vendor files

vendor/k8s.io/kubernetes/pkg/proxy/util/BUILD

@@ -0,0 +1,53 @@
+load("@io_bazel_rules_go//go:def.bzl", "go_library", "go_test")
+
+go_library(
+    name = "go_default_library",
+    srcs = [
+        "conntrack.go",
+        "endpoints.go",
+        "port.go",
+        "utils.go",
+    ],
+    importpath = "k8s.io/kubernetes/pkg/proxy/util",
+    visibility = ["//visibility:public"],
+    deps = [
+        "//pkg/apis/core:go_default_library",
+        "//pkg/apis/core/helper:go_default_library",
+        "//vendor/github.com/golang/glog:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/types:go_default_library",
+        "//vendor/k8s.io/utils/exec:go_default_library",
+    ],
+)
+
+go_test(
+    name = "go_default_test",
+    srcs = [
+        "conntrack_test.go",
+        "endpoints_test.go",
+        "port_test.go",
+        "utils_test.go",
+    ],
+    importpath = "k8s.io/kubernetes/pkg/proxy/util",
+    library = ":go_default_library",
+    deps = [
+        "//pkg/apis/core:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/types:go_default_library",
+        "//vendor/k8s.io/utils/exec:go_default_library",
+        "//vendor/k8s.io/utils/exec/testing:go_default_library",
+    ],
+)
+
+filegroup(
+    name = "package-srcs",
+    srcs = glob(["**"]),
+    tags = ["automanaged"],
+    visibility = ["//visibility:private"],
+)
+
+filegroup(
+    name = "all-srcs",
+    srcs = [":package-srcs"],
+    tags = ["automanaged"],
+    visibility = ["//visibility:public"],
+)

vendor/k8s.io/kubernetes/pkg/proxy/util/conntrack.go

@@ -0,0 +1,105 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package util
+
+import (
+	"fmt"
+	"net"
+	"strconv"
+	"strings"
+
+	"k8s.io/utils/exec"
+)
+
+// Utilities for dealing with conntrack
+
+const NoConnectionToDelete = "0 flow entries have been deleted"
+
+func IsIPv6(netIP net.IP) bool {
+	return netIP != nil && netIP.To4() == nil
+}
+
+func IsIPv6String(ip string) bool {
+	netIP := net.ParseIP(ip)
+	return IsIPv6(netIP)
+}
+
+func parametersWithFamily(isIPv6 bool, parameters ...string) []string {
+	if isIPv6 {
+		parameters = append(parameters, "-f", "ipv6")
+	}
+	return parameters
+}
+
+// ClearUDPConntrackForIP uses the conntrack tool to delete the conntrack entries
+// for the UDP connections specified by the given service IP
+func ClearUDPConntrackForIP(execer exec.Interface, ip string) error {
+	parameters := parametersWithFamily(IsIPv6String(ip), "-D", "--orig-dst", ip, "-p", "udp")
+	err := ExecConntrackTool(execer, parameters...)
+	if err != nil && !strings.Contains(err.Error(), NoConnectionToDelete) {
+		// TODO: Better handling for deletion failure. When failure occur, stale udp connection may not get flushed.
+		// These stale udp connection will keep black hole traffic. Making this a best effort operation for now, since it
+		// is expensive to baby-sit all udp connections to kubernetes services.
+		return fmt.Errorf("error deleting connection tracking state for UDP service IP: %s, error: %v", ip, err)
+	}
+	return nil
+}
+
+// ExecConntrackTool executes the conntrack tool using the given parameters
+func ExecConntrackTool(execer exec.Interface, parameters ...string) error {
+	conntrackPath, err := execer.LookPath("conntrack")
+	if err != nil {
+		return fmt.Errorf("error looking for path of conntrack: %v", err)
+	}
+	output, err := execer.Command(conntrackPath, parameters...).CombinedOutput()
+	if err != nil {
+		return fmt.Errorf("conntrack command returned: %q, error message: %s", string(output), err)
+	}
+	return nil
+}
+
+// ClearUDPConntrackForPort uses the conntrack tool to delete the conntrack entries
+// for the UDP connections specified by the port.
+// When a packet arrives, it will not go through NAT table again, because it is not "the first" packet.
+// The solution is clearing the conntrack. Known issues:
+// https://github.com/docker/docker/issues/8795
+// https://github.com/kubernetes/kubernetes/issues/31983
+func ClearUDPConntrackForPort(execer exec.Interface, port int, isIPv6 bool) error {
+	if port <= 0 {
+		return fmt.Errorf("Wrong port number. The port number must be greater than zero")
+	}
+	parameters := parametersWithFamily(isIPv6, "-D", "-p", "udp", "--dport", strconv.Itoa(port))
+	err := ExecConntrackTool(execer, parameters...)
+	if err != nil && !strings.Contains(err.Error(), NoConnectionToDelete) {
+		return fmt.Errorf("error deleting conntrack entries for UDP port: %d, error: %v", port, err)
+	}
+	return nil
+}
+
+// ClearUDPConntrackForPeers uses the conntrack tool to delete the conntrack entries
+// for the UDP connections specified by the {origin, dest} IP pair.
+func ClearUDPConntrackForPeers(execer exec.Interface, origin, dest string) error {
+	parameters := parametersWithFamily(IsIPv6String(origin), "-D", "--orig-dst", origin, "--dst-nat", dest, "-p", "udp")
+	err := ExecConntrackTool(execer, parameters...)
+	if err != nil && !strings.Contains(err.Error(), NoConnectionToDelete) {
+		// TODO: Better handling for deletion failure. When failure occur, stale udp connection may not get flushed.
+		// These stale udp connection will keep black hole traffic. Making this a best effort operation for now, since it
+		// is expensive to baby sit all udp connections to kubernetes services.
+		return fmt.Errorf("error deleting conntrack entries for UDP peer {%s, %s}, error: %v", origin, dest, err)
+	}
+	return nil
+}

vendor/k8s.io/kubernetes/pkg/proxy/util/conntrack_test.go

@@ -0,0 +1,331 @@
+/*
+Copyright 2015 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package util
+
+import (
+	"fmt"
+	"net"
+	"strings"
+	"testing"
+
+	"k8s.io/utils/exec"
+	fakeexec "k8s.io/utils/exec/testing"
+)
+
+func familyParamStr(isIPv6 bool) string {
+	if isIPv6 {
+		return " -f ipv6"
+	}
+	return ""
+}
+
+func TestExecConntrackTool(t *testing.T) {
+	fcmd := fakeexec.FakeCmd{
+		CombinedOutputScript: []fakeexec.FakeCombinedOutputAction{
+			func() ([]byte, error) { return []byte("1 flow entries have been deleted"), nil },
+			func() ([]byte, error) { return []byte("1 flow entries have been deleted"), nil },
+			func() ([]byte, error) {
+				return []byte(""), fmt.Errorf("conntrack v1.4.2 (conntrack-tools): 0 flow entries have been deleted")
+			},
+		},
+	}
+	fexec := fakeexec.FakeExec{
+		CommandScript: []fakeexec.FakeCommandAction{
+			func(cmd string, args ...string) exec.Cmd { return fakeexec.InitFakeCmd(&fcmd, cmd, args...) },
+			func(cmd string, args ...string) exec.Cmd { return fakeexec.InitFakeCmd(&fcmd, cmd, args...) },
+			func(cmd string, args ...string) exec.Cmd { return fakeexec.InitFakeCmd(&fcmd, cmd, args...) },
+		},
+		LookPathFunc: func(cmd string) (string, error) { return cmd, nil },
+	}
+
+	testCases := [][]string{
+		{"-L", "-p", "udp"},
+		{"-D", "-p", "udp", "-d", "10.0.240.1"},
+		{"-D", "-p", "udp", "--orig-dst", "10.240.0.2", "--dst-nat", "10.0.10.2"},
+	}
+
+	expectErr := []bool{false, false, true}
+
+	for i := range testCases {
+		err := ExecConntrackTool(&fexec, testCases[i]...)
+
+		if expectErr[i] {
+			if err == nil {
+				t.Errorf("expected err, got %v", err)
+			}
+		} else {
+			if err != nil {
+				t.Errorf("expected success, got %v", err)
+			}
+		}
+
+		execCmd := strings.Join(fcmd.CombinedOutputLog[i], " ")
+		expectCmd := fmt.Sprintf("%s %s", "conntrack", strings.Join(testCases[i], " "))
+
+		if execCmd != expectCmd {
+			t.Errorf("expect execute command: %s, but got: %s", expectCmd, execCmd)
+		}
+	}
+}
+
+func TestClearUDPConntrackForIP(t *testing.T) {
+	fcmd := fakeexec.FakeCmd{
+		CombinedOutputScript: []fakeexec.FakeCombinedOutputAction{
+			func() ([]byte, error) { return []byte("1 flow entries have been deleted"), nil },
+			func() ([]byte, error) { return []byte("1 flow entries have been deleted"), nil },
+			func() ([]byte, error) {
+				return []byte(""), fmt.Errorf("conntrack v1.4.2 (conntrack-tools): 0 flow entries have been deleted")
+			},
+			func() ([]byte, error) { return []byte("1 flow entries have been deleted"), nil },
+		},
+	}
+	fexec := fakeexec.FakeExec{
+		CommandScript: []fakeexec.FakeCommandAction{
+			func(cmd string, args ...string) exec.Cmd { return fakeexec.InitFakeCmd(&fcmd, cmd, args...) },
+			func(cmd string, args ...string) exec.Cmd { return fakeexec.InitFakeCmd(&fcmd, cmd, args...) },
+			func(cmd string, args ...string) exec.Cmd { return fakeexec.InitFakeCmd(&fcmd, cmd, args...) },
+			func(cmd string, args ...string) exec.Cmd { return fakeexec.InitFakeCmd(&fcmd, cmd, args...) },
+		},
+		LookPathFunc: func(cmd string) (string, error) { return cmd, nil },
+	}
+
+	testCases := []struct {
+		name string
+		ip   string
+	}{
+		{"IPv4 success", "10.240.0.3"},
+		{"IPv4 success", "10.240.0.5"},
+		{"IPv4 simulated error", "10.240.0.4"},
+		{"IPv6 success", "2001:db8::10"},
+	}
+
+	svcCount := 0
+	for _, tc := range testCases {
+		if err := ClearUDPConntrackForIP(&fexec, tc.ip); err != nil {
+			t.Errorf("%s test case:, Unexpected error: %v", tc.name, err)
+		}
+		expectCommand := fmt.Sprintf("conntrack -D --orig-dst %s -p udp", tc.ip) + familyParamStr(IsIPv6String(tc.ip))
+		execCommand := strings.Join(fcmd.CombinedOutputLog[svcCount], " ")
+		if expectCommand != execCommand {
+			t.Errorf("%s test case: Expect command: %s, but executed %s", tc.name, expectCommand, execCommand)
+		}
+		svcCount++
+	}
+	if svcCount != fexec.CommandCalls {
+		t.Errorf("Expect command executed %d times, but got %d", svcCount, fexec.CommandCalls)
+	}
+}
+
+func TestClearUDPConntrackForPort(t *testing.T) {
+	fcmd := fakeexec.FakeCmd{
+		CombinedOutputScript: []fakeexec.FakeCombinedOutputAction{
+			func() ([]byte, error) { return []byte("1 flow entries have been deleted"), nil },
+			func() ([]byte, error) {
+				return []byte(""), fmt.Errorf("conntrack v1.4.2 (conntrack-tools): 0 flow entries have been deleted")
+			},
+			func() ([]byte, error) { return []byte("1 flow entries have been deleted"), nil },
+		},
+	}
+	fexec := fakeexec.FakeExec{
+		CommandScript: []fakeexec.FakeCommandAction{
+			func(cmd string, args ...string) exec.Cmd { return fakeexec.InitFakeCmd(&fcmd, cmd, args...) },
+			func(cmd string, args ...string) exec.Cmd { return fakeexec.InitFakeCmd(&fcmd, cmd, args...) },
+			func(cmd string, args ...string) exec.Cmd { return fakeexec.InitFakeCmd(&fcmd, cmd, args...) },
+		},
+		LookPathFunc: func(cmd string) (string, error) { return cmd, nil },
+	}
+
+	testCases := []struct {
+		name   string
+		port   int
+		isIPv6 bool
+	}{
+		{"IPv4, no error", 8080, false},
+		{"IPv4, simulated error", 9090, false},
+		{"IPv6, no error", 6666, true},
+	}
+	svcCount := 0
+	for _, tc := range testCases {
+		err := ClearUDPConntrackForPort(&fexec, tc.port, tc.isIPv6)
+		if err != nil {
+			t.Errorf("%s test case: Unexpected error: %v", tc.name, err)
+		}
+		expectCommand := fmt.Sprintf("conntrack -D -p udp --dport %d", tc.port) + familyParamStr(tc.isIPv6)
+		execCommand := strings.Join(fcmd.CombinedOutputLog[svcCount], " ")
+		if expectCommand != execCommand {
+			t.Errorf("%s test case: Expect command: %s, but executed %s", tc.name, expectCommand, execCommand)
+		}
+		svcCount++
+	}
+	if svcCount != fexec.CommandCalls {
+		t.Errorf("Expect command executed %d times, but got %d", svcCount, fexec.CommandCalls)
+	}
+}
+
+func TestDeleteUDPConnections(t *testing.T) {
+	fcmd := fakeexec.FakeCmd{
+		CombinedOutputScript: []fakeexec.FakeCombinedOutputAction{
+			func() ([]byte, error) { return []byte("1 flow entries have been deleted"), nil },
+			func() ([]byte, error) {
+				return []byte(""), fmt.Errorf("conntrack v1.4.2 (conntrack-tools): 0 flow entries have been deleted")
+			},
+			func() ([]byte, error) { return []byte("1 flow entries have been deleted"), nil },
+		},
+	}
+	fexec := fakeexec.FakeExec{
+		CommandScript: []fakeexec.FakeCommandAction{
+			func(cmd string, args ...string) exec.Cmd { return fakeexec.InitFakeCmd(&fcmd, cmd, args...) },
+			func(cmd string, args ...string) exec.Cmd { return fakeexec.InitFakeCmd(&fcmd, cmd, args...) },
+			func(cmd string, args ...string) exec.Cmd { return fakeexec.InitFakeCmd(&fcmd, cmd, args...) },
+		},
+		LookPathFunc: func(cmd string) (string, error) { return cmd, nil },
+	}
+
+	testCases := []struct {
+		name   string
+		origin string
+		dest   string
+	}{
+		{
+			name:   "IPv4 success",
+			origin: "1.2.3.4",
+			dest:   "10.20.30.40",
+		},
+		{
+			name:   "IPv4 simulated failure",
+			origin: "2.3.4.5",
+			dest:   "20.30.40.50",
+		},
+		{
+			name:   "IPv6 success",
+			origin: "fd00::600d:f00d",
+			dest:   "2001:db8::5",
+		},
+	}
+	svcCount := 0
+	for i, tc := range testCases {
+		err := ClearUDPConntrackForPeers(&fexec, tc.origin, tc.dest)
+		if err != nil {
+			t.Errorf("%s test case: unexpected error: %v", tc.name, err)
+		}
+		expectCommand := fmt.Sprintf("conntrack -D --orig-dst %s --dst-nat %s -p udp", tc.origin, tc.dest) + familyParamStr(IsIPv6String(tc.origin))
+		execCommand := strings.Join(fcmd.CombinedOutputLog[i], " ")
+		if expectCommand != execCommand {
+			t.Errorf("%s test case: Expect command: %s, but executed %s", tc.name, expectCommand, execCommand)
+		}
+		svcCount++
+	}
+	if svcCount != fexec.CommandCalls {
+		t.Errorf("Expect command executed %d times, but got %d", svcCount, fexec.CommandCalls)
+	}
+}
+
+func TestIsIPv6String(t *testing.T) {
+	testCases := []struct {
+		ip         string
+		expectIPv6 bool
+	}{
+		{
+			ip:         "127.0.0.1",
+			expectIPv6: false,
+		},
+		{
+			ip:         "192.168.0.0",
+			expectIPv6: false,
+		},
+		{
+			ip:         "1.2.3.4",
+			expectIPv6: false,
+		},
+		{
+			ip:         "bad ip",
+			expectIPv6: false,
+		},
+		{
+			ip:         "::1",
+			expectIPv6: true,
+		},
+		{
+			ip:         "fd00::600d:f00d",
+			expectIPv6: true,
+		},
+		{
+			ip:         "2001:db8::5",
+			expectIPv6: true,
+		},
+	}
+	for i := range testCases {
+		isIPv6 := IsIPv6String(testCases[i].ip)
+		if isIPv6 != testCases[i].expectIPv6 {
+			t.Errorf("[%d] Expect ipv6 %v, got %v", i+1, testCases[i].expectIPv6, isIPv6)
+		}
+	}
+}
+
+func TestIsIPv6(t *testing.T) {
+	testCases := []struct {
+		ip         net.IP
+		expectIPv6 bool
+	}{
+		{
+			ip:         net.IPv4zero,
+			expectIPv6: false,
+		},
+		{
+			ip:         net.IPv4bcast,
+			expectIPv6: false,
+		},
+		{
+			ip:         net.ParseIP("127.0.0.1"),
+			expectIPv6: false,
+		},
+		{
+			ip:         net.ParseIP("10.20.40.40"),
+			expectIPv6: false,
+		},
+		{
+			ip:         net.ParseIP("172.17.3.0"),
+			expectIPv6: false,
+		},
+		{
+			ip:         nil,
+			expectIPv6: false,
+		},
+		{
+			ip:         net.IPv6loopback,
+			expectIPv6: true,
+		},
+		{
+			ip:         net.IPv6zero,
+			expectIPv6: true,
+		},
+		{
+			ip:         net.ParseIP("fd00::600d:f00d"),
+			expectIPv6: true,
+		},
+		{
+			ip:         net.ParseIP("2001:db8::5"),
+			expectIPv6: true,
+		},
+	}
+	for i := range testCases {
+		isIPv6 := IsIPv6(testCases[i].ip)
+		if isIPv6 != testCases[i].expectIPv6 {
+			t.Errorf("[%d] Expect ipv6 %v, got %v", i+1, testCases[i].expectIPv6, isIPv6)
+		}
+	}
+}

vendor/k8s.io/kubernetes/pkg/proxy/util/endpoints.go

@@ -0,0 +1,73 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package util
+
+import (
+	"fmt"
+	"net"
+	"strconv"
+
+	"github.com/golang/glog"
+)
+
+// IPPart returns just the IP part of an IP or IP:port or endpoint string. If the IP
+// part is an IPv6 address enclosed in brackets (e.g. "[fd00:1::5]:9999"),
+// then the brackets are stripped as well.
+func IPPart(s string) string {
+	if ip := net.ParseIP(s); ip != nil {
+		// IP address without port
+		return s
+	}
+	// Must be IP:port
+	host, _, err := net.SplitHostPort(s)
+	if err != nil {
+		glog.Errorf("Error parsing '%s': %v", s, err)
+		return ""
+	}
+	// Check if host string is a valid IP address
+	if ip := net.ParseIP(host); ip != nil {
+		return ip.String()
+	} else {
+		glog.Errorf("invalid IP part '%s'", host)
+	}
+	return ""
+}
+
+func PortPart(s string) (int, error) {
+	// Must be IP:port
+	_, port, err := net.SplitHostPort(s)
+	if err != nil {
+		glog.Errorf("Error parsing '%s': %v", s, err)
+		return -1, err
+	}
+	portNumber, err := strconv.Atoi(port)
+	if err != nil {
+		glog.Errorf("Error parsing '%s': %v", port, err)
+		return -1, err
+	}
+	return portNumber, nil
+}
+
+// ToCIDR returns a host address of the form <ip-address>/32 for
+// IPv4 and <ip-address>/128 for IPv6
+func ToCIDR(ip net.IP) string {
+	len := 32
+	if ip.To4() == nil {
+		len = 128
+	}
+	return fmt.Sprintf("%s/%d", ip.String(), len)
+}

vendor/k8s.io/kubernetes/pkg/proxy/util/endpoints_test.go

@@ -0,0 +1,69 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package util
+
+import (
+	"net"
+	"testing"
+)
+
+func TestIPPart(t *testing.T) {
+	const noError = ""
+
+	testCases := []struct {
+		endpoint      string
+		expectedIP    string
+		expectedError string
+	}{
+		{"1.2.3.4", "1.2.3.4", noError},
+		{"1.2.3.4:9999", "1.2.3.4", noError},
+		{"2001:db8::1:1", "2001:db8::1:1", noError},
+		{"[2001:db8::2:2]:9999", "2001:db8::2:2", noError},
+		{"1.2.3.4::9999", "", "too many colons"},
+		{"1.2.3.4:[0]", "", "unexpected '[' in address"},
+		{"1.2.3:8080", "", "invalid ip part"},
+	}
+
+	for _, tc := range testCases {
+		ip := IPPart(tc.endpoint)
+		if tc.expectedError == noError {
+			if ip != tc.expectedIP {
+				t.Errorf("Unexpected IP for %s: Expected: %s, Got %s", tc.endpoint, tc.expectedIP, ip)
+			}
+		} else if ip != "" {
+			t.Errorf("Error did not occur for %s, expected: '%s' error", tc.endpoint, tc.expectedError)
+		}
+	}
+}
+
+func TestToCIDR(t *testing.T) {
+	testCases := []struct {
+		ip           string
+		expectedAddr string
+	}{
+		{"1.2.3.4", "1.2.3.4/32"},
+		{"2001:db8::1:1", "2001:db8::1:1/128"},
+	}
+
+	for _, tc := range testCases {
+		ip := net.ParseIP(tc.ip)
+		addr := ToCIDR(ip)
+		if addr != tc.expectedAddr {
+			t.Errorf("Unexpected host address for %s: Expected: %s, Got %s", tc.ip, tc.expectedAddr, addr)
+		}
+	}
+}

vendor/k8s.io/kubernetes/pkg/proxy/util/port.go

@@ -0,0 +1,67 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package util
+
+import (
+	"fmt"
+	"net"
+	"strconv"
+
+	"github.com/golang/glog"
+)
+
+// LocalPort describes a port on specific IP address and protocol
+type LocalPort struct {
+	// Description is the identity message of a given local port.
+	Description string
+	// IP is the IP address part of a given local port.
+	// If this string is empty, the port binds to all local IP addresses.
+	IP string
+	// Port is the port part of a given local port.
+	Port int
+	// Protocol is the protocol part of a given local port.
+	// The value is assumed to be lower-case. For example, "udp" not "UDP", "tcp" not "TCP".
+	Protocol string
+}
+
+func (lp *LocalPort) String() string {
+	ipPort := net.JoinHostPort(lp.IP, strconv.Itoa(lp.Port))
+	return fmt.Sprintf("%q (%s/%s)", lp.Description, ipPort, lp.Protocol)
+}
+
+// Closeable is an interface around closing an port.
+type Closeable interface {
+	Close() error
+}
+
+// PortOpener is an interface around port opening/closing.
+// Abstracted out for testing.
+type PortOpener interface {
+	OpenLocalPort(lp *LocalPort) (Closeable, error)
+}
+
+// RevertPorts is closing ports in replacementPortsMap but not in originalPortsMap. In other words, it only
+// closes the ports opened in this sync.
+func RevertPorts(replacementPortsMap, originalPortsMap map[LocalPort]Closeable) {
+	for k, v := range replacementPortsMap {
+		// Only close newly opened local ports - leave ones that were open before this update
+		if originalPortsMap[k] == nil {
+			glog.V(2).Infof("Closing local port %s", k.String())
+			v.Close()
+		}
+	}
+}

vendor/k8s.io/kubernetes/pkg/proxy/util/port_test.go

@@ -0,0 +1,143 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package util
+
+import "testing"
+
+type fakeClosable struct {
+	closed bool
+}
+
+func (c *fakeClosable) Close() error {
+	c.closed = true
+	return nil
+}
+
+func TestLocalPortString(t *testing.T) {
+	testCases := []struct {
+		description string
+		ip          string
+		port        int
+		protocol    string
+		expectedStr string
+	}{
+		{"IPv4 UDP", "1.2.3.4", 9999, "udp", "\"IPv4 UDP\" (1.2.3.4:9999/udp)"},
+		{"IPv4 TCP", "5.6.7.8", 1053, "tcp", "\"IPv4 TCP\" (5.6.7.8:1053/tcp)"},
+		{"IPv6 TCP", "2001:db8::1", 80, "tcp", "\"IPv6 TCP\" ([2001:db8::1]:80/tcp)"},
+	}
+
+	for _, tc := range testCases {
+		lp := &LocalPort{
+			Description: tc.description,
+			IP:          tc.ip,
+			Port:        tc.port,
+			Protocol:    tc.protocol,
+		}
+		str := lp.String()
+		if str != tc.expectedStr {
+			t.Errorf("Unexpected output for %s, expected: %s, got: %s", tc.description, tc.expectedStr, str)
+		}
+	}
+}
+
+func TestRevertPorts(t *testing.T) {
+	testCases := []struct {
+		replacementPorts []LocalPort
+		existingPorts    []LocalPort
+		expectToBeClose  []bool
+	}{
+		{
+			replacementPorts: []LocalPort{
+				{Port: 5001},
+				{Port: 5002},
+				{Port: 5003},
+			},
+			existingPorts:   []LocalPort{},
+			expectToBeClose: []bool{true, true, true},
+		},
+		{
+			replacementPorts: []LocalPort{},
+			existingPorts: []LocalPort{
+				{Port: 5001},
+				{Port: 5002},
+				{Port: 5003},
+			},
+			expectToBeClose: []bool{},
+		},
+		{
+			replacementPorts: []LocalPort{
+				{Port: 5001},
+				{Port: 5002},
+				{Port: 5003},
+			},
+			existingPorts: []LocalPort{
+				{Port: 5001},
+				{Port: 5002},
+				{Port: 5003},
+			},
+			expectToBeClose: []bool{false, false, false},
+		},
+		{
+			replacementPorts: []LocalPort{
+				{Port: 5001},
+				{Port: 5002},
+				{Port: 5003},
+			},
+			existingPorts: []LocalPort{
+				{Port: 5001},
+				{Port: 5003},
+			},
+			expectToBeClose: []bool{false, true, false},
+		},
+		{
+			replacementPorts: []LocalPort{
+				{Port: 5001},
+				{Port: 5002},
+				{Port: 5003},
+			},
+			existingPorts: []LocalPort{
+				{Port: 5001},
+				{Port: 5002},
+				{Port: 5003},
+				{Port: 5004},
+			},
+			expectToBeClose: []bool{false, false, false},
+		},
+	}
+
+	for i, tc := range testCases {
+		replacementPortsMap := make(map[LocalPort]Closeable)
+		for _, lp := range tc.replacementPorts {
+			replacementPortsMap[lp] = &fakeClosable{}
+		}
+		existingPortsMap := make(map[LocalPort]Closeable)
+		for _, lp := range tc.existingPorts {
+			existingPortsMap[lp] = &fakeClosable{}
+		}
+		RevertPorts(replacementPortsMap, existingPortsMap)
+		for j, expectation := range tc.expectToBeClose {
+			if replacementPortsMap[tc.replacementPorts[j]].(*fakeClosable).closed != expectation {
+				t.Errorf("Expect replacement localport %v to be %v in test case %v", tc.replacementPorts[j], expectation, i)
+			}
+		}
+		for _, lp := range tc.existingPorts {
+			if existingPortsMap[lp].(*fakeClosable).closed == true {
+				t.Errorf("Expect existing localport %v to be false in test case %v", lp, i)
+			}
+		}
+	}
+}

vendor/k8s.io/kubernetes/pkg/proxy/util/utils.go

@@ -0,0 +1,58 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package util
+
+import (
+	"net"
+
+	"k8s.io/apimachinery/pkg/types"
+	api "k8s.io/kubernetes/pkg/apis/core"
+	"k8s.io/kubernetes/pkg/apis/core/helper"
+
+	"github.com/golang/glog"
+)
+
+func IsLocalIP(ip string) (bool, error) {
+	addrs, err := net.InterfaceAddrs()
+	if err != nil {
+		return false, err
+	}
+	for i := range addrs {
+		intf, _, err := net.ParseCIDR(addrs[i].String())
+		if err != nil {
+			return false, err
+		}
+		if net.ParseIP(ip).Equal(intf) {
+			return true, nil
+		}
+	}
+	return false, nil
+}
+
+func ShouldSkipService(svcName types.NamespacedName, service *api.Service) bool {
+	// if ClusterIP is "None" or empty, skip proxying
+	if !helper.IsServiceIPSet(service) {
+		glog.V(3).Infof("Skipping service %s due to clusterIP = %q", svcName, service.Spec.ClusterIP)
+		return true
+	}
+	// Even if ClusterIP is set, ServiceTypeExternalName services don't get proxied
+	if service.Spec.Type == api.ServiceTypeExternalName {
+		glog.V(3).Infof("Skipping service %s due to Type=ExternalName", svcName)
+		return true
+	}
+	return false
+}

vendor/k8s.io/kubernetes/pkg/proxy/util/utils_test.go

@@ -0,0 +1,111 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package util
+
+import (
+	"testing"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+	api "k8s.io/kubernetes/pkg/apis/core"
+)
+
+func TestShouldSkipService(t *testing.T) {
+	testCases := []struct {
+		service    *api.Service
+		svcName    types.NamespacedName
+		shouldSkip bool
+	}{
+		{
+			// Cluster IP is None
+			service: &api.Service{
+				ObjectMeta: metav1.ObjectMeta{Namespace: "foo", Name: "bar"},
+				Spec: api.ServiceSpec{
+					ClusterIP: api.ClusterIPNone,
+				},
+			},
+			svcName:    types.NamespacedName{Namespace: "foo", Name: "bar"},
+			shouldSkip: true,
+		},
+		{
+			// Cluster IP is empty
+			service: &api.Service{
+				ObjectMeta: metav1.ObjectMeta{Namespace: "foo", Name: "bar"},
+				Spec: api.ServiceSpec{
+					ClusterIP: "",
+				},
+			},
+			svcName:    types.NamespacedName{Namespace: "foo", Name: "bar"},
+			shouldSkip: true,
+		},
+		{
+			// ExternalName type service
+			service: &api.Service{
+				ObjectMeta: metav1.ObjectMeta{Namespace: "foo", Name: "bar"},
+				Spec: api.ServiceSpec{
+					ClusterIP: "1.2.3.4",
+					Type:      api.ServiceTypeExternalName,
+				},
+			},
+			svcName:    types.NamespacedName{Namespace: "foo", Name: "bar"},
+			shouldSkip: true,
+		},
+		{
+			// ClusterIP type service with ClusterIP set
+			service: &api.Service{
+				ObjectMeta: metav1.ObjectMeta{Namespace: "foo", Name: "bar"},
+				Spec: api.ServiceSpec{
+					ClusterIP: "1.2.3.4",
+					Type:      api.ServiceTypeClusterIP,
+				},
+			},
+			svcName:    types.NamespacedName{Namespace: "foo", Name: "bar"},
+			shouldSkip: false,
+		},
+		{
+			// NodePort type service with ClusterIP set
+			service: &api.Service{
+				ObjectMeta: metav1.ObjectMeta{Namespace: "foo", Name: "bar"},
+				Spec: api.ServiceSpec{
+					ClusterIP: "1.2.3.4",
+					Type:      api.ServiceTypeNodePort,
+				},
+			},
+			svcName:    types.NamespacedName{Namespace: "foo", Name: "bar"},
+			shouldSkip: false,
+		},
+		{
+			// LoadBalancer type service with ClusterIP set
+			service: &api.Service{
+				ObjectMeta: metav1.ObjectMeta{Namespace: "foo", Name: "bar"},
+				Spec: api.ServiceSpec{
+					ClusterIP: "1.2.3.4",
+					Type:      api.ServiceTypeLoadBalancer,
+				},
+			},
+			svcName:    types.NamespacedName{Namespace: "foo", Name: "bar"},
+			shouldSkip: false,
+		},
+	}
+
+	for i := range testCases {
+		skip := ShouldSkipService(testCases[i].svcName, testCases[i].service)
+		if skip != testCases[i].shouldSkip {
+			t.Errorf("case %d: expect %v, got %v", i, testCases[i].shouldSkip, skip)
+		}
+	}
+}