iptables: partial #13 revert, skip masq in chain #17
@danwinship PTAL.
you mean #13

But the whole reason why we created our own separate chains in the first place was so that we didn't have to do complicated cleanup (openshift/origin#13465). We should revert that part of #13 and do this differently. E.g., if OPENSHIFT-MASQUERADE started with a "if marked then -j RETURN" rule, that would have the same effect, while leaving the toplevel rule unchanged from 4.1.
You're right, that's a much cleverer solution.
PR openshift#13 changed the source rule for OPENSHIFT-MASQUERADE. However, rolling out source-rule changes on a running system isn't clean. Easier to leave the source-rule unchanged, and just add a rule first in the chain that gets us where we want to be. So, -j RETURN for traffic that's already marked for MASQ.
OK, updated (and fixed the commit message / title)
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: danwinship, squeed
PR #13 changed the source rule for OPENSHIFT-MASQUERADE. However, rolling out source-rule changes on a running system isn't clean. Easier to leave the source-rule unchanged, and just add a rule first in the chain that gets us where we want to be.
So, -j RETURN for traffic that's already marked for MASQ.
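
The rollout argument from this thread, as an added Go sketch that is not code from the PR or the project. It models upgrading a running 4.1 ruleset without cleanup, first with a changed top-level jump and then with the jump left alone and a RETURN rule placed first in the chain. POSTROUTING as the top-level chain, the two-boolean packet, the `rollout` helper and the exact shape of #13's jump are assumptions.

```go
package main

import "fmt"

// Toy model. Assumed, not from the PR: the top-level chain is POSTROUTING,
// a packet is two booleans, spec strings are labels (not iptables syntax),
// and #13's jump is taken to have excluded marked traffic.
type packet struct{ fromCluster, marked bool }
type rule struct {
	spec, target string // target: RETURN, MASQUERADE or a chain name
	match        func(packet) bool
}
type ruleset map[string][]rule

const own = "OPENSHIFT-MASQUERADE"
var (
	jump41 = rule{"from cluster", own, func(p packet) bool { return p.fromCluster }}
	jump13 = rule{"from cluster, unmarked", own, func(p packet) bool { return p.fromCluster && !p.marked }}
	ret    = rule{"marked", "RETURN", func(p packet) bool { return p.marked }}
	masq   = rule{"any", "MASQUERADE", func(packet) bool { return true }}
	old41  = ruleset{"POSTROUTING": {jump41}, own: {masq}}
)

func (rs ruleset) masqueraded(chain string, p packet) bool { // is MASQUERADE reached?
	for _, r := range rs[chain] {
		switch {
		case !r.match(p): // rule does not apply, try the next one
		case r.target == "RETURN":
			return false // back to the calling chain
		case r.target == "MASQUERADE" || rs.masqueraded(r.target, p):
			return true
		}
	}
	return false
}

// rollout: add the jump only if an identical one is absent, then refill the owned chain.
func rollout(rs ruleset, jump rule, chain ...rule) ruleset {
	top := append([]rule{}, rs["POSTROUTING"]...)
	for _, r := range top {
		if r.spec == jump.spec {
			return ruleset{"POSTROUTING": top, own: chain}
		}
	}
	return ruleset{"POSTROUTING": append(top, jump), own: chain}
}

func main() {
	p := packet{fromCluster: true, marked: true}
	fmt.Println(rollout(old41, jump13, masq).masqueraded("POSTROUTING", p), rollout(old41, jump41, ret, masq).masqueraded("POSTROUTING", p))
}
```

In this model the changed jump leaves the 4.1 jump behind, so marked traffic still reaches MASQUERADE until something deletes the old rule, while the RETURN-first chain gives the intended result with the top-level rule untouched.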