daemon: require BPF masq to enable --install-no-conntrack-iptables-rules #16085
Conversation
It's currently possible to enable the no CT Iptables rules together with Iptables masquerading, which results in Iptables failing to masquerade traffic. With this commit, when this setup is detected, we return a fatal error. Fixes: #16046 Signed-off-by: Gilberto Bertin <gilberto@isovalent.com>
jibi
added
area/daemon
|
test-me-please |
|
Per the issue this is fixing, this is considered a subfeature that can be addressed after v1.10.0, so removing release-blocker: If you really think this should be a release blocker, please respond with a description why and create a thread in the Slack #launchpad channel to bring attention to it so we can reconsider its blocking status. |
|
I marked as a release blocker for 1.10 because it's a fairly trivial (so going to land soon) and will break masquerading in a non-obvious way for users running with KPR enabled and BPF masquerading disabled. But honestly, I'm not sure why we're spending time discussing that label when this PR is ready to merge anyway. k8s-1.16-kernel-netnext failed with a clearly unrelated issue (I filed #16127 for it), other tests are passing, and reviews are in. Marking appropriately. |
pchaigno
added
the
ready-to-merge
aanm
moved this from Needs backport from master
to Backport done to v1.10
in 1.10.0-rc3
It's currently possible to enable the no CT Iptables rules together with
Iptables masquerading, which results in Iptables failing to masquerade
traffic.
With this commit, when this setup is detected, we return a fatal error.
Fixes: #16046
Signed-off-by: Gilberto Bertin gilberto@isovalent.com