COS-2822: port gcp-routes to nftables #1562
Merged
Commits on Aug 8, 2024
-
Remove unnecessary gcp-routes rule
gcp-routes had a rule "so that existing flows (with an entry in conntrack) continue to be balanced, even if the DNAT entry is removed". The only way this iptables rule would actually be needed is if (a) your masters have an iptables-based firewall (which they shouldn't, on OCP), and (b) the firewall is so aggressive that it even drops packets from established connections (which no firewall should do anyway). At any rate, even if the rule *was* necessary in some clusters, it won't work in future nftables-only versions of RHCOS anyway, because nftables doesn't let "accept" rules in one table override "drop"/"reject" rules in another table; if your firewall is broken and dropping packets that it shouldn't, you have to actually fix your firewall rules, not hack around them somewhere else.
Commits on Aug 9, 2024
-
IPTables is going away in RHEL 10 so everything needs to be done with nftables. https://issues.redhat.com/browse/OCPSTRAT-940
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.