fix: nat traffic that from host to svc
oilbeater committed Nov 5, 2020
1 parent 08c187e commit 2cf855e
Showing 1 changed file with 0 additions and 4 deletions.
4 changes: 0 additions & 4 deletions pkg/daemon/gateway.go
Expand Up @@ -25,8 +25,6 @@ const (

var (
v4Rules = []util.IPTableRule{
// This rule makes sure we don't NAT traffic within overlay network
{Table: "nat", Chain: "POSTROUTING", Rule: strings.Split(`-m set --match-set ovn40subnets src -m set --match-set ovn40subnets dst -j RETURN`, " ")},
// Prevent performing Masquerade on external traffic which arrives from a Node that owns the Pod/Subnet IP
{Table: "nat", Chain: "POSTROUTING", Rule: strings.Split(`-m set ! --match-set ovn40subnets src -m set --match-set ovn40local-pod-ip-nat dst -j RETURN`, " ")},
{Table: "nat", Chain: "POSTROUTING", Rule: strings.Split(`-m set ! --match-set ovn40subnets src -m set --match-set ovn40subnets-nat dst -j RETURN`, " ")},
Expand All @@ -41,8 +39,6 @@ var (
{Table: "filter", Chain: "INPUT", Rule: strings.Split(`-m set --match-set ovn40subnets dst -j ACCEPT`, " ")},
}
v6Rules = []util.IPTableRule{
// This rule makes sure we don't NAT traffic within overlay network
{Table: "nat", Chain: "POSTROUTING", Rule: strings.Split(`-m set --match-set ovn60subnets src -m set --match-set ovn60subnets dst -j RETURN`, " ")},
// Prevent performing Masquerade on external traffic which arrives from a Node that owns the Pod/Subnet IP
{Table: "nat", Chain: "POSTROUTING", Rule: strings.Split(`-m set ! --match-set ovn40subnets src -m set --match-set ovn60local-pod-ip-nat dst -j RETURN`, " ")},
{Table: "nat", Chain: "POSTROUTING", Rule: strings.Split(`-m set ! --match-set ovn40subnets src -m set --match-set ovn60subnets-nat dst -j RETURN`, " ")},
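Review bot: The two v6Rules POSTROUTING entries that follow the removed rule still match `ovn40subnets` as the source set, while their destination sets are `ovn60local-pod-ip-nat` and `ovn60subnets-nat`. This looks like a copy-paste from v4Rules that the commit leaves in place. With the overlay-to-overlay RETURN rule gone, these appear to be the first NAT exemptions in the IPv6 slice, so an IPv4 set name here probably means the exemption never matches or the rule fails to load. External IPv6 traffic could then be masqueraded, which would hide the client address from pod logs and policy decisions. I would change the source match in both entries to `-m set ! --match-set ovn60subnets src`; the `var (` block continues past the visible lines, so whether a later rule compensates cannot be confirmed from here.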