What is the purpose of adding iptables to a non-gateway node?

[zcz-1020]

The SUBMARINER-POSTROUTING chain is added to the NAT table on non-gateway nodes. I do not understand that cross-cluster traffic between nodes in a cluster is established through vx-submariner, and NAT is not performed. What problem is the SUBMARINER-POSTROUTING chain added to the nat table to solve?

Chain POSTROUTING (policy ACCEPT 219 packets, 13342 bytes)
pkts bytes target prot opt in out source destination
1558K 95M cali-POSTROUTING all -- * * 0.0.0.0/0 0.0.0.0/0 /* cali:O3lYWMrLQYEMJtB5 /
1558K 95M SUBMARINER-POSTROUTING all -- * * 0.0.0.0/0 0.0.0.0/0
1558K 95M KUBE-POSTROUTING all -- * * 0.0.0.0/0 0.0.0.0/0 / kubernetes postrouting rules */
0 0 MASQUERADE all -- * !docker0 172.17.0.0/16 0.0.0.0/0

[sridhargaddam]

Normally the SUBMARINER-POSTROUTING chain has two set of rules.
a. For traffic from pod with HostNetworking enabled (or from the host itself) to remote cluster - a rule to perform SNAT with the cniInterfaceIP of the node.
b. For traffic coming from regular pods scheduled on the node - Rules to allow traffic to remote CIDRs.

Sample output:

Chain SUBMARINER-POSTROUTING (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1       10   600 SNAT       all  --  *      vx-submariner  240.0.0.0/8          0.0.0.0/0            to:10.131.0.1
2        0     0 ACCEPT     all  --  *      *       10.131.0.0/16        100.66.0.0/16
3        0     0 ACCEPT     all  --  *      *       100.66.0.0/16        10.131.0.0/16
4       12   720 ACCEPT     all  --  *      *       10.131.0.0/16        10.130.0.0/16
5        0     0 ACCEPT     all  --  *      *       10.130.0.0/16        10.131.0.0/16

In the above output entry number 1 supports the first use-case and the remaining entries support the second use-case.

Looking at the output you shared, I see that you are using Calico CNI. In case of Calico, some of the submariner chains may not be hit as we program Calico IPPools.

[zcz-1020]

Thank you for your answer. If you have time to check this problem,【 #2121 (comment) 】 ,I think the FORWARD chain of the filter table lacks rules.