Fix return path of NodePort traffic when using Calico network policy. #263

Merged
merged 1 commit into from
Jan 9, 2019

Commits on Dec 8, 2018

  1. Fix return path of NodePort traffic when using Calico network policy.

    Previously, commit 2cce7de fixed the return path
    of NodePort traffic when pods were on secondary ENIs.
    
    However, when using aws-vpc-cni together with Calico network policy, the fix that was introduced
    in 2cce7de does not work, as Calico terminates the mangle table
    rule traversal early and the CONNMARK rules put by AWS VPC CNI are never reached.
    
    This PR configures Felix (part of Calico) to RETURN inside iptables mangle table instead of ACCEPT, so that
    the rules that existed in the mangle table after the Calico ones get a chance to be executed.
    Igor Katson committed Dec 8, 2018
    fd086ca
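
The traversal behaviour the commit message describes, as an added example that is not code from this PR or from either project: a small Python model of one iptables table, showing why a terminating ACCEPT inside a jumped-to chain hides later rules in the calling chain while RETURN does not. The chain name `policy-chain`, the `CONNMARK-set` action and the packet fields are constructed stand-ins, not the real Felix or AWS VPC CNI rules.

```python
"""Toy model of rule traversal inside a single iptables table (constructed)."""

TERMINAL = {"ACCEPT", "DROP"}  # verdicts that end traversal of the whole table


def run_chain(chains, name, pkt, trace):
    """Walk one chain. Return a terminal verdict, or None on RETURN/fall-through."""
    for match, target in chains[name]:
        if not match(pkt):
            continue
        trace.append(f"{name}:{target}")
        if target in TERMINAL:
            return target                  # nothing later in this table runs
        if target == "RETURN":
            return None                    # resume in the calling chain
        if target in chains:               # jump to a user-defined chain
            verdict = run_chain(chains, target, pkt, trace)
            if verdict:
                return verdict             # terminal verdict propagates upward
        else:                              # non-terminating target, e.g. CONNMARK
            pkt.setdefault("applied", []).append(target)
    return None


def mangle_prerouting(allow_action):
    """Hypothetical rule set: a policy jump inserted ahead of a CONNMARK rule."""
    return {
        "PREROUTING": [
            (lambda p: True, "policy-chain"),            # policy engine's jump
            (lambda p: p["nodeport"], "CONNMARK-set"),   # return-path fix rule
        ],
        "policy-chain": [
            (lambda p: p["allowed_by_policy"], allow_action),
        ],
    }


def connmark_reached(allow_action):
    """Return (was the CONNMARK rule applied?, rule trace) for an allowed packet."""
    pkt = {"nodeport": True, "allowed_by_policy": True}  # constructed packet
    trace = []
    run_chain(mangle_prerouting(allow_action), "PREROUTING", pkt, trace)
    return "CONNMARK-set" in pkt.get("applied", []), trace


if __name__ == "__main__":
    for action in ("ACCEPT", "RETURN"):
        print(action, connmark_reached(action))
```
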