Add --random-fully=true|false flag to ip-masq-agent

Defaults to true to keep the behavior added in 2.10.0 unchanged.
kubernetes-sigs · Feb 7, 2024 · 2a033a7 · 2a033a7
1 parent 60f495f
commit 2a033a7
Show file tree

Hide file tree

Showing 2 changed files with 41 additions and 9 deletions.
diff --git a/cmd/ip-masq-agent/ip-masq-agent.go b/cmd/ip-masq-agent/ip-masq-agent.go
@@ -51,6 +51,7 @@ var (
 	masqChainFlag                     = flag.String("masq-chain", "IP-MASQ-AGENT", `Name of nat chain for iptables masquerade rules.`)
 	noMasqueradeAllReservedRangesFlag = flag.Bool("nomasq-all-reserved-ranges", false, "Whether to disable masquerade for all IPv4 ranges reserved by RFCs.")
 	enableIPv6                        = flag.Bool("enable-ipv6", false, "Whether to enable IPv6.")
+	randomFully                       = flag.Bool("random-fully", true, "Whether to add --random-fully to the masquerade rule.")
 )
 
 // MasqConfig object
@@ -385,7 +386,11 @@ func writeNonMasqRule(lines *bytes.Buffer, cidr string) {
 const masqRuleComment = `-m comment --comment "ip-masq-agent: outbound traffic is subject to MASQUERADE (must be last in chain)"`
 
 func writeMasqRule(lines *bytes.Buffer) {
-	writeRule(lines, utiliptables.Append, masqChain, masqRuleComment, "-j", "MASQUERADE", "--random-fully")
+	args := []string{masqRuleComment, "-j", "MASQUERADE"}
+	if *randomFully {
+		args = append(args, "--random-fully")
+	}
+	writeRule(lines, utiliptables.Append, masqChain, args...)
 }
 
 // Similar syntax to utiliptables.Interface.EnsureRule, except you don't pass a table

diff --git a/cmd/ip-masq-agent/ip-masq-agent_test.go b/cmd/ip-masq-agent/ip-masq-agent_test.go
@@ -31,11 +31,38 @@ import (
 	iptest "k8s.io/kubernetes/pkg/util/iptables/testing"
 )
 
+var wantRandomFully string
+
 // turn off glog logging during tests to avoid clutter in output
 func TestMain(m *testing.M) {
 	flag.Set("logtostderr", "false")
 	flag.Set("masq-chain", "IP-MASQ-AGENT")
-	ec := m.Run()
+
+	ec := 0
+	randomFully := " --random-fully"
+
+	for _, tc := range []struct{
+		arg string
+		want string
+	}{
+		{
+			want: randomFully,
+		},
+		{
+			arg: "false",
+		},
+		{
+			arg: "true",
+			want: randomFully,
+		},
+	} {
+		if tc.arg != "" {
+			flag.Set("random-fully", tc.arg)
+		}
+		wantRandomFully = tc.want
+
+		ec = max(ec, m.Run())
+	}
 	os.Exit(ec)
 }
 
@@ -283,7 +310,7 @@ func TestSyncMasqRules(t *testing.T) {
 -A ` + string(utiliptables.ChainPostrouting) + ` -m comment --comment ` +
 				fmt.Sprintf(postRoutingMasqChainCommentFormat, masqChain) + ` -m addrtype ! --dst-type LOCAL -j ` + string(masqChain) + `
 -A ` + string(masqChain) + ` ` + nonMasqRuleComment + ` -d 169.254.0.0/16 -j RETURN
--A ` + string(masqChain) + ` ` + masqRuleComment + ` -j MASQUERADE --random-fully
+-A ` + string(masqChain) + ` ` + masqRuleComment + ` -j MASQUERADE` + wantRandomFully + `
 COMMIT
 `,
 		},
@@ -299,7 +326,7 @@ COMMIT
 -A ` + string(masqChain) + ` ` + nonMasqRuleComment + ` -d 10.0.0.0/8 -j RETURN
 -A ` + string(masqChain) + ` ` + nonMasqRuleComment + ` -d 172.16.0.0/12 -j RETURN
 -A ` + string(masqChain) + ` ` + nonMasqRuleComment + ` -d 192.168.0.0/16 -j RETURN
--A ` + string(masqChain) + ` ` + masqRuleComment + ` -j MASQUERADE --random-fully
+-A ` + string(masqChain) + ` ` + masqRuleComment + ` -j MASQUERADE` + wantRandomFully + `
 COMMIT
 `,
 		},
@@ -323,7 +350,7 @@ COMMIT
 -A ` + string(masqChain) + ` ` + nonMasqRuleComment + ` -d 198.51.100.0/24 -j RETURN
 -A ` + string(masqChain) + ` ` + nonMasqRuleComment + ` -d 203.0.113.0/24 -j RETURN
 -A ` + string(masqChain) + ` ` + nonMasqRuleComment + ` -d 240.0.0.0/4 -j RETURN
--A ` + string(masqChain) + ` ` + masqRuleComment + ` -j MASQUERADE --random-fully
+-A ` + string(masqChain) + ` ` + masqRuleComment + ` -j MASQUERADE` + wantRandomFully + `
 COMMIT
 `,
 		},
@@ -342,7 +369,7 @@ COMMIT
 				fmt.Sprintf(postRoutingMasqChainCommentFormat, masqChain) + ` -m addrtype ! --dst-type LOCAL -j ` + string(masqChain) + `
 -A ` + string(masqChain) + ` ` + nonMasqRuleComment + ` -d 169.254.0.0/16 -j RETURN
 -A ` + string(masqChain) + ` ` + nonMasqRuleComment + ` -d 10.244.0.0/16 -j RETURN
--A ` + string(masqChain) + ` ` + masqRuleComment + ` -j MASQUERADE --random-fully
+-A ` + string(masqChain) + ` ` + masqRuleComment + ` -j MASQUERADE` + wantRandomFully + `
 COMMIT
 `,
 		},
@@ -384,7 +411,7 @@ func TestSyncMasqRulesIPv6(t *testing.T) {
 -A ` + string(utiliptables.ChainPostrouting) + ` -m comment --comment ` +
 				fmt.Sprintf(postRoutingMasqChainCommentFormat, masqChain) + ` -m addrtype ! --dst-type LOCAL -j ` + string(masqChain) + `
 -A ` + string(masqChain) + ` ` + nonMasqRuleComment + ` -d fe80::/10 -j RETURN
--A ` + string(masqChain) + ` ` + masqRuleComment + ` -j MASQUERADE --random-fully
+-A ` + string(masqChain) + ` ` + masqRuleComment + ` -j MASQUERADE` + wantRandomFully + `
 COMMIT
 `,
 		},
@@ -403,7 +430,7 @@ COMMIT
 				fmt.Sprintf(postRoutingMasqChainCommentFormat, masqChain) + ` -m addrtype ! --dst-type LOCAL -j ` + string(masqChain) + `
 -A ` + string(masqChain) + ` ` + nonMasqRuleComment + ` -d fe80::/10 -j RETURN
 -A ` + string(masqChain) + ` ` + nonMasqRuleComment + ` -d fc00::/7 -j RETURN
--A ` + string(masqChain) + ` ` + masqRuleComment + ` -j MASQUERADE --random-fully
+-A ` + string(masqChain) + ` ` + masqRuleComment + ` -j MASQUERADE` + wantRandomFully + `
 COMMIT
 `,
 		},
@@ -415,7 +442,7 @@ COMMIT
 :` + string(masqChain) + ` - [0:0]
 -A ` + string(utiliptables.ChainPostrouting) + ` -m comment --comment ` +
 				fmt.Sprintf(postRoutingMasqChainCommentFormat, masqChain) + ` -m addrtype ! --dst-type LOCAL -j ` + string(masqChain) + `
--A ` + string(masqChain) + ` ` + masqRuleComment + ` -j MASQUERADE --random-fully
+-A ` + string(masqChain) + ` ` + masqRuleComment + ` -j MASQUERADE` + wantRandomFully + `
 COMMIT
 `,
 		},