From 60bde9fbe2707b013fc03bd41c09fb04d0c6815e Mon Sep 17 00:00:00 2001 From: m1093782566 Date: Sun, 7 Jan 2018 15:07:59 +0800 Subject: [PATCH] fix nodeport localhost martian source error --- pkg/proxy/iptables/proxier.go | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/pkg/proxy/iptables/proxier.go b/pkg/proxy/iptables/proxier.go index 1710d989f97..468fefe0c4c 100644 --- a/pkg/proxy/iptables/proxier.go +++ b/pkg/proxy/iptables/proxier.go @@ -1172,6 +1172,7 @@ func (proxier *Proxier) syncProxyRules() { // Build rules for each service. var svcNameString string for svcName, svcInfo := range proxier.serviceMap { + isIPv6 := utilproxy.IsIPv6(svcInfo.clusterIP) protocol := strings.ToLower(string(svcInfo.protocol)) svcNameString = svcInfo.serviceNameString @@ -1384,7 +1385,6 @@ func (proxier *Proxier) syncProxyRules() { // This is very low impact. The NodePort range is intentionally obscure, and unlikely to actually collide with real Services. // This only affects UDP connections, which are not common. // See issue: https://github.com/kubernetes/kubernetes/issues/49881 - isIPv6 := utilproxy.IsIPv6(svcInfo.clusterIP) err := utilproxy.ClearUDPConntrackForPort(proxier.exec, lp.Port, isIPv6) if err != nil { glog.Errorf("Failed to clear udp conntrack for port %d, error: %v", lp.Port, err) @@ -1407,6 +1407,13 @@ func (proxier *Proxier) syncProxyRules() { } else { // TODO: Make all nodePorts jump to the firewall chain. // Currently we only create it for loadbalancers (#33586). + + // Fix localhost martian source error + loopback := "127.0.0.0/8" + if isIPv6 { + loopback = "::1/128" + } + writeLine(proxier.natRules, append(args, "-s", loopback, "-j", string(KubeMarkMasqChain))...) writeLine(proxier.natRules, append(args, "-j", string(svcXlbChain))...) }