|
|
@@ -250,12 +250,12 @@ func (t *Topology) Rules(cni, iptablesForwardRule bool) []iptables.Rule {
|
|
|
if cni {
|
|
|
rules = append(rules, iptables.NewRule(iptables.GetProtocol(len(t.subnet.IP)), "nat", "POSTROUTING", "-s", t.subnet.String(), "-m", "comment", "--comment", "Kilo: jump to KILO-NAT chain", "-j", "KILO-NAT"))
|
|
|
// Some linux distros or docker will set forward DROP in the filter table.
|
|
|
- // To still be able to have pod to pod communication we need to ALLOW packages from and to pod CIDRs within a location.
|
|
|
- // Leader nodes will forward packages from all nodes within a location because they act as a gateway for them.
|
|
|
+ // To still be able to have pod to pod communication we need to ALLOW packets from and to pod CIDRs within a location.
|
|
|
+ // Leader nodes will forward packets from all nodes within a location because they act as a gateway for them.
|
|
|
// Non leader nodes only need to allow packages from and to their own pod CIDR.
|
|
|
if iptablesForwardRule && t.leader {
|
|
|
for _, s := range t.segments {
|
|
|
- if t.location == s.location {
|
|
|
+ if s.location == t.location {
|
|
|
// Make sure packets to and from pod cidrs are not dropped in the forward chain.
|
|
|
for _, c := range s.cidrs {
|
|
|
rules = append(rules, iptables.NewRule(iptables.GetProtocol(len(c.IP)), "filter", "FORWARD", "-m", "comment", "--comment", "Kilo: forward packets from the pod subnet", "-s", c.String(), "-j", "ACCEPT"))
|
leonnicolas