Don't set --random-fully if it's not supported even if the flag is true
jingyuanliang committed Oct 22, 2024
1 parent 71cd5d0 commit b2fb01e
Showing 2 changed files with 21 additions and 6 deletions.
10 changes: 5 additions & 5 deletions cmd/ip-masq-agent/ip-masq-agent.go
@@ -61,7 +61,7 @@ var (

noMasqueradeAllReservedRangesFlag = flag.Bool("nomasq-all-reserved-ranges", false, "Whether to disable masquerade for all IPv4 ranges reserved by RFCs.")
enableIPv6 = flag.Bool("enable-ipv6", false, "Whether to enable IPv6.")
randomFully = flag.Bool("random-fully", true, "Whether to add --random-fully to the masquerade rule.")
randomFully = flag.Bool("random-fully", true, "Whether to add --random-fully to the masquerade rule, if the system supports it.")
)

// MasqConfig object
@@ -337,7 +337,7 @@ func (m *MasqDaemon) syncMasqRules() error {
}

// masquerade all other traffic that is not bound for a --dst-type LOCAL destination
writeMasqRules(lines, toPorts)
writeMasqRules(lines, m.iptables.HasRandomFully(), toPorts)

writeLine(lines, "COMMIT")
m.logVerbose(lines.String(), logParentID).Infof("IPv4 masquerading rules: %q", lines)
@@ -382,7 +382,7 @@ func (m *MasqDaemon) syncMasqRulesIPv6() error {
}

// masquerade all other traffic that is not bound for a --dst-type LOCAL destination
writeMasqRules(lines6, toPorts)
writeMasqRules(lines6, m.ip6tables.HasRandomFully(), toPorts)

writeLine(lines6, "COMMIT")
m.logVerbose(lines6.String(), logParentID).Infof("IPv6 masquerading rules: %q", lines6)
@@ -429,9 +429,9 @@ func writeNonMasqRule(lines *bytes.Buffer, cidr string) {

const masqRuleComment = `-m comment --comment "ip-masq-agent: outbound traffic is subject to MASQUERADE (must be last in chain)"`

func writeMasqRules(lines *bytes.Buffer, toPorts interval.Intervals) {
func writeMasqRules(lines *bytes.Buffer, hasRandomFully bool, toPorts interval.Intervals) {
args := []string{masqRuleComment, "-j", "MASQUERADE"}
if *randomFully {
if hasRandomFully && *randomFully {
args = append(args, "--random-fully")
}

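Review bot: When `*randomFully` is true but `hasRandomFully` is false, the new condition `if hasRandomFully && *randomFully` in writeMasqRules drops `--random-fully` silently, so an operator who asked for randomized source-port mapping gets no indication that the MASQUERADE rule was installed without it. A warning logged once at startup (not inside writeMasqRules, which is called from both syncMasqRules and syncMasqRulesIPv6) would make the downgrade visible, for example with the message `--random-fully requested but not supported by this iptables; masquerade rule installed without it`. I would also add a doc comment such as `// writeMasqRules appends the MASQUERADE rule; --random-fully is added only when the flag is set and hasRandomFully reports iptables support.` The body of writeMasqRules continues past the end of the visible hunk.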
17 changes: 16 additions & 1 deletion cmd/ip-masq-agent/ip-masq-agent_test.go
@@ -33,6 +33,7 @@ import (
iptest "k8s.io/kubernetes/pkg/util/iptables/testing"
)

var hasRandomFully bool
var wantRandomFully string

// turn off glog logging during tests to avoid clutter in output
@@ -45,22 +46,34 @@ func TestMain(m *testing.M) {

for _, tc := range []struct {
arg string
has bool
want string
}{
{},
{
arg: "false",
},
{
arg: "true",
},
{
has: true,
want: randomFully,
},
{
arg: "false",
has: true,
},
{
arg: "true",
has: true,
want: randomFully,
},
} {
if tc.arg != "" {
flag.Set("random-fully", tc.arg)
}
hasRandomFully = tc.has
wantRandomFully = tc.want

ec = max(ec, m.Run())
@@ -72,6 +85,7 @@ func TestMain(m *testing.M) {
func NewFakeMasqDaemon() *MasqDaemon {
masqChain = "IP-MASQ-AGENT"
iptables := iptest.NewFake()
iptables.SetHasRandomFully(hasRandomFully)
iptables.Dump = &iptest.IPTablesDump{
Tables: []iptest.Table{
{
@@ -83,6 +97,7 @@ func NewFakeMasqDaemon() *MasqDaemon {
},
}
ip6tables := iptest.NewIPv6Fake()
ip6tables.SetHasRandomFully(hasRandomFully)
ip6tables.Dump = &iptest.IPTablesDump{
Tables: []iptest.Table{
{
@@ -577,7 +592,7 @@ func TestWriteMasqRules(t *testing.T) {
}

lines := bytes.NewBuffer(nil)
writeMasqRules(lines, toPorts)
writeMasqRules(lines, hasRandomFully, toPorts)

s := lines.String()
if s != tt.want {
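Review bot: The table case `{has: true, want: randomFully}` in TestMain sets no `arg`, so the `if tc.arg != ""` guard skips `flag.Set` and that pass inherits whatever the previous case left in the `random-fully` flag; it matches the intended default only because the case before it sets "true". Resetting the flag when `arg` is empty keeps the cases independent of their order: `} else { flag.Set("random-fully", flag.Lookup("random-fully").DefValue) }`. The package-level `hasRandomFully` read by NewFakeMasqDaemon and TestWriteMasqRules also deserves a short comment, e.g. `// hasRandomFully is the fake iptables capability for the current m.Run() pass.` TestMain begins before the hunk and its tail is cut off after the `m.Run()` line.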
