From ae226e33c4a33d698e5b129cf9b4e5614cb636b6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E5=BC=A0=E7=A5=96=E5=BB=BA?=
Date: Tue, 23 May 2023 15:39:03 +0800
Subject: [PATCH] iptables: always do SNAT for access from other nodes to nodeport with external traffic policy set to Local (#2844)

---
 pkg/daemon/gateway_linux.go | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/pkg/daemon/gateway_linux.go b/pkg/daemon/gateway_linux.go
index 67b03f97bf0..b29581979b0 100644
--- a/pkg/daemon/gateway_linux.go
+++ b/pkg/daemon/gateway_linux.go
@@ -486,14 +486,14 @@ func (c *Controller) setIptables() error {
 			continue
 		}
 
-		var kubeProxyIpsetProtocol, matchset string
+		var kubeProxyIpsetProtocol, matchset, nodeMatchSet string
 		var obsoleteRules, iptablesRules []util.IPTableRule
 		if protocol == kubeovnv1.ProtocolIPv4 {
 			iptablesRules = v4Rules
-			matchset = "ovn40subnets"
+			matchset, nodeMatchSet = "ovn40subnets", "ovn40"+OtherNodeSet
 		} else {
 			iptablesRules = v6Rules
-			kubeProxyIpsetProtocol, matchset = "6-", "ovn60subnets"
+			kubeProxyIpsetProtocol, matchset, nodeMatchSet = "6-", "ovn60subnets", "ovn60"+OtherNodeSet
 		}
 
 		if nodeIP := nodeIPs[protocol]; nodeIP != "" {
@@ -515,8 +515,12 @@ func (c *Controller) setIptables() error {
 				continue
 			}
 			rule := fmt.Sprintf("-p %s -m addrtype --dst-type LOCAL -m set --match-set %s dst -j MARK --set-xmark 0x80000/0x80000", p, ipset)
+			rule2 := fmt.Sprintf("-p %s -m set --match-set %s src -m set --match-set %s dst -j MARK --set-xmark 0x4000/0x4000", p, nodeMatchSet, ipset)
 			obsoleteRules = append(obsoleteRules, util.IPTableRule{Table: NAT, Chain: Prerouting, Rule: strings.Fields(rule)})
-			iptablesRules = append(iptablesRules, util.IPTableRule{Table: NAT, Chain: OvnPrerouting, Rule: strings.Fields(rule)})
+			iptablesRules = append(iptablesRules,
+				util.IPTableRule{Table: NAT, Chain: OvnPrerouting, Rule: strings.Fields(rule)},
+				util.IPTableRule{Table: NAT, Chain: OvnPrerouting, Rule: strings.Fields(rule2)},
+			)
 		}
 	}
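Review bot: The new `rule2` in the second hunk sets mark 0x4000 on traffic from the other-node ipset to the kube-proxy nodeport set, but nothing at the rule site says what 0x4000 triggers (presumably a SNAT rule elsewhere, given the commit title) or why it deliberately omits the `-m addrtype --dst-type LOCAL` match that the sibling `rule` carries, so a reader cannot tell whether matching non-local destinations is intended. I would add above the `rule2 :=` line a comment along the lines of `// 0x4000: SNAT nodeport traffic arriving from other nodes (externalTrafficPolicy=Local); this rewrites the source address, so the client IP is not preserved on this path (#2844)`, adjusted to wherever the mask's meaning is actually defined. `rule2` also relies on the `OtherNodeSet` ipset (prefixed `ovn40`/`ovn60` in the first hunk) existing before these rules are restored, and that creation is not in this diff, so it is worth confirming the ordering. setIptables begins and ends outside both hunks.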