Commit
Fix inability to access NodePort in specific case

When a Service NodePort and an Egress CRD have the same backend Pod, assume that the backend Pod is on Node A and the external IP of the Egress is on Node B. If an external client (not any K8s Node) accesses the NodePort through the IP of Node A, in which the backend Pod is running, the access will fail. The root cause is that the reply packets of the NodePort are incorrectly matched by the flow installed by Egress, which is used to match the packets sourced from local Pods and destined for tunneling to Node B.

This PR fixes the issue in two steps:

- Add match condition ct_state=-rpl+trk to the flow which matches the Egress packets sourced from local Pods and destined for external in L3Forwarding. The priority of this flow is 190.
- Lower the priority (from 190 to 180) of the default flow to match Service packets in table L3Forwarding.

Signed-off-by: Hongliang Liu <lhongliang@vmware.com>
1 parent 57ef15c
commit bf86baf
Showing 3 changed files with 106 additions and 9 deletions.