kubelet, kube-proxy: unmark packets before masquerading them

It seems that if you set the packet mark on a packet and then route
that packet through a kernel VXLAN interface, the VXLAN-encapsulated
packet will still have the mark from the original packet. Since our
NAT rules are based on the packet mark, this was causing us to
double-NAT some packets, which then triggered a kernel checksumming
bug. But even without the checksum bug, there are reasons to avoid
double-NATting, so fix the rules to unmark the packets before
masquerading them.
Author: Dan Winship
Date: 2020-06-11 09:11:03 -04:00
parent 2930723a25
commit c12534d8b4
5 changed files with 56 additions and 19 deletions
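The commit message describes the rule shape it wants (match on the mark bit, clear the bit, then MASQUERADE) and why a VXLAN-encapsulated packet that inherits the inner packet's mark would otherwise be NATted twice. The following Go program is an added example, not code from the commit or from Kubernetes: it formats the two mark arguments the test cases above expect (`value/mask` for a `-m mark --mark` match, bare `value` for `-j MARK --xor-mark`), renders the KUBE-POSTROUTING chain with and without the unmark rule, and models the VXLAN mark inheritance as a plain copy of the skb mark so the double-masquerade can be counted. The names `markMatchArg`, `markXorArg`, `postroutingRules`, `traversePostrouting` and `vxlanMasqueradeCount`, the rule text, and the assumption that the mark is copied unchanged onto the outer packet are this example's own.

```go
package main

import "fmt"

// Bit of the skb mark that Kubernetes sets on packets needing SNAT
// (0x4000 in the test cases above). masqueradeBit is this example's own name.
const masqueradeBit = 14

// markValue returns the bare mark value for a bit position.
func markValue(bit int) uint32 { return 1 << uint(bit) }

// markMatchArg formats "value/mask" for "-m mark --mark value/mask", so the
// rule tests a single bit and ignores any other bits in the mark.
func markMatchArg(bit int) string {
	v := markValue(bit)
	return fmt.Sprintf("%#08x/%#08x", v, v)
}

// markXorArg formats the bare value for "-j MARK --xor-mark value", which
// flips (here: clears) exactly that bit and leaves the rest of the mark alone.
func markXorArg(bit int) string {
	return fmt.Sprintf("%#08x", markValue(bit))
}

// postroutingRules returns a KUBE-POSTROUTING chain in iptables-restore
// syntax. unmark=false is the pre-fix shape (match, masquerade); unmark=true
// clears the mark bit between the two, as the commit message describes.
// The rule text is this example's own rendering, not copied from the patch.
func postroutingRules(unmark bool) []string {
	rules := []string{
		fmt.Sprintf("-A KUBE-POSTROUTING -m mark ! --mark %s -j RETURN", markMatchArg(masqueradeBit)),
	}
	if unmark {
		rules = append(rules, fmt.Sprintf("-A KUBE-POSTROUTING -j MARK --xor-mark %s", markXorArg(masqueradeBit)))
	}
	return append(rules, "-A KUBE-POSTROUTING -j MASQUERADE")
}

// packet models just the skb mark, the only field these rules inspect.
type packet struct{ mark uint32 }

// traversePostrouting applies the modelled chain to one packet and reports
// whether it reached the MASQUERADE target.
func traversePostrouting(p *packet, unmark bool) bool {
	bit := markValue(masqueradeBit)
	if p.mark&bit == 0 { // -m mark ! --mark bit/bit -j RETURN
		return false
	}
	if unmark { // -j MARK --xor-mark bit
		p.mark ^= bit
	}
	return true // -j MASQUERADE
}

// vxlanMasqueradeCount counts how many times a marked pod packet is
// masqueraded when it leaves via a VXLAN interface: POSTROUTING runs on the
// inner packet, the kernel encapsulates it, and (as the commit message
// observes) the outer packet still carries the inner packet's mark, so
// POSTROUTING runs again on the outer packet. The inheritance is modelled as
// a plain copy of the mark (an assumption of this example).
func vxlanMasqueradeCount(unmark bool) int {
	inner := &packet{mark: markValue(masqueradeBit)} // set earlier by KUBE-MARK-MASQ
	n := 0
	if traversePostrouting(inner, unmark) {
		n++
	}
	outer := &packet{mark: inner.mark} // VXLAN encapsulation carries the mark over
	if traversePostrouting(outer, unmark) {
		n++
	}
	return n
}

func main() {
	for _, unmark := range []bool{false, true} {
		fmt.Printf("unmark=%v\n", unmark)
		for _, r := range postroutingRules(unmark) {
			fmt.Println("  " + r)
		}
		fmt.Printf("  masqueraded %d time(s)\n", vxlanMasqueradeCount(unmark))
	}
}
```

Without the `--xor-mark` rule the outer packet still has the bit set and is masqueraded a second time; with it, the second traversal hits the `! --mark` RETURN and the packet is NATted once. The split into two formatting helpers matters because a bare value passed to `--mark` compares against the whole 32-bit mark, not a single bit.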


@@ -31,11 +31,11 @@ func TestGetIPTablesMark(t *testing.T) {
}{
{
14,
"0x00004000/0x00004000",
"0x00004000",
},
{
15,
"0x00008000/0x00008000",
"0x00008000",
},
}
for _, tc := range tests {
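Review bot: the expected value of the function under test (GetIPTablesMark, per the test name) changes from the "value/mask" form ("0x00004000/0x00004000") to the bare value ("0x00004000"); the bare form is what `-j MARK --xor-mark` takes, but a bare value passed straight to `-m mark --mark` is compared against the full 32-bit mark rather than the single bit, so every caller that previously used the returned string directly in a mark match must now append the mask itself (e.g. `--mark 0x00004000/0x00004000`). Please confirm the callers in the other changed files do that, and consider a comment on the function saying the result is the bare value so the next caller does not reintroduce the mismatch. The `+`/`-` prefixes are not shown on this page, so the direction of the change is read from the hunk header (11 old, 11 new lines, two swapped).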