From 84741b6a5eaa9a29846b9b7fdf1e56e07faba4c2 Mon Sep 17 00:00:00 2001
From: Murali Reddy
Date: Mon, 16 Oct 2017 02:06:54 +0530
Subject: [PATCH] network policy: use 'addrtype' module and --src-type=LOCAL to match local traffic

---
 app/controllers/network_policy_controller.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/app/controllers/network_policy_controller.go b/app/controllers/network_policy_controller.go
index fac55419..794ff490 100644
--- a/app/controllers/network_policy_controller.go
+++ b/app/controllers/network_policy_controller.go
@@ -605,7 +605,7 @@ func (npc *NetworkPolicyController) syncPodFirewallChains() (map[string]bool, er
 activePodFwChains[podFwChainName] = true
 
 comment := "rule to permit the traffic traffic to pods when source is the pod's local node"
- args := []string{"-m", "comment", "--comment", comment, "-s", npc.nodeIP.String(), "-d", pod.ip, "-j", "ACCEPT"}
+ args := []string{"-m", "comment", "--comment", comment, "-m", "addrtype", "--src-type", "LOCAL", "-d", pod.ip, "-j", "ACCEPT"}
 exists, err := iptablesCmdHandler.Exists("filter", podFwChainName, args...)
 if err != nil {
 return nil, fmt.Errorf("Failed to run iptables command: %s", err.Error())
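Review bot: `--src-type LOCAL` on the new `args` line matches every address the node itself owns (loopback, the pod bridge, any secondary interface), not only `npc.nodeIP`, so this ACCEPT is broader than the `-s` rule it replaces and nothing in the code says why. If pod traffic that was masqueraded to a node-local address re-enters this chain before the policy rules — hairpinned service traffic is the case to check — it would now be accepted unconditionally; that is inferred from the rule shape rather than visible here, so it is worth a test rather than an assumption. At minimum add a why-comment above the line, e.g. `// Match any node-owned source (not just nodeIP) so traffic from the node's other interfaces, e.g. the pod bridge, reaches the pod; note this widens what bypasses policy rules`. syncPodFirewallChains starts and ends outside the hunk.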