process packets only on POSTROUTING

kubernetes-sigs · Jul 19, 2024 · 05bc040 · 05bc040
1 parent f05c26e
commit 05bc040
Showing 1 changed file with 5 additions and 2 deletions.
diff --git a/pkg/networkpolicy/controller.go b/pkg/networkpolicy/controller.go
@@ -674,8 +674,11 @@ func (c *Controller) syncNFTablesRules(ctx context.Context) error {
 			})
 		}
 	}
-
-	for _, hook := range []knftables.BaseChainHook{knftables.ForwardHook} {
+	// Process the packets that are, usually on the FORWARD hook, but
+	// IPVS packets follow a different path in netfilter, so we process
+	// everything in the POSTROUTING hook before SNAT happens.
+	// Ref: https://github.com/kubernetes-sigs/kube-network-policies/issues/46
+	for _, hook := range []knftables.BaseChainHook{knftables.PostroutingHook} {
 		chainName := string(hook)
 		tx.Add(&knftables.Chain{
 			Name:     chainName,