@maxlaverse
Created April 16, 2018 06:45
diff --git a/Makefile b/Makefile
index 00730a98..28d23f11 100644
--- a/Makefile
+++ b/Makefile
@@ -39,7 +39,7 @@ GOARM=7
# List images with gcloud alpha container images list-tags gcr.io/google_containers/kube-cross
KUBE_CROSS_TAG=v1.8.3-1
-IPTABLES_VERSION=1.4.21
+IPTABLES_VERSION=1.6.1
dist/flanneld: $(shell find . -type f -name '*.go')
go build -o dist/flanneld \
@@ -137,13 +137,15 @@ dist/iptables-$(ARCH):
--disable-nftables \
--enable-static \
--host=amd64 && \
+ cp /go/src/github.com/coreos/flannel/iptables.patch ./ && \
+ patch -p0 < iptables.patch && \
make && \
cp iptables/xtables-multi /go/src/github.com/coreos/flannel/dist/iptables-$(ARCH) && \
cd /go/src/github.com/coreos/flannel && \
file dist/iptables-$(ARCH)'
## Build a .tar.gz for the amd64 ppc64le arm arm64 flanneld binary
-tar.gz:
+tar.gz:
ARCH=amd64 make dist/flanneld-amd64
tar --transform='flags=r;s|-amd64||' -zcvf dist/flannel-$(TAG)-linux-amd64.tar.gz -C dist flanneld-amd64 mk-docker-opts.sh ../README.md
tar -tvf dist/flannel-$(TAG)-linux-amd64.tar.gz
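Review bot: The new `patch -p0 < iptables.patch` step leaves it to GNU patch to pick the target file from the patch's own headers, and those headers name two different paths (`extensions.o/libipt_MASQUERADE.c` on the `---` line, `extensions/libipt_MASQUERADE.c` on the `+++` line), so which file is modified depends on patch's name-selection heuristics rather than on anything this recipe states. Naming the target explicitly also removes the intermediate `cp` into the source tree: `patch -p0 extensions/libipt_MASQUERADE.c < /go/src/github.com/coreos/flannel/iptables.patch && \`. The resulting `xtables-multi` is copied into `dist/iptables-$(ARCH)` and, judging by the binary section of this diff, committed; consider recording the iptables tarball checksum or tag next to `IPTABLES_VERSION` so the committed binary can be rebuilt and compared, since the download and any verification of the source live outside this hunk and cannot be checked here.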
@@ -242,4 +244,4 @@ run-local-kube-flannel-with-prereqs: run-etcd run-k8s-apiserver dist/flanneld
run-local-kube-flannel:
# Currently this requires the netconf to be in /etc/kube-flannel/net-conf.json
- sudo NODE_NAME=test dist/flanneld --kube-subnet-mgr --kube-api-url http://127.0.0.1:8080
\ No newline at end of file
+ sudo NODE_NAME=test dist/flanneld --kube-subnet-mgr --kube-api-url http://127.0.0.1:8080
diff --git a/dist/iptables-amd64 b/dist/iptables-amd64
index a248b93c..bb3974e0 100755
Binary files a/dist/iptables-amd64 and b/dist/iptables-amd64 differ
diff --git a/iptables.patch b/iptables.patch
new file mode 100644
index 00000000..b5fecfa0
--- /dev/null
+++ b/iptables.patch
@@ -0,0 +1,69 @@
+--- extensions.o/libipt_MASQUERADE.c 2017-12-02 10:12:00.000000000 +0100
++++ extensions/libipt_MASQUERADE.c 2017-12-02 10:11:30.000000000 +0100
+@@ -11,6 +11,7 @@
+ enum {
+ O_TO_PORTS = 0,
+ O_RANDOM,
++ O_RANDOM_FULLY,
+ };
+
+ static void MASQUERADE_help(void)
+@@ -20,12 +21,15 @@
+ " --to-ports <port>[-<port>]\n"
+ " Port (range) to map to.\n"
+ " --random\n"
+-" Randomize source port.\n");
++" Randomize source port.\n"
++" --random-fully\n"
++" Fully randomize source port.\n");
+ }
+
+ static const struct xt_option_entry MASQUERADE_opts[] = {
+ {.name = "to-ports", .id = O_TO_PORTS, .type = XTTYPE_STRING},
+ {.name = "random", .id = O_RANDOM, .type = XTTYPE_NONE},
++ {.name = "random-fully", .id = O_RANDOM_FULLY, .type = XTTYPE_NONE},
+ XTOPT_TABLEEND,
+ };
+
+@@ -97,7 +101,12 @@
+ case O_RANDOM:
+ mr->range[0].flags |= NF_NAT_RANGE_PROTO_RANDOM;
+ break;
++ case O_RANDOM_FULLY:
++ mr->range[0].flags |= NF_NAT_RANGE_PROTO_RANDOM_FULLY;
++ break;
+ }
++ // Force full randomization on MASQUERADE targets
++ mr->range[0].flags |= NF_NAT_RANGE_PROTO_RANDOM_FULLY;
+ }
+
+ static void
+@@ -116,6 +125,9 @@
+
+ if (r->flags & NF_NAT_RANGE_PROTO_RANDOM)
+ printf(" random");
++
++ if (r->flags & NF_NAT_RANGE_PROTO_RANDOM_FULLY)
++ printf(" random-fully");
+ }
+
+ static void
+@@ -132,6 +144,9 @@
+
+ if (r->flags & NF_NAT_RANGE_PROTO_RANDOM)
+ printf(" --random");
++
++ if (r->flags & NF_NAT_RANGE_PROTO_RANDOM_FULLY)
++ printf(" --random-fully");
+ }
+
+ static int MASQUERADE_xlate(struct xt_xlate *xl,
+@@ -153,6 +168,9 @@
+ if (r->flags & NF_NAT_RANGE_PROTO_RANDOM)
+ xt_xlate_add(xl, "random ");
+
++ if (r->flags & NF_NAT_RANGE_PROTO_RANDOM_FULLY)
++ xt_xlate_add(xl, "random-fully ");
++
+ return 1;
+ }
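Review bot: The two lines added after the `switch` in `MASQUERADE_parse` (`// Force full randomization on MASQUERADE targets` followed by the unconditional `mr->range[0].flags |= NF_NAT_RANGE_PROTO_RANDOM_FULLY;`) set the flag on every MASQUERADE rule this binary parses, so the `--random-fully` option defined a few lines above is a no-op and rules written without it are silently altered, which will also surface as `--random-fully` in `iptables-save` output and in `-C` checks. If the goal is a local policy rather than an upstream-style option, drop the forced OR and pass `--random-fully` from the callers; if the goal is the option, drop the forced OR and keep the rest — but not both in one patch, because a reader of the option text cannot tell that the binary ignores it. To my knowledge the flag is only acted upon by kernels that implement NF_NAT_RANGE_PROTO_RANDOM_FULLY (3.14 and later) and I believe older kernels do not reject unknown range flags in the MASQUERADE check, so the patched binary would appear to work while the randomization is silently absent; that caveat belongs in the patch header or next to `IPTABLES_VERSION`.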
diff --git a/network/ipmasq.go b/network/ipmasq.go
index 451eec0a..f21e5651 100644
--- a/network/ipmasq.go
+++ b/network/ipmasq.go
@@ -38,11 +38,11 @@ func rules(ipn ip.IP4Net, lease *subnet.Lease) [][]string {
// This rule makes sure we don't NAT traffic within overlay network (e.g. coming out of docker0)
{"-s", n, "-d", n, "-j", "RETURN"},
// NAT if it's not multicast traffic
- {"-s", n, "!", "-d", "224.0.0.0/4", "-j", "MASQUERADE"},
+ {"-s", n, "!", "-d", "224.0.0.0/4", "-j", "MASQUERADE", "--random-fully"},
// Prevent performing Masquerade on external traffic which arrives from a Node that owns the container/pod IP address
{"!", "-s", n, "-d", sn, "-j", "RETURN"},
// Masquerade anything headed towards flannel from the host
- {"!", "-s", n, "-d", n, "-j", "MASQUERADE"},
+ {"!", "-s", n, "-d", n, "-j", "MASQUERADE", "--random-fully"},
}
}
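Review bot: The two MASQUERADE rules now carry `--random-fully`, which requires an iptables binary whose MASQUERADE extension knows the option (upstream gained it in 1.6.2, to my knowledge; the 1.6.1 binary built in this change needs the bundled patch) and a kernel that implements NF_NAT_RANGE_PROTO_RANDOM_FULLY; against an unpatched older iptables both the `-C` check and the `-A` insert fail with an unknown-option error, and nothing in the hunk detects or reports that. Since `rules` is a plain table, the minimum is a comment above the list, e.g. `// --random-fully asks the kernel to choose the SNAT source port at random instead of trying to keep the original one; needs iptables >= 1.6.2 (or the patched binary in dist/) and kernel support for NF_NAT_RANGE_PROTO_RANDOM_FULLY.` Better still, probe once at startup (try the rule in check mode and inspect the error) and fall back to plain MASQUERADE with a logged warning, because a masquerade rule that never gets installed leaves pods without external connectivity. Note that with the patched binary the flag is forced inside `MASQUERADE_parse` regardless, so the explicit argument here mainly matters when flannel is run against a stock iptables. The `rules` function's signature appears in the hunk header but its start is outside the hunk.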