daemon: require BPF masq to enable --install-no-conntrack-iptables-rules #16085
It's currently possible to enable the no CT Iptables rules together with Iptables masquerading, which results in Iptables failing to masquerade traffic.

With this commit, when this setup is detected, we return a fatal error.

Fixes: #16046
Signed-off-by: Gilberto Bertin <gilberto@isovalent.com>
test-me-please

Per the issue this is fixing, this is considered a subfeature that can be addressed after v1.10.0, so removing release-blocker: If you really think this should be a release blocker, please respond with a description why and create a thread in the Slack #launchpad channel to bring attention to it so we can reconsider its blocking status.

I marked it as a release blocker for 1.10 because it's fairly trivial (so going to land soon) and will break masquerading in a non-obvious way for users running with KPR enabled and BPF masquerading disabled. But honestly, I'm not sure why we're spending time discussing that label when this PR is ready to merge anyway. k8s-1.16-kernel-netnext failed with a clearly unrelated issue (I filed #16127 for it), other tests are passing, and reviews are in. Marking appropriately.