From f65fbc877b6dc9f85f5fd52de1fa966abfff7365 Mon Sep 17 00:00:00 2001
From: Dan Winship
Date: Sat, 9 Jul 2022 11:47:21 -0400
Subject: [PATCH] proxy/iptables: remove last references to KUBE-MARK-DROP
---
 pkg/proxy/iptables/proxier.go | 18 ------------------
 pkg/proxy/iptables/proxier_test.go | 14 +-------------
 2 files changed, 1 insertion(+), 31 deletions(-)
diff --git a/pkg/proxy/iptables/proxier.go b/pkg/proxy/iptables/proxier.go
index 9104c61435b..a5c9f695639 100644
--- a/pkg/proxy/iptables/proxier.go
+++ b/pkg/proxy/iptables/proxier.go
@@ -70,9 +70,6 @@ const (
 // kubeMarkMasqChain is the mark-for-masquerade chain
 kubeMarkMasqChain utiliptables.Chain = "KUBE-MARK-MASQ"
 
- // kubeMarkDropChain is the mark-for-drop chain
- kubeMarkDropChain utiliptables.Chain = "KUBE-MARK-DROP"
-
 // the kubernetes forward chain
 kubeForwardChain utiliptables.Chain = "KUBE-FORWARD"
 
@@ -397,13 +394,6 @@ var iptablesJumpChains = []iptablesJumpChain{
 {utiliptables.TableNAT, kubePostroutingChain, utiliptables.ChainPostrouting, "kubernetes postrouting rules", nil},
 }
 
-var iptablesEnsureChains = []struct {
- table utiliptables.Table
- chain utiliptables.Chain
-}{
- {utiliptables.TableNAT, kubeMarkDropChain},
-}
-
 var iptablesCleanupOnlyChains = []iptablesJumpChain{
 // Present in kube 1.13 - 1.19. Removed by #95252 in favor of adding reject rules for incoming/forwarding packets to kubeExternalServicesChain
 {utiliptables.TableFilter, kubeServicesChain, utiliptables.ChainInput, "kubernetes service portals", []string{"-m", "conntrack", "--ctstate", "NEW"}},
@@ -883,14 +873,6 @@ func (proxier *Proxier) syncProxyRules() {
 }
 }
 
- // ensure KUBE-MARK-DROP chain exist but do not change any rules
- for _, ch := range iptablesEnsureChains {
- if _, err := proxier.iptables.EnsureChain(ch.table, ch.chain); err != nil {
- klog.ErrorS(err, "Failed to ensure chain exists", "table", ch.table, "chain", ch.chain)
- return
- }
- }
-
 //
 // Below this point we will not return until we try to write the iptables rules.
 //
diff --git a/pkg/proxy/iptables/proxier_test.go b/pkg/proxy/iptables/proxier_test.go
index f55207d1338..73aae014a06 100644
--- a/pkg/proxy/iptables/proxier_test.go
+++ b/pkg/proxy/iptables/proxier_test.go
@@ -736,7 +736,6 @@ func checkIPTablesRuleJumps(ruleData string) error {
 // Ignore jumps to chains that we expect to exist even if kube-proxy
 // didn't create them itself.
 jumpedChains.Delete("ACCEPT", "REJECT", "DROP", "MARK", "RETURN", "DNAT", "SNAT", "MASQUERADE")
- jumpedChains.Delete(string(kubeMarkDropChain))
 
 // Find cases where we have "-A FOO ... -j BAR" but no ":BAR", meaning
 // that we are jumping to a chain that was not created.
@@ -1436,10 +1435,8 @@ type iptablesTracer struct {
 // the return value of tracePacket.
 outputs []string
 
- // markMasq and markDrop track whether the packet has been marked for masquerading
- // or dropping.
+ // markMasq tracks whether the packet has been marked for masquerading
 markMasq bool
- markDrop bool
 }
 
 // newIPTablesTracer creates an iptablesTracer. nodeIP is the IP to treat as the local
@@ -1525,10 +1522,6 @@ func (tracer *iptablesTracer) runChain(table utiliptables.Table, chain utiliptab
 tracer.markMasq = true
 continue
 
- case "KUBE-MARK-DROP":
- tracer.markDrop = true
- continue
-
 case "ACCEPT", "REJECT", "DROP":
 // (only valid in filter)
 tracer.outputs = append(tracer.outputs, rule.Jump.Value)
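Review bot: The rewritten field comment in the iptablesTracer hunk drops the terminating period that the neighbouring context comment `// the return value of tracePacket.` keeps, so the struct's field documentation is now inconsistent with itself; suggest `// markMasq tracks whether the packet has been marked for masquerading.` With markDrop gone this comment is also the only place that records which marks the tracer can model, so a reader may want it to say that masquerade is the only mark simulated — that is inferred from the removed case in runChain, not stated on the page. The iptablesTracer struct definition starts outside the hunk.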
@@ -1580,11 +1573,6 @@ func tracePacket(t *testing.T, ipt *iptablestest.FakeIPTables, sourceIP, destIP,
 // inbound, outbound, or intra-host packet, which we don't know. So we just run
 // the interesting tables manually. (Theoretically this could cause conflicts in
 // the future in which case we'd have to do something more complicated.)
-
- // The DROP rule is created by kubelet, not us, so we have to simulate that manually.
- if tracer.markDrop {
- return tracer.matches, "DROP", false
- }
 tracer.runChain(utiliptables.TableFilter, kubeServicesChain, sourceIP, destIP, destPort)
 tracer.runChain(utiliptables.TableFilter, kubeExternalServicesChain, sourceIP, destIP, destPort)
 tracer.runChain(utiliptables.TableFilter, kubeNodePortsChain, sourceIP, destIP, destPort)