use symmetric return path for non-VPC traffic #1460
Closed
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Configure permissive rp_filter on the secondary ENIs and use symmetric
return path for non-VPC traffic ingress from the seconary ENIs.
What type of PR is this?
bug
Which issue does this PR fix:
Fixes #1392
What does this PR do / Why do we need it:
When external SNAT is disabled, this PR does the following
This fix is needed in order to support non-VPC traffic ingress from the secondary ENIs, for example in case of NLB with IP targets and preserve client IP enabled.
If an issue # is not available please add repro steps and logs from IPAMD/CNI showing the issue:
N/A
Testing done on this change:
Automation added to e2e:
Will this break upgrades or downgrades. Has updating a running cluster been tested?:
upgrading to new version on a running cluster works fine
Does this change require updates to the CNI daemonset config files to work?:
Added secondaryENIConnmark configuration in the file 10.aws.conflist for cni plugin to pickup the configured connmark.
Does this PR introduce any user-facing change?:
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.