istio-iptables: Replace socket match with conntrack match #280
Conversation
Some kernels, like COS on GKE, are configured without the 'xt_socket' kernel module that implements the 'socket' match in iptables rules. Replace the 'socket' match with a 'conntrack' state match that diverts all established and related packets to the local stack. Signed-off-by: Jarno Rajahalme <jarno@covalent.io>
|
😊 Welcome @jrajahalme! This is either your first contribution to the Istio cni repo, or it's been You can learn more about the Istio working groups, code of conduct, and contributing guidelines Thanks for contributing! Courtesy of your friendly welcome wagon. |
istio-testing
added
the
size/XS
|
Hi @jrajahalme. Thanks for your PR. I'm waiting for a istio member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
googlebot
added
the
cla: yes
rlenglet
added
the
cherrypick/release-1.5
|
/ok-to-test |
istio-testing
added
ok-to-test
|
/cherrypick-release-1.5 |
|
/cherrypick release-1.5 |
|
@rlenglet: new pull request created: #281 In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Some kernels, like COS on GKE, are configured without the 'xt_socket'
kernel module that implements the 'socket' match in iptables
rules. Replace the 'socket' match with a 'conntrack' state match that
diverts all established and related packets to the local stack.
Signed-off-by: Jarno Rajahalme jarno@covalent.io