github/kubernetes
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
119,738 Commits 1 Branch 31 Tags 1,019 MiB
ae3235aa01
Commit Graph

21 Commits

Author SHA1 Message Date
Dan Winship
0993bb78ef Redo service dispatch with maps 2023-10-31 17:54:53 -04:00
Dan Winship
9d71513ac1 Redo no-endpoint handling with maps 2023-10-31 17:54:53 -04:00
Dan Winship
4128631d0f Redo LoadBalancerSourceRanges firewall using sets 2023-10-31 17:54:53 -04:00
Dan Winship
edaa1d735b Redo --nodeport-addresses handling with a set 2023-10-31 17:54:53 -04:00
Dan Winship
ef1347b06d Port NAT rules to nftables (and backend is now functional) 2023-10-31 17:54:51 -04:00
Dan Winship
0c5c620b4f Port filter rules to nftables 2023-10-31 17:40:45 -04:00
Dan Winship
6cff415305 Port service/endpoint chain creation/cleanup to nftables 2023-10-31 17:40:45 -04:00
Dan Winship
2735ad541e Port table setup/cleanup code to nftables 2023-10-31 17:40:30 -04:00
Dan Winship
bcced184c5 Replace "iptables-restore" sync in nftables/proxier.go with (trivial) "nft -f -" sync 2023-10-31 17:38:32 -04:00
Dan Winship
93860a5217 Distinguish iptables-based and nftables-based backends, do startup cleanup 
When switching from iptables or ipvs to nftables, clean up old
iptables/ipvs rules. When switching the other way, clean up old
nftables rules.
 2023-10-31 17:38:32 -04:00
Dan Winship
abb1a458a9 Create an nftables.Interface in nftables proxier 
And update most of the comments to refer to "nftables" rather than
"iptables" (even though it doesn't actually do any nftables updating
at this point).

For now the proxy also internally creates a
utiliptablestesting.FakeIPTables to keep the existing sync code
compiling.
 2023-10-31 17:38:29 -04:00
Dan Winship
958e80ca3b Clarify nftables/proxier.go by distinguishing nat/filter table KUBE-SERVICES chains 
(It is confusing, but allowed, to have distinct "KUBE-SERVICES" chains
in "nat" and "filter" in iptables, but in nftables the "type nat" and
"type filter" chains end up in the same table, so we'll need different
names for the two.)
 2023-10-31 17:33:53 -04:00
Dan Winship
3abdda9800 Simplify nftables/proxier.go by using string rather than utiliptables.Chain 
Change the svcPortInfo and endpointInfo fields to string rather than
utiliptables.Chain, and various fixups from there.

Also use a proper set for activeNATChains, and fix the capitalization
of endpointInfo.chainName.
 2023-10-31 17:33:53 -04:00
Dan Winship
96e53f64f4 Simplify nftables/proxier.go by removing the "args" reuse 
since that will be done differently in nftables
 2023-10-31 17:33:53 -04:00
Dan Winship
6535ac1e61 Simplify nftables/proxier.go by removing Monitor stuff 
since it shouldn't be necessary
 2023-10-31 17:33:53 -04:00
Dan Winship
ecb7752f0b Simplify nftables/proxier.go by removing HaveRandomFully checks 2023-10-31 17:33:53 -04:00
Dan Winship
5f09106063 Simplify nftables/proxier.go by dropping "-j ACCEPT" rules 2023-10-31 17:33:53 -04:00
Dan Winship
1a6b9b811e Simplify nftables/proxier.go by removing localhost nodeport support 
and related route_localnet setting / anti-martian-packet rule
 2023-10-31 17:33:53 -04:00
Dan Winship
e7c35d27f7 Simplify nftables/proxier.go by removing partial syncing 
Since optimization will be done differently in nftables.
 2023-10-31 17:33:53 -04:00
Dan Winship
39a5af1d0a Simplify nftables/proxier.go by removing large-cluster mode 
since things will be optimized differently in nftables
 2023-10-31 17:33:53 -04:00
Dan Winship
a70653143e Add a dummy nftables kube-proxy backend which is just a copy of iptables 2023-10-31 17:31:42 -04:00