[CNI] Bypassing POSTROUTING table for Swift POD traffic (#807)

vakalapa · web-flow · commit 377582791702 · 2021-03-01T19:37:32.000-08:00
* Bypassing POSTINGROUTING for Swift POD traffic

* Adding the comment to remove this rule after cleaning AGentBaker
diff --git a/cni/network/invoker_cns.go b/cni/network/invoker_cns.go
@@ -150,9 +150,14 @@ func setHostOptions(nwCfg *cni.NetworkConfig, hostSubnetPrefix *net.IPNet, ncSub
 	}
 
 	azureDNSMatch := fmt.Sprintf(" -m addrtype ! --dst-type local -s %s -d %s -p %s --dport %d", ncSubnetPrefix.String(), iptables.AzureDNS, iptables.UDP, iptables.DNSPort)
+
+	// TODO remove this rule once we remove adding MASQUEARDE from AgentBaker, check below PR
+	// https://github.com/Azure/AgentBaker/pull/367/files
+	podTrafficAccept := fmt.Sprintf(" -m iprange  ! --dst-range 168.63.129.16-168.63.129.16  -s %s ", ncSubnetPrefix.String())
 	snatPrimaryIPJump := fmt.Sprintf("%s --to %s", iptables.Snat, info.ncPrimaryIP)
 	options[network.IPTablesKey] = []iptables.IPTableEntry{
 		iptables.GetCreateChainCmd(iptables.V4, iptables.Nat, iptables.Swift),
+		iptables.GetInsertIptableRuleCmd(iptables.V4, iptables.Nat, iptables.Postrouting, podTrafficAccept, iptables.Accept),
 		iptables.GetAppendIptableRuleCmd(iptables.V4, iptables.Nat, iptables.Postrouting, "", iptables.Swift),
 		iptables.GetInsertIptableRuleCmd(iptables.V4, iptables.Nat, iptables.Swift, azureDNSMatch, snatPrimaryIPJump),
 	}

Original file line number	Diff line number	Diff line change
`@@ -150,9 +150,14 @@ func setHostOptions(nwCfg cni.NetworkConfig, hostSubnetPrefix net.IPNet, ncSub`
`150`	`150`	`}`
`151`	`151`
`152`	`152`	`azureDNSMatch := fmt.Sprintf(" -m addrtype ! --dst-type local -s %s -d %s -p %s --dport %d", ncSubnetPrefix.String(), iptables.AzureDNS, iptables.UDP, iptables.DNSPort)`
	`153`	`+`
	`154`	`+ // TODO remove this rule once we remove adding MASQUEARDE from AgentBaker, check below PR`
	`155`	`+ // https://github.com/Azure/AgentBaker/pull/367/files`
	`156`	`+ podTrafficAccept := fmt.Sprintf(" -m iprange ! --dst-range 168.63.129.16-168.63.129.16 -s %s ", ncSubnetPrefix.String())`
`153`	`157`	`snatPrimaryIPJump := fmt.Sprintf("%s --to %s", iptables.Snat, info.ncPrimaryIP)`
`154`	`158`	`options[network.IPTablesKey] = []iptables.IPTableEntry{`
`155`	`159`	`iptables.GetCreateChainCmd(iptables.V4, iptables.Nat, iptables.Swift),`
	`160`	`+ iptables.GetInsertIptableRuleCmd(iptables.V4, iptables.Nat, iptables.Postrouting, podTrafficAccept, iptables.Accept),`
`156`	`161`	`iptables.GetAppendIptableRuleCmd(iptables.V4, iptables.Nat, iptables.Postrouting, "", iptables.Swift),`
`157`	`162`	`iptables.GetInsertIptableRuleCmd(iptables.V4, iptables.Nat, iptables.Swift, azureDNSMatch, snatPrimaryIPJump),`
`158`	`163`	`}`