fix nodeport localhost martian source error

2018-01-07 15:07:59 +08:00 · 2018-01-07 15:07:59 +08:00 · 60bde9fbe2
parent cfc1d47397
commit 60bde9fbe2
1 changed files with 8 additions and 1 deletions
--- a/pkg/proxy/iptables/proxier.go
+++ b/pkg/proxy/iptables/proxier.go
@ -1172,6 +1172,7 @@ func (proxier *Proxier) syncProxyRules() {
 	// Build rules for each service.
 	var svcNameString string
 	for svcName, svcInfo := range proxier.serviceMap {
+		isIPv6 := utilproxy.IsIPv6(svcInfo.clusterIP)
 		protocol := strings.ToLower(string(svcInfo.protocol))
 		svcNameString = svcInfo.serviceNameString

@ -1384,7 +1385,6 @@ func (proxier *Proxier) syncProxyRules() {
 					// This is very low impact. The NodePort range is intentionally obscure, and unlikely to actually collide with real Services.
 					// This only affects UDP connections, which are not common.
 					// See issue: https://github.com/kubernetes/kubernetes/issues/49881
-					isIPv6 := utilproxy.IsIPv6(svcInfo.clusterIP)
 					err := utilproxy.ClearUDPConntrackForPort(proxier.exec, lp.Port, isIPv6)
 					if err != nil {
 						glog.Errorf("Failed to clear udp conntrack for port %d, error: %v", lp.Port, err)
@ -1407,6 +1407,13 @@ func (proxier *Proxier) syncProxyRules() {
 			} else {
 				// TODO: Make all nodePorts jump to the firewall chain.
 				// Currently we only create it for loadbalancers (#33586).
+
+				// Fix localhost martian source error
+				loopback := "127.0.0.0/8"
+				if isIPv6 {
+					loopback = "::1/128"
+				}
+				writeLine(proxier.natRules, append(args, "-s", loopback, "-j", string(KubeMarkMasqChain))...)
 				writeLine(proxier.natRules, append(args, "-j", string(svcXlbChain))...)
 			}