From 6d877647e1966b314a9f88696d70d2e0fcadf591 Mon Sep 17 00:00:00 2001
From: Jana Radhakrishnan
Date: Mon, 15 Aug 2016 15:38:14 -0700
Subject: [PATCH] Add a narrower SNAT rule for LB egress

The SNAT rules added for LB egress is broader and breaks load balancing if the service is connected to multiple networks. Make it conditional based on the subnet to which the network belongs so that the right SNAT rule gets matched when egressing the corresponding network.

Signed-off-by: Jana Radhakrishnan
---
 libnetwork/service_linux.go | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/libnetwork/service_linux.go b/libnetwork/service_linux.go
index 337d325207..9dc27f5578 100644
--- a/libnetwork/service_linux.go
+++ b/libnetwork/service_linux.go
@@ -647,7 +647,7 @@ func invokeFWMarker(path string, vip net.IP, fwMark uint32, ingressPorts []*Port
 cmd := &exec.Cmd{
 Path: reexec.Self(),
-Args: append([]string{"fwmarker"}, path, vip.String(), fmt.Sprintf("%d", fwMark), addDelOpt, ingressPortsFile, eIP.IP.String()),
+Args: append([]string{"fwmarker"}, path, vip.String(), fmt.Sprintf("%d", fwMark), addDelOpt, ingressPortsFile, eIP.String()),
 Stdout: os.Stdout,
 Stderr: os.Stderr,
 }
 
@@ -719,7 +719,13 @@ func fwMarker() {
 }
 
 if addDelOpt == "-A" {
-ruleParams := strings.Fields(fmt.Sprintf("-m ipvs --ipvs -j SNAT --to-source %s", os.Args[6]))
+eIP, subnet, err := net.ParseCIDR(os.Args[6])
+if err != nil {
+logrus.Errorf("Failed to parse endpoint IP %s: %v", os.Args[6], err)
+os.Exit(9)
+}
+
+ruleParams := strings.Fields(fmt.Sprintf("-m ipvs --ipvs -d %s -j SNAT --to-source %s", subnet, eIP))
 if !iptables.Exists("nat", "POSTROUTING", ruleParams...) {
 rule := append(strings.Fields("-t nat -A POSTROUTING"), ruleParams...)
 rules = append(rules, rule)
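Review bot: The sixth positional argument handed to the fwmarker reexec child now carries a CIDR (`eIP.String()`) instead of a bare address, but nothing at the call site records that the child parses it with net.ParseCIDR; the parent and child are coupled only by the index os.Args[6], so a later change to either side will silently break the rule. A comment on the Args line, such as `// eIP is passed in CIDR form so fwmarker can derive the network's subnet for the narrowed SNAT rule`, would keep that contract visible. invokeFWMarker's body starts before this hunk and continues past it.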
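Review bot: The narrowed `-d <subnet>` rule is built only inside the `-A` branch, so unless the `-D` path (outside this hunk) is updated to the same form, the delete will no longer match the rule that was added and the SNAT rule stays in the nat POSTROUTING chain after the service is removed; the `iptables.Exists` check also will not notice a pre-existing broad rule left by an older daemon, so both may coexist. Building ruleParams once before the add/delete split and reusing it for both would keep the two in lockstep. Since os.Args[6] is now a CIDR, the log line would be more accurate as `logrus.Errorf("Failed to parse endpoint CIDR %s: %v", os.Args[6], err)`. fwMarker's body starts before this hunk and continues past it.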