cilium · tklauser · Oct 14, 2020 · Oct 2, 2020 · Oct 8, 2020
diff --git a/AUTHORS b/AUTHORS
@@ -107,6 +107,7 @@ Juan Jimenez-Anca                       cortopy@users.noreply.github.com
 Julien Balestra                         julien.balestra@datadoghq.com
 Julien Kassar                           github@kassisol.com
 Junli Ou                                oujunli306@gmail.com
+Karl Heins                              karlheins@northwesternmutual.com
 Katarzyna Borkmann                      kasia@iogearbox.net
 Kevin Burke                             kevin@burke.dev
 Kiran Bondalapati                       kiran@bondalapati.com

diff --git a/Documentation/cmdref/cilium-agent.md b/Documentation/cmdref/cilium-agent.md
diff --git a/daemon/cmd/daemon_main.go b/daemon/cmd/daemon_main.go
@@ -613,6 +613,9 @@ func init() {
 	flags.Duration(option.IPTablesLockTimeout, 5*time.Second, "Time to pass to each iptables invocation to wait for xtables lock acquisition")
 	option.BindEnv(option.IPTablesLockTimeout)
 
+	flags.Bool(option.IPTablesRandomFully, false, "Set iptables flag random-fully on masquerading rules")
+	option.BindEnv(option.IPTablesRandomFully)
+
 	flags.Int(option.MaxCtrlIntervalName, 0, "Maximum interval (in seconds) between controller runs. Zero is no limit.")
 	flags.MarkHidden(option.MaxCtrlIntervalName)
 	option.BindEnv(option.MaxCtrlIntervalName)

diff --git a/install/kubernetes/cilium/templates/cilium-configmap.yaml b/install/kubernetes/cilium/templates/cilium-configmap.yaml
@@ -404,6 +404,10 @@ data:
   enable-xt-socket-fallback: {{ .Values.enableXTSocketFallback | quote }}
   install-iptables-rules: {{ .Values.installIptablesRules | quote }}
 
+{{- if hasKey .Values "ipTablesRandomFully" }}
+  iptables-random-fully: {{ .Values.ipTablesRandomFully | quote }}
+{{- end }}
+
 {{- if hasKey .Values "iptablesLockTimeout" }}
   iptables-lock-timeout: {{ .Values.iptablesLockTimeout | quote }}
 {{- end }}

diff --git a/pkg/datapath/iptables/iptables.go b/pkg/datapath/iptables/iptables.go
@@ -946,26 +946,34 @@ func (m *IptablesManager) InstallRules(ifName string) error {
 			// * Non-tunnel mode:
 			//   * May not be targeted to an IP in the cluster range
 			if option.Config.EgressMasqueradeInterfaces != "" {
-				if err := runProg("iptables", append(
+				progArgs := append(
 					m.waitArgs,
 					"-t", "nat",
 					"-A", ciliumPostNatChain,
 					"!", "-d", datapath.RemoteSNATDstAddrExclusionCIDR().String(),
 					"-o", option.Config.EgressMasqueradeInterfaces,
 					"-m", "comment", "--comment", "cilium masquerade non-cluster",
-					"-j", "MASQUERADE"), false); err != nil {
+					"-j", "MASQUERADE")
+				if option.Config.IPTablesRandomFully {
+					progArgs = append(progArgs, "--random-fully")
+				}
+				if err := runProg("iptables", progArgs, false); err != nil {
 					return err
 				}
 			} else {
-				if err := runProg("iptables", append(
+				progArgs := append(
 					m.waitArgs,
 					"-t", "nat",
 					"-A", ciliumPostNatChain,
 					"-s", node.GetIPv4AllocRange().String(),
 					"!", "-d", datapath.RemoteSNATDstAddrExclusionCIDR().String(),
 					"!", "-o", "cilium_+",
 					"-m", "comment", "--comment", "cilium masquerade non-cluster",
-					"-j", "MASQUERADE"), false); err != nil {
+					"-j", "MASQUERADE")
+				if option.Config.IPTablesRandomFully {
+					progArgs = append(progArgs, "--random-fully")
+				}
+				if err := runProg("iptables", progArgs, false); err != nil {
 					return err
 				}
 			}

diff --git a/pkg/option/config.go b/pkg/option/config.go
@@ -320,6 +320,9 @@ const (
 
 	IPTablesLockTimeout = "iptables-lock-timeout"
 
+	// IPTablesRandomFully sets iptables flag random-fully on masquerading rules
+	IPTablesRandomFully = "iptables-random-fully"
+
 	// IPv6NodeAddr is the IPv6 address of node
 	IPv6NodeAddr = "ipv6-node"
 
@@ -1080,6 +1083,7 @@ var HelpFlagSections = []FlagsSection{
 			DisableIptablesFeederRules,
 			InstallIptRules,
 			IPTablesLockTimeout,
+			IPTablesRandomFully,
 		},
 	},
 	{
@@ -1514,6 +1518,10 @@ type DaemonConfig struct {
 	// iptables CLI is directly invoked from the Cilium agent.
 	IPTablesLockTimeout time.Duration
 
+	// IPTablesRandomFully defines the "--random-fully" iptables option when the
+	// iptables CLI is directly invoked from the Cilium agent.
+	IPTablesRandomFully bool
+
 	// K8sNamespace is the name of the namespace in which Cilium is
 	// deployed in when running in Kubernetes mode
 	K8sNamespace string
@@ -2490,6 +2498,7 @@ func (c *DaemonConfig) Populate() {
 	c.IPMasqAgentConfigPath = viper.GetString(IPMasqAgentConfigPath)
 	c.InstallIptRules = viper.GetBool(InstallIptRules)
 	c.IPTablesLockTimeout = viper.GetDuration(IPTablesLockTimeout)
+	c.IPTablesRandomFully = viper.GetBool(IPTablesRandomFully)
 	c.IPSecKeyFile = viper.GetString(IPSecKeyFileName)
 	c.ModePreFilter = viper.GetString(PrefilterMode)
 	c.EnableMonitor = viper.GetBool(EnableMonitorName)

diff --git a/test/k8sT/DatapathConfiguration.go b/test/k8sT/DatapathConfiguration.go
@@ -267,6 +267,18 @@ var _ = Describe("K8sDatapathConfig", func() {
 					Should(BeTrue(), "Connectivity test to http://google.com failed")
 			}
 		})
+
+		It("Check iptables masquerading with random-fully", func() {
+			deploymentManager.DeployCilium(map[string]string{
+				"bpf.masquerade":      "false",
+				"ipTablesRandomFully": "true",
+			}, DeployCiliumOptionsAndDNS)
+			Expect(testPodConnectivityAcrossNodes(kubectl)).Should(BeTrue(), "Connectivity test between nodes failed")
+
+			By("Test iptables masquerading")
+			Expect(testPodHTTPToOutside(kubectl, "http://google.com", false, false)).
+				Should(BeTrue(), "Connectivity test to http://google.com failed")
+		})
 	})
 
 	Context("DirectRouting", func() {