From 554c6e76a50c2fee91e79ef2a8f90d1c83019b87 Mon Sep 17 00:00:00 2001
From: vakr
Date: Mon, 1 Mar 2021 15:01:22 -0800
Subject: [PATCH 1/2] Bypassing POSTINGROUTING for Swift POD traffic
---
 cni/network/invoker_cns.go | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/cni/network/invoker_cns.go b/cni/network/invoker_cns.go
index 33ce14bcb4..ed680bc387 100644
--- a/cni/network/invoker_cns.go
+++ b/cni/network/invoker_cns.go
@@ -150,9 +150,11 @@ func setHostOptions(nwCfg *cni.NetworkConfig, hostSubnetPrefix *net.IPNet, ncSub
 }
 azureDNSMatch := fmt.Sprintf(" -m addrtype ! --dst-type local -s %s -d %s -p %s --dport %d", ncSubnetPrefix.String(), iptables.AzureDNS, iptables.UDP, iptables.DNSPort)
+ podTrafficAccept := fmt.Sprintf(" -m iprange ! --dst-range 168.63.129.16-168.63.129.16 -s %s ", ncSubnetPrefix.String())
 snatPrimaryIPJump := fmt.Sprintf("%s --to %s", iptables.Snat, info.ncPrimaryIP)
 options[network.IPTablesKey] = []iptables.IPTableEntry{
 iptables.GetCreateChainCmd(iptables.V4, iptables.Nat, iptables.Swift),
+ iptables.GetInsertIptableRuleCmd(iptables.V4, iptables.Nat, iptables.Postrouting, podTrafficAccept, iptables.Accept),
 iptables.GetAppendIptableRuleCmd(iptables.V4, iptables.Nat, iptables.Postrouting, "", iptables.Swift),
 iptables.GetInsertIptableRuleCmd(iptables.V4, iptables.Nat, iptables.Swift, azureDNSMatch, snatPrimaryIPJump),
 }
From f1bdb3bd84ead732369a4bea55b6fb3bc7554123 Mon Sep 17 00:00:00 2001
From: vakr
Date: Mon, 1 Mar 2021 16:17:49 -0800
Subject: [PATCH 2/2] Adding the comment to remove this rule after cleaning AGentBaker
---
 cni/network/invoker_cns.go | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/cni/network/invoker_cns.go b/cni/network/invoker_cns.go
index ed680bc387..524ab3041c 100644
--- a/cni/network/invoker_cns.go
+++ b/cni/network/invoker_cns.go
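Review bot: The podTrafficAccept rule hard-codes 168.63.129.16 while the azureDNSMatch line directly above already names that address as iptables.AzureDNS, so the two rules can silently drift apart if the constant ever changes; `podTrafficAccept := fmt.Sprintf(" ! -d %s -s %s ", iptables.AzureDNS, ncSubnetPrefix.String())` matches the same traffic without the iprange module and keeps one source of truth. Because the rule is inserted at position 1 of nat POSTROUTING with an ACCEPT target, every later NAT rule in that chain is skipped for pod-sourced traffic — not only the AgentBaker MASQUERADE this is meant to bypass but any masquerade another component may have appended to the chain — and that scope deserves a comment next to the rule, e.g. `// ACCEPT in nat POSTROUTING ends NAT evaluation: pod traffic (except to the wireserver) is exempt from all SNAT/MASQUERADE rules below this point`. The insert also runs on every call to setHostOptions, so unless GetInsertIptableRuleCmd deduplicates (not visible here) repeated invocations will stack identical copies of the rule at the head of the chain. setHostOptions starts outside the hunk.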
@@ -150,6 +150,9 @@ func setHostOptions(nwCfg *cni.NetworkConfig, hostSubnetPrefix *net.IPNet, ncSub
 }
 azureDNSMatch := fmt.Sprintf(" -m addrtype ! --dst-type local -s %s -d %s -p %s --dport %d", ncSubnetPrefix.String(), iptables.AzureDNS, iptables.UDP, iptables.DNSPort)
+
+ // TODO remove this rule once we remove adding MASQUEARDE from AgentBaker, check below PR
+ // https://github.com/Azure/AgentBaker/pull/367/files
 podTrafficAccept := fmt.Sprintf(" -m iprange ! --dst-range 168.63.129.16-168.63.129.16 -s %s ", ncSubnetPrefix.String())
 snatPrimaryIPJump := fmt.Sprintf("%s --to %s", iptables.Snat, info.ncPrimaryIP)
 options[network.IPTablesKey] = []iptables.IPTableEntry{