From 0599a27e9a68904f95c15ff58cd9abb5c6c1e3d7 Mon Sep 17 00:00:00 2001
From: bazuchan
Date: Thu, 24 Jan 2019 10:27:12 +0300
Subject: [PATCH] Add iptables INPUT rules for tunneled services (#610)

---
 .../proxy/network_services_controller.go | 35 ++++++++++++++++---
 1 file changed, 30 insertions(+), 5 deletions(-)

diff --git a/pkg/controllers/proxy/network_services_controller.go b/pkg/controllers/proxy/network_services_controller.go
index e905da35..cabe3837 100644
--- a/pkg/controllers/proxy/network_services_controller.go
+++ b/pkg/controllers/proxy/network_services_controller.go
@@ -387,6 +387,19 @@ func (nsc *NetworkServicesController) sync() error {
 	return nil
 }
 
+// Lookup service ip, protocol, port by given fwmark value (reverse of generateFwmark)
+func (nsc *NetworkServicesController) lookupServiceByFWMark(FWMark uint32) (string, string, int) {
+	for _, svc := range nsc.serviceMap {
+		for _, externalIP := range svc.externalIPs {
+			gfwmark := generateFwmark(externalIP, svc.protocol, fmt.Sprint(svc.port))
+			if FWMark == gfwmark {
+				return externalIP, svc.protocol, svc.port
+			}
+		}
+	}
+	return "", "", 0
+}
+
 func getIpvsFirewallInputChainRule() []string {
 	// The iptables rule for use in {setup,cleanup}IpvsFirewall.
 	return []string{
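Review bot: lookupServiceByFWMark returns the first service whose generated mark equals the argument, so if generateFwmark (defined outside this hunk) can yield the same value for two distinct externalIP/protocol/port triples, the firewall sets would be populated with another service's address and port; the doc comment should state that the first match wins and that `"", "", 0` is the not-found sentinel callers must check. The comment should also follow Go convention and begin with the function name, and the parameter should be `fwmark uint32` rather than `FWMark`, which reads like an exported identifier. Suggested header: `// lookupServiceByFWMark returns the external IP, protocol and port of the first service whose generateFwmark value equals fwmark (the reverse of generateFwmark); it returns "", "", 0 when nothing matches.` Whether nsc.serviceMap is guarded against concurrent updates is not visible here; if a mutex protects it in sync(), this lookup presumably needs to hold it too.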
@@ -579,15 +592,27 @@ func (nsc *NetworkServicesController) syncIpvsFirewall() error {
 	ipvsServicesSets := make([]string, 0, len(ipvsServices))
 	for _, ipvsService := range ipvsServices {
-		protocol := "udp"
-		if ipvsService.Protocol == syscall.IPPROTO_TCP {
-			protocol = "tcp"
+		var address, protocol string
+		var port int
+		if ipvsService.Address != nil {
+			address = ipvsService.Address.String()
+			if ipvsService.Protocol == syscall.IPPROTO_TCP {
+				protocol = "tcp"
+			} else {
+				protocol = "udp"
+			}
+			port = int(ipvsService.Port)
+		} else if ipvsService.FWMark != 0 {
+			address, protocol, port = nsc.lookupServiceByFWMark(ipvsService.FWMark)
+			if address == "" {
+				continue
+			}
 		}
-		serviceIPsSet := ipvsService.Address.String()
+		serviceIPsSet := address
 		serviceIPsSets = append(serviceIPsSets, serviceIPsSet)
-		ipvsServicesSet := fmt.Sprintf("%s,%s:%d", ipvsService.Address.String(), protocol, ipvsService.Port)
+		ipvsServicesSet := fmt.Sprintf("%s,%s:%d", address, protocol, port)
 		ipvsServicesSets = append(ipvsServicesSets, ipvsServicesSet)
 	}