Skip to content

Commit 5fc8069

Browse files
k8s-ci-robotk8s-ci-robot
authored
Merge pull request kubernetes#94591 from Lion-Wei/lb-fw
Fix failing test "Services should only allow access from service loadbalancer source ranges"
2 parents 23e5a85 + 1f7ea16 commit 5fc8069

File tree

2 files changed

+30
-1
lines changed

2 files changed

+30
-1
lines changed

pkg/proxy/iptables/proxier.go

Lines changed: 15 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -399,6 +399,13 @@ var iptablesJumpChains = []iptablesJumpChain{
399399
{utiliptables.TableNAT, kubePostroutingChain, utiliptables.ChainPostrouting, "kubernetes postrouting rules", nil},
400400
}
401401

402+
var iptablesEnsureChains = []struct {
403+
table utiliptables.Table
404+
chain utiliptables.Chain
405+
}{
406+
{utiliptables.TableNAT, KubeMarkDropChain},
407+
}
408+
402409
var iptablesCleanupOnlyChains = []iptablesJumpChain{}
403410

404411
// CleanupLeftovers removes all iptables rules and chains created by the Proxier
@@ -868,6 +875,14 @@ func (proxier *Proxier) syncProxyRules() {
868875
}
869876
}
870877

878+
// ensure KUBE-MARK-DROP chain exist but do not change any rules
879+
for _, ch := range iptablesEnsureChains {
880+
if _, err := proxier.iptables.EnsureChain(ch.table, ch.chain); err != nil {
881+
klog.Errorf("Failed to ensure that %s chain %s exists: %v", ch.table, ch.chain, err)
882+
return
883+
}
884+
}
885+
871886
//
872887
// Below this point we will not return until we try to write the iptables rules.
873888
//

pkg/proxy/ipvs/proxier.go

Lines changed: 15 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -117,10 +117,16 @@ var iptablesChains = []struct {
117117
{utiliptables.TableNAT, KubeNodePortChain},
118118
{utiliptables.TableNAT, KubeLoadBalancerChain},
119119
{utiliptables.TableNAT, KubeMarkMasqChain},
120-
{utiliptables.TableNAT, KubeMarkDropChain},
121120
{utiliptables.TableFilter, KubeForwardChain},
122121
}
123122

123+
var iptablesEnsureChains = []struct {
124+
table utiliptables.Table
125+
chain utiliptables.Chain
126+
}{
127+
{utiliptables.TableNAT, KubeMarkDropChain},
128+
}
129+
124130
var iptablesCleanupChains = []struct {
125131
table utiliptables.Table
126132
chain utiliptables.Chain
@@ -1858,6 +1864,14 @@ func (proxier *Proxier) createAndLinkeKubeChain() {
18581864
existingFilterChains := proxier.getExistingChains(proxier.filterChainsData, utiliptables.TableFilter)
18591865
existingNATChains := proxier.getExistingChains(proxier.iptablesData, utiliptables.TableNAT)
18601866

1867+
// ensure KUBE-MARK-DROP chain exist but do not change any rules
1868+
for _, ch := range iptablesEnsureChains {
1869+
if _, err := proxier.iptables.EnsureChain(ch.table, ch.chain); err != nil {
1870+
klog.Errorf("Failed to ensure that %s chain %s exists: %v", ch.table, ch.chain, err)
1871+
return
1872+
}
1873+
}
1874+
18611875
// Make sure we keep stats for the top-level chains
18621876
for _, ch := range iptablesChains {
18631877
if _, err := proxier.iptables.EnsureChain(ch.table, ch.chain); err != nil {

0 commit comments

Comments
 (0)