This has been replaced by `//build:...` for a long time now.
Removal of the old build tag was automated with:
for i in $(git grep -l '^// +build' | grep -v -e '^vendor/'); do if ! grep -q '^// Code generated' "$i"; then sed -i -e '/^\/\/ +build/d' "$i"; fi; done

Dual-stack clusters exist; ServiceChangeTracker does not need to log
messages (even at V(4)) when it sees dual-stack Services, and
EndpointsChangeTracker does not need to emit Events(!) when it sees
EndpointSlices of the wrong AddressType.

(Though in most cases the EndpointsChangeTracker Events would not get
emitted anyway, since the MetaProxier would ensure that only the v4
tracker saw v4 slices, and only the v6 tracker saw v6 slices.)

Also remove a nil check labeled "This should never happen" which, in
fact, we know *didn't* happen, since the function has already
dereferenced the value before checking it against nil.

nfacct is netfilter's accounting subsystem. This utility allows
interactions with the subsystem using the lower-level netlink API.
Signed-off-by: Daman Arora <aroradaman@gmail.com>

The constructors only return an error if you pass them invalid data,
but we only ever pass them data which has already been validated,
making the error checking just annoying. Just make them return garbage
output if you give them garbage input.

All of the LocalTrafficDetector implementations were essentially
identical after construction time, so just reduce them to a single
implementation with multiple constructors.
Also, improve the comments.

This reverts commit 8bccf4873b, except
for the nftables unit test changes, since we still want the "new"
results (not to mention the bugfixes), just for a different reason
now.

getLocalDetector() used to pass a utiliptables.Interface to
NewDetectLocalByCIDR() so that NewDetectLocalByCIDR() could verify
that the passed-in CIDR was of the same family as the iptables
interface. It would make more sense for getLocalDetector() to verify
this itself and just *not call NewDetectLocalByCIDR* if the families
don't match, and that's what the code does now. So there's no longer
any need to pass the utiliptables.Interface to the local detector.

These don't belong in pkg/proxy/util; they involve a completely
unrelated definition of proxying.

Since each is only used from one place, just inline them at the
callers.

Rather than having GetNodeAddresses() return a special magic value
indicating that it matches all IPs, add a separate method to check
that. (And have GetNodeAddresses() just return the IPs as expected
instead.)

Both proxies handle IPv4 and IPv6 nodeport addresses separately, but
GetNodeAddresses went out of its way to make that difficult. Fix that.

This commit does not change any externally-visible semantics, but it
makes the existing weird semantics more obvious. Specifically, if you
say "--nodeport-addresses 10.0.0.0/8,192.168.0.0/16", then the
dual-stack proxy code would have split that into a list of IPv4 CIDRs
(["10.0.0.0/8", "192.168.0.0/16"]) to pass to the IPv4 proxier, and a
list of IPv6 CIDRs ([]) to pass to the IPv6 proxier, and then the IPv6
proxier would say "well since the list of nodeport addresses is empty,
I'll listen on all IPv6 addresses", which probably isn't what you
meant, but that's what it did.
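
The per-family split described in the last commit message above, as an added Go example (not kube-proxy code and not part of the commit): it splits a --nodeport-addresses style value by IP family, applies the "empty list means all addresses" rule, and flags the family that ends up listening everywhere only because the operator gave no CIDR for it. PlanNodePorts and FamilyPlan are hypothetical names introduced here.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// FamilyPlan and PlanNodePorts are hypothetical names, not kube-proxy APIs.
// FamilyPlan is what one single-family proxier would end up with.
type FamilyPlan struct {
	CIDRs      []netip.Prefix
	MatchAll   bool // an empty list is read as "every local address"
	Unintended bool // CIDRs were given, but none for this family
}

// PlanNodePorts splits a --nodeport-addresses style value by IP family and
// applies the "empty list means all addresses" rule to each half.
func PlanNodePorts(flag string) (v4, v6 FamilyPlan, err error) {
	total := 0
	for _, s := range strings.Split(flag, ",") {
		if s = strings.TrimSpace(s); s == "" {
			continue
		}
		p, perr := netip.ParsePrefix(s)
		if perr != nil {
			return v4, v6, fmt.Errorf("bad CIDR %q: %w", s, perr)
		}
		total++
		if p.Addr().Is4() {
			v4.CIDRs = append(v4.CIDRs, p.Masked())
		} else {
			v6.CIDRs = append(v6.CIDRs, p.Masked())
		}
	}
	for _, f := range []*FamilyPlan{&v4, &v6} {
		f.MatchAll = len(f.CIDRs) == 0
		f.Unintended = f.MatchAll && total > 0
	}
	return v4, v6, nil
}

func main() {
	// The flag value quoted in the commit message above.
	v4, v6, _ := PlanNodePorts("10.0.0.0/8,192.168.0.0/16")
	fmt.Printf("IPv4: %v matchAll=%v\n", v4.CIDRs, v4.MatchAll)
	fmt.Printf("IPv6: %v matchAll=%v unintended=%v\n", v6.CIDRs, v6.MatchAll, v6.Unintended)
}
```

A configuration check built on this would warn whenever Unintended is set for a family the node actually has addresses in.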