diff --git a/cmd/ip-masq-agent/ip-masq-agent.go b/cmd/ip-masq-agent/ip-masq-agent.go
index 4d1c9cfa..ce76eb99 100644
--- a/cmd/ip-masq-agent/ip-masq-agent.go
+++ b/cmd/ip-masq-agent/ip-masq-agent.go
@@ -51,6 +51,7 @@ var (
 masqChainFlag = flag.String("masq-chain", "IP-MASQ-AGENT", `Name of nat chain for iptables masquerade rules.`)
 noMasqueradeAllReservedRangesFlag = flag.Bool("nomasq-all-reserved-ranges", false, "Whether to disable masquerade for all IPv4 ranges reserved by RFCs.")
 enableIPv6 = flag.Bool("enable-ipv6", false, "Whether to enable IPv6.")
+ randomFully = flag.Bool("random-fully", true, "Whether to add --random-fully to the masquerade rule.")
 )
 
 // MasqConfig object
@@ -385,7 +386,11 @@ func writeNonMasqRule(lines *bytes.Buffer, cidr string) {
 const masqRuleComment = `-m comment --comment "ip-masq-agent: outbound traffic is subject to MASQUERADE (must be last in chain)"`
 
 func writeMasqRule(lines *bytes.Buffer) {
- writeRule(lines, utiliptables.Append, masqChain, masqRuleComment, "-j", "MASQUERADE", "--random-fully")
+ args := []string{masqRuleComment, "-j", "MASQUERADE"}
+ if *randomFully {
+ args = append(args, "--random-fully")
+ }
+ writeRule(lines, utiliptables.Append, masqChain, args...)
 }
 
 // Similar syntax to utiliptables.Interface.EnsureRule, except you don't pass a table
diff --git a/cmd/ip-masq-agent/ip-masq-agent_test.go b/cmd/ip-masq-agent/ip-masq-agent_test.go
index 8edfd16b..3ef8c5ac 100644
--- a/cmd/ip-masq-agent/ip-masq-agent_test.go
+++ b/cmd/ip-masq-agent/ip-masq-agent_test.go
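Review bot: Neither the new flag help text in the first hunk nor writeMasqRule says what is given up when `-random-fully=false` is set: the terminal MASQUERADE rule then loses fully randomized SNAT source-port selection, so an operator reading `--help` has no hint that this weakens port unpredictability rather than being a cosmetic toggle. A doc comment on the function would fix that, e.g. `// writeMasqRule appends the chain's terminal MASQUERADE rule; --random-fully is omitted only when -random-fully=false, which makes SNAT port selection predictable (presumably only wanted where the local iptables rejects the option — confirm).` The flag also sits beside the other process flags rather than in MasqConfig, so it is presumably not reloadable from the config file the way the CIDR lists are; if that is intended, saying so in the help string would save a support question.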
@@ -31,11 +31,38 @@ import (
 iptest "k8s.io/kubernetes/pkg/util/iptables/testing"
 )
 
+var wantRandomFully string
+
 // turn off glog logging during tests to avoid clutter in output
 func TestMain(m *testing.M) {
 flag.Set("logtostderr", "false")
 flag.Set("masq-chain", "IP-MASQ-AGENT")
- ec := m.Run()
+
+ ec := 0
+ randomFully := " --random-fully"
+
+ for _, tc := range []struct{
+ arg string
+ want string
+ }{
+ {
+ want: randomFully,
+ },
+ {
+ arg: "false",
+ },
+ {
+ arg: "true",
+ want: randomFully,
+ },
+ } {
+ if tc.arg != "" {
+ flag.Set("random-fully", tc.arg)
+ }
+ wantRandomFully = tc.want
+
+ ec = max(ec, m.Run())
+ }
 os.Exit(ec)
 }
 
@@ -283,7 +310,7 @@ func TestSyncMasqRules(t *testing.T) {
 -A ` + string(utiliptables.ChainPostrouting) + ` -m comment --comment ` +
 fmt.Sprintf(postRoutingMasqChainCommentFormat, masqChain) + ` -m addrtype ! --dst-type LOCAL -j ` + string(masqChain) + `
 -A ` + string(masqChain) + ` ` + nonMasqRuleComment + ` -d 169.254.0.0/16 -j RETURN
--A ` + string(masqChain) + ` ` + masqRuleComment + ` -j MASQUERADE --random-fully
+-A ` + string(masqChain) + ` ` + masqRuleComment + ` -j MASQUERADE` + wantRandomFully + `
 COMMIT
 `,
 },
@@ -299,7 +326,7 @@ COMMIT
 -A ` + string(masqChain) + ` ` + nonMasqRuleComment + ` -d 10.0.0.0/8 -j RETURN
 -A ` + string(masqChain) + ` ` + nonMasqRuleComment + ` -d 172.16.0.0/12 -j RETURN
 -A ` + string(masqChain) + ` ` + nonMasqRuleComment + ` -d 192.168.0.0/16 -j RETURN
--A ` + string(masqChain) + ` ` + masqRuleComment + ` -j MASQUERADE --random-fully
+-A ` + string(masqChain) + ` ` + masqRuleComment + ` -j MASQUERADE` + wantRandomFully + `
 COMMIT
 `,
 },
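Review bot: The new loop in TestMain ignores the error from `flag.Set("random-fully", tc.arg)`, as the two existing calls above it do, so a mistyped case value would leave the previous setting in place and the suite would still pass against `wantRandomFully`; `if err := flag.Set("random-fully", tc.arg); err != nil { panic(err) }` makes that visible. The literal is also written `[]struct{` where gofmt emits `[]struct {`, so the file is no longer gofmt-clean (field alignment inside it cannot be judged from the collapsed diff). Running `m.Run()` three times relies on the testing package tolerating repeated runs and triples the package's test time; `max` as a builtin additionally needs a Go 1.21 toolchain, which the diff does not show — confirm against go.mod. The first case sets no flag and so pins the default of true, which is fine but worth a one-line comment, e.g. `// default: flag left untouched`.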
@@ -323,7 +350,7 @@ COMMIT
 -A ` + string(masqChain) + ` ` + nonMasqRuleComment + ` -d 198.51.100.0/24 -j RETURN
 -A ` + string(masqChain) + ` ` + nonMasqRuleComment + ` -d 203.0.113.0/24 -j RETURN
 -A ` + string(masqChain) + ` ` + nonMasqRuleComment + ` -d 240.0.0.0/4 -j RETURN
--A ` + string(masqChain) + ` ` + masqRuleComment + ` -j MASQUERADE --random-fully
+-A ` + string(masqChain) + ` ` + masqRuleComment + ` -j MASQUERADE` + wantRandomFully + `
 COMMIT
 `,
 },
@@ -342,7 +369,7 @@ COMMIT
 fmt.Sprintf(postRoutingMasqChainCommentFormat, masqChain) + ` -m addrtype ! --dst-type LOCAL -j ` + string(masqChain) + `
 -A ` + string(masqChain) + ` ` + nonMasqRuleComment + ` -d 169.254.0.0/16 -j RETURN
 -A ` + string(masqChain) + ` ` + nonMasqRuleComment + ` -d 10.244.0.0/16 -j RETURN
--A ` + string(masqChain) + ` ` + masqRuleComment + ` -j MASQUERADE --random-fully
+-A ` + string(masqChain) + ` ` + masqRuleComment + ` -j MASQUERADE` + wantRandomFully + `
 COMMIT
 `,
 },
@@ -384,7 +411,7 @@ func TestSyncMasqRulesIPv6(t *testing.T) {
 -A ` + string(utiliptables.ChainPostrouting) + ` -m comment --comment ` +
 fmt.Sprintf(postRoutingMasqChainCommentFormat, masqChain) + ` -m addrtype ! --dst-type LOCAL -j ` + string(masqChain) + `
 -A ` + string(masqChain) + ` ` + nonMasqRuleComment + ` -d fe80::/10 -j RETURN
--A ` + string(masqChain) + ` ` + masqRuleComment + ` -j MASQUERADE --random-fully
+-A ` + string(masqChain) + ` ` + masqRuleComment + ` -j MASQUERADE` + wantRandomFully + `
 COMMIT
 `,
 },
@@ -403,7 +430,7 @@ COMMIT
 fmt.Sprintf(postRoutingMasqChainCommentFormat, masqChain) + ` -m addrtype ! --dst-type LOCAL -j ` + string(masqChain) + `
 -A ` + string(masqChain) + ` ` + nonMasqRuleComment + ` -d fe80::/10 -j RETURN
 -A ` + string(masqChain) + ` ` + nonMasqRuleComment + ` -d fc00::/7 -j RETURN
--A ` + string(masqChain) + ` ` + masqRuleComment + ` -j MASQUERADE --random-fully
+-A ` + string(masqChain) + ` ` + masqRuleComment + ` -j MASQUERADE` + wantRandomFully + `
 COMMIT
 `,
 },
@@ -415,7 +442,7 @@ COMMIT
 :` + string(masqChain) + ` - [0:0]
 -A ` + string(utiliptables.ChainPostrouting) + ` -m comment --comment ` +
 fmt.Sprintf(postRoutingMasqChainCommentFormat, masqChain) + ` -m addrtype ! --dst-type LOCAL -j ` + string(masqChain) + `
--A ` + string(masqChain) + ` ` + masqRuleComment + ` -j MASQUERADE --random-fully
+-A ` + string(masqChain) + ` ` + masqRuleComment + ` -j MASQUERADE` + wantRandomFully + `
 COMMIT
 `,
 },