From 3a5c23d727a0c766df2b897adb1e15dea2a6a9b4 Mon Sep 17 00:00:00 2001
From: Tim Hockin
Date: Fri, 14 Aug 2015 22:36:11 -0700
Subject: [PATCH] test for and set bridge-nf-call-iptables sysctl
---
 cmd/kube-proxy/app/server.go | 3 ++-
 pkg/proxy/iptables/proxier.go | 20 +++++++++++++++-----
 2 files changed, 17 insertions(+), 6 deletions(-)
diff --git a/cmd/kube-proxy/app/server.go b/cmd/kube-proxy/app/server.go
index df7bdeb7b0..a058773ebf 100644
--- a/cmd/kube-proxy/app/server.go
+++ b/cmd/kube-proxy/app/server.go
@@ -159,7 +159,8 @@ func (s *ProxyServer) Run(_ []string) error {
 	if !s.ForceUserspaceProxy && shouldUseIptables {
 		glog.V(2).Info("Using iptables Proxier.")
-		proxierIptables, err := iptables.NewProxier(utiliptables.New(exec.New(), protocol), s.SyncPeriod)
+		execer := exec.New()
+		proxierIptables, err := iptables.NewProxier(utiliptables.New(execer, protocol), execer, s.SyncPeriod)
 		if err != nil {
 			glog.Fatalf("Unable to create proxier: %v", err)
 		}
diff --git a/pkg/proxy/iptables/proxier.go b/pkg/proxy/iptables/proxier.go
index a364cfc1e7..91ca2b4996 100644
--- a/pkg/proxy/iptables/proxier.go
+++ b/pkg/proxy/iptables/proxier.go
@@ -100,6 +100,7 @@ func ShouldUseIptablesProxier() (bool, error) {
 const sysctlBase = "/proc/sys"
 const sysctlRouteLocalnet = "net/ipv4/conf/all/route_localnet"
+const sysctlBridgeCallIptables = "net/bridge/bridge-nf-call-iptables"
 func getSysctl(sysctl string) (int, error) {
 	data, err := ioutil.ReadFile(path.Join(sysctlBase, sysctl))
@@ -158,16 +159,25 @@ var _ proxy.ProxyProvider = &Proxier{}
 // An error will be returned if iptables fails to update or acquire the initial lock.
 // Once a proxier is created, it will keep iptables up to date in the background and
 // will not terminate if a particular iptables call fails.
-func NewProxier(ipt utiliptables.Interface, syncPeriod time.Duration) (*Proxier, error) {
-	glog.V(2).Info("Tearing down userspace rules. Errors here are acceptable.")
-	// remove iptables rules/chains from the userspace Proxier
-	tearDownUserspaceIptables(ipt)
+func NewProxier(ipt utiliptables.Interface, exec utilexec.Interface, syncPeriod time.Duration) (*Proxier, error) {
 	// Set the route_localnet sysctl we need for
 	if err := setSysctl(sysctlRouteLocalnet, 1); err != nil {
-		return nil, fmt.Errorf("can't set sysctl route_localnet: %v", err)
+		return nil, fmt.Errorf("can't set sysctl %s: %v", sysctlRouteLocalnet, err)
 	}
+	// Load the module. It's OK if this fails (e.g. the module is not present)
+	// because we'll catch the error on the sysctl, which is what we actually
+	// care about.
+	exec.Command("modprobe", "br-netfilter").CombinedOutput()
+	if err := setSysctl(sysctlBridgeCallIptables, 1); err != nil {
+		return nil, fmt.Errorf("can't set sysctl %s: %v", sysctlBridgeCallIptables, err)
+	}
+
+	// No turning back. Remove artifacts that might still exist from the userspace Proxier.
+	glog.V(2).Info("Tearing down userspace rules. Errors here are acceptable.")
+	tearDownUserspaceIptables(ipt)
+
 	return &Proxier{
 		serviceMap: make(map[proxy.ServicePortName]*serviceInfo),
 		syncPeriod: syncPeriod,
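Review bot: The added `exec.Command("modprobe", "br-netfilter").CombinedOutput()` line discards both the error and the output, so when the next `setSysctl(sysctlBridgeCallIptables, 1)` fails the operator only sees "can't set sysctl net/bridge/bridge-nf-call-iptables" (fatal in the caller) with no hint whether modprobe was not on PATH, the module is absent, or bridge netfilter is built into the kernel. Keeping the best-effort semantics but recording the outcome at debug level makes that fatal path diagnosable: `if out, err := exec.Command("modprobe", "br-netfilter").CombinedOutput(); err != nil { glog.V(2).Infof("modprobe br-netfilter failed (ok if built in): %v: %s", err, out) }`. The visible lines of NewProxier's doc comment also do not say that the constructor now attempts a kernel module load and refuses to start unless both `route_localnet` and `bridge-nf-call-iptables` can be written — a hard failure on hosts whose kernel does not expose the bridge sysctl at all, which is presumably intended (the sysctl is what makes bridged traffic traverse the proxier's iptables rules) but worth stating; I'd add `// NewProxier also sets the route_localnet and bridge-nf-call-iptables sysctls (loading br_netfilter with modprobe if needed) and returns an error if either cannot be set.` The parameter name `exec` reads like the stdlib package; `execer`, as the caller in server.go names it, would be clearer. NewProxier's body continues past the end of the hunk.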