Skip to content

[CNI] Bypassing POSTROUTING table for Swift POD traffic #807

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Mar 2, 2021
Merged

[CNI] Bypassing POSTROUTING table for Swift POD traffic #807

merged 2 commits into from
Mar 2, 2021

Conversation

@vakalapa
Copy link
Contributor

@vakalapa vakalapa commented Mar 1, 2021

Adding a new rule in POSTROUTING table to accept pod traffic going to internet

Chain POSTROUTING (policy ACCEPT 37 packets, 2743 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 10.241.0.0/16 0.0.0.0/0 destination IP range ! 168.63.129.16-168.63.129.16

@vakalapa vakalapa changed the title [CNI] Bypassing POSTINGROUTING for Swift POD traffic [CNI] Bypassing POSTROUTING table for Swift POD traffic Mar 1, 2021
@codecov
Copy link

codecov bot commented Mar 1, 2021
edited
Loading

Codecov Report

Merging #807 (f1bdb3b) into master (08f0006) will decrease coverage by 0.06%.
The diff coverage is 0.00%.

@@            Coverage Diff             @@
##           master     #807      +/-   ##
==========================================
- Coverage   42.17%   42.10%   -0.07%     
==========================================
  Files         143      143              
  Lines       13936    13938       +2     
==========================================
- Hits         5877     5869       -8     
- Misses       7356     7367      +11     
+ Partials      703      702       -1

@vakalapa vakalapa requested review from matmerr and tamilmani1989 and removed request for tamilmani1989 March 1, 2021 23:19
@vakalapa vakalapa added the cni Related to CNI. label Mar 1, 2021
matmerr
matmerr reviewed Mar 2, 2021
View reviewed changes
cni/network/invoker_cns.go

// TODO remove this rule once we remove adding MASQUEARDE from AgentBaker, check below PR
// https://github.com/Azure/AgentBaker/pull/367/files
podTrafficAccept := fmt.Sprintf(" -m iprange ! --dst-range 168.63.129.16-168.63.129.16 -s %s ", ncSubnetPrefix.String())
Copy link
Member

@matmerr matmerr Mar 2, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

since dst is a single ip, can we say --dst instead of --dst-range ?

neaggarwMS
neaggarwMS approved these changes Mar 2, 2021
View reviewed changes
Copy link
Member

@neaggarwMS neaggarwMS left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

:shipit:

@vakalapa vakalapa merged commit 3775827 into master Mar 2, 2021
@vakalapa vakalapa deleted the vakr/masqruleswift branch March 2, 2021 03:37
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@matmerr matmerr matmerr left review comments

@neaggarwMS neaggarwMS neaggarwMS approved these changes

@tamilmani1989 tamilmani1989 Awaiting requested review from tamilmani1989

Assignees

No one assigned

Labels

cni Related to CNI.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@vakalapa @matmerr @neaggarwMS