diff --git a/felix/rules/nat.go b/felix/rules/nat.go
index d3a0cc538c4..826c91791b5 100644
--- a/felix/rules/nat.go
+++ b/felix/rules/nat.go
@@ -52,11 +52,13 @@ func (r *DefaultRuleRenderer) makeNATOutgoingRuleBPF(version uint8, protocol str
 func (r *DefaultRuleRenderer) makeNATOutgoingRuleIPTables(ipVersion uint8, protocol string, action iptables.Action) iptables.Rule {
 	ipConf := r.ipSetConfig(ipVersion)
 	allIPsSetName := ipConf.NameForMainIPSet(IPSetIDNATOutgoingAllPools)
+	allHostsIPsSetName := ipConf.NameForMainIPSet(IPSetIDAllHostNets)
 	masqIPsSetName := ipConf.NameForMainIPSet(IPSetIDNATOutgoingMasqPools)
 	match := iptables.Match().
 		SourceIPSet(masqIPsSetName).
-		NotDestIPSet(allIPsSetName)
+		NotDestIPSet(allIPsSetName).
+		NotDestIPSet(allHostsIPsSetName)
 	if protocol != "" {
 		match = match.Protocol(protocol)
diff --git a/felix/rules/nat_test.go b/felix/rules/nat_test.go
index 5a280649fcb..f0b83c1f962 100644
--- a/felix/rules/nat_test.go
+++ b/felix/rules/nat_test.go
@@ -55,7 +55,8 @@ var _ = Describe("NAT", func() {
 				Action: MasqAction{},
 				Match: Match().
 					SourceIPSet("cali40masq-ipam-pools").
-					NotDestIPSet("cali40all-ipam-pools"),
+					NotDestIPSet("cali40all-ipam-pools").
+					NotDestIPSet("cali40all-hosts-net"),
 			},
 		},
 	}))
@@ -73,7 +74,8 @@ var _ = Describe("NAT", func() {
 				Action: SNATAction{ToAddr: snatAddress},
 				Match: Match().
 					SourceIPSet("cali40masq-ipam-pools").
-					NotDestIPSet("cali40all-ipam-pools"),
+					NotDestIPSet("cali40all-ipam-pools").
+					NotDestIPSet("cali40all-hosts-net"),
 			},
 		},
 	}))
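Review bot: The new `NotDestIPSet(allHostsIPsSetName)` term in makeNATOutgoingRuleIPTables carries no comment saying why traffic to cluster hosts must bypass masquerading, and an operator debugging pod-to-node traffic that arrives with the pod's original source address will otherwise read it as a missing SNAT rule. Suggest a why-comment above the `match :=` chain, e.g. `// Never masquerade traffic destined for cluster hosts: the workload's real source address must survive so host-side policy and logs can attribute it.` — adjust if the motivation differs. The hunk header shows makeNATOutgoingRuleBPF directly above; if the BPF variant renders an equivalent exclusion it presumably needs the same change, which this diff does not show. The rule now also depends on the IPSetIDAllHostNets set existing for both IP versions when the NAT chain is programmed; with iptables set matches a missing set would presumably reject the whole rule rather than fall back to the old behaviour, so it is worth confirming that set is rendered unconditionally. makeNATOutgoingRuleIPTables's body continues past the end of the hunk.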
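Review bot: Every updated expectation in nat_test.go (this hunk and the hunks at @@ -73, @@ -92, @@ -136, @@ -165 and @@ -188) pins the new exclusion only against the `cali40` IPv4 set names, so a regression in which the IPv6 rendering drops the all-hosts `NotDestIPSet` would not be caught here; if the Describe block has no IPv6 case, adding one that expects the IPv6-prefixed all-hosts set name would close that gap. The same `Match().SourceIPSet("cali40masq-ipam-pools").NotDestIPSet("cali40all-ipam-pools").NotDestIPSet("cali40all-hosts-net")` chain is now repeated a dozen times; extracting it into a small helper in the test would make the next rule change a one-line update, though that is a style preference. The enclosing `Describe("NAT", ...)` block starts before and ends after every hunk shown.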
@@ -92,31 +94,36 @@ var _ = Describe("NAT", func() {
 				Action: MasqAction{ToPorts: "99-100"},
 				Match: Match().
 					SourceIPSet("cali40masq-ipam-pools").
-					NotDestIPSet("cali40all-ipam-pools").Protocol("tcp"),
+					NotDestIPSet("cali40all-ipam-pools").
+					NotDestIPSet("cali40all-hosts-net").Protocol("tcp"),
 			},
 			{
 				Action: ReturnAction{},
 				Match: Match().
 					SourceIPSet("cali40masq-ipam-pools").
-					NotDestIPSet("cali40all-ipam-pools").Protocol("tcp"),
+					NotDestIPSet("cali40all-ipam-pools").
+					NotDestIPSet("cali40all-hosts-net").Protocol("tcp"),
 			},
 			{
 				Action: MasqAction{ToPorts: "99-100"},
 				Match: Match().
 					SourceIPSet("cali40masq-ipam-pools").
-					NotDestIPSet("cali40all-ipam-pools").Protocol("udp"),
+					NotDestIPSet("cali40all-ipam-pools").
+					NotDestIPSet("cali40all-hosts-net").Protocol("udp"),
 			},
 			{
 				Action: ReturnAction{},
 				Match: Match().
 					SourceIPSet("cali40masq-ipam-pools").
-					NotDestIPSet("cali40all-ipam-pools").Protocol("udp"),
+					NotDestIPSet("cali40all-ipam-pools").
+					NotDestIPSet("cali40all-hosts-net").Protocol("udp"),
 			},
 			{
 				Action: MasqAction{},
 				Match: Match().
 					SourceIPSet("cali40masq-ipam-pools").
-					NotDestIPSet("cali40all-ipam-pools"),
+					NotDestIPSet("cali40all-ipam-pools").
+					NotDestIPSet("cali40all-hosts-net"),
 			},
 		},
 	}))
@@ -136,28 +143,32 @@ var _ = Describe("NAT", func() {
 				Action: MasqAction{ToPorts: "99-100"},
 				Match: Match().
 					SourceIPSet("cali40masq-ipam-pools").
-					NotDestIPSet("cali40all-ipam-pools").Protocol("tcp").
+					NotDestIPSet("cali40all-ipam-pools").
+					NotDestIPSet("cali40all-hosts-net").Protocol("tcp").
 					OutInterface("cali-123"),
 			},
 			{
 				Action: ReturnAction{},
 				Match: Match().
 					SourceIPSet("cali40masq-ipam-pools").
-					NotDestIPSet("cali40all-ipam-pools").Protocol("tcp").
+					NotDestIPSet("cali40all-ipam-pools").
+					NotDestIPSet("cali40all-hosts-net").Protocol("tcp").
 					OutInterface("cali-123"),
 			},
 			{
 				Action: MasqAction{ToPorts: "99-100"},
 				Match: Match().
 					SourceIPSet("cali40masq-ipam-pools").
-					NotDestIPSet("cali40all-ipam-pools").Protocol("udp").
+					NotDestIPSet("cali40all-ipam-pools").
+					NotDestIPSet("cali40all-hosts-net").Protocol("udp").
 					OutInterface("cali-123"),
 			},
 			{
 				Action: ReturnAction{},
 				Match: Match().
 					SourceIPSet("cali40masq-ipam-pools").
-					NotDestIPSet("cali40all-ipam-pools").Protocol("udp").
+					NotDestIPSet("cali40all-ipam-pools").
+					NotDestIPSet("cali40all-hosts-net").Protocol("udp").
 					OutInterface("cali-123"),
 			},
 			{
@@ -165,6 +176,7 @@ var _ = Describe("NAT", func() {
 				Match: Match().
 					SourceIPSet("cali40masq-ipam-pools").
 					NotDestIPSet("cali40all-ipam-pools").
+					NotDestIPSet("cali40all-hosts-net").
 					OutInterface("cali-123"),
 			},
 		},
@@ -188,31 +200,36 @@ var _ = Describe("NAT", func() {
 				Action: SNATAction{ToAddr: expectedAddress},
 				Match: Match().
 					SourceIPSet("cali40masq-ipam-pools").
-					NotDestIPSet("cali40all-ipam-pools").Protocol("tcp"),
+					NotDestIPSet("cali40all-ipam-pools").
+					NotDestIPSet("cali40all-hosts-net").Protocol("tcp"),
 			},
 			{
 				Action: ReturnAction{},
 				Match: Match().
 					SourceIPSet("cali40masq-ipam-pools").
-					NotDestIPSet("cali40all-ipam-pools").Protocol("tcp"),
+					NotDestIPSet("cali40all-ipam-pools").
+					NotDestIPSet("cali40all-hosts-net").Protocol("tcp"),
 			},
 			{
 				Action: SNATAction{ToAddr: expectedAddress},
 				Match: Match().
 					SourceIPSet("cali40masq-ipam-pools").
-					NotDestIPSet("cali40all-ipam-pools").Protocol("udp"),
+					NotDestIPSet("cali40all-ipam-pools").
+					NotDestIPSet("cali40all-hosts-net").Protocol("udp"),
 			},
 			{
 				Action: ReturnAction{},
 				Match: Match().
 					SourceIPSet("cali40masq-ipam-pools").
-					NotDestIPSet("cali40all-ipam-pools").Protocol("udp"),
+					NotDestIPSet("cali40all-ipam-pools").
+					NotDestIPSet("cali40all-hosts-net").Protocol("udp"),
 			},
 			{
 				Action: SNATAction{ToAddr: snatAddress},
 				Match: Match().
 					SourceIPSet("cali40masq-ipam-pools").
-					NotDestIPSet("cali40all-ipam-pools"),
+					NotDestIPSet("cali40all-ipam-pools").
+					NotDestIPSet("cali40all-hosts-net"),
 			},
 		},
 	}))