test for and set bridge-nf-call-iptables sysctl

2015-08-14 22:36:11 -07:00 · 2015-08-14 22:36:11 -07:00 · 3a5c23d727
parent 9cf33772b4
commit 3a5c23d727
2 changed files with 17 additions and 6 deletions
--- a/cmd/kube-proxy/app/server.go
+++ b/cmd/kube-proxy/app/server.go
@ -159,7 +159,8 @@ func (s *ProxyServer) Run(_ []string) error {
 	if !s.ForceUserspaceProxy && shouldUseIptables {
 		glog.V(2).Info("Using iptables Proxier.")

-		proxierIptables, err := iptables.NewProxier(utiliptables.New(exec.New(), protocol), s.SyncPeriod)
+		execer := exec.New()
+		proxierIptables, err := iptables.NewProxier(utiliptables.New(execer, protocol), execer, s.SyncPeriod)
 		if err != nil {
 			glog.Fatalf("Unable to create proxier: %v", err)
 		}
--- a/pkg/proxy/iptables/proxier.go
+++ b/pkg/proxy/iptables/proxier.go
@ -100,6 +100,7 @@ func ShouldUseIptablesProxier() (bool, error) {

 const sysctlBase = "/proc/sys"
 const sysctlRouteLocalnet = "net/ipv4/conf/all/route_localnet"
+const sysctlBridgeCallIptables = "net/bridge/bridge-nf-call-iptables"

 func getSysctl(sysctl string) (int, error) {
 	data, err := ioutil.ReadFile(path.Join(sysctlBase, sysctl))
@ -158,16 +159,25 @@ var _ proxy.ProxyProvider = &Proxier{}
 // An error will be returned if iptables fails to update or acquire the initial lock.
 // Once a proxier is created, it will keep iptables up to date in the background and
 // will not terminate if a particular iptables call fails.
-func NewProxier(ipt utiliptables.Interface, syncPeriod time.Duration) (*Proxier, error) {
-	glog.V(2).Info("Tearing down userspace rules. Errors here are acceptable.")
-	// remove iptables rules/chains from the userspace Proxier
-	tearDownUserspaceIptables(ipt)
+func NewProxier(ipt utiliptables.Interface, exec utilexec.Interface, syncPeriod time.Duration) (*Proxier, error) {

 	// Set the route_localnet sysctl we need for
 	if err := setSysctl(sysctlRouteLocalnet, 1); err != nil {
-		return nil, fmt.Errorf("can't set sysctl route_localnet: %v", err)
+		return nil, fmt.Errorf("can't set sysctl %s: %v", sysctlRouteLocalnet, err)
 	}

+	// Load the module.  It's OK if this fails (e.g. the module is not present)
+	// because we'll catch the error on the sysctl, which is what we actually
+	// care about.
+	exec.Command("modprobe", "br-netfilter").CombinedOutput()
+	if err := setSysctl(sysctlBridgeCallIptables, 1); err != nil {
+		return nil, fmt.Errorf("can't set sysctl %s: %v", sysctlBridgeCallIptables, err)
+	}
+
+	// No turning back. Remove artifacts that might still exist from the userspace Proxier.
+	glog.V(2).Info("Tearing down userspace rules. Errors here are acceptable.")
+	tearDownUserspaceIptables(ipt)
+
 	return &Proxier{
 		serviceMap: make(map[proxy.ServicePortName]*serviceInfo),
 		syncPeriod: syncPeriod,