Merge pull request #570 from 2rs2ts/iptables-comments

Add comments to iptables rules generated by node-cache app
kubernetes · Feb 13, 2023 · eba8508 · eba8508
2 parents 40f69d3 + 30a22e2
commit eba8508
Showing 1 changed file with 17 additions and 12 deletions.
diff --git a/cmd/node-cache/app/cache_app.go b/cmd/node-cache/app/cache_app.go
@@ -30,6 +30,11 @@ import (
 	utilnet "k8s.io/utils/net"
 )
 
+var (
+	iptablesCommentSkipConntrack = "NodeLocal DNS Cache: skip conntrack"
+	iptablesCommentAllowTraffic  = "NodeLocal DNS Cache: allow DNS traffic"
+)
+
 // ConfigParams lists the configuration options that can be provided to node-cache
 type ConfigParams struct {
 	LocalIPStr           string        // comma separated listen ips for the local cache agent
@@ -108,35 +113,35 @@ func (c *CacheApp) initIptables() {
 		c.iptablesRules = append(c.iptablesRules, []iptablesRule{
 			// Match traffic destined for localIp:localPort and set the flows to be NOTRACKED, this skips connection tracking
 			{utiliptables.Table("raw"), utiliptables.ChainPrerouting, []string{"-p", "tcp", "-d", localIP,
-				"--dport", c.params.LocalPort, "-j", "NOTRACK"}},
+				"--dport", c.params.LocalPort, "-j", "NOTRACK", "-m", "comment", "--comment", iptablesCommentSkipConntrack}},
 			{utiliptables.Table("raw"), utiliptables.ChainPrerouting, []string{"-p", "udp", "-d", localIP,
-				"--dport", c.params.LocalPort, "-j", "NOTRACK"}},
+				"--dport", c.params.LocalPort, "-j", "NOTRACK", "-m", "comment", "--comment", iptablesCommentSkipConntrack}},
 			// There are rules in filter table to allow tracked connections to be accepted. Since we skipped connection tracking,
 			// need these additional filter table rules.
 			{utiliptables.TableFilter, utiliptables.ChainInput, []string{"-p", "tcp", "-d", localIP,
-				"--dport", c.params.LocalPort, "-j", "ACCEPT"}},
+				"--dport", c.params.LocalPort, "-j", "ACCEPT", "-m", "comment", "--comment", iptablesCommentAllowTraffic}},
 			{utiliptables.TableFilter, utiliptables.ChainInput, []string{"-p", "udp", "-d", localIP,
-				"--dport", c.params.LocalPort, "-j", "ACCEPT"}},
+				"--dport", c.params.LocalPort, "-j", "ACCEPT", "-m", "comment", "--comment", iptablesCommentAllowTraffic}},
 			// Match traffic from localIp:localPort and set the flows to be NOTRACKED, this skips connection tracking
 			{utiliptables.Table("raw"), utiliptables.ChainOutput, []string{"-p", "tcp", "-s", localIP,
-				"--sport", c.params.LocalPort, "-j", "NOTRACK"}},
+				"--sport", c.params.LocalPort, "-j", "NOTRACK", "-m", "comment", "--comment", iptablesCommentSkipConntrack}},
 			{utiliptables.Table("raw"), utiliptables.ChainOutput, []string{"-p", "udp", "-s", localIP,
-				"--sport", c.params.LocalPort, "-j", "NOTRACK"}},
+				"--sport", c.params.LocalPort, "-j", "NOTRACK", "-m", "comment", "--comment", iptablesCommentSkipConntrack}},
 			// Additional filter table rules for traffic frpm localIp:localPort
 			{utiliptables.TableFilter, utiliptables.ChainOutput, []string{"-p", "tcp", "-s", localIP,
-				"--sport", c.params.LocalPort, "-j", "ACCEPT"}},
+				"--sport", c.params.LocalPort, "-j", "ACCEPT", "-m", "comment", "--comment", iptablesCommentAllowTraffic}},
 			{utiliptables.TableFilter, utiliptables.ChainOutput, []string{"-p", "udp", "-s", localIP,
-				"--sport", c.params.LocalPort, "-j", "ACCEPT"}},
+				"--sport", c.params.LocalPort, "-j", "ACCEPT", "-m", "comment", "--comment", iptablesCommentAllowTraffic}},
 			// Skip connection tracking for requests to nodelocalDNS that are locally generated, example - by hostNetwork pods
 			{utiliptables.Table("raw"), utiliptables.ChainOutput, []string{"-p", "tcp", "-d", localIP,
-				"--dport", c.params.LocalPort, "-j", "NOTRACK"}},
+				"--dport", c.params.LocalPort, "-j", "NOTRACK", "-m", "comment", "--comment", iptablesCommentSkipConntrack}},
 			{utiliptables.Table("raw"), utiliptables.ChainOutput, []string{"-p", "udp", "-d", localIP,
-				"--dport", c.params.LocalPort, "-j", "NOTRACK"}},
+				"--dport", c.params.LocalPort, "-j", "NOTRACK", "-m", "comment", "--comment", iptablesCommentSkipConntrack}},
 			// skip connection tracking for healthcheck requests generated by liveness probe to health plugin
 			{utiliptables.Table("raw"), utiliptables.ChainOutput, []string{"-p", "tcp", "-d", localIP,
-				"--dport", c.params.HealthPort, "-j", "NOTRACK"}},
+				"--dport", c.params.HealthPort, "-j", "NOTRACK", "-m", "comment", "--comment", iptablesCommentSkipConntrack}},
 			{utiliptables.Table("raw"), utiliptables.ChainOutput, []string{"-p", "tcp", "-s", localIP,
-				"--sport", c.params.HealthPort, "-j", "NOTRACK"}},
+				"--sport", c.params.HealthPort, "-j", "NOTRACK", "-m", "comment", "--comment", iptablesCommentSkipConntrack}},
 		}...)
 	}
 	c.iptables = newIPTables(c.isIPv6())