fix(network_policy): mask mark reset on FW marks (#992)

Don't resent all marks, only the mark that we originally set as part of the firewall rules so that we don't affect other systems like hostPort and other elements of the nat chain that may apply their own marks.
cloudnativelabs · Sep 25, 2020 · 5a5e835 · 5a5e835
1 parent 824614d
commit 5a5e835
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/pkg/controllers/netpol/network_policy_controller.go b/pkg/controllers/netpol/network_policy_controller.go
@@ -847,7 +847,7 @@ func (npc *NetworkPolicyController) syncPodFirewallChains(networkPoliciesInfo []
 		}
 
 		// reset mark to let traffic pass through rest of the chains
-		args = []string{"-j", "MARK", "--set-mark", "0"}
+		args = []string{"-j", "MARK", "--set-mark", "0/0x10000"}
 		err = iptablesCmdHandler.AppendUnique("filter", podFwChainName, args...)
 		if err != nil {
 			return fmt.Errorf("Failed to run iptables command: %s", err.Error())