
Commit 48e2c7b

bazuchanmurali-reddy
authored andcommitted
Add iptables input rules for ipvs services (#604)
1 parent c38e8f6 commit 48e2c7b


1 file changed

+61
-0
lines changed

1 file changed

+61
-0
lines changed

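--- a/pkg/controllers/proxy/network_services_controller.go
+++ b/pkg/controllers/proxy/network_services_controller.go
@@ -56,6 +56,7 @@ const (
 svcSchedFlagsAnnotation = "kube-router.io/service.schedflags"
 
 LeaderElectionRecordAnnotationKey = "control-plane.alpha.kubernetes.io/leader"
+svcIpSetName = "KUBE-SVC-ALL"
 )
 
 var (
@@ -368,6 +369,60 @@ func (nsc *NetworkServicesController) sync() error {
 return nil
 }
 
+func (nsc *NetworkServicesController) setupIpvsFirewall() error {
+// Add ipset containg all SVCs
+ipSetHandler, err := utils.NewIPSet(false)
+if err != nil {
+return err
+}
+
+svcIpSet, err := ipSetHandler.Create(svcIpSetName, utils.TypeHashIPPort, utils.OptionTimeout, "0")
+if err != nil {
+return fmt.Errorf("failed to create ipset: %s", err.Error())
+}
+
+ipvsSvcs, err := nsc.ln.ipvsGetServices()
+if err != nil {
+return errors.New("Failed to list IPVS services: " + err.Error())
+}
+
+svcSets := make([]string, 0, len(ipvsSvcs))
+for _, ipvsSvc := range ipvsSvcs {
+protocol := "udp"
+if ipvsSvc.Protocol == syscall.IPPROTO_TCP {
+protocol = "tcp"
+}
+set := fmt.Sprintf("%s,%s:%d", ipvsSvc.Address.String(), protocol, ipvsSvc.Port)
+svcSets = append(svcSets, set)
+}
+
+err = svcIpSet.Refresh(svcSets, utils.OptionTimeout, "0")
+if err != nil {
+return fmt.Errorf("failed to sync ipset: %s", err.Error())
+}
+
+// Add iptables rule to allow input traffic to ipvs services
+iptablesCmdHandler, err := iptables.New()
+if err != nil {
+return errors.New("Failed to initialize iptables executor" + err.Error())
+}
+
+comment := "allow input traffic to ipvs services"
+args := []string{"-m", "comment", "--comment", comment, "-m", "set", "--match-set", svcIpSetName, "dst,dst", "-j", "ACCEPT"}
+exists, err := iptablesCmdHandler.Exists("filter", "INPUT", args...)
+if err != nil {
+return fmt.Errorf("Failed to run iptables command: %s", err.Error())
+}
+if !exists {
+err := iptablesCmdHandler.Insert("filter", "INPUT", 1, args...)
+if err != nil {
+return fmt.Errorf("Failed to run iptables command: %s", err.Error())
+}
+}
+
+return nil
+}
+
 func (nsc *NetworkServicesController) publishMetrics(serviceInfoMap serviceInfoMap) error {
 start := time.Now()
 defer func() {
@@ -890,6 +945,12 @@ func (nsc *NetworkServicesController) syncIpvsServices(serviceInfoMap serviceInf
 }
 }
 }
+
+err = nsc.setupIpvsFirewall()
+if err != nil {
+glog.Errorf("Error syncing ipvs svc iptable rules: %s", err.Error())
+}
+
 glog.V(1).Info("IPVS servers and services are synced to desired state")
 return nil
 }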
