Skip to content

Instantly share code, notes, and snippets.

@maxlaverse
Created April 16, 2018 06:45
Show Gist options
  • Save maxlaverse/1fb3bfdd2509e317194280f530158c98 to your computer and use it in GitHub Desktop.
Save maxlaverse/1fb3bfdd2509e317194280f530158c98 to your computer and use it in GitHub Desktop.
diff --git a/Makefile b/Makefile
index 00730a98..28d23f11 100644
--- a/Makefile
+++ b/Makefile
@@ -39,7 +39,7 @@ GOARM=7
# List images with gcloud alpha container images list-tags gcr.io/google_containers/kube-cross
KUBE_CROSS_TAG=v1.8.3-1
-IPTABLES_VERSION=1.4.21
+IPTABLES_VERSION=1.6.1
dist/flanneld: $(shell find . -type f -name '*.go')
go build -o dist/flanneld \
@@ -137,13 +137,15 @@ dist/iptables-$(ARCH):
--disable-nftables \
--enable-static \
--host=amd64 && \
+ cp /go/src/github.com/coreos/flannel/iptables.patch ./ && \
+ patch -p0 < iptables.patch && \
make && \
cp iptables/xtables-multi /go/src/github.com/coreos/flannel/dist/iptables-$(ARCH) && \
cd /go/src/github.com/coreos/flannel && \
file dist/iptables-$(ARCH)'
## Build a .tar.gz for the amd64 ppc64le arm arm64 flanneld binary
-tar.gz:
+tar.gz:
ARCH=amd64 make dist/flanneld-amd64
tar --transform='flags=r;s|-amd64||' -zcvf dist/flannel-$(TAG)-linux-amd64.tar.gz -C dist flanneld-amd64 mk-docker-opts.sh ../README.md
tar -tvf dist/flannel-$(TAG)-linux-amd64.tar.gz
@@ -242,4 +244,4 @@ run-local-kube-flannel-with-prereqs: run-etcd run-k8s-apiserver dist/flanneld
run-local-kube-flannel:
# Currently this requires the netconf to be in /etc/kube-flannel/net-conf.json
- sudo NODE_NAME=test dist/flanneld --kube-subnet-mgr --kube-api-url http://127.0.0.1:8080
\ No newline at end of file
+ sudo NODE_NAME=test dist/flanneld --kube-subnet-mgr --kube-api-url http://127.0.0.1:8080
diff --git a/dist/iptables-amd64 b/dist/iptables-amd64
index a248b93c..bb3974e0 100755
Binary files a/dist/iptables-amd64 and b/dist/iptables-amd64 differ
diff --git a/iptables.patch b/iptables.patch
new file mode 100644
index 00000000..b5fecfa0
--- /dev/null
+++ b/iptables.patch
@@ -0,0 +1,69 @@
+--- extensions.o/libipt_MASQUERADE.c 2017-12-02 10:12:00.000000000 +0100
++++ extensions/libipt_MASQUERADE.c 2017-12-02 10:11:30.000000000 +0100
+@@ -11,6 +11,7 @@
+ enum {
+ O_TO_PORTS = 0,
+ O_RANDOM,
++ O_RANDOM_FULLY,
+ };
+
+ static void MASQUERADE_help(void)
+@@ -20,12 +21,15 @@
+ " --to-ports <port>[-<port>]\n"
+ " Port (range) to map to.\n"
+ " --random\n"
+-" Randomize source port.\n");
++" Randomize source port.\n"
++" --random-fully\n"
++" Fully randomize source port.\n");
+ }
+
+ static const struct xt_option_entry MASQUERADE_opts[] = {
+ {.name = "to-ports", .id = O_TO_PORTS, .type = XTTYPE_STRING},
+ {.name = "random", .id = O_RANDOM, .type = XTTYPE_NONE},
++ {.name = "random-fully", .id = O_RANDOM_FULLY, .type = XTTYPE_NONE},
+ XTOPT_TABLEEND,
+ };
+
+@@ -97,7 +101,12 @@
+ case O_RANDOM:
+ mr->range[0].flags |= NF_NAT_RANGE_PROTO_RANDOM;
+ break;
++ case O_RANDOM_FULLY:
++ mr->range[0].flags |= NF_NAT_RANGE_PROTO_RANDOM_FULLY;
++ break;
+ }
++ // Force full randomization on MASQUERADE targets
++ mr->range[0].flags |= NF_NAT_RANGE_PROTO_RANDOM_FULLY;
+ }
+
+ static void
+@@ -116,6 +125,9 @@
+
+ if (r->flags & NF_NAT_RANGE_PROTO_RANDOM)
+ printf(" random");
++
++ if (r->flags & NF_NAT_RANGE_PROTO_RANDOM_FULLY)
++ printf(" random-fully");
+ }
+
+ static void
+@@ -132,6 +144,9 @@
+
+ if (r->flags & NF_NAT_RANGE_PROTO_RANDOM)
+ printf(" --random");
++
++ if (r->flags & NF_NAT_RANGE_PROTO_RANDOM_FULLY)
++ printf(" --random-fully");
+ }
+
+ static int MASQUERADE_xlate(struct xt_xlate *xl,
+@@ -153,6 +168,9 @@
+ if (r->flags & NF_NAT_RANGE_PROTO_RANDOM)
+ xt_xlate_add(xl, "random ");
+
++ if (r->flags & NF_NAT_RANGE_PROTO_RANDOM_FULLY)
++ xt_xlate_add(xl, "random-fully ");
++
+ return 1;
+ }
diff --git a/network/ipmasq.go b/network/ipmasq.go
index 451eec0a..f21e5651 100644
--- a/network/ipmasq.go
+++ b/network/ipmasq.go
@@ -38,11 +38,11 @@ func rules(ipn ip.IP4Net, lease *subnet.Lease) [][]string {
// This rule makes sure we don't NAT traffic within overlay network (e.g. coming out of docker0)
{"-s", n, "-d", n, "-j", "RETURN"},
// NAT if it's not multicast traffic
- {"-s", n, "!", "-d", "224.0.0.0/4", "-j", "MASQUERADE"},
+ {"-s", n, "!", "-d", "224.0.0.0/4", "-j", "MASQUERADE", "--random-fully"},
// Prevent performing Masquerade on external traffic which arrives from a Node that owns the container/pod IP address
{"!", "-s", n, "-d", sn, "-j", "RETURN"},
// Masquerade anything headed towards flannel from the host
- {"!", "-s", n, "-d", n, "-j", "MASQUERADE"},
+ {"!", "-s", n, "-d", n, "-j", "MASQUERADE", "--random-fully"},
}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment