Skip to content
This repository has been archived by the owner on Jun 20, 2024. It is now read-only.

Replace weave-local-pods ipset with physdev iptables rule #3423

Merged
merged 5 commits into from
Oct 17, 2018
Merged

Replace weave-local-pods ipset with physdev iptables rule #3423

merged 5 commits into from
Oct 17, 2018

Conversation

murali-reddy
Copy link
Contributor

by-pass ingress network policy chains and accept the packet if
destination is not one of the local pods

return the packets so the egress network policy chains are skipped
in case packet's source is not one of the local pods

Fixes #3344

@murali-reddy
Replace weave-local-pods ipset with physdev iptables rule
4f9f0df 
by-pass ingress network policy chains and accept the packet if
destination is not one of the local pods

return the packets so the egress network policy chains are skipped
in case packet's source is not one of the local pods

Fixes #3344
@murali-reddy murali-reddy requested a review from brb October 2, 2018 06:35
bboreham
bboreham reviewed Oct 5, 2018
View reviewed changes
prog/weave-npc/main.go Outdated
if err := ipt.Append(npc.TableFilter, npc.MainChain,
"-m", "state", "--state", "NEW", "-j", string(npc.DefaultChain)); err != nil {
"-m", "physdev", "--physdev-out=vethwe-bridge", "-j", "ACCEPT"); err != nil {

This comment was marked as abuse.

Sign in to view

This comment was marked as abuse.

Sign in to view

This comment was marked as abuse.

Sign in to view

prog/weave-npc/main.go Outdated
@@ -179,7 +170,7 @@ func createBaseRules(ipt *iptables.IPTables, ips ipset.Interface) error {

ruleSpecs := [][]string{
{"-m", "state", "--state", "RELATED,ESTABLISHED", "-j", "ACCEPT"},
{"-m", "state", "--state", "NEW", "-m", "set", "!", "--match-set", npc.LocalIpset, "src", "-j", "RETURN"},
{"-m", "physdev", "--physdev-in=vethwe-bridge", "-j", "RETURN"},

This comment was marked as abuse.

Sign in to view

brb
brb reviewed Oct 9, 2018
View reviewed changes
prog/weave-npc/main.go Outdated
@@ -127,7 +128,7 @@ func createBaseRules(ipt *iptables.IPTables, ips ipset.Interface) error {

// If the destination address is not any of the local pods, let it through
if err := ipt.Append(npc.TableFilter, npc.MainChain,
"-m", "physdev", "--physdev-out=vethwe-bridge", "-j", "ACCEPT"); err != nil {
"-m", "physdev", "--physdev-out="+bridgeName, "-j", "ACCEPT"); err != nil {

This comment was marked as abuse.

Sign in to view

@murali-reddy
Copy link
Contributor Author

Addressed all comments. PTAL

bboreham
bboreham approved these changes Oct 17, 2018
View reviewed changes
Copy link
Contributor

@bboreham bboreham left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. One small niggle about the error message.

prog/weave-npc/main.go Outdated
// delete `weave-local-pods` ipset which is no longer used by weave-npc
weaveLocalPodExist, err := ipsetExist(ips, npc.LocalIpset)
if err != nil {
common.Log.Errorf("Failed to destroy ipset '%s'", npc.LocalIpset)

This comment was marked as abuse.

Sign in to view

@bboreham bboreham merged commit bf9985b into master Oct 17, 2018
@bboreham bboreham deleted the issue-3344 branch October 17, 2018 17:03
@bboreham bboreham added this to the 2.5 milestone Nov 1, 2018
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@brb brb brb left review comments

@bboreham bboreham bboreham approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
2.5
Development

Successfully merging this pull request may close these issues.
3 participants
@murali-reddy @brb @bboreham