Proper ip-per-pod on GCE.

Back out the second iptables rule, now that we know what the problem was - we
need to open a firewal rule on each minion.

cluster/gce/util.sh

@@ -171,6 +171,13 @@ function kube-up {
       grep -v "^#" $(dirname $0)/templates/salt-minion.sh
     ) > ${KUBE_TEMP}/minion-start-${i}.sh
 
+    gcutil addfirewall ${MINION_NAMES[$i]}-all \
+      --norespect_terminal_width \
+      --project ${PROJECT} \
+      --network ${NETWORK} \
+      --allowed_ip_sources ${MINION_IP_RANGES[$i]} \
+      --allowed "tcp,udp,icmp,esp,ah,sctp" &
+
     gcutil addinstance ${MINION_NAMES[$i]} \
     --norespect_terminal_width \
       --project ${PROJECT} \
@@ -277,6 +284,12 @@ function kube-down {
     --zone ${ZONE} \
     ${MASTER_NAME} &
 
+  gcutil deletefirewall  \
+    --project ${PROJECT} \
+    --norespect_terminal_width \
+    --force \
+    ${MINION_NAMES[*]/%/-all} &
+
   gcutil deleteinstance \
     --project ${PROJECT} \
     --norespect_terminal_width \

cluster/saltbase/salt/_states/container_bridge.py

@@ -34,16 +34,11 @@ def ensure(name, cidr, mtu=1460):
     '''
     ret = {'name': name, 'changes': {}, 'result': False, 'comment': ''}
 
-    iptables_rule_1 = {
+    iptables_rule = {
         'table': 'nat',
         'chain': 'POSTROUTING',
         'rule': '-o eth0 -j MASQUERADE \! -d 10.0.0.0/8'
     }
-    iptables_rule_2 = {
-        'table': 'nat',
-        'chain': 'POSTROUTING',
-        'rule': '-s %s -j MASQUERADE \! -d %s' % (cidr, cidr)
-    }
 
     def bridge_exists(name):
         'Determine if a bridge exists already.'
@@ -95,10 +90,8 @@ def ensure(name, cidr, mtu=1460):
             ret['details'] = {}
         # This module function is strange and returns True if the rule exists.
         # If not, it returns a string with the error from the call to iptables.
-        ret['iptables_rule_1_exists'] = \
+        ret['iptables_rule_exists'] = \
-          __salt__['iptables.check'](**iptables_rule_1) == True
+          __salt__['iptables.check'](**iptables_rule) == True
-        ret['iptables_rule_2_exists'] = \
-          __salt__['iptables.check'](**iptables_rule_2) == True
         return ret
 
     # This is a little hacky.  I should probably import a real library for this
@@ -119,8 +112,7 @@ def ensure(name, cidr, mtu=1460):
         and current_state['details']['mtu'] == mtu
         and desired_network in current_state['details']['networks']
         and current_state['details']['up']
-        and current_state['iptables_rule_1_exists']
+        and current_state['iptables_rule_exists']):
-        and current_state['iptables_rule_2_exists']):
         ret['result'] = True
         ret['comment'] = 'System already in the correct state'
         return ret
@@ -155,10 +147,8 @@ def ensure(name, cidr, mtu=1460):
         __salt__['cmd.run'](
             'ip link set dev {0} up'.format(name))
     new_state = get_current_state()
-    if not new_state['iptables_rule_1_exists']:
+    if not new_state['iptables_rule_exists']:
-        __salt__['iptables.append'](**iptables_rule_1)
+        __salt__['iptables.append'](**iptables_rule)
-    if not new_state['iptables_rule_2_exists']:
-        __salt__['iptables.append'](**iptables_rule_2)
     new_state = get_current_state()
 
     ret['comment'] = 'The state of "{0}" was changed!'.format(name)