pkg/mesh: enable outgoing NAT to WAN

This commit enables NAT-ing packets outgoing to the WAN from both the Pod subnet as well as from peers. This means that Pods can access the Internet and that peers can use the Kilo mesh as a gateway to the Internet. Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2020-03-09 18:42:42 +01:00
parent 8908cf19cb
commit 7051b9fe29
3 changed files with 30 additions and 16 deletions
--- a/pkg/mesh/mesh.go
+++ b/pkg/mesh/mesh.go
@@ -588,7 +588,10 @@ func (m *Mesh) applyTopology() {
 		m.errorCounter.WithLabelValues("apply").Inc()
 		return
 	}
-	ipRules := iptables.ForwardRules(m.subnet)
+	var ipRules []iptables.Rule
+	if m.cni {
+		ipRules = append(ipRules, t.Rules(m.cni)...)
+	}
 	// If we are handling local routes, ensure the local
 	// tunnel has an IP address and IPIP traffic is allowed.
 	if m.enc.Strategy() != encapsulation.Never && m.local {