flannel-random-fully.diff

April 16, 2018

diff --git a/Makefile b/Makefile
index 00730a98..28d23f11 100644
--- a/Makefile
+++ b/Makefile
@@ -39,7 +39,7 @@ GOARM=7

List images with gcloud alpha container images list-tags gcr.io/google_containers/kube-cross

KUBE_CROSS_TAG=v1.8.3-1
-IPTABLES_VERSION=1.4.21
+IPTABLES_VERSION=1.6.1

dist/flanneld: (shellfind.typefname.go)gobuildodist/flanneld @@137,13+137,15@@dist/iptables(shell find . -type f -name '*.go') go build -o dist/flanneld \ @@ -137,13 +137,15 @@ dist/iptables-(ARCH): --disable-nftables
--enable-static
--host=amd64 && \

  •   				cp /go/src/github.com/coreos/flannel/iptables.patch ./ && \
    
  •   				patch -p0 < iptables.patch && \
           make && \
           cp iptables/xtables-multi /go/src/github.com/coreos/flannel/dist/iptables-$(ARCH) && \
           cd /go/src/github.com/coreos/flannel && \
           file dist/iptables-$(ARCH)'
    

Build a .tar.gz for the amd64 ppc64le arm arm64 flanneld binary

-tar.gz: +tar.gz: ARCH=amd64 make dist/flanneld-amd64 tar --transform='flags=r;s|-amd64||' -zcvf dist/flannel-(TAG)linuxamd64.tar.gzCdistflanneldamd64mkdockeropts.sh../README.mdtartvfdist/flannel(TAG)-linux-amd64.tar.gz -C dist flanneld-amd64 mk-docker-opts.sh ../README.md tar -tvf dist/flannel-(TAG)-linux-amd64.tar.gz @@ -242,4 +244,4 @@ run-local-kube-flannel-with-prereqs: run-etcd run-k8s-apiserver dist/flanneld

run-local-kube-flannel: # Currently this requires the netconf to be in /etc/kube-flannel/net-conf.json

  • sudo NODE_NAME=test dist/flanneld --kube-subnet-mgr --kube-api-url http://127.0.0.1:8080 \ No newline at end of file
  • sudo NODE_NAME=test dist/flanneld --kube-subnet-mgr --kube-api-url http://127.0.0.1:8080
diff --git a/dist/iptables-amd64 b/dist/iptables-amd64
index a248b93c..bb3974e0 100755
Binary files a/dist/iptables-amd64 and b/dist/iptables-amd64 differ
diff --git a/iptables.patch b/iptables.patch
new file mode 100644
index 00000000..b5fecfa0
--- /dev/null
+++ b/iptables.patch
@@ -0,0 +1,69 @@
+--- extensions.o/libipt_MASQUERADE.c 2017-12-02 10:12:00.000000000 +0100
++++ extensions/libipt_MASQUERADE.c 2017-12-02 10:11:30.000000000 +0100
+@@ -11,6 +11,7 @@
  • enum {
  • O_TO_PORTS = 0,
  • O_RANDOM,
++ O_RANDOM_FULLY,
  • };
  • static void MASQUERADE_help(void)
+@@ -20,12 +21,15 @@
  • " --to-ports [-]\n"
  • " Port (range) to map to.\n"
  • " --random\n"
+-" Randomize source port.\n");
++" Randomize source port.\n"
++" --random-fully\n"
++" Fully randomize source port.\n");
  • }
  • static const struct xt_option_entry MASQUERADE_opts[] = {
  • {.name = "to-ports", .id = O_TO_PORTS, .type = XTTYPE_STRING},
  • {.name = "random", .id = O_RANDOM, .type = XTTYPE_NONE},
++ {.name = "random-fully", .id = O_RANDOM_FULLY, .type = XTTYPE_NONE},
  • XTOPT_TABLEEND,
  • };

+@@ -97,7 +101,12 @@

  • case O_RANDOM:
  •   mr->range[0].flags |=  NF_NAT_RANGE_PROTO_RANDOM;
    
  •   break;
    

++ case O_RANDOM_FULLY:
++ mr->range[0].flags |= NF_NAT_RANGE_PROTO_RANDOM_FULLY;
++ break;

  • }
++ // Force full randomization on MASQUERADE targets
++ mr->range[0].flags |= NF_NAT_RANGE_PROTO_RANDOM_FULLY;
  • }
  • static void
+@@ -116,6 +125,9 @@
  • if (r->flags & NF_NAT_RANGE_PROTO_RANDOM)
  •   printf(" random");
    

++
++ if (r->flags & NF_NAT_RANGE_PROTO_RANDOM_FULLY)
++ printf(" random-fully");

  • }
  • static void
+@@ -132,6 +144,9 @@
  • if (r->flags & NF_NAT_RANGE_PROTO_RANDOM)
  •   printf(" --random");
    

++
++ if (r->flags & NF_NAT_RANGE_PROTO_RANDOM_FULLY)
++ printf(" --random-fully");

  • }
  • static int MASQUERADE_xlate(struct xt_xlate *xl,
+@@ -153,6 +168,9 @@
  • if (r->flags & NF_NAT_RANGE_PROTO_RANDOM)
  •   xt_xlate_add(xl, "random ");
    

++ if (r->flags & NF_NAT_RANGE_PROTO_RANDOM_FULLY)
++ xt_xlate_add(xl, "random-fully ");
++

  • return 1;
  • }
diff --git a/network/ipmasq.go b/network/ipmasq.go
index 451eec0a..f21e5651 100644
--- a/network/ipmasq.go
+++ b/network/ipmasq.go
@@ -38,11 +38,11 @@ func rules(ipn ip.IP4Net, lease *subnet.Lease) [][]string {
// This rule makes sure we don't NAT traffic within overlay network (e.g. coming out of docker0)
{"-s", n, "-d", n, "-j", "RETURN"},
// NAT if it's not multicast traffic
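Review bot: The two lines added after the switch in the `@@ -97,7 +101,12 @@` hunk (`// Force full randomization on MASQUERADE targets` / `mr->range[0].flags |= NF_NAT_RANGE_PROTO_RANDOM_FULLY;`) set the flag unconditionally, so every MASQUERADE rule built with this binary gets full randomization whether or not `--random-fully` was given, and the new `case O_RANDOM_FULLY:` branch above it becomes redundant. Because the save hunk then prints `--random-fully` for every rule, a ruleset saved with this binary would presumably be rejected by an iptables-restore that does not know the option, so the forced behaviour leaks outside flannel's own rules. I would drop those two forced lines and let the flag come only from the explicit option, which is also what the new `ipmasq.go` rules pass. The enclosing functions (the parse, print, save and xlate handlers) all start outside their respective hunks, and the build also assumes the kernel headers it compiles against define `NF_NAT_RANGE_PROTO_RANDOM_FULLY`, which is worth confirming for the pinned toolchain.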
  •   {"-s", n, "!", "-d", "224.0.0.0/4", "-j", "MASQUERADE"},
    
  •   {"-s", n, "!", "-d", "224.0.0.0/4", "-j", "MASQUERADE", "--random-fully"},
      // Prevent performing Masquerade on external traffic which arrives from a Node that owns the container/pod IP address
      {"!", "-s", n, "-d", sn, "-j", "RETURN"},
      // Masquerade anything headed towards flannel from the host
    
  •   {"!", "-s", n, "-d", n, "-j", "MASQUERADE"},
    
  •   {"!", "-s", n, "-d", n, "-j", "MASQUERADE", "--random-fully"},
    
    } }
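Review bot: The two MASQUERADE rules that now carry `--random-fully` hard-require support from both the iptables binary flannel executes and the running kernel, but nothing in this hunk probes for that support or falls back, so on a node where either is too old the rule insert fails and the pod network is left without SNAT rather than with the previous behaviour. The bundled patched binary only helps where flannel actually runs that binary; if it can end up calling the host's iptables, the same requirement applies there, and upstream only gained this option in a later 1.6.x release if I recall correctly. I would guard the flag with a one-time capability check (append a throwaway rule with `--random-fully` and retry without it on failure, logging which variant was used) so older nodes keep working, and add a comment on the first rule such as `// --random-fully needs iptables and kernel support for NF_NAT_RANGE_PROTO_RANDOM_FULLY; see iptables.patch for the bundled build`. The motivation is sound from a defensive angle, since full port randomization avoids the conntrack source-port collisions the default allocator can produce between nodes sharing a SNAT address, and it makes the chosen source port less predictable. The enclosing `rules` function starts before this hunk.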