Fix Forward chain default reject policy for IPVS proxier #62007
Conversation
/cc @Lion-Wei
Force-pushed c8a516f to 697e48b
Added some comments. Does this need unit tests?
pkg/proxy/ipvs/proxier.go
@@ -556,7 +560,7 @@ func cleanupIptablesLeftovers(ipt utiliptables.Interface) (encounteredError bool | |||
for _, tc := range tableChainsWithJumpService { | |||
if err := ipt.DeleteRule(tc.table, tc.chain, args...); err != nil { | |||
if !utiliptables.IsNotFoundError(err) { | |||
glog.Errorf("Error removing pure-iptables proxy rule: %v", err) | |||
glog.Errorf("Error removing ipvs Proxier iptables rule: %v", err) |
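Review bot: the log message on the changed line is identical for every entry in tableChainsWithJumpService, so an operator reading the log cannot tell which jump rule failed to be removed; include tc.table and tc.chain in the message, e.g. glog.Errorf("Error removing iptables rule in ipvs proxier from %s/%s: %v", tc.table, tc.chain, err). The same applies wherever this message is repeated in the file.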
Nit: "Error removing iptables rule in ipvs proxier" sounds a little better. You can make this change in multiple places.
Sounds fair, it's fixed now.
pkg/proxy/ipvs/proxier.go
} | ||
} | ||
|
||
// Flush and remove all of our chains "-t nat" chains. |
Nit: Flush and remove all our "-t nat" chains.
Fixed.
pkg/proxy/ipvs/proxier.go
@@ -589,6 +605,22 @@ func cleanupIptablesLeftovers(ipt utiliptables.Interface) (encounteredError bool | |||
} | |||
} | |||
} | |||
// Flush and remove all of our chains "-t filter" chains. |
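Review bot: the comment opening this addition to cleanupIptablesLeftovers promises to flush and remove the "-t filter" chains, but a chain can only be deleted after the jump to it from FORWARD has been removed (iptables refuses to delete a chain that is still referenced); make sure that jump is covered by the tableChainsWithJumpService loop earlier in the function or is removed explicitly here, and that a failure to delete the chain is reflected in the encounteredError return value, otherwise a stale forward chain survives cleanup without any indication.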
Nit: Flush and remove all our "-t filter" chains.
Done.
@@ -1294,7 +1342,42 @@ func (proxier *Proxier) syncProxyRules() { | |||
writeLine(proxier.natRules, append(args, "-j", string(KubeMarkMasqChain))...) | |||
} | |||
|
|||
// If the masqueradeMark has been added then we want to forward that same | |||
// traffic, this allows NodePort traffic to be forwarded even if the default | |||
// FORWARD policy is not accept. |
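Review bot: the three-line comment ending this hunk runs two sentences together ("forward that same traffic, this allows ...") and does not say where the mark is checked; split the sentences and name the mark match and the chain the ACCEPT rule is written into, so the comment can be verified against the rule that follows. It should also state that the mark-based ACCEPT only helps when FORWARD jumps to that chain before the default policy applies, which the lines this hunk adds to syncProxyRules need to guarantee.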
Can you add a period after "that same traffic"?
|
||
// The following rules can only be set if clusterCIDR has been defined. | ||
if len(proxier.clusterCIDR) != 0 { | ||
// The following two rules ensure the traffic after the initial packet |
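Review bot: the guard if len(proxier.clusterCIDR) != 0 means that when kube-proxy runs without a cluster CIDR only the mark-based ACCEPT is installed and the traffic after the initial packet of an accepted NodePort connection is not covered by these two rules, so the reported failure under a DROP policy is only partly addressed in that configuration; state this limitation in the comment and in the release note (currently empty), and consider whether the two follow-up-traffic rules could be written without the CIDR restriction when none is configured.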
"...after the initial packet is accepted... will be accepted. Specifically, the traffic must be sourced or destined to the clusterCIDR..."
Force-pushed 697e48b to 36ffb7c
pkg/proxy/ipvs/proxier.go
} | ||
} | ||
// Flush and remove all of our "-t filter" chains. | ||
for _, chain := range []utiliptables.Chain{KubeForwardChain} { |
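Review bot: the for loop on the last line ranges over a one-element literal slice holding only KubeForwardChain, which reads as a leftover from a longer list; either operate on KubeForwardChain directly or, if more filter-table chains are expected later, move the list to a named package-level variable beside the "-t nat" chain list so the two cleanup paths look alike.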
This for seems weird?
Nice catch! It's fixed now. PTAL. Thanks!
Force-pushed 36ffb7c to 00430b4
/retest
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: Lion-Wei, m1093782566
/test all [submit-queue is verifying that this PR is safe to merge]
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions here.
What this PR does / why we need it:
Testing with the IPVS mode proxier on a host with iptables FORWARD policy = DROP, as configured by docker in recent versions, I found that traffic to NodePorts failed when the NodePort forwarded the traffic to another node.
Saw the iptables FORWARD=DROP counter increasing with each packet.
IPVS mode should whitelist such traffic in a similar way to the iptables mode:
PR implementing the fix for iptables mode: #52569
Which issue(s) this PR fixes:
Fixes #59656
Special notes for your reviewer:
Release note:
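Added example, not code from this PR or from kube-proxy: it renders the filter-table rule set the description calls for (a forward chain reached from FORWARD, an ACCEPT for packets carrying the masquerade mark, and follow-up-traffic rules scoped to the cluster CIDR) as an iptables-restore fragment, and omits the CIDR-scoped rules when no cluster CIDR is configured, the edge case raised in review. The chain name string, the comment text and the exact rule wording are assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// forwardChain is an assumed string value for the chain the PR calls
// KubeForwardChain; it is not taken from the project's source.
const forwardChain = "KUBE-FORWARD"

// ForwardRules builds the filter-table rules that keep NodePort traffic
// flowing when the host's FORWARD policy is DROP. mark is the masquerade
// mark with mask, e.g. "0x4000/0x4000"; clusterCIDR may be empty, in which
// case only the mark-based ACCEPT is emitted (the follow-up traffic rules
// need a CIDR to scope their source/destination match).
func ForwardRules(mark, clusterCIDR string) []string {
	rules := []string{
		// Declare the chain and jump to it from FORWARD so the rules below are
		// evaluated before the chain's default policy is applied.
		fmt.Sprintf(":%s - [0:0]", forwardChain),
		fmt.Sprintf("-A FORWARD -m comment --comment \"kubernetes forwarding rules\" -j %s", forwardChain),
		// Accept anything the nat rules already marked for masquerading.
		fmt.Sprintf("-A %s -m comment --comment \"kubernetes forwarding rules\" -m mark --mark %s -j ACCEPT", forwardChain, mark),
	}
	if clusterCIDR != "" {
		// Accept the rest of a connection whose first packet was accepted,
		// limited to traffic sourced from or destined to the cluster CIDR.
		rules = append(rules,
			fmt.Sprintf("-A %s -s %s -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT", forwardChain, clusterCIDR),
			fmt.Sprintf("-A %s -d %s -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT", forwardChain, clusterCIDR),
		)
	}
	return rules
}

// Restore wraps the rules in a filter-table block as iptables-restore expects it.
func Restore(rules []string) string {
	return "*filter\n" + strings.Join(rules, "\n") + "\nCOMMIT\n"
}

func main() {
	// Constructed sample values: a typical masquerade mark and pod CIDR.
	fmt.Print(Restore(ForwardRules("0x4000/0x4000", "10.244.0.0/16")))
}
```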