From 1a04732b00c7d73f81883e78ca0c0b87f5bef137 Mon Sep 17 00:00:00 2001
From: Lucas Mundim
Date: Thu, 7 Feb 2019 04:06:15 -0200
Subject: [PATCH] Perform cleanup of depreciated masquerade iptables rules (if needed)

---
 .../proxy/network_services_controller.go | 41 ++++++++++++++++++-
 1 file changed, 40 insertions(+), 1 deletion(-)

diff --git a/pkg/controllers/proxy/network_services_controller.go b/pkg/controllers/proxy/network_services_controller.go
index b0035ac1e2..e8bf060d40 100644
--- a/pkg/controllers/proxy/network_services_controller.go
+++ b/pkg/controllers/proxy/network_services_controller.go
@@ -277,8 +277,14 @@ func (nsc *NetworkServicesController) Run(healthChan chan<- *healthcheck.Control
 	glog.Infof("Starting network services controller")
 
+	glog.V(1).Info("Performing cleanup of depreciated masquerade iptables rules (if needed).")
+	err := nsc.deleteBadMasqueradeIptablesRules()
+	if err != nil {
+		glog.Errorf("Error cleaning up old/bad masquerade rules: %s", err.Error())
+	}
+
 	// enable masquerade rule
-	err := nsc.ensureMasqueradeIptablesRule()
+	err = nsc.ensureMasqueradeIptablesRule()
 	if err != nil {
 		return errors.New("Failed to do add masquerade rule in POSTROUTING chain of nat table due to: %s" + err.Error())
 	}
 
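Review bot: The old masquerade rules are deleted before ensureMasqueradeIptablesRule installs the replacement, so between the two calls nat/POSTROUTING carries no MASQUERADE rule for IPVS-originated traffic and connections started in that window leave the node un-SNATed; if the replacement rule is distinct from the two patterns being removed (presumably it carries a non-empty comment, which is what would let both coexist), calling ensureMasqueradeIptablesRule first and deleteBadMasqueradeIptablesRules afterwards closes the gap. Treating a cleanup failure as log-only is reasonable, but the log line can pass the error value directly: `glog.Errorf("Error cleaning up old/bad masquerade rules: %v", err)`. The new V(1) message spells the word "depreciated"; `deprecated` is the intended term. Run continues outside the hunk.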
@@ -1512,6 +1518,39 @@ func (nsc *NetworkServicesController) ensureMasqueradeIptablesRule() error {
 	return nil
 }
 
+// Delete old/bad iptables rules to masquerade outbound IPVS traffic.
+func (nsc *NetworkServicesController) deleteBadMasqueradeIptablesRules() error {
+	iptablesCmdHandler, err := iptables.New()
+	if err != nil {
+		return errors.New("Failed create iptables handler:" + err.Error())
+	}
+
+	var argsBad = [][]string{
+		{"-m", "ipvs", "--ipvs", "--vdir", "ORIGINAL", "--vmethod", "MASQ", "-m", "comment", "--comment", "", "-j", "MASQUERADE"},
+		{"-m", "ipvs", "--ipvs", "--vdir", "ORIGINAL", "--vmethod", "MASQ", "-m", "comment", "--comment", "", "!", "-s", nsc.podCidr, "!", "-d", nsc.podCidr, "-j", "MASQUERADE"},
+	}
+
+	for _, args := range argsBad {
+		exists, err := iptablesCmdHandler.Exists("nat", "POSTROUTING", args...)
+		if err != nil {
+			return fmt.Errorf("Failed to lookup iptables rule: %s", err.Error())
+		}
+
+		if exists {
+			err = iptablesCmdHandler.Delete("nat", "POSTROUTING", args...)
+			if err != nil {
+				return fmt.Errorf("Failed to delete old/bad iptables rule to "+
+					"masquerade outbound IVPS traffic: %s.\n"+
+					"Masquerade all might still work, or bugs may persist after upgrade...",
+					err)
+			}
+			glog.Infof("Deleted old/bad iptables rule to masquerade outbound traffic.")
+		}
+	}
+
+	return nil
+}
+
 // syncHairpinIptablesRules adds/removes iptables rules pertaining to traffic
 // from an Endpoint (Pod) to its own service VIP. Rules are only applied if
 // enabled globally via CLI argument or a service has an annotation requesting
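Review bot: A single Exists/Delete pair per pattern removes only one matching rule, so if an earlier version ever appended the same rule more than once (every restart without an existence check would do that) the surviving copies keep masquerading traffic and the cleanup silently under-delivers; looping until Exists reports false, as sketched below, removes every instance. The doc comment on the new method should follow the package's own convention seen on syncHairpinIptablesRules and start with the name, e.g. `// deleteBadMasqueradeIptablesRules removes the legacy empty-comment MASQUERADE rules for IPVS traffic from nat/POSTROUTING.`. Two runtime strings also carry slips worth fixing while here: "Failed create iptables handler:" lacks a space before the appended error, and "IVPS" in the delete error should read "IPVS".

```go
	for _, args := range argsBad {
		// iptables -D removes one rule per call; repeat until no copy is left.
		for {
			exists, err := iptablesCmdHandler.Exists("nat", "POSTROUTING", args...)
			if err != nil {
				return fmt.Errorf("Failed to lookup iptables rule: %s", err.Error())
			}
			if !exists {
				break
			}
			if err := iptablesCmdHandler.Delete("nat", "POSTROUTING", args...); err != nil {
				// … unchanged: wrapped delete error …
			}
			glog.Infof("Deleted old/bad iptables rule to masquerade outbound traffic.")
		}
	}
```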