Fix Forward chain default reject policy for IPVS proxier #62007
Conversation
k8s-ci-robot
added
release-note
|
/cc @Lion-Wei |
m1093782566
force-pushed
the
kube-forward
branch
from
c8a516f
to
697e48b
Compare
m1093782566
changed the title
k8s-ci-robot
removed
the
do-not-merge/work-in-progress
pkg/proxy/ipvs/proxier.go
Outdated
| @@ -556,7 +560,7 @@ func cleanupIptablesLeftovers(ipt utiliptables.Interface) (encounteredError bool | |||
| for _, tc := range tableChainsWithJumpService { | |||
| if err := ipt.DeleteRule(tc.table, tc.chain, args...); err != nil { | |||
| if !utiliptables.IsNotFoundError(err) { | |||
| glog.Errorf("Error removing pure-iptables proxy rule: %v", err) | |||
| glog.Errorf("Error removing ipvs Proxier iptables rule: %v", err) | |||
There was a problem hiding this comment.
Nit: "Error removing iptables rule in ipvs proxier" sounds a little better. You can make this change in multiple places.
There was a problem hiding this comment.
Sounds fair, it's fixed now.
pkg/proxy/ipvs/proxier.go
Outdated
| } | ||
| } | ||
|
|
||
| // Flush and remove all of our chains "-t nat" chains. |
There was a problem hiding this comment.
Nit: Flush and remove all our "-t nat" chains.
pkg/proxy/ipvs/proxier.go
Outdated
| @@ -589,6 +605,22 @@ func cleanupIptablesLeftovers(ipt utiliptables.Interface) (encounteredError bool | |||
| } | |||
| } | |||
| } | |||
| // Flush and remove all of our chains "-t filter" chains. | |||
There was a problem hiding this comment.
Nit: Flush and remove all our "-t filter" chains.
| @@ -1294,7 +1342,42 @@ func (proxier *Proxier) syncProxyRules() { | |||
| writeLine(proxier.natRules, append(args, "-j", string(KubeMarkMasqChain))...) | |||
| } | |||
|
|
|||
| // If the masqueradeMark has been added then we want to forward that same | |||
| // traffic, this allows NodePort traffic to be forwarded even if the default | |||
| // FORWARD policy is not accept. | |||
There was a problem hiding this comment.
Can you add a period after "that same traffic"?
|
|
||
| // The following rules can only be set if clusterCIDR has been defined. | ||
| if len(proxier.clusterCIDR) != 0 { | ||
| // The following two rules ensure the traffic after the initial packet |
There was a problem hiding this comment.
"...after the initial packet is accepted... will be accepted. Specifically, the traffic must be sourced or destined to the clusterCIDR..."
k8s-ci-robot
added
the
needs-rebase
m1093782566
force-pushed
the
kube-forward
branch
from
697e48b
to
36ffb7c
Compare
k8s-ci-robot
removed
the
needs-rebase
pkg/proxy/ipvs/proxier.go
Outdated
| } | ||
| } | ||
| // Flush and remove all of our "-t filter" chains. | ||
| for _, chain := range []utiliptables.Chain{KubeForwardChain} { |
There was a problem hiding this comment.
Nice catch! It's fixed now. PTAL. Thanks!
m1093782566
force-pushed
the
kube-forward
branch
from
36ffb7c
to
00430b4
Compare
|
/retest |
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: Lion-Wei, m1093782566 The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
/test all [submit-queue is verifying that this PR is safe to merge] |
|
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions here. |
What this PR does / why we need it:
Testing with the IPVS mode proxier on a host with iptables FORWARD policy = DROP, as configured by docker in recent versions, I found that traffic to NodePorts failed when the NodePort forwarded the traffic to another node.
Saw the iptables FORWARD=DROP counter increasing with each packet.
IPVS mode should whitelist such traffic in a similar way to the iptables mode:
PR implementing the fix for iptables mode: #52569
Which issue(s) this PR fixes:
Fixes #59656
Special notes for your reviewer:
Release note: