Hello Phil,

Started working on the nat portion and here is an iptables rule which is a bit concerning.

-A KUBE-SERVICES -d 192.168.80.104/32 -p tcp -m comment --comment "default/portal:portal external IP" -m tcp --dport 8989 -m physdev ! --physdev-is-in -m addrtype ! --src-type LOCAL -j KUBE-SVC-MUPXPVK4XAZHSWAR

I can address "addrtype" with nftables "fib" and "iif type local", but I am not sure about "physdev"; appreciate any suggestions.

Thank you
Serguei

On 2019-11-29, 7:04 PM, "n0-1@xxxxxxxxxxxxx on behalf of Phil Sutter" <n0-1@xxxxxxxxxxxxx on behalf of phil@xxxxxx> wrote:

    Hi Serguei,

    On Fri, Nov 29, 2019 at 08:13:21PM +0000, Serguei Bezverkhi (sbezverk) wrote:
    > @Phil, thanks so much for the Concat suggestion. Any more points for optimization? If no, then I will move to the nat portion of k8s iptables.

    Looks fine to me. I don't like the mark-based verdicts, but to validate those we need to see where the marks are set.

    Cheers, Phil
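As an added illustration that is not part of either mail, this is one way the KUBE-SERVICES rule quoted above can be rendered in nft syntax, with the addrtype match expressed through `fib saddr type`. The table name, the hook placement and the empty service chain are assumptions made for the example; the physdev match is only commented on, since nftables offers no direct equivalent.

```nft
# Added example, not from the thread: the KUBE-SERVICES rule above in nft
# syntax. Table name, hook placement and the stub service chain are assumed.
table ip kube-proxy {
    chain KUBE-SVC-MUPXPVK4XAZHSWAR {
        # per-endpoint DNAT rules for default/portal would live here
    }

    chain KUBE-SERVICES {
        type nat hook prerouting priority dstnat; policy accept;

        # -d 192.168.80.104/32 -p tcp --dport 8989  ->  ip daddr ... tcp dport ...
        # -m addrtype ! --src-type LOCAL           ->  fib saddr type != local
        # -m physdev ! --physdev-is-in             ->  no nft counterpart.
        #   The iptables physdev match only has an effect when br_netfilter is
        #   loaded (bridged traffic); this rendering assumes that is not the case
        #   and therefore drops it, which is the part to verify on a real node.
        ip daddr 192.168.80.104 tcp dport 8989 fib saddr type != local jump KUBE-SVC-MUPXPVK4XAZHSWAR comment "default/portal:portal external IP"
    }
}
```

Load with `nft -c -f <file>` first to syntax-check without touching the live ruleset.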