diff --git a/cmd/ip-masq-agent/ip-masq-agent.go b/cmd/ip-masq-agent/ip-masq-agent.go
index 1624267..01b209d 100644
--- a/cmd/ip-masq-agent/ip-masq-agent.go
+++ b/cmd/ip-masq-agent/ip-masq-agent.go
@@ -61,7 +61,7 @@ var (
 noMasqueradeAllReservedRangesFlag = flag.Bool("nomasq-all-reserved-ranges", false, "Whether to disable masquerade for all IPv4 ranges reserved by RFCs.")
 enableIPv6 = flag.Bool("enable-ipv6", false, "Whether to enable IPv6.")
- randomFully = flag.Bool("random-fully", true, "Whether to add --random-fully to the masquerade rule.")
+ randomFully = flag.Bool("random-fully", true, "Whether to add --random-fully to the masquerade rule, if the system supports it.")
 )
 // MasqConfig object
@@ -337,7 +337,7 @@ func (m *MasqDaemon) syncMasqRules() error {
 }
 // masquerade all other traffic that is not bound for a --dst-type LOCAL destination
- writeMasqRules(lines, toPorts)
+ writeMasqRules(lines, m.iptables.HasRandomFully(), toPorts)
 writeLine(lines, "COMMIT")
 m.logVerbose(lines.String(), logParentID).Infof("IPv4 masquerading rules: %q", lines)
@@ -382,7 +382,7 @@ func (m *MasqDaemon) syncMasqRulesIPv6() error {
 }
 // masquerade all other traffic that is not bound for a --dst-type LOCAL destination
- writeMasqRules(lines6, toPorts)
+ writeMasqRules(lines6, m.ip6tables.HasRandomFully(), toPorts)
 writeLine(lines6, "COMMIT")
 m.logVerbose(lines6.String(), logParentID).Infof("IPv6 masquerading rules: %q", lines6)
@@ -429,9 +429,9 @@ func writeNonMasqRule(lines *bytes.Buffer, cidr string) {
 const masqRuleComment = `-m comment --comment "ip-masq-agent: outbound traffic is subject to MASQUERADE (must be last in chain)"`
-func writeMasqRules(lines *bytes.Buffer, toPorts interval.Intervals) {
+func writeMasqRules(lines *bytes.Buffer, hasRandomFully bool, toPorts interval.Intervals) {
 args := []string{masqRuleComment, "-j", "MASQUERADE"}
- if *randomFully {
+ if hasRandomFully && *randomFully {
 args = append(args, "--random-fully")
 }
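Review bot: With `m.iptables.HasRandomFully()` passed into `writeMasqRules`, a node whose iptables lacks the option now gets a MASQUERADE rule without `--random-fully` even though the flag is true, and nothing in this hunk records that. The same applies to the `m.ip6tables.HasRandomFully()` call in syncMasqRulesIPv6. An operator who set the flag expecting fully randomised source-port allocation would want to see the downgrade, so I would report it once at startup rather than on every sync, for example `if *randomFully && !m.iptables.HasRandomFully() { /* warn: --random-fully requested but not supported */ }` through whatever logger the daemon already uses. Both function bodies start and end outside their hunks.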
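Review bot: `writeMasqRules` now takes its decision from two places, the `hasRandomFully` parameter and the package-level `*randomFully` flag, so the helper cannot be exercised without also setting global state. Passing the final decision keeps the flag lookup in the callers: `writeMasqRules(lines, *randomFully && m.iptables.HasRandomFully(), toPorts)`, with the guard reduced to `if useRandomFully {`. The function also has no doc comment; `// writeMasqRules appends the catch-all MASQUERADE rule, adding --random-fully only when it is requested and supported.` would fit. The body continues past the end of this hunk.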
diff --git a/cmd/ip-masq-agent/ip-masq-agent_test.go b/cmd/ip-masq-agent/ip-masq-agent_test.go
index 0955575..b85b40b 100644
--- a/cmd/ip-masq-agent/ip-masq-agent_test.go
+++ b/cmd/ip-masq-agent/ip-masq-agent_test.go
@@ -33,6 +33,7 @@ import (
 iptest "k8s.io/kubernetes/pkg/util/iptables/testing"
 )
+var hasRandomFully bool
 var wantRandomFully string
 // turn off glog logging during tests to avoid clutter in output
@@ -45,22 +46,34 @@ func TestMain(m *testing.M) {
 for _, tc := range []struct {
 arg string
+ has bool
 want string
 }{
+ {},
 {
+ arg: "false",
+ },
+ {
+ arg: "true",
+ },
+ {
+ has: true,
 want: randomFully,
 },
 {
 arg: "false",
+ has: true,
 },
 {
 arg: "true",
+ has: true,
 want: randomFully,
 },
 } {
 if tc.arg != "" {
 flag.Set("random-fully", tc.arg)
 }
+ hasRandomFully = tc.has
 wantRandomFully = tc.want
 ec = max(ec, m.Run())
@@ -72,6 +85,7 @@ func TestMain(m *testing.M) {
 func NewFakeMasqDaemon() *MasqDaemon {
 masqChain = "IP-MASQ-AGENT"
 iptables := iptest.NewFake()
+ iptables.SetHasRandomFully(hasRandomFully)
 iptables.Dump = &iptest.IPTablesDump{
 Tables: []iptest.Table{
 {
@@ -83,6 +97,7 @@ func NewFakeMasqDaemon() *MasqDaemon {
 },
 }
 ip6tables := iptest.NewIPv6Fake()
+ ip6tables.SetHasRandomFully(hasRandomFully)
 ip6tables.Dump = &iptest.IPTablesDump{
 Tables: []iptest.Table{
 {
@@ -577,7 +592,7 @@ func TestWriteMasqRules(t *testing.T) {
 }
 lines := bytes.NewBuffer(nil)
- writeMasqRules(lines, toPorts)
+ writeMasqRules(lines, hasRandomFully, toPorts)
 s := lines.String()
 if s != tt.want {
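Review bot: The new `{has: true, want: randomFully}` case in TestMain has no `arg`, so the `if tc.arg != ""` guard skips `flag.Set` and the case runs with whatever the previous iteration left in `random-fully`; it passes only because the case before it sets "true". Reordering or inserting a case would silently change what the cases without `arg` actually test. Resetting the flag on every iteration removes that coupling: `arg := tc.arg`, `if arg == "" { arg = flag.Lookup("random-fully").DefValue }`, `flag.Set("random-fully", arg)`. The error returned by `flag.Set` is also dropped, so a mistyped case value would go unnoticed. TestMain starts before and continues after this hunk.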