d3fe48e848
The nat KUBE-SERVICES chain is called from OUTPUT and PREROUTING stages. In clusters with large number of services, the nat-KUBE-SERVICES chain is the largest chain with for eg: 33k rules. This patch aims to move the KubeMarkMasq rules from the kubeServicesChain into the respective KUBE-SVC-* chains. This way during each packet-rule matching we won't have to traverse the MASQ rules of all services which get accumulated in the KUBE-SERVICES and/or KUBE-NODEPORTS chains. Since the jump to KUBE-MARK-MASQ ultimately sets the 0x400 mark for nodeIP SNAT, it should not matter whether the jump is made from KUBE-SERVICES or KUBE-SVC-* chains. Specifically we change: 1) For ClusterIP svc, we move the KUBE-MARK-MASQ jump rule from KUBE-SERVICES chain into KUBE-SVC-* chain. 2) For ExternalIP svc, we move the KUBE-MARK-MASQ jump rule in the case of non-ServiceExternalTrafficPolicyTypeLocal from KUBE-SERVICES chain into KUBE-SVC-* chain. 3) For NodePorts svc, we move the KUBE-MARK-MASQ jump rule in case of non-ServiceExternalTrafficPolicyTypeLocal from KUBE-NODEPORTS chain to KUBE-SVC-* chain. 4) For load-balancer svc, we don't change anything since it is already svc specific due to creation of KUBE-FW-* chains per svc. This would cut the rules per svc in KUBE-SERVICES and KUBE-NODEPORTS in half. |
||
|---|---|---|
| .. | ||
| iptables | ||
| testing | ||
| endpoints_test.go | ||
| endpoints.go | ||
| network.go | ||
| utils_test.go | ||
| utils.go | ||