkPlugin {
 	execer := utilexec.New()
-	iptInterface := utiliptables.New(execer, utiliptables.ProtocolIpv4)
+	iptInterface := utiliptables.New(execer, utiliptables.ProtocolIPv4)
-	iptInterfacev6 := utiliptables.New(execer, utiliptables.ProtocolIpv6)
+	iptInterfacev6 := utiliptables.New(execer, utiliptables.ProtocolIPv6)
 	return &kubenetNetworkPlugin{
 		podIPs:            make(map[kubecontainer.ContainerID]utilsets.String),
 		execer:            utilexec.New(),

pkg/kubelet/kubelet.go

@@ -523,10 +523,10 @@ func NewMainKubelet(kubeCfg *kubeletconfiginternal.KubeletConfiguration,
 	}
 	httpClient := &http.Client{}
 	parsedNodeIP := net.ParseIP(nodeIP)
-	protocol := utilipt.ProtocolIpv4
+	protocol := utilipt.ProtocolIPv4
 	if utilnet.IsIPv6(parsedNodeIP) {
 		klog.V(0).Infof("IPv6 node IP (%s), assume IPv6 operation", nodeIP)
-		protocol = utilipt.ProtocolIpv6
+		protocol = utilipt.ProtocolIPv6
 	}
 
 	klet := &Kubelet{

pkg/proxy/endpoints.go

@@ -176,6 +176,10 @@ func (ect *EndpointChangeTracker) Update(previous, current *v1.Endpoints) bool {
 		// there will be no network programming for them and thus no network programming latency metric
 		// should be exported.
 		delete(ect.lastChangeTriggerTimes, namespacedName)
+	} else {
+		for spn, eps := range change.current {
+			klog.V(2).Infof("Service port %s updated: %d endpoints", spn, len(eps))
+		}
 	}
 
 	metrics.EndpointChangesPending.Set(float64(len(ect.items)))

pkg/proxy/iptables/proxier.go

@@ -269,10 +269,8 @@ func NewProxier(ipt utiliptables.Interface,
 	nodePortAddresses []string,
 ) (*Proxier, error) {
 	// Set the route_localnet sysctl we need for
-	if val, _ := sysctl.GetSysctl(sysctlRouteLocalnet); val != 1 {
+	if err := utilproxy.EnsureSysctl(sysctl, sysctlRouteLocalnet, 1); err != nil {
-		if err := sysctl.SetSysctl(sysctlRouteLocalnet, 1); err != nil {
+		return nil, err
-			return nil, fmt.Errorf("can't set sysctl %s: %v", sysctlRouteLocalnet, err)
-		}
 	}
 
 	// Proxy needs br_netfilter and bridge-nf-call-iptables=1 when containers
@@ -285,12 +283,13 @@ func NewProxier(ipt utiliptables.Interface,
 	// Generate the masquerade mark to use for SNAT rules.
 	masqueradeValue := 1 << uint(masqueradeBit)
 	masqueradeMark := fmt.Sprintf("%#08x/%#08x", masqueradeValue, masqueradeValue)
+	klog.V(2).Infof("iptables(%s) masquerade mark: %s", ipt.Protocol(), masqueradeMark)
 
 	endpointSlicesEnabled := utilfeature.DefaultFeatureGate.Enabled(features.EndpointSliceProxying)
 
 	serviceHealthServer := healthcheck.NewServiceHealthServer(hostname, recorder)
 
-	isIPv6 := ipt.IsIpv6()
+	isIPv6 := ipt.IsIPv6()
 	proxier := &Proxier{
 		portsMap:                 make(map[utilproxy.LocalPort]utilproxy.Closeable),
 		serviceMap:               make(proxy.ServiceMap),
@@ -319,15 +318,25 @@ func NewProxier(ipt utiliptables.Interface,
 		nodePortAddresses:        nodePortAddresses,
 		networkInterfacer:        utilproxy.RealNetwork{},
 	}
+
 	burstSyncs := 2
-	klog.V(3).Infof("minSyncPeriod: %v, syncPeriod: %v, burstSyncs: %d", minSyncPeriod, syncPeriod, burstSyncs)
+	klog.V(2).Infof("iptables(%s) sync params: minSyncPeriod=%v, syncPeriod=%v, burstSyncs=%d",
+		ipt.Protocol(), minSyncPeriod, syncPeriod, burstSyncs)
 	// We pass syncPeriod to ipt.Monitor, which will call us only if it needs to.
 	// We need to pass *some* maxInterval to NewBoundedFrequencyRunner anyway though.
 	// time.Hour is arbitrary.
 	proxier.syncRunner = async.NewBoundedFrequencyRunner("sync-runner", proxier.syncProxyRules, minSyncPeriod, time.Hour, burstSyncs)
+
 	go ipt.Monitor(utiliptables.Chain("KUBE-PROXY-CANARY"),
 		[]utiliptables.Table{utiliptables.TableMangle, utiliptables.TableNAT, utiliptables.TableFilter},
 		proxier.syncProxyRules, syncPeriod, wait.NeverStop)
+
+	if ipt.HasRandomFully() {
+		klog.V(2).Infof("iptables(%s) supports --random-fully", ipt.Protocol())
+	} else {
+		klog.V(2).Infof("iptables(%s) does not support --random-fully", ipt.Protocol())
+	}
+
 	return proxier, nil
 }
 
@@ -787,7 +796,7 @@ func (proxier *Proxier) syncProxyRules() {
 	start := time.Now()
 	defer func() {
 		metrics.SyncProxyRulesLatency.Observe(metrics.SinceInSeconds(start))
-		klog.V(4).Infof("syncProxyRules took %v", time.Since(start))
+		klog.V(2).Infof("syncProxyRules took %v", time.Since(start))
 	}()
 
 	localAddrs, err := utilproxy.GetLocalAddrs()
@@ -818,7 +827,7 @@ func (proxier *Proxier) syncProxyRules() {
 		}
 	}
 
-	klog.V(3).Info("Syncing iptables rules")
+	klog.V(2).Info("Syncing iptables rules")
 
 	success := false
 	defer func() {
@@ -1459,7 +1468,7 @@ func (proxier *Proxier) syncProxyRules() {
 	if err != nil {
 		klog.Errorf("Failed to get node ip address matching nodeport cidr")
 	} else {
-		isIPv6 := proxier.iptables.IsIpv6()
+		isIPv6 := proxier.iptables.IsIPv6()
 		for address := range addresses {
 			// TODO(thockin, m1093782566): If/when we have dual-stack support we will want to distinguish v4 from v6 zero-CIDRs.
 			if utilproxy.IsZeroCIDR(address) {

pkg/proxy/iptables/proxier_test.go

@@ -2427,23 +2427,23 @@ COMMIT
 :KUBE-NODEPORTS - [0:0]
 :KUBE-POSTROUTING - [0:0]
 :KUBE-MARK-MASQ - [0:0]
-:KUBE-SVC-AHZNAGK3SCETOS2T - [0:0]
+:KUBE-SVC-AQI2S6QIMU7PVVRP - [0:0]
-:KUBE-SEP-PXD6POUVGD2I37UY - [0:0]
+:KUBE-SEP-3JOIVZTXZZRGORX4 - [0:0]
-:KUBE-SEP-SOKZUIT7SCEVIP33 - [0:0]
+:KUBE-SEP-IO5XOSKPAXIFQXAJ - [0:0]
-:KUBE-SEP-WVE3FAB34S7NZGDJ - [0:0]
+:KUBE-SEP-XGJFVO3L2O5SRFNT - [0:0]
 -A KUBE-POSTROUTING -m comment --comment "kubernetes service traffic requiring SNAT" -m mark --mark  -j MASQUERADE
 -A KUBE-MARK-MASQ -j MARK --set-xmark 
--A KUBE-SERVICES -m comment --comment "ns1/svc1: cluster IP" -m tcp -p tcp -d 172.20.1.1/32 --dport 0 ! -s 10.0.0.0/24 -j KUBE-MARK-MASQ
+-A KUBE-SERVICES -m comment --comment "ns1/svc1 cluster IP" -m tcp -p tcp -d 172.20.1.1/32 --dport 0 ! -s 10.0.0.0/24 -j KUBE-MARK-MASQ
--A KUBE-SERVICES -m comment --comment "ns1/svc1: cluster IP" -m tcp -p tcp -d 172.20.1.1/32 --dport 0 -j KUBE-SVC-AHZNAGK3SCETOS2T
+-A KUBE-SERVICES -m comment --comment "ns1/svc1 cluster IP" -m tcp -p tcp -d 172.20.1.1/32 --dport 0 -j KUBE-SVC-AQI2S6QIMU7PVVRP
--A KUBE-SVC-AHZNAGK3SCETOS2T -m comment --comment ns1/svc1: -m statistic --mode random --probability 0.3333333333 -j KUBE-SEP-PXD6POUVGD2I37UY
+-A KUBE-SVC-AQI2S6QIMU7PVVRP -m comment --comment ns1/svc1 -m statistic --mode random --probability 0.3333333333 -j KUBE-SEP-3JOIVZTXZZRGORX4
--A KUBE-SEP-PXD6POUVGD2I37UY -m comment --comment ns1/svc1: -s 10.0.1.1/32 -j KUBE-MARK-MASQ
+-A KUBE-SEP-3JOIVZTXZZRGORX4 -m comment --comment ns1/svc1 -s 10.0.1.1/32 -j KUBE-MARK-MASQ
--A KUBE-SEP-PXD6POUVGD2I37UY -m comment --comment ns1/svc1: -m tcp -p tcp -j DNAT --to-destination 10.0.1.1:80
+-A KUBE-SEP-3JOIVZTXZZRGORX4 -m comment --comment ns1/svc1 -m tcp -p tcp -j DNAT --to-destination 10.0.1.1:80
--A KUBE-SVC-AHZNAGK3SCETOS2T -m comment --comment ns1/svc1: -m statistic --mode random --probability 0.5000000000 -j KUBE-SEP-SOKZUIT7SCEVIP33
+-A KUBE-SVC-AQI2S6QIMU7PVVRP -m comment --comment ns1/svc1 -m statistic --mode random --probability 0.5000000000 -j KUBE-SEP-IO5XOSKPAXIFQXAJ
--A KUBE-SEP-SOKZUIT7SCEVIP33 -m comment --comment ns1/svc1: -s 10.0.1.2/32 -j KUBE-MARK-MASQ
+-A KUBE-SEP-IO5XOSKPAXIFQXAJ -m comment --comment ns1/svc1 -s 10.0.1.2/32 -j KUBE-MARK-MASQ
--A KUBE-SEP-SOKZUIT7SCEVIP33 -m comment --comment ns1/svc1: -m tcp -p tcp -j DNAT --to-destination 10.0.1.2:80
+-A KUBE-SEP-IO5XOSKPAXIFQXAJ -m comment --comment ns1/svc1 -m tcp -p tcp -j DNAT --to-destination 10.0.1.2:80
--A KUBE-SVC-AHZNAGK3SCETOS2T -m comment --comment ns1/svc1: -j KUBE-SEP-WVE3FAB34S7NZGDJ
+-A KUBE-SVC-AQI2S6QIMU7PVVRP -m comment --comment ns1/svc1 -j KUBE-SEP-XGJFVO3L2O5SRFNT
--A KUBE-SEP-WVE3FAB34S7NZGDJ -m comment --comment ns1/svc1: -s 10.0.1.3/32 -j KUBE-MARK-MASQ
+-A KUBE-SEP-XGJFVO3L2O5SRFNT -m comment --comment ns1/svc1 -s 10.0.1.3/32 -j KUBE-MARK-MASQ
--A KUBE-SEP-WVE3FAB34S7NZGDJ -m comment --comment ns1/svc1: -m tcp -p tcp -j DNAT --to-destination 10.0.1.3:80
+-A KUBE-SEP-XGJFVO3L2O5SRFNT -m comment --comment ns1/svc1 -m tcp -p tcp -j DNAT --to-destination 10.0.1.3:80
 -A KUBE-SERVICES -m comment --comment "kubernetes service nodeports; NOTE: this must be the last rule in this chain" -m addrtype --dst-type LOCAL -j KUBE-NODEPORTS
 COMMIT
 `

pkg/proxy/ipvs/proxier.go

@@ -347,10 +347,8 @@ func NewProxier(ipt utiliptables.Interface,
 	kernelHandler KernelHandler,
 ) (*Proxier, error) {
 	// Set the route_localnet sysctl we need for
-	if val, _ := sysctl.GetSysctl(sysctlRouteLocalnet); val != 1 {
+	if err := utilproxy.EnsureSysctl(sysctl, sysctlRouteLocalnet, 1); err != nil {
-		if err := sysctl.SetSysctl(sysctlRouteLocalnet, 1); err != nil {
+		return nil, err
-			return nil, fmt.Errorf("can't set sysctl %s: %v", sysctlRouteLocalnet, err)
-		}
 	}
 
 	// Proxy needs br_netfilter and bridge-nf-call-iptables=1 when containers
@@ -361,10 +359,8 @@ func NewProxier(ipt utiliptables.Interface,
 	}
 
 	// Set the conntrack sysctl we need for
-	if val, _ := sysctl.GetSysctl(sysctlVSConnTrack); val != 1 {
+	if err := utilproxy.EnsureSysctl(sysctl, sysctlVSConnTrack, 1); err != nil {
-		if err := sysctl.SetSysctl(sysctlVSConnTrack, 1); err != nil {
+		return nil, err
-			return nil, fmt.Errorf("can't set sysctl %s: %v", sysctlVSConnTrack, err)
-		}
 	}
 
 	kernelVersionStr, err := kernelHandler.GetKernelVersion()
@@ -379,47 +375,35 @@ func NewProxier(ipt utiliptables.Interface,
 		klog.Errorf("can't set sysctl %s, kernel version must be at least %s", sysctlConnReuse, connReuseMinSupportedKernelVersion)
 	} else {
 		// Set the connection reuse mode
-		if val, _ := sysctl.GetSysctl(sysctlConnReuse); val != 0 {
+		if err := utilproxy.EnsureSysctl(sysctl, sysctlConnReuse, 0); err != nil {
-			if err := sysctl.SetSysctl(sysctlConnReuse, 0); err != nil {
+			return nil, err
-				return nil, fmt.Errorf("can't set sysctl %s: %v", sysctlConnReuse, err)
-			}
 		}
 	}
 
 	// Set the expire_nodest_conn sysctl we need for
-	if val, _ := sysctl.GetSysctl(sysctlExpireNoDestConn); val != 1 {
+	if err := utilproxy.EnsureSysctl(sysctl, sysctlExpireNoDestConn, 1); err != nil {
-		if err := sysctl.SetSysctl(sysctlExpireNoDestConn, 1); err != nil {
+		return nil, err
-			return nil, fmt.Errorf("can't set sysctl %s: %v", sysctlExpireNoDestConn, err)
-		}
 	}
 
 	// Set the expire_quiescent_template sysctl we need for
-	if val, _ := sysctl.GetSysctl(sysctlExpireQuiescentTemplate); val != 1 {
+	if err := utilproxy.EnsureSysctl(sysctl, sysctlExpireQuiescentTemplate, 1); err != nil {
-		if err := sysctl.SetSysctl(sysctlExpireQuiescentTemplate, 1); err != nil {
+		return nil, err
-			return nil, fmt.Errorf("can't set sysctl %s: %v", sysctlExpireQuiescentTemplate, err)
-		}
 	}
 
 	// Set the ip_forward sysctl we need for
-	if val, _ := sysctl.GetSysctl(sysctlForward); val != 1 {
+	if err := utilproxy.EnsureSysctl(sysctl, sysctlForward, 1); err != nil {
-		if err := sysctl.SetSysctl(sysctlForward, 1); err != nil {
+		return nil, err
-			return nil, fmt.Errorf("can't set sysctl %s: %v", sysctlForward, err)
-		}
 	}
 
 	if strictARP {
 		// Set the arp_ignore sysctl we need for
-		if val, _ := sysctl.GetSysctl(sysctlArpIgnore); val != 1 {
+		if err := utilproxy.EnsureSysctl(sysctl, sysctlArpIgnore, 1); err != nil {
-			if err := sysctl.SetSysctl(sysctlArpIgnore, 1); err != nil {
+			return nil, err
-				return nil, fmt.Errorf("can't set sysctl %s: %v", sysctlArpIgnore, err)
-			}
 		}
 
 		// Set the arp_announce sysctl we need for
-		if val, _ := sysctl.GetSysctl(sysctlArpAnnounce); val != 2 {
+		if err := utilproxy.EnsureSysctl(sysctl, sysctlArpAnnounce, 2); err != nil {
-			if err := sysctl.SetSysctl(sysctlArpAnnounce, 2); err != nil {
+			return nil, err
-				return nil, fmt.Errorf("can't set sysctl %s: %v", sysctlArpAnnounce, err)
-			}
 		}
 	}
 
@@ -490,7 +474,8 @@ func NewProxier(ipt utiliptables.Interface,
 		proxier.ipsetList[is.name] = NewIPSet(ipset, is.name, is.setType, isIPv6, is.comment)
 	}
 	burstSyncs := 2
-	klog.V(3).Infof("minSyncPeriod: %v, syncPeriod: %v, burstSyncs: %d", minSyncPeriod, syncPeriod, burstSyncs)
+	klog.V(2).Infof("ipvs(%s) sync params: minSyncPeriod=%v, syncPeriod=%v, burstSyncs=%d",
+		ipt.Protocol(), minSyncPeriod, syncPeriod, burstSyncs)
 	proxier.syncRunner = async.NewBoundedFrequencyRunner("sync-runner", proxier.syncProxyRules, minSyncPeriod, syncPeriod, burstSyncs)
 	proxier.gracefuldeleteManager.Run()
 	return proxier, nil
@@ -2103,10 +2088,10 @@ func (proxier *Proxier) isIPInExcludeCIDRs(ip net.IP) bool {
 
 func (proxier *Proxier) getLegacyBindAddr(activeBindAddrs map[string]bool, currentBindAddrs []string) map[string]bool {
 	legacyAddrs := make(map[string]bool)
-	isIpv6 := utilnet.IsIPv6(proxier.nodeIP)
+	isIPv6 := utilnet.IsIPv6(proxier.nodeIP)
 	for _, addr := range currentBindAddrs {
-		addrIsIpv6 := utilnet.IsIPv6(net.ParseIP(addr))
+		addrIsIPv6 := utilnet.IsIPv6(net.ParseIP(addr))
-		if addrIsIpv6 && !isIpv6 || !addrIsIpv6 && isIpv6 {
+		if addrIsIPv6 && !isIPv6 || !addrIsIPv6 && isIPv6 {
 			continue
 		}
 		if _, ok := activeBindAddrs[addr]; !ok {

pkg/proxy/service.go

@@ -263,6 +263,8 @@ func (sct *ServiceChangeTracker) Update(previous, current *v1.Service) bool {
 	// if change.previous equal to change.current, it means no change
 	if reflect.DeepEqual(change.previous, change.current) {
 		delete(sct.items, namespacedName)
+	} else {
+		klog.V(2).Infof("Service %s updated: %d ports", namespacedName, len(change.current))
 	}
 	metrics.ServiceChangesPending.Set(float64(len(sct.items)))
 	return len(sct.items) > 0

pkg/proxy/types.go

@@ -49,7 +49,14 @@ type ServicePortName struct {
 }
 
 func (spn ServicePortName) String() string {
-	return fmt.Sprintf("%s:%s", spn.NamespacedName.String(), spn.Port)
+	return fmt.Sprintf("%s%s", spn.NamespacedName.String(), fmtPortName(spn.Port))
+}
+
+func fmtPortName(in string) string {
+	if in == "" {
+		return ""
+	}
+	return fmt.Sprintf(":%s", in)
 }
 
 // ServicePort is an interface which abstracts information about a service.

pkg/proxy/util/BUILD

@@ -12,6 +12,7 @@ go_library(
     visibility = ["//visibility:public"],
     deps = [
         "//pkg/apis/core/v1/helper:go_default_library",
+        "//pkg/util/sysctl:go_default_library",
         "//staging/src/k8s.io/api/core/v1:go_default_library",
         "//staging/src/k8s.io/apimachinery/pkg/types:go_default_library",
         "//staging/src/k8s.io/apimachinery/pkg/util/rand:go_default_library",

pkg/proxy/util/iptables/traffic.go

@@ -66,8 +66,8 @@ type detectLocalByCIDR struct {
 // NewDetectLocalByCIDR implements the LocalTrafficDetector interface using a CIDR. This can be used when a single CIDR
 // range can be used to capture the notion of local traffic.
 func NewDetectLocalByCIDR(cidr string, ipt utiliptables.Interface) (LocalTrafficDetector, error) {
-	if utilnet.IsIPv6CIDRString(cidr) != ipt.IsIpv6() {
+	if utilnet.IsIPv6CIDRString(cidr) != ipt.IsIPv6() {
-		return nil, fmt.Errorf("CIDR %s has incorrect IP version: expect isIPv6=%t", cidr, ipt.IsIpv6())
+		return nil, fmt.Errorf("CIDR %s has incorrect IP version: expect isIPv6=%t", cidr, ipt.IsIPv6())
 	}
 	_, _, err := net.ParseCIDR(cidr)
 	if err != nil {

pkg/proxy/util/iptables/traffic_test.go

@@ -70,12 +70,12 @@ func TestNewDetectLocalByCIDR(t *testing.T) {
 		},
 		{
 			cidr:        "2002::1234:abcd:ffff:c0a8:101/64",
-			ipt:         iptablestest.NewIpv6Fake(),
+			ipt:         iptablestest.NewIPv6Fake(),
 			errExpected: false,
 		},
 		{
 			cidr:        "10.0.0.0/14",
-			ipt:         iptablestest.NewIpv6Fake(),
+			ipt:         iptablestest.NewIPv6Fake(),
 			errExpected: true,
 		},
 		{
@@ -90,7 +90,7 @@ func TestNewDetectLocalByCIDR(t *testing.T) {
 		},
 		{
 			cidr:        "2002::1234:abcd:ffff:c0a8:101",
-			ipt:         iptablestest.NewIpv6Fake(),
+			ipt:         iptablestest.NewIPv6Fake(),
 			errExpected: true,
 		},
 		{
@@ -100,7 +100,7 @@ func TestNewDetectLocalByCIDR(t *testing.T) {
 		},
 		{
 			cidr:        "",
-			ipt:         iptablestest.NewIpv6Fake(),
+			ipt:         iptablestest.NewIPv6Fake(),
 			errExpected: true,
 		},
 	}
@@ -137,7 +137,7 @@ func TestDetectLocalByCIDR(t *testing.T) {
 		},
 		{
 			cidr:                    "2002::1234:abcd:ffff:c0a8:101/64",
-			ipt:                     iptablestest.NewIpv6Fake(),
+			ipt:                     iptablestest.NewIPv6Fake(),
 			chain:                   "TEST",
 			args:                    []string{"arg1", "arg2"},
 			expectedJumpIfOutput:    []string{"arg1", "arg2", "-s", "2002::1234:abcd:ffff:c0a8:101/64", "-j", "TEST"},

pkg/proxy/util/utils.go

@@ -29,6 +29,7 @@ import (
 	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/client-go/tools/record"
 	helper "k8s.io/kubernetes/pkg/apis/core/v1/helper"
+	utilsysctl "k8s.io/kubernetes/pkg/util/sysctl"
 	utilnet "k8s.io/utils/net"
 
 	"k8s.io/klog"
@@ -288,3 +289,14 @@ func ShuffleStrings(s []string) []string {
 	}
 	return shuffled
 }
+
+// EnsureSysctl sets a kernel sysctl to a given numeric value.
+func EnsureSysctl(sysctl utilsysctl.Interface, name string, newVal int) error {
+	if oldVal, _ := sysctl.GetSysctl(name); oldVal != newVal {
+		if err := sysctl.SetSysctl(name, newVal); err != nil {
+			return fmt.Errorf("can't set sysctl %s to %d: %v", name, newVal, err)
+		}
+		klog.V(1).Infof("Changed sysctl %q: %d -> %d", name, oldVal, newVal)
+	}
+	return nil
+}

pkg/proxy/winuserspace/proxier.go

@@ -213,7 +213,7 @@ func (proxier *Proxier) addServicePortPortal(servicePortPortalName ServicePortPo
 			return nil, fmt.Errorf("could not parse ip '%q'", listenIP)
 		}
 		// add the IP address.  Node port binds to all interfaces.
-		args := proxier.netshIpv4AddressAddArgs(serviceIP)
+		args := proxier.netshIPv4AddressAddArgs(serviceIP)
 		if existed, err := proxier.netsh.EnsureIPAddress(args, serviceIP); err != nil {
 			return nil, err
 		} else if !existed {
@@ -262,7 +262,7 @@ func (proxier *Proxier) closeServicePortPortal(servicePortPortalName ServicePort
 	// close the PortalProxy by deleting the service IP address
 	if info.portal.ip != allAvailableInterfaces {
 		serviceIP := net.ParseIP(info.portal.ip)
-		args := proxier.netshIpv4AddressDeleteArgs(serviceIP)
+		args := proxier.netshIPv4AddressDeleteArgs(serviceIP)
 		if err := proxier.netsh.DeleteIPAddress(args); err != nil {
 			return err
 		}
@@ -474,7 +474,7 @@ func isClosedError(err error) bool {
 	return strings.HasSuffix(err.Error(), "use of closed network connection")
 }
 
-func (proxier *Proxier) netshIpv4AddressAddArgs(destIP net.IP) []string {
+func (proxier *Proxier) netshIPv4AddressAddArgs(destIP net.IP) []string {
 	intName := proxier.netsh.GetInterfaceToAddIP()
 	args := []string{
 		"interface", "ipv4", "add", "address",
@@ -485,7 +485,7 @@ func (proxier *Proxier) netshIpv4AddressAddArgs(destIP net.IP) []string {
 	return args
 }
 
-func (proxier *Proxier) netshIpv4AddressDeleteArgs(destIP net.IP) []string {
+func (proxier *Proxier) netshIPv4AddressDeleteArgs(destIP net.IP) []string {
 	intName := proxier.netsh.GetInterfaceToAddIP()
 	args := []string{
 		"interface", "ipv4", "delete", "address",

pkg/util/iptables/iptables.go

@@ -55,8 +55,10 @@ type Interface interface {
 	EnsureRule(position RulePosition, table Table, chain Chain, args ...string) (bool, error)
 	// DeleteRule checks if the specified rule is present and, if so, deletes it.
 	DeleteRule(table Table, chain Chain, args ...string) error
-	// IsIpv6 returns true if this is managing ipv6 tables
+	// IsIPv6 returns true if this is managing ipv6 tables.
-	IsIpv6() bool
+	IsIPv6() bool
+	// Protocol returns the IP family this instance is managing,
+	Protocol() Protocol
 	// SaveInto calls `iptables-save` for table and stores result in a given buffer.
 	SaveInto(table Table, buffer *bytes.Buffer) error
 	// Restore runs `iptables-restore` passing data through []byte.
@@ -87,13 +89,13 @@ type Interface interface {
 }
 
 // Protocol defines the ip protocol either ipv4 or ipv6
-type Protocol byte
+type Protocol string
 
 const (
-	// ProtocolIpv4 represents ipv4 protocol in iptables
+	// ProtocolIPv4 represents ipv4 protocol in iptables
-	ProtocolIpv4 Protocol = iota + 1
+	ProtocolIPv4 Protocol = "IPv4"
-	// ProtocolIpv6 represents ipv6 protocol in iptables
+	// ProtocolIPv6 represents ipv6 protocol in iptables
-	ProtocolIpv6
+	ProtocolIPv6 Protocol = "IPv6"
 )
 
 // Table represents different iptable like filter,nat, mangle and raw
@@ -319,8 +321,12 @@ func (runner *runner) DeleteRule(table Table, chain Chain, args ...string) error
 	return nil
 }
 
-func (runner *runner) IsIpv6() bool {
+func (runner *runner) IsIPv6() bool {
-	return runner.protocol == ProtocolIpv6
+	return runner.protocol == ProtocolIPv6
+}
+
+func (runner *runner) Protocol() Protocol {
+	return runner.protocol
 }
 
 // SaveInto is part of Interface.
@@ -410,14 +416,14 @@ func (runner *runner) restoreInternal(args []string, data []byte, flush FlushFla
 }
 
 func iptablesSaveCommand(protocol Protocol) string {
-	if protocol == ProtocolIpv6 {
+	if protocol == ProtocolIPv6 {
 		return cmdIP6TablesSave
 	}
 	return cmdIPTablesSave
 }
 
 func iptablesRestoreCommand(protocol Protocol) string {
-	if protocol == ProtocolIpv6 {
+	if protocol == ProtocolIPv6 {
 		return cmdIP6TablesRestore
 	}
 	return cmdIPTablesRestore
@@ -425,7 +431,7 @@ func iptablesRestoreCommand(protocol Protocol) string {
 }
 
 func iptablesCommand(protocol Protocol) string {
-	if protocol == ProtocolIpv6 {
+	if protocol == ProtocolIPv6 {
 		return cmdIP6Tables
 	}
 	return cmdIPTables

pkg/util/iptables/iptables_test.go

@@ -35,18 +35,10 @@ import (
 
 const TestLockfilePath = "xtables.lock"
 
-func protocolStr(protocol Protocol) string {
-	if protocol == ProtocolIpv4 {
-		return "IPv4"
-	}
-	return "IPv6"
-}
-
 func testIPTablesVersionCmds(t *testing.T, protocol Protocol) {
 	version := " v1.4.22"
 	iptablesCmd := iptablesCommand(protocol)
 	iptablesRestoreCmd := iptablesRestoreCommand(protocol)
-	protoStr := protocolStr(protocol)
 
 	fcmd := fakeexec.FakeCmd{
 		CombinedOutputScript: []fakeexec.FakeAction{
@@ -66,26 +58,24 @@ func testIPTablesVersionCmds(t *testing.T, protocol Protocol) {
 
 	// Check that proper iptables version command was used during runner instantiation
 	if !sets.NewString(fcmd.CombinedOutputLog[0]...).HasAll(iptablesCmd, "--version") {
-		t.Errorf("%s runner instantiate: Expected cmd '%s --version', Got '%s'", protoStr, iptablesCmd, fcmd.CombinedOutputLog[0])
+		t.Errorf("%s runner instantiate: Expected cmd '%s --version', Got '%s'", protocol, iptablesCmd, fcmd.CombinedOutputLog[0])
 	}
 
 	// Check that proper iptables restore version command was used during runner instantiation
 	if !sets.NewString(fcmd.CombinedOutputLog[1]...).HasAll(iptablesRestoreCmd, "--version") {
-		t.Errorf("%s runner instantiate: Expected cmd '%s --version', Got '%s'", protoStr, iptablesRestoreCmd, fcmd.CombinedOutputLog[1])
+		t.Errorf("%s runner instantiate: Expected cmd '%s --version', Got '%s'", protocol, iptablesRestoreCmd, fcmd.CombinedOutputLog[1])
 	}
 }
 
 func TestIPTablesVersionCmdsIPv4(t *testing.T) {
-	testIPTablesVersionCmds(t, ProtocolIpv4)
+	testIPTablesVersionCmds(t, ProtocolIPv4)
 }
 
 func TestIPTablesVersionCmdsIPv6(t *testing.T) {
-	testIPTablesVersionCmds(t, ProtocolIpv6)
+	testIPTablesVersionCmds(t, ProtocolIPv6)
 }
 
 func testEnsureChain(t *testing.T, protocol Protocol) {
-	protoStr := protocolStr(protocol)
-
 	fcmd := fakeexec.FakeCmd{
 		CombinedOutputScript: []fakeexec.FakeAction{
 			// iptables version check
@@ -110,39 +100,39 @@ func testEnsureChain(t *testing.T, protocol Protocol) {
 	// Success.
 	exists, err := runner.EnsureChain(TableNAT, Chain("FOOBAR"))
 	if err != nil {
-		t.Errorf("%s new chain: Expected success, got %v", protoStr, err)
+		t.Errorf("%s new chain: Expected success, got %v", protocol, err)
 	}
 	if exists {
-		t.Errorf("%s new chain: Expected exists = false", protoStr)
+		t.Errorf("%s new chain: Expected exists = false", protocol)
 	}
 	if fcmd.CombinedOutputCalls != 2 {
-		t.Errorf("%s new chain: Expected 2 CombinedOutput() calls, got %d", protoStr, fcmd.CombinedOutputCalls)
+		t.Errorf("%s new chain: Expected 2 CombinedOutput() calls, got %d", protocol, fcmd.CombinedOutputCalls)
 	}
 	cmd := iptablesCommand(protocol)
 	if !sets.NewString(fcmd.CombinedOutputLog[1]...).HasAll(cmd, "-t", "nat", "-N", "FOOBAR") {
-		t.Errorf("%s new chain: Expected cmd containing '%s -t nat -N FOOBAR', got %s", protoStr, cmd, fcmd.CombinedOutputLog[2])
+		t.Errorf("%s new chain: Expected cmd containing '%s -t nat -N FOOBAR', got %s", protocol, cmd, fcmd.CombinedOutputLog[2])
 	}
 	// Exists.
 	exists, err = runner.EnsureChain(TableNAT, Chain("FOOBAR"))
 	if err != nil {
-		t.Errorf("%s existing chain: Expected success, got %v", protoStr, err)
+		t.Errorf("%s existing chain: Expected success, got %v", protocol, err)
 	}
 	if !exists {
-		t.Errorf("%s existing chain: Expected exists = true", protoStr)
+		t.Errorf("%s existing chain: Expected exists = true", protocol)
 	}
 	// Simulate failure.
 	_, err = runner.EnsureChain(TableNAT, Chain("FOOBAR"))
 	if err == nil {
-		t.Errorf("%s: Expected failure", protoStr)
+		t.Errorf("%s: Expected failure", protocol)
 	}
 }
 
-func TestEnsureChainIpv4(t *testing.T) {
+func TestEnsureChainIPv4(t *testing.T) {
-	testEnsureChain(t, ProtocolIpv4)
+	testEnsureChain(t, ProtocolIPv4)
 }
 
-func TestEnsureChainIpv6(t *testing.T) {
+func TestEnsureChainIPv6(t *testing.T) {
-	testEnsureChain(t, ProtocolIpv6)
+	testEnsureChain(t, ProtocolIPv6)
 }
 
 func TestFlushChain(t *testing.T) {
@@ -163,7 +153,7 @@ func TestFlushChain(t *testing.T) {
 			func(cmd string, args ...string) exec.Cmd { return fakeexec.InitFakeCmd(&fcmd, cmd, args...) },
 		},
 	}
-	runner := New(&fexec, ProtocolIpv4)
+	runner := New(&fexec, ProtocolIPv4)
 	// Success.
 	err := runner.FlushChain(TableNAT, Chain("FOOBAR"))
 	if err != nil {
@@ -200,7 +190,7 @@ func TestDeleteChain(t *testing.T) {
 			func(cmd string, args ...string) exec.Cmd { return fakeexec.InitFakeCmd(&fcmd, cmd, args...) },
 		},
 	}
-	runner := New(&fexec, ProtocolIpv4)
+	runner := New(&fexec, ProtocolIPv4)
 	// Success.
 	err := runner.DeleteChain(TableNAT, Chain("FOOBAR"))
 	if err != nil {
@@ -236,7 +226,7 @@ func TestEnsureRuleAlreadyExists(t *testing.T) {
 			func(cmd string, args ...string) exec.Cmd { return fakeexec.InitFakeCmd(&fcmd, cmd, args...) },
 		},
 	}
-	runner := New(&fexec, ProtocolIpv4)
+	runner := New(&fexec, ProtocolIPv4)
 	exists, err := runner.EnsureRule(Append, TableNAT, ChainOutput, "abc", "123")
 	if err != nil {
 		t.Errorf("expected success, got %v", err)
@@ -272,7 +262,7 @@ func TestEnsureRuleNew(t *testing.T) {
 			func(cmd string, args ...string) exec.Cmd { return fakeexec.InitFakeCmd(&fcmd, cmd, args...) },
 		},
 	}
-	runner := New(&fexec, ProtocolIpv4)
+	runner := New(&fexec, ProtocolIPv4)
 	exists, err := runner.EnsureRule(Append, TableNAT, ChainOutput, "abc", "123")
 	if err != nil {
 		t.Errorf("expected success, got %v", err)
@@ -305,7 +295,7 @@ func TestEnsureRuleErrorChecking(t *testing.T) {
 			func(cmd string, args ...string) exec.Cmd { return fakeexec.InitFakeCmd(&fcmd, cmd, args...) },
 		},
 	}
-	runner := New(&fexec, ProtocolIpv4)
+	runner := New(&fexec, ProtocolIPv4)
 	_, err := runner.EnsureRule(Append, TableNAT, ChainOutput, "abc", "123")
 	if err == nil {
 		t.Errorf("expected failure")
@@ -335,7 +325,7 @@ func TestEnsureRuleErrorCreating(t *testing.T) {
 			func(cmd string, args ...string) exec.Cmd { return fakeexec.InitFakeCmd(&fcmd, cmd, args...) },
 		},
 	}
-	runner := New(&fexec, ProtocolIpv4)
+	runner := New(&fexec, ProtocolIPv4)
 	_, err := runner.EnsureRule(Append, TableNAT, ChainOutput, "abc", "123")
 	if err == nil {
 		t.Errorf("expected failure")
@@ -362,7 +352,7 @@ func TestDeleteRuleDoesNotExist(t *testing.T) {
 			func(cmd string, args ...string) exec.Cmd { return fakeexec.InitFakeCmd(&fcmd, cmd, args...) },
 		},
 	}
-	runner := New(&fexec, ProtocolIpv4)
+	runner := New(&fexec, ProtocolIPv4)
 	err := runner.DeleteRule(TableNAT, ChainOutput, "abc", "123")
 	if err != nil {
 		t.Errorf("expected success, got %v", err)
@@ -395,7 +385,7 @@ func TestDeleteRuleExists(t *testing.T) {
 			func(cmd string, args ...string) exec.Cmd { return fakeexec.InitFakeCmd(&fcmd, cmd, args...) },
 		},
 	}
-	runner := New(&fexec, ProtocolIpv4)
+	runner := New(&fexec, ProtocolIPv4)
 	err := runner.DeleteRule(TableNAT, ChainOutput, "abc", "123")
 	if err != nil {
 		t.Errorf("expected success, got %v", err)
@@ -425,7 +415,7 @@ func TestDeleteRuleErrorChecking(t *testing.T) {
 			func(cmd string, args ...string) exec.Cmd { return fakeexec.InitFakeCmd(&fcmd, cmd, args...) },
 		},
 	}
-	runner := New(&fexec, ProtocolIpv4)
+	runner := New(&fexec, ProtocolIPv4)
 	err := runner.DeleteRule(TableNAT, ChainOutput, "abc", "123")
 	if err == nil {
 		t.Errorf("expected failure")
@@ -455,7 +445,7 @@ func TestDeleteRuleErrorDeleting(t *testing.T) {
 			func(cmd string, args ...string) exec.Cmd { return fakeexec.InitFakeCmd(&fcmd, cmd, args...) },
 		},
 	}
-	runner := New(&fexec, ProtocolIpv4)
+	runner := New(&fexec, ProtocolIPv4)
 	err := runner.DeleteRule(TableNAT, ChainOutput, "abc", "123")
 	if err == nil {
 		t.Errorf("expected failure")
@@ -490,7 +480,7 @@ func TestGetIPTablesHasCheckCommand(t *testing.T) {
 				func(cmd string, args ...string) exec.Cmd { return fakeexec.InitFakeCmd(&fcmd, cmd, args...) },
 			},
 		}
-		ipt := New(&fexec, ProtocolIpv4)
+		ipt := New(&fexec, ProtocolIPv4)
 		runner := ipt.(*runner)
 		if testCase.Expected != runner.hasCheck {
 			t.Errorf("Expected result: %v, Got result: %v", testCase.Expected, runner.hasCheck)
@@ -504,12 +494,12 @@ func TestIPTablesCommands(t *testing.T) {
 		protocol    Protocol
 		expectedCmd string
 	}{
-		{"iptablesCommand", ProtocolIpv4, cmdIPTables},
+		{"iptablesCommand", ProtocolIPv4, cmdIPTables},
-		{"iptablesCommand", ProtocolIpv6, cmdIP6Tables},
+		{"iptablesCommand", ProtocolIPv6, cmdIP6Tables},
-		{"iptablesSaveCommand", ProtocolIpv4, cmdIPTablesSave},
+		{"iptablesSaveCommand", ProtocolIPv4, cmdIPTablesSave},
-		{"iptablesSaveCommand", ProtocolIpv6, cmdIP6TablesSave},
+		{"iptablesSaveCommand", ProtocolIPv6, cmdIP6TablesSave},
-		{"iptablesRestoreCommand", ProtocolIpv4, cmdIPTablesRestore},
+		{"iptablesRestoreCommand", ProtocolIPv4, cmdIPTablesRestore},
-		{"iptablesRestoreCommand", ProtocolIpv6, cmdIP6TablesRestore},
+		{"iptablesRestoreCommand", ProtocolIPv6, cmdIP6TablesRestore},
 	}
 	for _, testCase := range testCases {
 		var cmd string
@@ -651,7 +641,7 @@ func TestWaitFlagUnavailable(t *testing.T) {
 			func(cmd string, args ...string) exec.Cmd { return fakeexec.InitFakeCmd(&fcmd, cmd, args...) },
 		},
 	}
-	runner := New(&fexec, ProtocolIpv4)
+	runner := New(&fexec, ProtocolIPv4)
 	err := runner.DeleteChain(TableNAT, Chain("FOOBAR"))
 	if err != nil {
 		t.Errorf("expected success, got %v", err)
@@ -682,7 +672,7 @@ func TestWaitFlagOld(t *testing.T) {
 			func(cmd string, args ...string) exec.Cmd { return fakeexec.InitFakeCmd(&fcmd, cmd, args...) },
 		},
 	}
-	runner := New(&fexec, ProtocolIpv4)
+	runner := New(&fexec, ProtocolIPv4)
 	err := runner.DeleteChain(TableNAT, Chain("FOOBAR"))
 	if err != nil {
 		t.Errorf("expected success, got %v", err)
@@ -716,7 +706,7 @@ func TestWaitFlagNew(t *testing.T) {
 			func(cmd string, args ...string) exec.Cmd { return fakeexec.InitFakeCmd(&fcmd, cmd, args...) },
 		},
 	}
-	runner := New(&fexec, ProtocolIpv4)
+	runner := New(&fexec, ProtocolIPv4)
 	err := runner.DeleteChain(TableNAT, Chain("FOOBAR"))
 	if err != nil {
 		t.Errorf("expected success, got %v", err)
@@ -747,7 +737,7 @@ func TestWaitIntervalFlagNew(t *testing.T) {
 			func(cmd string, args ...string) exec.Cmd { return fakeexec.InitFakeCmd(&fcmd, cmd, args...) },
 		},
 	}
-	runner := New(&fexec, ProtocolIpv4)
+	runner := New(&fexec, ProtocolIPv4)
 	err := runner.DeleteChain(TableNAT, Chain("FOOBAR"))
 	if err != nil {
 		t.Errorf("expected success, got %v", err)
@@ -764,7 +754,6 @@ func testSaveInto(t *testing.T, protocol Protocol) {
 	version := " v1.9.22"
 	iptablesCmd := iptablesCommand(protocol)
 	iptablesSaveCmd := iptablesSaveCommand(protocol)
-	protoStr := protocolStr(protocol)
 
 	output := fmt.Sprintf(`# Generated by %s on Thu Jan 19 11:38:09 2017
 *filter
@@ -799,47 +788,46 @@ COMMIT
 	// Success.
 	err := runner.SaveInto(TableNAT, buffer)
 	if err != nil {
-		t.Fatalf("%s: Expected success, got %v", protoStr, err)
+		t.Fatalf("%s: Expected success, got %v", protocol, err)
 	}
 
 	if string(buffer.Bytes()) != output {
-		t.Errorf("%s: Expected output '%s', got '%v'", protoStr, output, string(buffer.Bytes()))
+		t.Errorf("%s: Expected output '%s', got '%v'", protocol, output, string(buffer.Bytes()))
 	}
 
 	if fcmd.CombinedOutputCalls != 1 {
-		t.Errorf("%s: Expected 1 CombinedOutput() calls, got %d", protoStr, fcmd.CombinedOutputCalls)
+		t.Errorf("%s: Expected 1 CombinedOutput() calls, got %d", protocol, fcmd.CombinedOutputCalls)
 	}
 	if fcmd.RunCalls != 1 {
-		t.Errorf("%s: Expected 1 Run() call, got %d", protoStr, fcmd.RunCalls)
+		t.Errorf("%s: Expected 1 Run() call, got %d", protocol, fcmd.RunCalls)
 	}
 	if !sets.NewString(fcmd.RunLog[0]...).HasAll(iptablesSaveCmd, "-t", "nat") {
-		t.Errorf("%s: Expected cmd containing '%s -t nat', got '%s'", protoStr, iptablesSaveCmd, fcmd.RunLog[0])
+		t.Errorf("%s: Expected cmd containing '%s -t nat', got '%s'", protocol, iptablesSaveCmd, fcmd.RunLog[0])
 	}
 
 	// Failure.
 	buffer.Reset()
 	err = runner.SaveInto(TableNAT, buffer)
 	if err == nil {
-		t.Errorf("%s: Expected failure", protoStr)
+		t.Errorf("%s: Expected failure", protocol)
 	}
 	if string(buffer.Bytes()) != stderrOutput {
-		t.Errorf("%s: Expected output '%s', got '%v'", protoStr, stderrOutput, string(buffer.Bytes()))
+		t.Errorf("%s: Expected output '%s', got '%v'", protocol, stderrOutput, string(buffer.Bytes()))
 	}
 }
 
 func TestSaveIntoIPv4(t *testing.T) {
-	testSaveInto(t, ProtocolIpv4)
+	testSaveInto(t, ProtocolIPv4)
 }
 
 func TestSaveIntoIPv6(t *testing.T) {
-	testSaveInto(t, ProtocolIpv6)
+	testSaveInto(t, ProtocolIPv6)
 }
 
 func testRestore(t *testing.T, protocol Protocol) {
 	version := " v1.9.22"
 	iptablesCmd := iptablesCommand(protocol)
 	iptablesRestoreCmd := iptablesRestoreCommand(protocol)
-	protoStr := protocolStr(protocol)
 
 	fcmd := fakeexec.FakeCmd{
 		CombinedOutputScript: []fakeexec.FakeAction{
@@ -867,64 +855,64 @@ func testRestore(t *testing.T, protocol Protocol) {
 	// both flags true
 	err := runner.Restore(TableNAT, []byte{}, FlushTables, RestoreCounters)
 	if err != nil {
-		t.Errorf("%s flush,restore: Expected success, got %v", protoStr, err)
+		t.Errorf("%s flush,restore: Expected success, got %v", protocol, err)
 	}
 
 	commandSet := sets.NewString(fcmd.CombinedOutputLog[1]...)
 	if !commandSet.HasAll(iptablesRestoreCmd, "-T", string(TableNAT), "--counters") || commandSet.HasAny("--noflush") {
-		t.Errorf("%s flush, restore: Expected cmd containing '%s -T %s --counters', got '%s'", protoStr, iptablesRestoreCmd, string(TableNAT), fcmd.CombinedOutputLog[1])
+		t.Errorf("%s flush, restore: Expected cmd containing '%s -T %s --counters', got '%s'", protocol, iptablesRestoreCmd, string(TableNAT), fcmd.CombinedOutputLog[1])
 	}
 
 	// FlushTables, NoRestoreCounters
 	err = runner.Restore(TableNAT, []byte{}, FlushTables, NoRestoreCounters)
 	if err != nil {
-		t.Errorf("%s flush, no restore: Expected success, got %v", protoStr, err)
+		t.Errorf("%s flush, no restore: Expected success, got %v", protocol, err)
 	}
 
 	commandSet = sets.NewString(fcmd.CombinedOutputLog[2]...)
 	if !commandSet.HasAll(iptablesRestoreCmd, "-T", string(TableNAT)) || commandSet.HasAny("--noflush", "--counters") {
-		t.Errorf("%s flush, no restore: Expected cmd containing '--noflush' or '--counters', got '%s'", protoStr, fcmd.CombinedOutputLog[2])
+		t.Errorf("%s flush, no restore: Expected cmd containing '--noflush' or '--counters', got '%s'", protocol, fcmd.CombinedOutputLog[2])
 	}
 
 	// NoFlushTables, RestoreCounters
 	err = runner.Restore(TableNAT, []byte{}, NoFlushTables, RestoreCounters)
 	if err != nil {
-		t.Errorf("%s no flush, restore: Expected success, got %v", protoStr, err)
+		t.Errorf("%s no flush, restore: Expected success, got %v", protocol, err)
 	}
 
 	commandSet = sets.NewString(fcmd.CombinedOutputLog[3]...)
 	if !commandSet.HasAll(iptablesRestoreCmd, "-T", string(TableNAT), "--noflush", "--counters") {
-		t.Errorf("%s no flush, restore: Expected cmd containing '--noflush' and '--counters', got '%s'", protoStr, fcmd.CombinedOutputLog[3])
+		t.Errorf("%s no flush, restore: Expected cmd containing '--noflush' and '--counters', got '%s'", protocol, fcmd.CombinedOutputLog[3])
 	}
 
 	// NoFlushTables, NoRestoreCounters
 	err = runner.Restore(TableNAT, []byte{}, NoFlushTables, NoRestoreCounters)
 	if err != nil {
-		t.Errorf("%s no flush, no restore: Expected success, got %v", protoStr, err)
+		t.Errorf("%s no flush, no restore: Expected success, got %v", protocol, err)
 	}
 
 	commandSet = sets.NewString(fcmd.CombinedOutputLog[4]...)
 	if !commandSet.HasAll(iptablesRestoreCmd, "-T", string(TableNAT), "--noflush") || commandSet.HasAny("--counters") {
-		t.Errorf("%s no flush, no restore: Expected cmd containing '%s -T %s --noflush', got '%s'", protoStr, iptablesRestoreCmd, string(TableNAT), fcmd.CombinedOutputLog[4])
+		t.Errorf("%s no flush, no restore: Expected cmd containing '%s -T %s --noflush', got '%s'", protocol, iptablesRestoreCmd, string(TableNAT), fcmd.CombinedOutputLog[4])
 	}
 
 	if fcmd.CombinedOutputCalls != 5 {
-		t.Errorf("%s: Expected 5 total CombinedOutput() calls, got %d", protoStr, fcmd.CombinedOutputCalls)
+		t.Errorf("%s: Expected 5 total CombinedOutput() calls, got %d", protocol, fcmd.CombinedOutputCalls)
 	}
 
 	// Failure.
 	err = runner.Restore(TableNAT, []byte{}, FlushTables, RestoreCounters)
 	if err == nil {
-		t.Errorf("%s Expected a failure", protoStr)
+		t.Errorf("%s Expected a failure", protocol)
 	}
 }
 
 func TestRestoreIPv4(t *testing.T) {
-	testRestore(t, ProtocolIpv4)
+	testRestore(t, ProtocolIPv4)
 }
 
 func TestRestoreIPv6(t *testing.T) {
-	testRestore(t, ProtocolIpv6)
+	testRestore(t, ProtocolIPv6)
 }
 
 // TestRestoreAll tests only the simplest use case, as flag handling code is already tested in TestRestore
@@ -944,7 +932,7 @@ func TestRestoreAll(t *testing.T) {
 			func(cmd string, args ...string) exec.Cmd { return fakeexec.InitFakeCmd(&fcmd, cmd, args...) },
 		},
 	}
-	runner := newInternal(&fexec, ProtocolIpv4, TestLockfilePath)
+	runner := newInternal(&fexec, ProtocolIPv4, TestLockfilePath)
 	defer os.Remove(TestLockfilePath)
 
 	err := runner.RestoreAll([]byte{}, NoFlushTables, RestoreCounters)
@@ -985,7 +973,7 @@ func TestRestoreAllWait(t *testing.T) {
 			func(cmd string, args ...string) exec.Cmd { return fakeexec.InitFakeCmd(&fcmd, cmd, args...) },
 		},
 	}
-	runner := newInternal(&fexec, ProtocolIpv4, TestLockfilePath)
+	runner := newInternal(&fexec, ProtocolIPv4, TestLockfilePath)
 	defer os.Remove(TestLockfilePath)
 
 	err := runner.RestoreAll([]byte{}, NoFlushTables, RestoreCounters)
@@ -1030,7 +1018,7 @@ func TestRestoreAllWaitOldIptablesRestore(t *testing.T) {
 			func(cmd string, args ...string) exec.Cmd { return fakeexec.InitFakeCmd(&fcmd, cmd, args...) },
 		},
 	}
-	runner := newInternal(&fexec, ProtocolIpv4, TestLockfilePath)
+	runner := newInternal(&fexec, ProtocolIPv4, TestLockfilePath)
 	defer os.Remove(TestLockfilePath)
 
 	err := runner.RestoreAll([]byte{}, NoFlushTables, RestoreCounters)
@@ -1076,7 +1064,7 @@ func TestRestoreAllGrabNewLock(t *testing.T) {
 		},
 	}
 
-	runner := newInternal(&fexec, ProtocolIpv4, TestLockfilePath)
+	runner := newInternal(&fexec, ProtocolIPv4, TestLockfilePath)
 	defer os.Remove(TestLockfilePath)
 
 	// Grab the /run lock and ensure the RestoreAll fails
@@ -1118,7 +1106,7 @@ func TestRestoreAllGrabOldLock(t *testing.T) {
 		},
 	}
 
-	runner := newInternal(&fexec, ProtocolIpv4, TestLockfilePath)
+	runner := newInternal(&fexec, ProtocolIPv4, TestLockfilePath)
 	defer os.Remove(TestLockfilePath)
 
 	// Grab the abstract @xtables socket
@@ -1158,7 +1146,7 @@ func TestRestoreAllWaitBackportedIptablesRestore(t *testing.T) {
 			func(cmd string, args ...string) exec.Cmd { return fakeexec.InitFakeCmd(&fcmd, cmd, args...) },
 		},
 	}
-	runner := newInternal(&fexec, ProtocolIpv4, TestLockfilePath)
+	runner := newInternal(&fexec, ProtocolIPv4, TestLockfilePath)
 	defer os.Remove(TestLockfilePath)
 
 	err := runner.RestoreAll([]byte{}, NoFlushTables, RestoreCounters)

pkg/util/iptables/monitor_test.go

@@ -180,7 +180,7 @@ func (mfc *monitorFakeCmd) Stop() {
 
 func TestIPTablesMonitor(t *testing.T) {
 	mfe := newMonitorFakeExec()
-	ipt := New(mfe, ProtocolIpv4)
+	ipt := New(mfe, ProtocolIPv4)
 
 	var reloads uint32
 	stopCh := make(chan struct{})

pkg/util/iptables/testing/fake.go

@@ -57,17 +57,17 @@ type Rule map[string]string
 type FakeIPTables struct {
 	hasRandomFully bool
 	Lines          []byte
-	ipv6           bool
+	protocol       iptables.Protocol
 }
 
 // NewFake returns a no-op iptables.Interface
 func NewFake() *FakeIPTables {
-	return &FakeIPTables{}
+	return &FakeIPTables{protocol: iptables.ProtocolIPv4}
 }
 
-// NewIpv6Fake returns a no-op iptables.Interface with IsIPv6() == true
+// NewIPv6Fake returns a no-op iptables.Interface with IsIPv6() == true
-func NewIpv6Fake() *FakeIPTables {
+func NewIPv6Fake() *FakeIPTables {
-	return &FakeIPTables{ipv6: true}
+	return &FakeIPTables{protocol: iptables.ProtocolIPv6}
 }
 
 // SetHasRandomFully is part of iptables.Interface
@@ -101,9 +101,14 @@ func (*FakeIPTables) DeleteRule(table iptables.Table, chain iptables.Chain, args
 	return nil
 }
 
-// IsIpv6 is part of iptables.Interface
+// IsIPv6 is part of iptables.Interface
-func (f *FakeIPTables) IsIpv6() bool {
+func (f *FakeIPTables) IsIPv6() bool {
-	return f.ipv6
+	return f.protocol == iptables.ProtocolIPv6
+}
+
+// Protocol is part of iptables.Interface
+func (f *FakeIPTables) Protocol() iptables.Protocol {
+	return f.protocol
 }
 
 // Save is part of iptables.Interface