summaryrefslogtreecommitdiffhomepage
path: root/runsc/sandbox/BUILD
diff options
context:
space:
mode:
authorKevin Krakauer <krakauer@google.com>2020-06-05 11:22:44 -0700
committerKevin Krakauer <krakauer@google.com>2020-07-22 16:49:11 -0700
commit89bd71c942146f9a77aabab8bc832ec5c3912d6b (patch)
tree2b5d6a1a00706f9f22bcb8994241da43ed7cbf57 /runsc/sandbox/BUILD
parentbd98f820141208d9f19b0e12dee93f6f6de3ac97 (diff)
iptables: don't NAT existing connections
Fixes a NAT bug that manifested as: - A SYN was sent from gVisor to another host, unaffected by iptables. - The corresponding SYN/ACK was NATted by a PREROUTING REDIRECT rule despite being part of the existing connection. - The socket that sent the SYN never received the SYN/ACK and thus a connection could not be established. We handle this (as Linux does) by tracking all connections, inserting a no-op conntrack rule for new connections with no rules of their own. Needed for istio support (#170).
Diffstat (limited to 'runsc/sandbox/BUILD')
0 files changed, 0 insertions, 0 deletions