From b3c2888e717e7fd25674c3d3e7835bcde9839b5a Mon Sep 17 00:00:00 2001
From: Tim Hockin
Date: Thu, 3 Jan 2019 10:23:20 -0800
Subject: [PATCH 1/5] kube-proxy: rename internal field for clarity

---
 pkg/proxy/iptables/proxier.go | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/pkg/proxy/iptables/proxier.go b/pkg/proxy/iptables/proxier.go
index 4734de066d..a22e39bf1e 100644
--- a/pkg/proxy/iptables/proxier.go
+++ b/pkg/proxy/iptables/proxier.go
@@ -359,7 +359,7 @@ func NewProxier(ipt utiliptables.Interface,
 
 type iptablesJumpChain struct {
 	table       utiliptables.Table
-	chain       utiliptables.Chain
+	dstChain    utiliptables.Chain
 	sourceChain utiliptables.Chain
 	comment     string
 	extraArgs   []string
@@ -388,7 +388,7 @@ func CleanupLeftovers(ipt utiliptables.Interface) (encounteredError bool) {
 	for _, chain := range append(iptablesJumpChains, iptablesCleanupOnlyChains...) {
 		args := append(chain.extraArgs,
 			"-m", "comment", "--comment", chain.comment,
-			"-j", string(chain.chain),
+			"-j", string(chain.dstChain),
 		)
 		if err := ipt.DeleteRule(chain.table, chain.sourceChain, args...); err != nil {
 			if !utiliptables.IsNotFoundError(err) {
@@ -671,16 +671,16 @@ func (proxier *Proxier) syncProxyRules() {
 
 	// Create and link the kube chains.
 	for _, chain := range iptablesJumpChains {
-		if _, err := proxier.iptables.EnsureChain(chain.table, chain.chain); err != nil {
+		if _, err := proxier.iptables.EnsureChain(chain.table, chain.dstChain); err != nil {
 			klog.Errorf("Failed to ensure that %s chain %s exists: %v", chain.table, kubeServicesChain, err)
 			return
 		}
 		args := append(chain.extraArgs,
 			"-m", "comment", "--comment", chain.comment,
-			"-j", string(chain.chain),
+			"-j", string(chain.dstChain),
 		)
 		if _, err := proxier.iptables.EnsureRule(utiliptables.Prepend, chain.table, chain.sourceChain, args...); err != nil {
-			klog.Errorf("Failed to ensure that %s chain %s jumps to %s: %v", chain.table, chain.sourceChain, chain.chain, err)
+			klog.Errorf("Failed to ensure that %s chain %s jumps to %s: %v", chain.table, chain.sourceChain, chain.dstChain, err)
 			return
 		}
 	}

From 2106447d2142330e27f6c5fe39f723121d4907be Mon Sep 17 00:00:00 2001
From: Tim Hockin
Date: Thu, 3 Jan 2019 10:25:55 -0800
Subject: [PATCH 2/5] kube-proxy: rename vars for clarity, fix err str

---
 pkg/proxy/iptables/proxier.go | 26 +++++++++++++-------------
 1 file changed, 13 insertions(+), 13 deletions(-)

diff --git a/pkg/proxy/iptables/proxier.go b/pkg/proxy/iptables/proxier.go
index a22e39bf1e..021f0ef639 100644
--- a/pkg/proxy/iptables/proxier.go
+++ b/pkg/proxy/iptables/proxier.go
@@ -385,12 +385,12 @@ var iptablesCleanupOnlyChains = []iptablesJumpChain{
 // It returns true if an error was encountered. Errors are logged.
 func CleanupLeftovers(ipt utiliptables.Interface) (encounteredError bool) {
 	// Unlink our chains
-	for _, chain := range append(iptablesJumpChains, iptablesCleanupOnlyChains...) {
-		args := append(chain.extraArgs,
-			"-m", "comment", "--comment", chain.comment,
-			"-j", string(chain.dstChain),
+	for _, jump := range append(iptablesJumpChains, iptablesCleanupOnlyChains...) {
+		args := append(jump.extraArgs,
+			"-m", "comment", "--comment", jump.comment,
+			"-j", string(jump.dstChain),
 		)
-		if err := ipt.DeleteRule(chain.table, chain.sourceChain, args...); err != nil {
+		if err := ipt.DeleteRule(jump.table, jump.sourceChain, args...); err != nil {
 			if !utiliptables.IsNotFoundError(err) {
 				klog.Errorf("Error removing pure-iptables proxy rule: %v", err)
 				encounteredError = true
@@ -670,17 +670,17 @@ func (proxier *Proxier) syncProxyRules() {
 	klog.V(3).Info("Syncing iptables rules")
 
 	// Create and link the kube chains.
-	for _, chain := range iptablesJumpChains {
-		if _, err := proxier.iptables.EnsureChain(chain.table, chain.dstChain); err != nil {
-			klog.Errorf("Failed to ensure that %s chain %s exists: %v", chain.table, kubeServicesChain, err)
+	for _, jump := range iptablesJumpChains {
+		if _, err := proxier.iptables.EnsureChain(jump.table, jump.dstChain); err != nil {
+			klog.Errorf("Failed to ensure that %s chain %s exists: %v", jump.table, jump.dstChain, err)
 			return
 		}
-		args := append(chain.extraArgs,
-			"-m", "comment", "--comment", chain.comment,
-			"-j", string(chain.dstChain),
+		args := append(jump.extraArgs,
+			"-m", "comment", "--comment", jump.comment,
+			"-j", string(jump.dstChain),
 		)
-		if _, err := proxier.iptables.EnsureRule(utiliptables.Prepend, chain.table, chain.sourceChain, args...); err != nil {
-			klog.Errorf("Failed to ensure that %s chain %s jumps to %s: %v", chain.table, chain.sourceChain, chain.dstChain, err)
+		if _, err := proxier.iptables.EnsureRule(utiliptables.Prepend, jump.table, jump.sourceChain, args...); err != nil {
+			klog.Errorf("Failed to ensure that %s chain %s jumps to %s: %v", jump.table, jump.sourceChain, jump.dstChain, err)
 			return
 		}
 	}

From 51442b1e8ed0bc533ab219cde7280aeff7c8bec1 Mon Sep 17 00:00:00 2001
From: Tim Hockin
Date: Thu, 3 Jan 2019 10:26:51 -0800
Subject: [PATCH 3/5] kube-proxy: rename field for congruence

---
 pkg/proxy/iptables/proxier.go | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/pkg/proxy/iptables/proxier.go b/pkg/proxy/iptables/proxier.go
index 021f0ef639..6a34f5b40f 100644
--- a/pkg/proxy/iptables/proxier.go
+++ b/pkg/proxy/iptables/proxier.go
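Review bot: `args := append(jump.extraArgs, ...)` appends into the backing array of the package-level `extraArgs` slice that every sync shares; it is safe only because the literals in `iptablesJumpChains` have cap == len so append reallocates, and an entry whose `extraArgs` ever has spare capacity would let the trailing `-m comment ... -j` arguments be written into shared storage. Copying first removes the dependency, e.g. `args := append([]string(nil), jump.extraArgs...)` then `args = append(args, "-m", "comment", "--comment", jump.comment, "-j", string(jump.dstChain))`. The same pattern is in this patch's CleanupLeftovers hunk (`@@ -385,12`). The rest of syncProxyRules continues outside the hunk.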
@@ -358,11 +358,11 @@ func NewProxier(ipt utiliptables.Interface,
 }
 
 type iptablesJumpChain struct {
-	table       utiliptables.Table
-	dstChain    utiliptables.Chain
-	sourceChain utiliptables.Chain
-	comment     string
-	extraArgs   []string
+	table     utiliptables.Table
+	dstChain  utiliptables.Chain
+	srcChain  utiliptables.Chain
+	comment   string
+	extraArgs []string
 }
 
 var iptablesJumpChains = []iptablesJumpChain{
@@ -390,7 +390,7 @@ func CleanupLeftovers(ipt utiliptables.Interface) (encounteredError bool) {
 			"-m", "comment", "--comment", jump.comment,
 			"-j", string(jump.dstChain),
 		)
-		if err := ipt.DeleteRule(jump.table, jump.sourceChain, args...); err != nil {
+		if err := ipt.DeleteRule(jump.table, jump.srcChain, args...); err != nil {
 			if !utiliptables.IsNotFoundError(err) {
 				klog.Errorf("Error removing pure-iptables proxy rule: %v", err)
 				encounteredError = true
@@ -679,8 +679,8 @@ func (proxier *Proxier) syncProxyRules() {
 			"-m", "comment", "--comment", jump.comment,
 			"-j", string(jump.dstChain),
 		)
-		if _, err := proxier.iptables.EnsureRule(utiliptables.Prepend, jump.table, jump.sourceChain, args...); err != nil {
-			klog.Errorf("Failed to ensure that %s chain %s jumps to %s: %v", jump.table, jump.sourceChain, jump.dstChain, err)
+		if _, err := proxier.iptables.EnsureRule(utiliptables.Prepend, jump.table, jump.srcChain, args...); err != nil {
+			klog.Errorf("Failed to ensure that %s chain %s jumps to %s: %v", jump.table, jump.srcChain, jump.dstChain, err)
 			return
 		}
 	}

From 0d451d7a4c0d07ad6925261953235fe711324e08 Mon Sep 17 00:00:00 2001
From: Tim Hockin
Date: Thu, 3 Jan 2019 10:35:43 -0800
Subject: [PATCH 4/5] kube-proxy: remove old cleanup rules

---
 pkg/proxy/iptables/proxier.go | 7 +------
 1 file changed, 1 insertion(+), 6 deletions(-)

diff --git a/pkg/proxy/iptables/proxier.go b/pkg/proxy/iptables/proxier.go
index 6a34f5b40f..c6598243ab 100644
--- a/pkg/proxy/iptables/proxier.go
+++ b/pkg/proxy/iptables/proxier.go
@@ -374,12 +374,7 @@ var iptablesJumpChains = []iptablesJumpChain{
 	{utiliptables.TableFilter, kubeForwardChain, utiliptables.ChainForward, "kubernetes forwarding rules", nil},
 }
 
-var iptablesCleanupOnlyChains = []iptablesJumpChain{
-	// Present in kube 1.6 - 1.9. Removed by #56164 in favor of kubeExternalServicesChain
-	{utiliptables.TableFilter, kubeServicesChain, utiliptables.ChainInput, "kubernetes service portals", nil},
-	// Present in kube <= 1.9. Removed by #60306 in favor of rule with extraArgs
-	{utiliptables.TableFilter, kubeServicesChain, utiliptables.ChainOutput, "kubernetes service portals", nil},
-}
+var iptablesCleanupOnlyChains = []iptablesJumpChain{}
 
 // CleanupLeftovers removes all iptables rules and chains created by the Proxier
 // It returns true if an error was encountered. Errors are logged.

From df77e8eefdc13e7d66be5cbd552f102a03c908d5 Mon Sep 17 00:00:00 2001
From: Tim Hockin
Date: Thu, 3 Jan 2019 10:33:11 -0800
Subject: [PATCH 5/5] kube-proxy: reject 0 endpoints on forward

Previously we only REJECTed on OUTPUT which works for packets from the node but not for packets from pods on the node.

---
 pkg/proxy/iptables/proxier.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/pkg/proxy/iptables/proxier.go b/pkg/proxy/iptables/proxier.go
index c6598243ab..b2081071f6 100644
--- a/pkg/proxy/iptables/proxier.go
+++ b/pkg/proxy/iptables/proxier.go
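Review bot: `iptablesCleanupOnlyChains` is reduced to an undocumented empty literal, so a later reader cannot tell whether it is dead code or the place to register retired jump rules; a doc comment would settle that, e.g. `// iptablesCleanupOnlyChains lists jump rules kube-proxy no longer installs but CleanupLeftovers must still remove; currently empty.` Dropping the two entries also means a node that moves directly from a 1.6–1.9 kube-proxy to this one keeps the old filter INPUT/OUTPUT `-j KUBE-SERVICES` rules, and while they still reference the chain they may also keep a later cleanup from deleting it; if that version skew is out of support, the commit message should say so. Stylistically, `var iptablesCleanupOnlyChains []iptablesJumpChain` is the idiomatic empty slice and behaves the same in the `append` that CleanupLeftovers performs.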
@@ -367,11 +367,12 @@ type iptablesJumpChain struct {
 
 var iptablesJumpChains = []iptablesJumpChain{
 	{utiliptables.TableFilter, kubeExternalServicesChain, utiliptables.ChainInput, "kubernetes externally-visible service portals", []string{"-m", "conntrack", "--ctstate", "NEW"}},
+	{utiliptables.TableFilter, kubeServicesChain, utiliptables.ChainForward, "kubernetes service portals", []string{"-m", "conntrack", "--ctstate", "NEW"}},
 	{utiliptables.TableFilter, kubeServicesChain, utiliptables.ChainOutput, "kubernetes service portals", []string{"-m", "conntrack", "--ctstate", "NEW"}},
+	{utiliptables.TableFilter, kubeForwardChain, utiliptables.ChainForward, "kubernetes forwarding rules", nil},
 	{utiliptables.TableNAT, kubeServicesChain, utiliptables.ChainOutput, "kubernetes service portals", nil},
 	{utiliptables.TableNAT, kubeServicesChain, utiliptables.ChainPrerouting, "kubernetes service portals", nil},
 	{utiliptables.TableNAT, kubePostroutingChain, utiliptables.ChainPostrouting, "kubernetes postrouting rules", nil},
-	{utiliptables.TableFilter, kubeForwardChain, utiliptables.ChainForward, "kubernetes forwarding rules", nil},
 }
 
 var iptablesCleanupOnlyChains = []iptablesJumpChain{}
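Review bot: The relative order of the two filter FORWARD entries is now load-bearing but undocumented: `syncProxyRules` ensures each jump with `utiliptables.Prepend`, so the `kubeForwardChain` entry, listed after the new `kubeServicesChain`/`ChainForward` entry, ends up ahead of it in FORWARD, and a reordering of this literal would silently change which chain sees a pod's new connection first. Suggest a comment on the slice such as `// Jumps are ensured with Prepend, so for the same table/chain a later entry here is evaluated first (KUBE-FORWARD precedes KUBE-SERVICES in FORWARD).` If `EnsureRule` only inserts when the rule is missing, a node upgraded in place that already has `-j KUBE-FORWARD` will get the new `-j KUBE-SERVICES` prepended above it, the reverse of a fresh node; worth confirming that both orders give the intended REJECT behaviour for endpoint-less services or that the sync path reorders them.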