From 06669325a770cbe8e63c3c50bdd92b2f5cdd08d6 Mon Sep 17 00:00:00 2001
From: Murali Reddy
Date: Tue, 20 Nov 2018 13:34:10 +0530
Subject: [PATCH 1/2] add --physdev-is-bridged flag when using physdev module for iptables rules created by weave-npc to prevent warning in kernel logs
Fixes #3449
---
 prog/weave-npc/main.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/prog/weave-npc/main.go b/prog/weave-npc/main.go
index 12b5078f19..e49e564c30 100644
--- a/prog/weave-npc/main.go
+++ b/prog/weave-npc/main.go
@@ -128,7 +128,7 @@ func createBaseRules(ipt *iptables.IPTables, ips ipset.Interface) error {
 // If the destination address is not any of the local pods, let it through
 if err := ipt.Append(npc.TableFilter, npc.MainChain,
- "-m", "physdev", "--physdev-out="+bridgePortName, "-j", "ACCEPT"); err != nil {
+ "-m", "physdev", "--physdev-is-bridged", "--physdev-out="+bridgePortName, "-j", "ACCEPT"); err != nil {
 return err
 }
@@ -171,7 +171,7 @@ func createBaseRules(ipt *iptables.IPTables, ips ipset.Interface) error {
 ruleSpecs := [][]string{
 {"-m", "state", "--state", "RELATED,ESTABLISHED", "-j", "ACCEPT"},
- {"-m", "physdev", "--physdev-in=" + bridgePortName, "-j", "RETURN"},
+ {"-m", "physdev", "--physdev-is-bridged", "--physdev-in=" + bridgePortName, "-j", "RETURN"},
 }
 if allowMcast {
 ruleSpecs = append(ruleSpecs, []string{"-d", "224.0.0.0/4", "-j", "RETURN"})
From 99e360ce3b2fb320abeeaa24cc0587d24009365d Mon Sep 17 00:00:00 2001
From: Murali Reddy
Date: Tue, 4 Dec 2018 09:43:50 +0530
Subject: [PATCH 2/2] skip egress network policies for the traffic node->bridge ip
---
 prog/weave-npc/main.go | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/prog/weave-npc/main.go b/prog/weave-npc/main.go
index e49e564c30..a7407a3f58 100644
--- a/prog/weave-npc/main.go
+++ b/prog/weave-npc/main.go
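Review bot: Nothing in either hunk records why `--physdev-is-bridged` was added, so the flag reads as an arbitrary token next to `--physdev-out=` (the hunk at 128) and `--physdev-in=` (the hunk at 171) and is likely to be dropped by a future edit. The reason lives only in the commit message; I would carry it into the code, e.g. extend the comment above the Append at 128 with `// --physdev-is-bridged: match only bridged frames; without it the kernel logs a physdev warning (#3449)` and put the same note beside the egress RETURN rule at 171. One thing to confirm: the flag makes the bridged-only scope explicit, so if any routed traffic ever leaves via the bridge port it will no longer hit this ACCEPT or RETURN; as far as I know --physdev-out already matched only bridged traffic on current kernels, but that is worth checking against the kernels you support. createBaseRules starts and ends outside both hunks.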
@@ -150,8 +150,8 @@ func createBaseRules(ipt *iptables.IPTables, ips ipset.Interface) error {
 // Egress rules:
 //
 // -A WEAVE-NPC-EGRESS -m state --state RELATED,ESTABLISHED -j ACCEPT
- // -A WEAVE-NPC-EGRESS -m physdev --physdev-in=vethwe-bridge -j RETURN
- // -A WEAVE-NPC-EGRESS -d 224.0.0.0/4 -j RETURN
+ // -A WEAVE-NPC-EGRESS -m physdev --physdev-in vethwe-bridge --physdev-is-bridged -j RETURN
+ // -A WEAVE-NPC-EGRESS -m addrtype --dst-type LOCAL -j RETURN
 // -A WEAVE-NPC-EGRESS -m state --state NEW -j WEAVE-NPC-EGRESS-DEFAULT
 // -A WEAVE-NPC-EGRESS -m state --state NEW -m mark ! --mark 0x40000/0x40000 -j WEAVE-NPC-EGRESS-CUSTOM
 // -A WEAVE-NPC-EGRESS -m state --state NEW -m mark ! --mark 0x40000/0x40000 -j NFLOG --nflog-group 86
@@ -171,7 +171,10 @@ func createBaseRules(ipt *iptables.IPTables, ips ipset.Interface) error {
 ruleSpecs := [][]string{
 {"-m", "state", "--state", "RELATED,ESTABLISHED", "-j", "ACCEPT"},
+ // skip running through egress network policies for the traffic not coming from local pods
 {"-m", "physdev", "--physdev-is-bridged", "--physdev-in=" + bridgePortName, "-j", "RETURN"},
+ // skip running through egress network policies for the traffic bound for IP address assigned for the bridge
+ {"-m", "addrtype", "--dst-type", "LOCAL", "-j", "RETURN"},
 }
 if allowMcast {
 ruleSpecs = append(ruleSpecs, []string{"-d", "224.0.0.0/4", "-j", "RETURN"})
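Review bot: The rewritten rule listing drops `-A WEAVE-NPC-EGRESS -d 224.0.0.0/4 -j RETURN`, but the code still appends that rule when allowMcast is set (visible in the next hunk), so the comment now omits a rule the chain can contain. Keep the line and mark it conditional, e.g. `// -A WEAVE-NPC-EGRESS -d 224.0.0.0/4 -j RETURN    (only when allowMcast is set)`, placed after the addrtype line to match the order in which the code appends the rules. The listing also writes the physdev match as `--physdev-in vethwe-bridge --physdev-is-bridged` while the code emits `--physdev-is-bridged --physdev-in=<port>`; it is the same match, but grepping between comment and code is easier if the two agree.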
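Review bot: `-m addrtype --dst-type LOCAL` matches any address configured on the node, not only the one on the bridge, so the new comment ("bound for IP address assigned for the bridge") understates the exemption: whatever reaches WEAVE-NPC-EGRESS with a node-local destination returns here, before the `--state NEW` jumps into WEAVE-NPC-EGRESS-DEFAULT/CUSTOM, and is never evaluated against egress policy. If only the bridge address is meant, match it explicitly, e.g. `{"-d", "<bridge address>", "-j", "RETURN"}` (placeholder; the bridge address is not visible in this hunk); if the wider exemption is intended, say so in the comment so policy authors know that traffic to node-local addresses sits outside egress policy. Whether pod-originated packets actually traverse this chain depends on where WEAVE-NPC-EGRESS is hooked, which is outside the hunk, so the practical reach of the exemption needs confirming against that. createBaseRules starts and ends outside this hunk.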