Simplify nftables/proxier.go by removing the "args" reuse
since that will be done differently in nftables
This commit is contained in:
Dan Winship
@@ -779,12 +779,6 @@ func (proxier *Proxier) syncProxyRules() {
|
|||||||
// Accumulate NAT chains to keep.
|
// Accumulate NAT chains to keep.
|
||||||
activeNATChains := map[utiliptables.Chain]bool{} // use a map as a set
|
activeNATChains := map[utiliptables.Chain]bool{} // use a map as a set
|
||||||
|
|
||||||
// To avoid growing this slice, we arbitrarily set its size to 64,
|
|
||||||
// there is never more than that many arguments for a single line.
|
|
||||||
// Note that even if we go over 64, it will still be correct - it
|
|
||||||
// is just for efficiency, not correctness.
|
|
||||||
args := make([]string, 64)
|
|
||||||
|
|
||||||
// Compute total number of endpoint chains across all services
|
// Compute total number of endpoint chains across all services
|
||||||
// to get a sense of how big the cluster is.
|
// to get a sense of how big the cluster is.
|
||||||
totalEndpoints := 0
|
totalEndpoints := 0
|
||||||
@@ -1037,16 +1031,13 @@ func (proxier *Proxier) syncProxyRules() {
|
|||||||
|
|
||||||
// Set up internal traffic handling.
|
// Set up internal traffic handling.
|
||||||
if hasInternalEndpoints {
|
if hasInternalEndpoints {
|
||||||
args = append(args[:0],
|
|
||||||
"-m", "comment", "--comment", fmt.Sprintf(`"%s cluster IP"`, svcPortNameString),
|
|
||||||
"-m", protocol, "-p", protocol,
|
|
||||||
"-d", svcInfo.ClusterIP().String(),
|
|
||||||
"--dport", strconv.Itoa(svcInfo.Port()),
|
|
||||||
)
|
|
||||||
if proxier.masqueradeAll {
|
if proxier.masqueradeAll {
|
||||||
proxier.natRules.Write(
|
proxier.natRules.Write(
|
||||||
"-A", string(internalTrafficChain),
|
"-A", string(internalTrafficChain),
|
||||||
args,
|
"-m", "comment", "--comment", fmt.Sprintf(`"%s cluster IP"`, svcPortNameString),
|
||||||
|
"-m", protocol, "-p", protocol,
|
||||||
|
"-d", svcInfo.ClusterIP().String(),
|
||||||
|
"--dport", strconv.Itoa(svcInfo.Port()),
|
||||||
"-j", string(kubeMarkMasqChain))
|
"-j", string(kubeMarkMasqChain))
|
||||||
} else if proxier.localDetector.IsImplemented() {
|
} else if proxier.localDetector.IsImplemented() {
|
||||||
// This masquerades off-cluster traffic to a service VIP. The
|
// This masquerades off-cluster traffic to a service VIP. The
|
||||||
@@ -1056,7 +1047,10 @@ func (proxier *Proxier) syncProxyRules() {
|
|||||||
// off-node, we masquerade here.
|
// off-node, we masquerade here.
|
||||||
proxier.natRules.Write(
|
proxier.natRules.Write(
|
||||||
"-A", string(internalTrafficChain),
|
"-A", string(internalTrafficChain),
|
||||||
args,
|
"-m", "comment", "--comment", fmt.Sprintf(`"%s cluster IP"`, svcPortNameString),
|
||||||
|
"-m", protocol, "-p", protocol,
|
||||||
|
"-d", svcInfo.ClusterIP().String(),
|
||||||
|
"--dport", strconv.Itoa(svcInfo.Port()),
|
||||||
proxier.localDetector.IfNotLocal(),
|
proxier.localDetector.IfNotLocal(),
|
||||||
"-j", string(kubeMarkMasqChain))
|
"-j", string(kubeMarkMasqChain))
|
||||||
}
|
}
|
||||||
@@ -1128,15 +1122,16 @@ func (proxier *Proxier) syncProxyRules() {
|
|||||||
// loadbalancers that preserve source IPs. For loadbalancers which
|
// loadbalancers that preserve source IPs. For loadbalancers which
|
||||||
// direct traffic to service NodePort, the firewall rules will not
|
// direct traffic to service NodePort, the firewall rules will not
|
||||||
// apply.
|
// apply.
|
||||||
args = append(args[:0],
|
|
||||||
"-A", string(fwChain),
|
|
||||||
"-m", "comment", "--comment", fmt.Sprintf(`"%s loadbalancer IP"`, svcPortNameString),
|
|
||||||
)
|
|
||||||
|
|
||||||
// firewall filter based on each source range
|
// firewall filter based on each source range
|
||||||
allowFromNode := false
|
allowFromNode := false
|
||||||
for _, src := range svcInfo.LoadBalancerSourceRanges() {
|
for _, src := range svcInfo.LoadBalancerSourceRanges() {
|
||||||
proxier.natRules.Write(args, "-s", src, "-j", string(externalTrafficChain))
|
proxier.natRules.Write(
|
||||||
|
"-A", string(fwChain),
|
||||||
|
"-m", "comment", "--comment", fmt.Sprintf(`"%s loadbalancer IP"`, svcPortNameString),
|
||||||
|
"-s", src,
|
||||||
|
"-j", string(externalTrafficChain),
|
||||||
|
)
|
||||||
_, cidr, err := netutils.ParseCIDRSloppy(src)
|
_, cidr, err := netutils.ParseCIDRSloppy(src)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
klog.ErrorS(err, "Error parsing CIDR in LoadBalancerSourceRanges, dropping it", "cidr", cidr)
|
klog.ErrorS(err, "Error parsing CIDR in LoadBalancerSourceRanges, dropping it", "cidr", cidr)
|
||||||
@@ -1152,9 +1147,11 @@ func (proxier *Proxier) syncProxyRules() {
|
|||||||
if allowFromNode {
|
if allowFromNode {
|
||||||
for _, lbip := range svcInfo.LoadBalancerVIPStrings() {
|
for _, lbip := range svcInfo.LoadBalancerVIPStrings() {
|
||||||
proxier.natRules.Write(
|
proxier.natRules.Write(
|
||||||
args,
|
"-A", string(fwChain),
|
||||||
|
"-m", "comment", "--comment", fmt.Sprintf(`"%s loadbalancer IP"`, svcPortNameString),
|
||||||
"-s", lbip,
|
"-s", lbip,
|
||||||
"-j", string(externalTrafficChain))
|
"-j", string(externalTrafficChain),
|
||||||
|
)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
// If the packet was able to reach the end of firewall chain,
|
// If the packet was able to reach the end of firewall chain,
|
||||||
@@ -1170,14 +1167,14 @@ func (proxier *Proxier) syncProxyRules() {
|
|||||||
// from clusterPolicyChain to the clusterEndpoints
|
// from clusterPolicyChain to the clusterEndpoints
|
||||||
if usesClusterPolicyChain {
|
if usesClusterPolicyChain {
|
||||||
proxier.natChains.Write(utiliptables.MakeChainLine(clusterPolicyChain))
|
proxier.natChains.Write(utiliptables.MakeChainLine(clusterPolicyChain))
|
||||||
proxier.writeServiceToEndpointRules(svcPortNameString, svcInfo, clusterPolicyChain, clusterEndpoints, args)
|
proxier.writeServiceToEndpointRules(svcPortNameString, svcInfo, clusterPolicyChain, clusterEndpoints)
|
||||||
}
|
}
|
||||||
|
|
||||||
// If Local policy is in use, create the chain and create rules jumping
|
// If Local policy is in use, create the chain and create rules jumping
|
||||||
// from localPolicyChain to the localEndpoints
|
// from localPolicyChain to the localEndpoints
|
||||||
if usesLocalPolicyChain {
|
if usesLocalPolicyChain {
|
||||||
proxier.natChains.Write(utiliptables.MakeChainLine(localPolicyChain))
|
proxier.natChains.Write(utiliptables.MakeChainLine(localPolicyChain))
|
||||||
proxier.writeServiceToEndpointRules(svcPortNameString, svcInfo, localPolicyChain, localEndpoints, args)
|
proxier.writeServiceToEndpointRules(svcPortNameString, svcInfo, localPolicyChain, localEndpoints)
|
||||||
}
|
}
|
||||||
|
|
||||||
// Generate the per-endpoint chains.
|
// Generate the per-endpoint chains.
|
||||||
@@ -1194,20 +1191,24 @@ func (proxier *Proxier) syncProxyRules() {
|
|||||||
proxier.natChains.Write(utiliptables.MakeChainLine(endpointChain))
|
proxier.natChains.Write(utiliptables.MakeChainLine(endpointChain))
|
||||||
activeNATChains[endpointChain] = true
|
activeNATChains[endpointChain] = true
|
||||||
|
|
||||||
args = append(args[:0], "-A", string(endpointChain))
|
|
||||||
args = append(args, "-m", "comment", "--comment", svcPortNameString)
|
|
||||||
// Handle traffic that loops back to the originator with SNAT.
|
// Handle traffic that loops back to the originator with SNAT.
|
||||||
proxier.natRules.Write(
|
proxier.natRules.Write(
|
||||||
args,
|
"-A", string(endpointChain),
|
||||||
|
"-m", "comment", "--comment", svcPortNameString,
|
||||||
"-s", epInfo.IP(),
|
"-s", epInfo.IP(),
|
||||||
"-j", string(kubeMarkMasqChain))
|
"-j", string(kubeMarkMasqChain),
|
||||||
// Update client-affinity lists.
|
)
|
||||||
|
commentAndAffinityArgs := []string{"-m", "comment", "--comment", svcPortNameString}
|
||||||
if svcInfo.SessionAffinityType() == v1.ServiceAffinityClientIP {
|
if svcInfo.SessionAffinityType() == v1.ServiceAffinityClientIP {
|
||||||
args = append(args, "-m", "recent", "--name", string(endpointChain), "--set")
|
commentAndAffinityArgs = append(commentAndAffinityArgs, "-m", "recent", "--name", string(endpointChain), "--set")
|
||||||
}
|
}
|
||||||
// DNAT to final destination.
|
// DNAT to final destination.
|
||||||
args = append(args, "-m", protocol, "-p", protocol, "-j", "DNAT", "--to-destination", epInfo.String())
|
proxier.natRules.Write(
|
||||||
proxier.natRules.Write(args)
|
"-A", string(endpointChain),
|
||||||
|
commentAndAffinityArgs,
|
||||||
|
"-m", protocol, "-p", protocol,
|
||||||
|
"-j", "DNAT", "--to-destination", epInfo.String(),
|
||||||
|
)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -1356,7 +1357,7 @@ func (proxier *Proxier) syncProxyRules() {
|
|||||||
conntrack.CleanStaleEntries(proxier.iptables.IsIPv6(), proxier.exec, proxier.svcPortMap, serviceUpdateResult, endpointUpdateResult)
|
conntrack.CleanStaleEntries(proxier.iptables.IsIPv6(), proxier.exec, proxier.svcPortMap, serviceUpdateResult, endpointUpdateResult)
|
||||||
}
|
}
|
||||||
|
|
||||||
func (proxier *Proxier) writeServiceToEndpointRules(svcPortNameString string, svcInfo proxy.ServicePort, svcChain utiliptables.Chain, endpoints []proxy.Endpoint, args []string) {
|
func (proxier *Proxier) writeServiceToEndpointRules(svcPortNameString string, svcInfo proxy.ServicePort, svcChain utiliptables.Chain, endpoints []proxy.Endpoint) {
|
||||||
// First write session affinity rules, if applicable.
|
// First write session affinity rules, if applicable.
|
||||||
if svcInfo.SessionAffinityType() == v1.ServiceAffinityClientIP {
|
if svcInfo.SessionAffinityType() == v1.ServiceAffinityClientIP {
|
||||||
for _, ep := range endpoints {
|
for _, ep := range endpoints {
|
||||||
@@ -1365,17 +1366,13 @@ func (proxier *Proxier) writeServiceToEndpointRules(svcPortNameString string, sv
|
|||||||
continue
|
continue
|
||||||
}
|
}
|
||||||
comment := fmt.Sprintf(`"%s -> %s"`, svcPortNameString, epInfo.String())
|
comment := fmt.Sprintf(`"%s -> %s"`, svcPortNameString, epInfo.String())
|
||||||
|
proxier.natRules.Write(
|
||||||
args = append(args[:0],
|
|
||||||
"-A", string(svcChain),
|
"-A", string(svcChain),
|
||||||
)
|
"-m", "comment", "--comment", comment,
|
||||||
args = append(args, "-m", "comment", "--comment", comment)
|
|
||||||
args = append(args,
|
|
||||||
"-m", "recent", "--name", string(epInfo.ChainName),
|
"-m", "recent", "--name", string(epInfo.ChainName),
|
||||||
"--rcheck", "--seconds", strconv.Itoa(svcInfo.StickyMaxAgeSeconds()), "--reap",
|
"--rcheck", "--seconds", strconv.Itoa(svcInfo.StickyMaxAgeSeconds()), "--reap",
|
||||||
"-j", string(epInfo.ChainName),
|
"-j", string(epInfo.ChainName),
|
||||||
)
|
)
|
||||||
proxier.natRules.Write(args)
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -1388,16 +1385,23 @@ func (proxier *Proxier) writeServiceToEndpointRules(svcPortNameString string, sv
|
|||||||
}
|
}
|
||||||
comment := fmt.Sprintf(`"%s -> %s"`, svcPortNameString, epInfo.String())
|
comment := fmt.Sprintf(`"%s -> %s"`, svcPortNameString, epInfo.String())
|
||||||
|
|
||||||
args = append(args[:0], "-A", string(svcChain))
|
|
||||||
args = append(args, "-m", "comment", "--comment", comment)
|
|
||||||
if i < (numEndpoints - 1) {
|
if i < (numEndpoints - 1) {
|
||||||
// Each rule is a probabilistic match.
|
// Each rule is a probabilistic match.
|
||||||
args = append(args,
|
proxier.natRules.Write(
|
||||||
|
"-A", string(svcChain),
|
||||||
|
"-m", "comment", "--comment", comment,
|
||||||
"-m", "statistic",
|
"-m", "statistic",
|
||||||
"--mode", "random",
|
"--mode", "random",
|
||||||
"--probability", proxier.probability(numEndpoints-i))
|
"--probability", proxier.probability(numEndpoints-i),
|
||||||
|
"-j", string(epInfo.ChainName),
|
||||||
|
)
|
||||||
|
} else {
|
||||||
|
// The final (or only if n == 1) rule is a guaranteed match.
|
||||||
|
proxier.natRules.Write(
|
||||||
|
"-A", string(svcChain),
|
||||||
|
"-m", "comment", "--comment", comment,
|
||||||
|
"-j", string(epInfo.ChainName),
|
||||||
|
)
|
||||||
}
|
}
|
||||||
// The final (or only if n == 1) rule is a guaranteed match.
|
|
||||||
proxier.natRules.Write(args, "-j", string(epInfo.ChainName))
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
Reference in New Issue
Block a user