From 6bd6f5398bb9675bda15a2861ddfd09dc6107a45 Mon Sep 17 00:00:00 2001
From: Jingyuan Liang
Date: Tue, 22 Oct 2024 04:29:39 +0000
Subject: [PATCH] Don't set --random-fully if it's not supported even if the flag is true
---
 cmd/ip-masq-agent/ip-masq-agent.go | 8 ++++----
 cmd/ip-masq-agent/ip-masq-agent_test.go | 17 ++++++++++++++++-
 2 files changed, 20 insertions(+), 5 deletions(-)
diff --git a/cmd/ip-masq-agent/ip-masq-agent.go b/cmd/ip-masq-agent/ip-masq-agent.go
index 0d779f0..f16c7d5 100644
--- a/cmd/ip-masq-agent/ip-masq-agent.go
+++ b/cmd/ip-masq-agent/ip-masq-agent.go
@@ -315,7 +315,7 @@ func (m *MasqDaemon) syncMasqRules() error {
 }
 // masquerade all other traffic that is not bound for a --dst-type LOCAL destination
- writeMasqRules(lines, toPorts)
+ writeMasqRules(lines, m.iptables.HasRandomFully(), toPorts)
 writeLine(lines, "COMMIT")
 klog.V(2).Infof("IPv4 masquerading rules: %q", lines)
@@ -359,7 +359,7 @@ func (m *MasqDaemon) syncMasqRulesIPv6() error {
 }
 // masquerade all other traffic that is not bound for a --dst-type LOCAL destination
- writeMasqRules(lines6, toPorts)
+ writeMasqRules(lines6, m.ip6tables.HasRandomFully(), toPorts)
 writeLine(lines6, "COMMIT")
 klog.V(2).Infof("IPv6 masquerading rules: %q", lines6)
@@ -406,9 +406,9 @@ func writeNonMasqRule(lines *bytes.Buffer, cidr string) {
 const masqRuleComment = `-m comment --comment "ip-masq-agent: outbound traffic is subject to MASQUERADE (must be last in chain)"`
-func writeMasqRules(lines *bytes.Buffer, toPorts interval.Intervals) {
+func writeMasqRules(lines *bytes.Buffer, hasRandomFully bool, toPorts interval.Intervals) {
 args := []string{masqRuleComment, "-j", "MASQUERADE"}
- if *randomFully {
+ if hasRandomFully && *randomFully {
 args = append(args, "--random-fully")
 }
diff --git a/cmd/ip-masq-agent/ip-masq-agent_test.go b/cmd/ip-masq-agent/ip-masq-agent_test.go
index e04cdea..223eb9d 100644
--- a/cmd/ip-masq-agent/ip-masq-agent_test.go
+++ b/cmd/ip-masq-agent/ip-masq-agent_test.go
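Review bot: In `writeMasqRules` (ip-masq-agent.go, the `@@ -406,9 +406,9 @@` hunk), `if hasRandomFully && *randomFully` now drops `--random-fully` silently when the flag is set but iptables lacks support, so the node falls back to default source-port selection with nothing in the visible code to tell the operator. Unless this is already reported elsewhere in the file, log it once at startup rather than on every sync, for example `klog.Warningf("--random-fully is set but not supported by this iptables; writing MASQUERADE rules without it")`. The function would also benefit from a doc comment such as `// writeMasqRules appends the catch-all MASQUERADE rule; --random-fully is added only when the flag is set and hasRandomFully reports iptables support.` The body of writeMasqRules continues past the end of the hunk.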
@@ -32,6 +32,7 @@ import (
 iptest "k8s.io/kubernetes/pkg/util/iptables/testing"
 )
+var hasRandomFully bool
 var wantRandomFully string
 // turn off glog logging during tests to avoid clutter in output
@@ -44,22 +45,34 @@ func TestMain(m *testing.M) {
 for _, tc := range []struct {
 arg string
+ has bool
 want string
 }{
+ {},
 {
+ arg: "false",
+ },
+ {
+ arg: "true",
+ },
+ {
+ has: true,
 want: randomFully,
 },
 {
 arg: "false",
+ has: true,
 },
 {
 arg: "true",
+ has: true,
 want: randomFully,
 },
 } {
 if tc.arg != "" {
 flag.Set("random-fully", tc.arg)
 }
+ hasRandomFully = tc.has
 wantRandomFully = tc.want
 ec = max(ec, m.Run())
@@ -71,6 +84,7 @@ func TestMain(m *testing.M) {
 func NewFakeMasqDaemon() *MasqDaemon {
 masqChain = "IP-MASQ-AGENT"
 iptables := iptest.NewFake()
+ iptables.SetHasRandomFully(hasRandomFully)
 iptables.Dump = &iptest.IPTablesDump{
 Tables: []iptest.Table{
 {
@@ -82,6 +96,7 @@ func NewFakeMasqDaemon() *MasqDaemon {
 },
 }
 ip6tables := iptest.NewIPv6Fake()
+ ip6tables.SetHasRandomFully(hasRandomFully)
 ip6tables.Dump = &iptest.IPTablesDump{
 Tables: []iptest.Table{
 {
@@ -575,7 +590,7 @@ func TestWriteMasqRules(t *testing.T) {
 }
 lines := bytes.NewBuffer(nil)
- writeMasqRules(lines, toPorts)
+ writeMasqRules(lines, hasRandomFully, toPorts)
 s := lines.String()
 if s != tt.want {
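Review bot: In the `TestMain` table (`@@ -44,22 +45,34 @@`), `flag.Set("random-fully", tc.arg)` runs only when `tc.arg != ""`, so a case without `arg` inherits whatever the previous case left in the flag. With the new ordering, `{has: true, want: randomFully}` runs directly after `arg: "true"` and so no longer exercises the flag's default; it would keep passing if the default changed, and the leading `{}` case passes for either default because `has` is false. Either move that case to the front of the table or restore the default when `arg` is empty, for example `flag.Set("random-fully", flag.Lookup("random-fully").DefValue)`. TestMain's body starts and ends outside the hunk.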