Skip to content
This repository was archived by the owner on Jun 20, 2024. It is now read-only.

Fix subnet isolation and bump build-tools to latest #3224

Merged
merged 4 commits into from
Jan 29, 2018
Merged

Fix subnet isolation and bump build-tools to latest #3224

merged 4 commits into from
Jan 29, 2018
+14 −22

Conversation

brb
Copy link
Contributor

@brb brb commented Jan 20, 2018
edited by bboreham
Loading

  • The "-i docker0 -o weave -j DROP" filter/FORWARD rule used to be inserted after the "-j WEAVE-EXPOSE" rule, so the subnet isolation has been broken for exposed subnets. This was the reason for the 130 smoke test failure.
  • Add comment to note the importance of the order of the "-j WEAVE-NPC" rule.
  • Improve naming of ensureRules function.
  • Update k8s to 1.9.2 in CI.
  • Update build tools fix flaky tests due to the defunct process.

brb added 3 commits January 20, 2018 12:47
@brb
Bring the weave bridge isolation iptables rule to the top
9a9c069 
Make the rule creation to use the same mechanism (via ensureRules)
as other rules from filter/FORWARD. Otherwise, the rule is preceded
by "-j WEAVE-EXPOSE" rule which can break the subnet isolation.
@brb
Improve naming of ensureRulesAtTop function
439b4ad
@brb
Add comment about the FORWARD rule order
9a5514f 
Should help debugging.
@brb brb added this to the 2.2 milestone Jan 20, 2018
@brb brb force-pushed the fix-ipt-rules-order branch 6 times, most recently from 0aa3517 to 7e2972a Compare January 23, 2018 20:11
@brb brb force-pushed the fix-ipt-rules-order branch from 7e2972a to e257b17 Compare January 29, 2018 14:14
@brb brb changed the title Fix subnet isolation Fix subnet isolation and bump Kubernetes to 1.9.2 in CI Jan 29, 2018
@brb
Copy link
Contributor Author

brb commented Jan 29, 2018

PTAL.

If you mind bumping k8s and build-tools to be part of this PR, I can create a separate one.

@brb brb force-pushed the fix-ipt-rules-order branch from e257b17 to 0da2cbf Compare January 29, 2018 14:56
@brb
Copy link
Contributor Author

brb commented Jan 29, 2018

Updated.

@bboreham bboreham changed the title Fix subnet isolation and bump Kubernetes to 1.9.2 in CI Fix subnet isolation and bump build-tools to latest Jan 29, 2018
@bboreham bboreham merged commit d528196 into master Jan 29, 2018
@bboreham bboreham deleted the fix-ipt-rules-order branch December 24, 2018 12:05
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@bboreham bboreham bboreham approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
2.2
Development

Successfully merging this pull request may close these issues.
2 participants
@brb @bboreham