ipvs: add addrtype match for nodeport

2018-07-04 17:33:31 +08:00 · 2018-07-04 17:33:31 +08:00 · b2bf173aaf
commit b2bf173aaf
parent fc081b5941
2 changed files with 15 additions and 13 deletions
--- a/pkg/proxy/ipvs/proxier.go
+++ b/pkg/proxy/ipvs/proxier.go
@ -135,6 +135,7 @@ var ipsetInfo = []struct {
 // `iptables -t nat -A <from> -m set --match-set <name> <matchType> -j <to>`
 // example: iptables -t nat -A KUBE-SERVICES -m set --match-set KUBE-NODE-PORT-TCP dst -j KUBE-NODE-PORT
 // ipsets with other match rules will be created Individually.
 // Note: kubeNodePortLocalSetTCP must be prior to kubeNodePortSetTCP, the same for UDP.
 var ipsetWithIptablesChain = []struct {
 	name          string
 	from          string
@ -148,10 +149,10 @@ var ipsetWithIptablesChain = []struct {
 	{kubeLoadBalancerSourceCIDRSet, string(KubeFireWallChain), "RETURN", "dst,dst,src", ""},
 	{kubeLoadBalancerSourceIPSet, string(KubeFireWallChain), "RETURN", "dst,dst,src", ""},
 	{kubeLoadBalancerLocalSet, string(KubeLoadBalancerChain), "RETURN", "dst,dst", ""},
 	{kubeNodePortSetTCP, string(kubeServicesChain), string(KubeNodePortChain), "dst", "tcp"},
 	{kubeNodePortLocalSetTCP, string(KubeNodePortChain), "RETURN", "dst", "tcp"},
-	{kubeNodePortSetUDP, string(kubeServicesChain), string(KubeNodePortChain), "dst", "udp"},
+	{kubeNodePortSetTCP, string(KubeNodePortChain), string(KubeMarkMasqChain), "dst", "tcp"},
 	{kubeNodePortLocalSetUDP, string(KubeNodePortChain), "RETURN", "dst", "udp"},
 	{kubeNodePortSetUDP, string(KubeNodePortChain), string(KubeMarkMasqChain), "dst", "udp"},
 }
 var ipvsModules = []string{
@ -1270,11 +1271,12 @@ func (proxier *Proxier) writeIptablesRules() {
 		writeLine(proxier.natRules, append(dstLocalOnlyArgs, "-j", "ACCEPT")...)
 	}
-	// mark masq for KUBE-NODE-PORT
+	// -A KUBE-SERVICES  -m addrtype  --dst-type LOCAL -j KUBE-NODE-PORT
-	writeLine(proxier.natRules, []string{
+	args = append(args[:0],
-		"-A", string(KubeNodePortChain),
+		"-A", string(kubeServicesChain),
-		"-j", string(KubeMarkMasqChain),
+		"-m", "addrtype", "--dst-type", "LOCAL",
-	}...)
+	)
 	writeLine(proxier.natRules, append(args, "-j", string(KubeNodePortChain))...)
 	// mark drop for KUBE-LOAD-BALANCER
 	writeLine(proxier.natRules, []string{
--- a/pkg/proxy/ipvs/proxier_test.go
+++ b/pkg/proxy/ipvs/proxier_test.go
@ -477,11 +477,11 @@ func TestNodePortUDP(t *testing.T) {
 	// Check iptables chain and rules
 	epIpt := netlinktest.ExpectedIptablesChain{
 		string(kubeServicesChain): {{
 			JumpChain: string(KubeNodePortChain), MatchSet: kubeNodePortSetUDP,
 		}},
 		string(KubeNodePortChain): {{
-			JumpChain: string(KubeMarkMasqChain), MatchSet: "",
+			JumpChain: string(KubeMarkMasqChain), MatchSet: kubeNodePortSetUDP,
 		}},
 		string(kubeServicesChain): {{
 			JumpChain: string(KubeNodePortChain), MatchSet: "",
 		}},
 	}
 	checkIptables(t, ipt, epIpt)
@ -1049,12 +1049,12 @@ func TestOnlyLocalNodePorts(t *testing.T) {
 	// Check iptables chain and rules
 	epIpt := netlinktest.ExpectedIptablesChain{
 		string(kubeServicesChain): {{
-			JumpChain: string(KubeNodePortChain), MatchSet: kubeNodePortSetTCP,
+			JumpChain: string(KubeNodePortChain), MatchSet: "",
 		}},
 		string(KubeNodePortChain): {{
 			JumpChain: "RETURN", MatchSet: kubeNodePortLocalSetTCP,
 		}, {
-			JumpChain: string(KubeMarkMasqChain), MatchSet: "",
+			JumpChain: string(KubeMarkMasqChain), MatchSet: kubeNodePortSetTCP,
 		}},
 	}
 	checkIptables(t, ipt, epIpt)