maxlaverse · April 16, 2018 06:45
diff --git a/flannel-random-fully.diff b/flannel-random-fully.diff
 diff --git a/Makefile b/Makefile
 index 00730a98..28d23f11 100644
 --- a/Makefile
 +++ b/Makefile
 @@ -39,7 +39,7 @@ GOARM=7
 
 # List images with gcloud alpha container images list-tags gcr.io/google_containers/kube-cross
 KUBE_CROSS_TAG=v1.8.3-1
 -IPTABLES_VERSION=1.4.21
 +IPTABLES_VERSION=1.6.1
 
 dist/flanneld: $(shell find . -type f  -name '*.go')
 	go build -o dist/flanneld \
 @@ -137,13 +137,15 @@ dist/iptables-$(ARCH):
                 --disable-nftables \
                 --enable-static \
                 --host=amd64 && \
 +						cp /go/src/github.com/coreos/flannel/iptables.patch ./ && \
 +						patch -p0 < iptables.patch && \
             make && \
             cp iptables/xtables-multi /go/src/github.com/coreos/flannel/dist/iptables-$(ARCH) && \
             cd /go/src/github.com/coreos/flannel && \
             file dist/iptables-$(ARCH)'
 
 ## Build a .tar.gz for the amd64 ppc64le arm arm64 flanneld binary
 -tar.gz:	
 +tar.gz:
 	ARCH=amd64 make dist/flanneld-amd64
 	tar --transform='flags=r;s|-amd64||' -zcvf dist/flannel-$(TAG)-linux-amd64.tar.gz -C dist flanneld-amd64 mk-docker-opts.sh ../README.md
 	tar -tvf dist/flannel-$(TAG)-linux-amd64.tar.gz
 @@ -242,4 +244,4 @@ run-local-kube-flannel-with-prereqs: run-etcd run-k8s-apiserver dist/flanneld
 
 run-local-kube-flannel:
 	# Currently this requires the netconf to be in /etc/kube-flannel/net-conf.json
 -	sudo NODE_NAME=test dist/flanneld --kube-subnet-mgr --kube-api-url http://127.0.0.1:8080
 \ No newline at end of file
 +	sudo NODE_NAME=test dist/flanneld --kube-subnet-mgr --kube-api-url http://127.0.0.1:8080
 diff --git a/dist/iptables-amd64 b/dist/iptables-amd64
 index a248b93c..bb3974e0 100755
 Binary files a/dist/iptables-amd64 and b/dist/iptables-amd64 differ
 diff --git a/iptables.patch b/iptables.patch
 new file mode 100644
 index 00000000..b5fecfa0
 --- /dev/null
 +++ b/iptables.patch
 @@ -0,0 +1,69 @@
 +--- extensions.o/libipt_MASQUERADE.c	2017-12-02 10:12:00.000000000 +0100
 ++++ extensions/libipt_MASQUERADE.c	2017-12-02 10:11:30.000000000 +0100
 +@@ -11,6 +11,7 @@
 + enum {
 + 	O_TO_PORTS = 0,
 + 	O_RANDOM,
 ++	O_RANDOM_FULLY,
 + };
 +
 + static void MASQUERADE_help(void)
 +@@ -20,12 +21,15 @@
 + " --to-ports <port>[-<port>]\n"
 + "				Port (range) to map to.\n"
 + " --random\n"
 +-"				Randomize source port.\n");
 ++"				Randomize source port.\n"
 ++" --random-fully\n"
 ++"				Fully randomize source port.\n");
 + }
 +
 + static const struct xt_option_entry MASQUERADE_opts[] = {
 + 	{.name = "to-ports", .id = O_TO_PORTS, .type = XTTYPE_STRING},
 + 	{.name = "random", .id = O_RANDOM, .type = XTTYPE_NONE},
 ++	{.name = "random-fully", .id = O_RANDOM_FULLY, .type = XTTYPE_NONE},
 + 	XTOPT_TABLEEND,
 + };
 +
 +@@ -97,7 +101,12 @@
 + 	case O_RANDOM:
 + 		mr->range[0].flags |=  NF_NAT_RANGE_PROTO_RANDOM;
 + 		break;
 ++	case O_RANDOM_FULLY:
 ++		mr->range[0].flags |=  NF_NAT_RANGE_PROTO_RANDOM_FULLY;
 ++		break;
 + 	}
 ++	// Force full randomization on MASQUERADE targets
 ++	mr->range[0].flags |=  NF_NAT_RANGE_PROTO_RANDOM_FULLY;
 + }
 +
 + static void
 +@@ -116,6 +125,9 @@
 +
 + 	if (r->flags & NF_NAT_RANGE_PROTO_RANDOM)
 + 		printf(" random");
 ++
 ++	if (r->flags & NF_NAT_RANGE_PROTO_RANDOM_FULLY)
 ++		printf(" random-fully");
 + }
 +
 + static void
 +@@ -132,6 +144,9 @@
 +
 + 	if (r->flags & NF_NAT_RANGE_PROTO_RANDOM)
 + 		printf(" --random");
 ++
 ++	if (r->flags & NF_NAT_RANGE_PROTO_RANDOM_FULLY)
 ++		printf(" --random-fully");
 + }
 +
 + static int MASQUERADE_xlate(struct xt_xlate *xl,
 +@@ -153,6 +168,9 @@
 + 	if (r->flags & NF_NAT_RANGE_PROTO_RANDOM)
 + 		xt_xlate_add(xl, "random ");
 +
 ++	if (r->flags & NF_NAT_RANGE_PROTO_RANDOM_FULLY)
 ++		xt_xlate_add(xl, "random-fully ");
 ++
 + 	return 1;
 + }
 diff --git a/network/ipmasq.go b/network/ipmasq.go
 index 451eec0a..f21e5651 100644
 --- a/network/ipmasq.go
 +++ b/network/ipmasq.go
 @@ -38,11 +38,11 @@ func rules(ipn ip.IP4Net, lease *subnet.Lease) [][]string {
 		// This rule makes sure we don't NAT traffic within overlay network (e.g. coming out of docker0)
 		{"-s", n, "-d", n, "-j", "RETURN"},
 		// NAT if it's not multicast traffic
 -		{"-s", n, "!", "-d", "224.0.0.0/4", "-j", "MASQUERADE"},
 +		{"-s", n, "!", "-d", "224.0.0.0/4", "-j", "MASQUERADE", "--random-fully"},
 		// Prevent performing Masquerade on external traffic which arrives from a Node that owns the container/pod IP address
 		{"!", "-s", n, "-d", sn, "-j", "RETURN"},
 		// Masquerade anything headed towards flannel from the host
 -		{"!", "-s", n, "-d", n, "-j", "MASQUERADE"},
 +		{"!", "-s", n, "-d", n, "-j", "MASQUERADE", "--random-fully"},
 	}
 }
	diff --git a/Makefile b/Makefile
	index 00730a98..28d23f11 100644
	--- a/Makefile
	+++ b/Makefile
	@@ -39,7 +39,7 @@ GOARM=7

	# List images with gcloud alpha container images list-tags gcr.io/google_containers/kube-cross
	KUBE_CROSS_TAG=v1.8.3-1
	-IPTABLES_VERSION=1.4.21
	+IPTABLES_VERSION=1.6.1

	dist/flanneld: $(shell find . -type f -name '*.go')
	go build -o dist/flanneld \
	@@ -137,13 +137,15 @@ dist/iptables-$(ARCH):
	--disable-nftables \
	--enable-static \
	--host=amd64 && \
	+ cp /go/src/github.com/coreos/flannel/iptables.patch ./ && \
	+ patch -p0 < iptables.patch && \
	make && \
	cp iptables/xtables-multi /go/src/github.com/coreos/flannel/dist/iptables-$(ARCH) && \
	cd /go/src/github.com/coreos/flannel && \
	file dist/iptables-$(ARCH)'

	## Build a .tar.gz for the amd64 ppc64le arm arm64 flanneld binary
	-tar.gz:
	+tar.gz:
	ARCH=amd64 make dist/flanneld-amd64
	tar --transform='flags=r;s\|-amd64\|\|' -zcvf dist/flannel-$(TAG)-linux-amd64.tar.gz -C dist flanneld-amd64 mk-docker-opts.sh ../README.md
	tar -tvf dist/flannel-$(TAG)-linux-amd64.tar.gz
	@@ -242,4 +244,4 @@ run-local-kube-flannel-with-prereqs: run-etcd run-k8s-apiserver dist/flanneld

	run-local-kube-flannel:
	# Currently this requires the netconf to be in /etc/kube-flannel/net-conf.json
	- sudo NODE_NAME=test dist/flanneld --kube-subnet-mgr --kube-api-url http://127.0.0.1:8080
	\ No newline at end of file
	+ sudo NODE_NAME=test dist/flanneld --kube-subnet-mgr --kube-api-url http://127.0.0.1:8080
	diff --git a/dist/iptables-amd64 b/dist/iptables-amd64
	index a248b93c..bb3974e0 100755
	Binary files a/dist/iptables-amd64 and b/dist/iptables-amd64 differ
	diff --git a/iptables.patch b/iptables.patch
	new file mode 100644
	index 00000000..b5fecfa0
	--- /dev/null
	+++ b/iptables.patch
	@@ -0,0 +1,69 @@
	+--- extensions.o/libipt_MASQUERADE.c 2017-12-02 10:12:00.000000000 +0100
	++++ extensions/libipt_MASQUERADE.c 2017-12-02 10:11:30.000000000 +0100
	+@@ -11,6 +11,7 @@
	+ enum {
	+ O_TO_PORTS = 0,
	+ O_RANDOM,
	++ O_RANDOM_FULLY,
	+ };
	+
	+ static void MASQUERADE_help(void)
	+@@ -20,12 +21,15 @@
	+ " --to-ports <port>[-<port>]\n"
	+ " Port (range) to map to.\n"
	+ " --random\n"
	+-" Randomize source port.\n");
	++" Randomize source port.\n"
	++" --random-fully\n"
	++" Fully randomize source port.\n");
	+ }
	+
	+ static const struct xt_option_entry MASQUERADE_opts[] = {
	+ {.name = "to-ports", .id = O_TO_PORTS, .type = XTTYPE_STRING},
	+ {.name = "random", .id = O_RANDOM, .type = XTTYPE_NONE},
	++ {.name = "random-fully", .id = O_RANDOM_FULLY, .type = XTTYPE_NONE},
	+ XTOPT_TABLEEND,
	+ };
	+
	+@@ -97,7 +101,12 @@
	+ case O_RANDOM:
	+ mr->range[0].flags \|= NF_NAT_RANGE_PROTO_RANDOM;
	+ break;
	++ case O_RANDOM_FULLY:
	++ mr->range[0].flags \|= NF_NAT_RANGE_PROTO_RANDOM_FULLY;
	++ break;
	+ }
	++ // Force full randomization on MASQUERADE targets
	++ mr->range[0].flags \|= NF_NAT_RANGE_PROTO_RANDOM_FULLY;
	+ }
	+
	+ static void
	+@@ -116,6 +125,9 @@
	+
	+ if (r->flags & NF_NAT_RANGE_PROTO_RANDOM)
	+ printf(" random");
	++
	++ if (r->flags & NF_NAT_RANGE_PROTO_RANDOM_FULLY)
	++ printf(" random-fully");
	+ }
	+
	+ static void
	+@@ -132,6 +144,9 @@
	+
	+ if (r->flags & NF_NAT_RANGE_PROTO_RANDOM)
	+ printf(" --random");
	++
	++ if (r->flags & NF_NAT_RANGE_PROTO_RANDOM_FULLY)
	++ printf(" --random-fully");
	+ }
	+
	+ static int MASQUERADE_xlate(struct xt_xlate *xl,
	+@@ -153,6 +168,9 @@
	+ if (r->flags & NF_NAT_RANGE_PROTO_RANDOM)
	+ xt_xlate_add(xl, "random ");
	+
	++ if (r->flags & NF_NAT_RANGE_PROTO_RANDOM_FULLY)
	++ xt_xlate_add(xl, "random-fully ");
	++
	+ return 1;
	+ }
	diff --git a/network/ipmasq.go b/network/ipmasq.go
	index 451eec0a..f21e5651 100644
	--- a/network/ipmasq.go
	+++ b/network/ipmasq.go
	@@ -38,11 +38,11 @@ func rules(ipn ip.IP4Net, lease *subnet.Lease) [][]string {
	// This rule makes sure we don't NAT traffic within overlay network (e.g. coming out of docker0)
	{"-s", n, "-d", n, "-j", "RETURN"},
	// NAT if it's not multicast traffic
	- {"-s", n, "!", "-d", "224.0.0.0/4", "-j", "MASQUERADE"},
	+ {"-s", n, "!", "-d", "224.0.0.0/4", "-j", "MASQUERADE", "--random-fully"},
	// Prevent performing Masquerade on external traffic which arrives from a Node that owns the container/pod IP address
	{"!", "-s", n, "-d", sn, "-j", "RETURN"},
	// Masquerade anything headed towards flannel from the host
	- {"!", "-s", n, "-d", n, "-j", "MASQUERADE"},
	+ {"!", "-s", n, "-d", n, "-j", "MASQUERADE", "--random-fully"},
	}
	}