Use symmetric return path for non-VPC traffic - alternate solution #1475
Merged
Conversation
kishorj
changed the title
Use symmetric return path for non-VPC traffic
Use symmetric return path for non-VPC traffic - alternate solution
May 26, 2021
anguslees
approved these changes
May 27, 2021
jayanthvn
approved these changes
May 28, 2021
kishorj
commented
May 28, 2021
kishorj
added a commit
that referenced
this pull request
May 28, 2021
Recent changes in PR #1475 remove the VPC CIDR ranges from the ip route rules. Modify the pod networking agent for compatibility with the new changes introduced for symmetric return path.
achevuru
reviewed
Jun 1, 2021
achevuru
reviewed
Jun 1, 2021
achevuru
approved these changes
Jun 2, 2021
Let's wait for the integration tests to finish.
M00nF1sh
pushed a commit
to M00nF1sh/amazon-vpc-cni-k8s
that referenced
this pull request
Jun 7, 2021
Recent changes in PR aws#1475 remove the VPC CIDR ranges from the ip route rules. Modify the pod networking agent for compatibility with the new changes introduced for symmetric return path.
M00nF1sh
pushed a commit
to M00nF1sh/amazon-vpc-cni-k8s
that referenced
this pull request
Jun 7, 2021
…ws#1475)
* use symmetric return path for non-VPC traffic
* account for custom veth prefix configuration
* update host iptables rules on VPC CIDR change
* update integration tests to recognize new changes
* new integration test: reset aws-node config
* update README
M00nF1sh
added a commit
that referenced
this pull request
Jun 7, 2021
Recent changes in PR #1475 remove the VPC CIDR ranges from the ip route rules. Modify the pod networking agent for compatibility with the new changes introduced for symmetric return path.
Co-authored-by: Kishor Joshi <joshikis@amazon.com>
M00nF1sh
added a commit
that referenced
this pull request
Jun 7, 2021
…1475) (#1494)
* use symmetric return path for non-VPC traffic
* account for custom veth prefix configuration
* update host iptables rules on VPC CIDR change
* update integration tests to recognize new changes
* new integration test: reset aws-node config
* update README
Co-authored-by: Kishor Joshi <joshikis@amazon.com>
a2ush
added a commit
to a2ush/amazon-vpc-cni-k8s
that referenced
this pull request
Mar 12, 2022
From v1.8.0, amazon-vpc-cni-k8s no longer sets the VPC CIDR on the from-pod rule. aws#1475
Ex)
0: from all lookup local
512: from all to 192.168.13.238 lookup main
512: from all to 192.168.16.73 lookup main
512: from all to 192.168.17.61 lookup main
512: from all to 192.168.23.14 lookup main
512: from all to 192.168.25.98 lookup main
512: from all to 192.168.31.149 lookup main
512: from all to 192.168.12.92 lookup main
512: from all to 192.168.9.146 lookup main
512: from all to 192.168.5.21 lookup main
512: from all to 192.168.25.41 lookup main
512: from all to 192.168.26.54 lookup main
512: from all to 192.168.2.30 lookup main
512: from all to 192.168.27.246 lookup main
512: from all to 192.168.21.133 lookup main
1024: from all fwmark 0x80/0x80 lookup main
1536: from 192.168.31.149 lookup 2
1536: from 192.168.12.92 lookup 2
1536: from 192.168.9.146 lookup 2
1536: from 192.168.5.21 lookup 2
1536: from 192.168.25.41 lookup 3
1536: from 192.168.26.54 lookup 3
1536: from 192.168.2.30 lookup 3
1536: from 192.168.27.246 lookup 3
1536: from 192.168.21.133 lookup 3
1536: from 20.0.49.215 lookup 2
32766: from all lookup main
32767: from all lookup default
a2ush
added a commit
to a2ush/amazon-vpc-cni-k8s
that referenced
this pull request
Mar 12, 2022
From v1.8.0, amazon-vpc-cni-k8s no longer sets the VPC CIDR on the from-pod rule. aws#1475
Ex)
0: from all lookup local
512: from all to 192.168.13.238 lookup main
512: from all to 192.168.16.73 lookup main
512: from all to 192.168.17.61 lookup main
512: from all to 192.168.23.14 lookup main
512: from all to 192.168.25.98 lookup main
512: from all to 192.168.31.149 lookup main
512: from all to 192.168.12.92 lookup main
512: from all to 192.168.9.146 lookup main
512: from all to 192.168.5.21 lookup main
512: from all to 192.168.25.41 lookup main
512: from all to 192.168.26.54 lookup main
512: from all to 192.168.2.30 lookup main
512: from all to 192.168.27.246 lookup main
512: from all to 192.168.21.133 lookup main
1024: from all fwmark 0x80/0x80 lookup main
1536: from 192.168.31.149 lookup 2
1536: from 192.168.12.92 lookup 2
1536: from 192.168.9.146 lookup 2
1536: from 192.168.5.21 lookup 2
1536: from 192.168.25.41 lookup 3
1536: from 192.168.26.54 lookup 3
1536: from 192.168.2.30 lookup 3
1536: from 192.168.27.246 lookup 3
1536: from 192.168.21.133 lookup 3
32766: from all lookup main
32767: from all lookup default
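The two a2ush commit messages above show the rule shape after this PR: each pod on a secondary ENI gets a priority-512 "from all to <podIP> lookup main" rule for inbound traffic and a priority-1536 "from <podIP> lookup <table>" rule that sends all of its outbound traffic, VPC-bound or not, through that ENI's table, with no "to <VPC CIDR>" qualifier. An operator checking a node after an upgrade or downgrade wants to confirm that shape rather than eyeball the list. The checker below is an added example, not code from this PR or from amazon-vpc-cni-k8s; it parses `ip rule show` output, reports which table each pod's from-pod rule selects, flags the older CIDR-restricted shape, and lists from-pod rules with no matching to-pod rule. The priorities 512 and 1536 are taken from the output quoted above; the sample inputs are constructed from a subset of those lines, and the VPC CIDR 192.168.0.0/16 in the pre-v1.8.0 sample is an assumption.

```python
"""Check the shape of the per-pod ip rules installed by amazon-vpc-cni-k8s.

Added example, not project code. Priorities 512 (to-pod) and 1536 (from-pod)
are taken from the `ip rule show` output quoted in the commit message above.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# One line of `ip rule show`, e.g. "1536: from 192.168.31.149 lookup 2"
RULE_RE = re.compile(
    r"^(?P<prio>\d+):\s+from\s+(?P<src>\S+)"
    r"(?:\s+to\s+(?P<dst>\S+))?"
    r"(?:\s+fwmark\s+(?P<mark>\S+))?"
    r"\s+lookup\s+(?P<table>\S+)\s*$"
)

TO_POD_PRIO = 512     # "from all to <podIP> lookup main"
FROM_POD_PRIO = 1536  # "from <podIP> lookup <eni table>"


@dataclass(frozen=True)
class Rule:
    prio: int
    src: str
    dst: Optional[str]
    fwmark: Optional[str]
    table: str


def parse_ip_rules(text: str) -> List[Rule]:
    """Parse `ip rule show` output; an unrecognised line raises instead of being skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised ip rule line: {line!r}")
        rules.append(Rule(int(m["prio"]), m["src"], m["dst"], m["mark"], m["table"]))
    return rules


def from_pod_rules(rules: List[Rule]) -> List[Rule]:
    """Rules at the from-pod priority that name a specific source address."""
    return [r for r in rules if r.prio == FROM_POD_PRIO and r.src != "all"]


def from_pod_tables(rules: List[Rule]) -> Dict[str, str]:
    """Map each pod IP with a from-pod rule to the route table that rule selects."""
    return {r.src: r.table for r in from_pod_rules(rules)}


def from_pod_rules_restricted_to_cidr(rules: List[Rule]) -> bool:
    """True if any from-pod rule still carries a 'to <CIDR>' qualifier.

    After #1475 (v1.8.0+) the from-pod rule covers all destinations, so a 'to'
    qualifier points at an older CNI or a rule left behind after a downgrade.
    """
    return any(r.dst is not None for r in from_pod_rules(rules))


def pods_missing_to_pod_rule(rules: List[Rule]) -> List[str]:
    """Pod IPs with a from-pod rule but no matching 'from all to <podIP>' rule."""
    to_pod = {r.dst for r in rules if r.prio == TO_POD_PRIO and r.src == "all"}
    return sorted(ip for ip in from_pod_tables(rules) if ip not in to_pod)


# Constructed sample: a subset of the v1.8.0 output quoted in the commit message.
SAMPLE_V18 = """\
0: from all lookup local
512: from all to 192.168.13.238 lookup main
512: from all to 192.168.31.149 lookup main
512: from all to 192.168.25.41 lookup main
1024: from all fwmark 0x80/0x80 lookup main
1536: from 192.168.31.149 lookup 2
1536: from 192.168.25.41 lookup 3
32766: from all lookup main
32767: from all lookup default
"""

# Constructed sample of the older shape; 192.168.0.0/16 as the VPC CIDR is an assumption.
SAMPLE_PRE_V18 = """\
0: from all lookup local
512: from all to 192.168.31.149 lookup main
1536: from 192.168.31.149 to 192.168.0.0/16 lookup 2
32766: from all lookup main
"""


def report(text: str) -> Dict[str, object]:
    """Summarise the rule set so a node can be checked in one call."""
    rules = parse_ip_rules(text)
    return {
        "from_pod_tables": from_pod_tables(rules),
        "cidr_restricted": from_pod_rules_restricted_to_cidr(rules),
        "missing_to_pod_rule": pods_missing_to_pod_rule(rules),
    }


if __name__ == "__main__":
    # On a live node: report(subprocess.check_output(["ip", "rule", "show"], text=True))
    for name, sample in (("v1.8.0 shape", SAMPLE_V18), ("pre-v1.8.0 shape", SAMPLE_PRE_V18)):
        print(name, report(sample))
```

The parser deliberately raises on any line it does not understand: a silently skipped rule is exactly the kind of gap that would hide a leftover CIDR-restricted rule after a downgrade, which the PR description notes can persist in iptables state until the node is rebooted.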
What type of PR is this?
bug
Which issue does this PR fix:
Fixes #1392, #1423
What does this PR do / Why do we need it:
When external SNAT is disabled, this PR does the following
This is an alternate fix. It doesn't require permissive rp filter configuration on the secondary ENIs, or a new connmark.
If an issue # is not available, please add repro steps and logs from IPAMD/CNI showing the issue:
N/A
Testing done on this change:
When external SNAT is enabled, the iptables connmark rules added to the nat table get cleaned up
With External SNAT disabled
With External SNAT enabled
New integration tests pass after some modification
Automation added to e2e:
Will this break upgrades or downgrades? Has updating a running cluster been tested?:
No impact on upgrade/downgrade. On downgrade, the connmark rules in the nat table remain until the node is rebooted, but there is no impact on functionality.
Does this change require updates to the CNI daemonset config files to work?:
Does this PR introduce any user-facing change?:
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.