Remove unnecessary kube-proxy double NAT workaround #340
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
I'm not too sure if this is really unnecessary. |
|
Thank you for your comment @ymmt2005 I tested it without the checksum workaround and it works well. I confirmed that the server recieved a message from the client and the message's src IP is Egress's IP. The details are below. Test EnvironmentThe validation was performed under the following environment
Verification Steps# Check egress pods status
% kubectl get pods -n internet -l app.kubernetes.io/instance=egress-sport-auto -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
egress-sport-auto-6448576774-ps8mw 1/1 Running 0 3m46s 10.244.0.6 coil-2-control-plane <none> <none>
egress-sport-auto-6448576774-s5ldh 1/1 Running 0 3m48s 10.244.0.5 coil-2-control-plane <none> <none>
# Set up dummy interface on control plane node
% docker exec coil-2-control-plane bash -c '
ip link add dummy-fake type dummy && \
ip link set dummy-fake up && \
ip address add 9.9.9.9/32 dev dummy-fake'
# Deploy echotest utility
% docker cp echotest coil-2-control-plane:/usr/local/bin
Successfully copied 7.57MB to coil-2-control-plane:/usr/local/bin
# Start echo server
% docker exec coil-2-control-plane /usr/local/bin/echotest --reply-remote
# Test FoU tunnel connectivity
% kubectl exec nat-client-sport-auto -- curl -s http://9.9.9.9
10.244.0.5|% |
|
@Till0196 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Removes iptables mangle rules that were added to fix UDP checksum issues caused by kube-proxy's double NAT.
Background
While the egress functionality can be directly replaced from iptables to nftables, nftables doesn't have an equivalent rule for the iptables CHECKSUM target, which complicates the implementation. I'm planning to add nftables support for the egress implementation, but this workaround was blocking that effort.
Upon reviewing the code, I found that the use of the CHECKSUM target was intended as a temporary workaround, raising questions about whether it's still necessary. Therefore, I decided to remove the relevant code and conduct verification tests.