Commitbfa33b1

committed

fix(kube-proxy) avoid add zero-masked loadBalancerSourceRanges to ipset

Signed-off-by: roc <roc@imroc.cc>

1 parent033ffc7 commitbfa33b1Copy full SHA for bfa33b1

File tree

+15

-7

lines changed

+15

-7

lines changed

Lines changed: 7 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -19,6 +19,7 @@ package proxy`
`19`	`19`	`import (`
`20`	`20`	`"fmt"`
`21`	`21`	`"net"`
	`22`	`+"slices"`
`22`	`23`	`"strings"`
`23`	`24`
`24`	`25`	`v1"k8s.io/api/core/v1"`
`@@ -205,7 +206,12 @@ func newBaseServiceInfo(service v1.Service, ipFamily v1.IPFamily, port v1.Serv`
`205`	`206`	`}`
`206`	`207`
`207`	`208`	`cidrFamilyMap:=proxyutil.MapCIDRsByIPFamily(loadBalancerSourceRanges)`
`208`		`-info.loadBalancerSourceRanges=cidrFamilyMap[ipFamily]`
	`209`	`+cidrs:=cidrFamilyMap[ipFamily]`
	`210`	`+// zero-masked cidr means "allow any", which same as the empty loadBalancerSourceRanges.`
	`211`	`+ifslices.ContainsFunc(cidrs,proxyutil.IsZeroCIDR) {`
	`212`	`+cidrs= []*net.IPNet{}`
	`213`	`+}`
	`214`	`+info.loadBalancerSourceRanges=cidrs`
`209`	`215`
`210`	`216`	`// Filter Load Balancer Ingress IPs to correct IP family. While proxying load`
`211`	`217`	`// balancers might choose to proxy connections from an LB IP of one family to a`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -68,7 +68,7 @@ func NewNodePortAddresses(family v1.IPFamily, cidrStrings []string) *NodePortAdd`
`68`	`68`	`}`
`69`	`69`	`}`
`70`	`70`
`71`		`-ifIsZeroCIDR(str) {`
	`71`	`+ifIsZeroCIDR(cidr) {`
`72`	`72`	`// Ignore everything else`
`73`	`73`	`npa.cidrs= []*net.IPNet{cidr}`
`74`	`74`	`npa.matchAll=true`

Lines changed: 5 additions & 4 deletions

Original file line number	Diff line number	Diff line change
`@@ -45,11 +45,12 @@ const (`
`45`	`45`
`46`	`46`	`// IsZeroCIDR checks whether the input CIDR string is either`
`47`	`47`	`// the IPv4 or IPv6 zero CIDR`
`48`		`-funcIsZeroCIDR(cidrstring)bool {`
`49`		`-ifcidr==IPv4ZeroCIDR\|\|cidr==IPv6ZeroCIDR {`
`50`		`-returntrue`
	`48`	`+funcIsZeroCIDR(cidr*net.IPNet)bool {`
	`49`	`+ifcidr==nil {`
	`50`	`+returnfalse`
`51`	`51`	`}`
`52`		`-returnfalse`
	`52`	`+prefixLen,_:=cidr.Mask.Size()`
	`53`	`+returnprefixLen==0`
`53`	`54`	`}`
`54`	`55`
`55`	`56`	`// ShouldSkipService checks if a given service should skip proxying`

Lines changed: 2 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -682,7 +682,8 @@ func TestIsZeroCIDR(t *testing.T) {`
`682`	`682`	`}`
`683`	`683`	`for_,tc:=rangetestCases {`
`684`	`684`	`t.Run(tc.name,func(t*testing.T) {`
`685`		`-ifgot:=IsZeroCIDR(tc.input);tc.expected!=got {`
	`685`	`+_,cidr,_:=netutils.ParseCIDRSloppy(tc.input)`
	`686`	`+ifgot:=IsZeroCIDR(cidr);tc.expected!=got {`
`686`	`687`	`t.Errorf("IsZeroCIDR() = %t, want %t",got,tc.expected)`
`687`	`688`	`}`
`688`	`689`	`})`

Comments

(0)