Periodicaly sync iptables MASQUERADE rules

cloudnativelabs · Dec 24, 2018 · 9cea203 · 9cea203
1 parent c63e71a
commit 9cea203
Showing 1 changed file with 24 additions and 5 deletions.
diff --git a/pkg/controllers/proxy/network_services_controller.go b/pkg/controllers/proxy/network_services_controller.go
@@ -350,6 +350,12 @@ func (nsc *NetworkServicesController) sync() error {
 	nsc.mu.Lock()
 	defer nsc.mu.Unlock()
 
+	// enable masquerad rule
+	err = ensureMasqueradeIptablesRule(nsc.masqueradeAll, nsc.podCidr)
+	if err != nil {
+		glog.Errorf("Failed to do add masquerad rule in POSTROUTING chain of nat table due to: %s", err.Error())
+	}
+
 	nsc.serviceMap = nsc.buildServicesInfo()
 	nsc.endpointsMap = nsc.buildEndpointsInfo()
 	err = nsc.syncHairpinIptablesRules()
@@ -1273,21 +1279,34 @@ func ensureMasqueradeIptablesRule(masqueradeAll bool, podCidr string) error {
 	var args []string
 	if masqueradeAll {
 		args = []string{"-m", "ipvs", "--ipvs", "--vdir", "ORIGINAL", "--vmethod", "MASQ", "-m", "comment", "--comment", "", "-j", "MASQUERADE"}
-		err = iptablesCmdHandler.AppendUnique("nat", "POSTROUTING", args...)
+		exists, err := iptablesCmdHandler.Exists("nat", "POSTROUTING", args...)
 		if err != nil {
-			return errors.New("Failed to run iptables command" + err.Error())
+			return fmt.Errorf("Failed to run iptables command: %s", err.Error())
+		}
+		if !exists {
+			err = iptablesCmdHandler.AppendUnique("nat", "POSTROUTING", args...)
+			if err != nil {
+				return errors.New("Failed to run iptables command" + err.Error())
+			}
+			glog.V(1).Info("Successfully added iptables masquerad rule")
 		}
 	}
 	if len(podCidr) > 0 {
 		//TODO: ipset should be used for destination podCidr(s) match after multiple podCidr(s) per node get supported
 		args = []string{"-m", "ipvs", "--ipvs", "--vdir", "ORIGINAL", "--vmethod", "MASQ", "-m", "comment", "--comment", "",
 			"!", "-s", podCidr, "!", "-d", podCidr, "-j", "MASQUERADE"}
-		err = iptablesCmdHandler.AppendUnique("nat", "POSTROUTING", args...)
+		exists, err := iptablesCmdHandler.Exists("nat", "POSTROUTING", args...)
 		if err != nil {
-			return errors.New("Failed to run iptables command" + err.Error())
+			return fmt.Errorf("Failed to run iptables command: %s", err.Error())
+		}
+		if !exists {
+			err = iptablesCmdHandler.AppendUnique("nat", "POSTROUTING", args...)
+			if err != nil {
+				return errors.New("Failed to run iptables command" + err.Error())
+			}
+			glog.V(1).Info("Successfully added iptables masquerad rule")
 		}
 	}
-	glog.V(1).Info("Successfully added iptables masquerad rule")
 	return nil
 }