
Fix Forward chain default reject policy for IPVS proxier #62007

Merged
merged 1 commit into from Apr 16, 2018

Conversation

@m1093782566
Member

m1093782566 commented Apr 2, 2018

What this PR does / why we need it:

Testing with the IPVS mode proxier on a host with iptables FORWARD policy = DROP, as configured by docker in recent versions, I found that traffic to NodePorts failed when the NodePort forwarded the traffic to another node.

Saw the iptables FORWARD=DROP counter increasing with each packet.

IPVS mode should whitelist such traffic in a similar way to the iptables mode:

PR implementing the fix for iptables mode: #52569

Which issue(s) this PR fixes:
Fixes #59656

Special notes for your reviewer:

Release note:

Fix Forward chain default reject policy for IPVS proxier
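The condition the description reports, as an added diagnostic that is not part of this PR or of kube-proxy: given `iptables-save` output, report whether the host's filter-table FORWARD policy is DROP and whether a KUBE-FORWARD chain already accepts packets carrying kube-proxy's masquerade mark (assumed here to be the default 0x4000/0x4000, i.e. masquerade bit 14). The dumps embedded in the script are constructed for the demo, not captured from a node.

```shell
#!/bin/sh
# Added example (not part of this PR or of kube-proxy): audit an iptables-save
# dump for the failure mode described above, i.e. a filter-table FORWARD policy
# of DROP (docker's default on recent versions) with no KUBE-FORWARD chain
# accepting kube-proxy's masquerade-marked traffic.
# Assumption: kube-proxy's default masquerade bit 14, i.e. mark 0x4000/0x4000.

# forward_audit: reads iptables-save output on stdin and prints one verdict:
#   no-filter-table  no *filter table in the dump
#   ok               FORWARD policy is not DROP, nothing needs whitelisting
#   ok-whitelisted   FORWARD is DROP, FORWARD jumps to KUBE-FORWARD, and
#                    KUBE-FORWARD accepts packets marked 0x4000/0x4000
#   at-risk          FORWARD is DROP and no such whitelist exists: NodePort
#                    traffic forwarded to another node hits the DROP policy
forward_audit() {
    awk '
        /^\*/ { table = substr($1, 2); next }        # "*filter", "*nat", ...
        table != "filter" { next }                   # only the filter table matters
        /^:FORWARD / { policy = $2; next }           # ":FORWARD DROP [0:0]"
        $1 == "-A" && $2 == "FORWARD" && / -j KUBE-FORWARD$/ { jump = 1 }
        $1 == "-A" && $2 == "KUBE-FORWARD" && / -m mark --mark 0x4000\/0x4000 / && / -j ACCEPT$/ { markaccept = 1 }
        END {
            if (policy == "")       { print "no-filter-table"; exit }
            if (policy != "DROP")   { print "ok"; exit }
            if (jump && markaccept) { print "ok-whitelisted"; exit }
            print "at-risk"
        }'
}

# Constructed dump: docker-style FORWARD DROP, masquerade mark set in nat,
# but nothing in the filter table lets the marked traffic through.
sample_drop_no_whitelist() {
cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:KUBE-MARK-MASQ - [0:0]
-A KUBE-MARK-MASQ -j MARK --set-xmark 0x4000/0x4000
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER-USER - [0:0]
-A FORWARD -j DOCKER-USER
COMMIT
EOF
}

# Constructed dump: same DROP policy, but a KUBE-FORWARD chain accepts the
# marked traffic, which is what the fix in this PR installs.
sample_drop_whitelisted() {
cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:KUBE-FORWARD - [0:0]
-A FORWARD -m comment --comment "kubernetes forwarding rules" -j KUBE-FORWARD
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT
COMMIT
EOF
}

# Constructed dump: permissive FORWARD policy, nothing to whitelist.
sample_accept() {
cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
EOF
}

# On a real node (as root): iptables-save | forward_audit
# Stand-alone demo over the constructed dumps:
for s in sample_drop_no_whitelist sample_drop_whitelisted sample_accept; do
    printf '%-26s %s\n' "$s" "$($s | forward_audit)"
done
```

The check is deliberately conservative: it reports `ok-whitelisted` only when both the jump from FORWARD and the mark-based ACCEPT are present, because either one alone leaves the DROP policy in effect for the forwarded NodePort packets the description saw being counted against it.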
@m1093782566


Member

m1093782566 commented Apr 2, 2018

/cc @Lion-Wei

@k8s-ci-robot k8s-ci-robot requested a review from Lion-Wei Apr 2, 2018

@m1093782566 m1093782566 changed the title from [WIP] Fix Forward chain default reject policy for IPVS proxier to Fix Forward chain default reject policy for IPVS proxier Apr 2, 2018

@rramkumar1

Added some comments. Does this need unit tests?

@@ -556,7 +560,7 @@ func cleanupIptablesLeftovers(ipt utiliptables.Interface) (encounteredError bool
for _, tc := range tableChainsWithJumpService {
if err := ipt.DeleteRule(tc.table, tc.chain, args...); err != nil {
if !utiliptables.IsNotFoundError(err) {
glog.Errorf("Error removing pure-iptables proxy rule: %v", err)
glog.Errorf("Error removing ipvs Proxier iptables rule: %v", err)


@rramkumar1

rramkumar1 Apr 2, 2018

Member

Nit: "Error removing iptables rule in ipvs proxier" sounds a little better. You can make this change in multiple places.


@m1093782566

m1093782566 Apr 12, 2018

Member

Sounds fair, it's fixed now.

}
}
// Flush and remove all of our chains "-t nat" chains.
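Review bot: the branch that logs `glog.Errorf("Error removing ipvs Proxier iptables rule: %v", err)` handles a DeleteRule failure that is not a not-found error, but these lines do not show the function's named return `encounteredError` being set there; confirm it is set in that branch so callers learn that cleanup left rules in place, and use the same wording as the other sites changed in this PR ("Error removing iptables rule in ipvs proxier") so the messages can be grepped consistently.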


@rramkumar1

rramkumar1 Apr 2, 2018

Member

Nit: Flush and remove all our "-t nat" chains.


@m1093782566
@@ -589,6 +605,22 @@ func cleanupIptablesLeftovers(ipt utiliptables.Interface) (encounteredError bool
}
}
}
// Flush and remove all of our chains "-t filter" chains.
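Review bot: the comment `// Flush and remove all of our chains "-t filter" chains.` repeats "chains"; suggest `// Flush and remove all of our "-t filter" chains.` and, since filter-table cleanup is new behaviour for the IPVS proxier, naming the chain involved (KubeForwardChain, going by the later revision shown below) so an operator auditing a proxier switch knows which FORWARD-chain rules are removed.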


@rramkumar1

rramkumar1 Apr 2, 2018

Member

Nit: Flush and remove all our "-t filter" chains.


@m1093782566
@@ -1294,7 +1342,42 @@ func (proxier *Proxier) syncProxyRules() {
writeLine(proxier.natRules, append(args, "-j", string(KubeMarkMasqChain))...)
}
// If the masqueradeMark has been added then we want to forward that same
// traffic, this allows NodePort traffic to be forwarded even if the default
// FORWARD policy is not accept.


@rramkumar1

rramkumar1 Apr 2, 2018

Member

Can you add a period after "that same traffic"?

// The following rules can only be set if clusterCIDR has been defined.
if len(proxier.clusterCIDR) != 0 {
// The following two rules ensure the traffic after the initial packet
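Review bot: the guard `if len(proxier.clusterCIDR) != 0 {` means the two follow-up rules for traffic after the initial packet are installed only when a cluster CIDR is configured; the comment block should state that without `--cluster-cidr` the mark-based accept is the only FORWARD exemption kube-proxy adds, so an operator running with a DROP default policy knows whether later packets of a connection are covered. Also, the sentence at `// If the masqueradeMark has been added then we want to forward that same` needs a period after "traffic".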


@rramkumar1

rramkumar1 Apr 2, 2018

Member

"...after the initial packet is accepted... will be accepted. Specifically, the traffic must be sourced or destined to the clusterCIDR..."

}
}
// Flush and remove all of our "-t filter" chains.
for _, chain := range []utiliptables.Chain{KubeForwardChain} {
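Review bot: `for _, chain := range []utiliptables.Chain{KubeForwardChain} {` iterates a one-element slice literal; either flush and remove KubeForwardChain directly, or, if more filter-table chains are expected, keep the list in a package-level variable alongside the nat-table chain list so the two cleanups stay in sync. The comment above it also says "-t filter" chains (plural) while only one chain is listed.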


@Lion-Wei

Lion-Wei Apr 12, 2018

Contributor

This for seems weird?


@m1093782566

m1093782566 Apr 12, 2018

Member

Nice catch! It's fixed now. PTAL. Thanks!

@m1093782566


Member

m1093782566 commented Apr 12, 2018

/retest

@Lion-Wei


Contributor

Lion-Wei commented Apr 16, 2018

/lgtm

@k8s-ci-robot


Contributor

k8s-ci-robot commented Apr 16, 2018

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Lion-Wei, m1093782566

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-merge-robot


Contributor

k8s-merge-robot commented Apr 16, 2018

/test all [submit-queue is verifying that this PR is safe to merge]

@k8s-merge-robot


Contributor

k8s-merge-robot commented Apr 16, 2018

Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions here.

@k8s-merge-robot k8s-merge-robot merged commit 2ef566d into kubernetes:master Apr 16, 2018

14 of 15 checks passed

Submit Queue (required): GitHub CI test is not green: pull-kubernetes-e2e-gce
cla/linuxfoundation: m1093782566 authorized
pull-kubernetes-bazel-build: Job succeeded.
pull-kubernetes-bazel-test: Job succeeded.
pull-kubernetes-cross: Skipped
pull-kubernetes-e2e-gce: Job succeeded.
pull-kubernetes-e2e-gce-device-plugin-gpu: Job succeeded.
pull-kubernetes-e2e-gke: Skipped
pull-kubernetes-e2e-kops-aws: Job succeeded.
pull-kubernetes-integration: Job succeeded.
pull-kubernetes-kubemark-e2e-gce: Job succeeded.
pull-kubernetes-local-e2e: Skipped
pull-kubernetes-node-e2e: Job succeeded.
pull-kubernetes-typecheck: Job succeeded.
pull-kubernetes-verify: Job succeeded.