From 709c1ec6c004867ff1a382734192296607da8747 Mon Sep 17 00:00:00 2001
From: Ben Grabham
Date: Mon, 15 Feb 2021 12:00:25 +0000
Subject: [PATCH] Don't add generic ACCEPT rules to the filter chain
---
 pkg/mesh/routes.go | 2 --
 1 file changed, 2 deletions(-)
diff --git a/pkg/mesh/routes.go b/pkg/mesh/routes.go
index 37565b5..1ebfd7a 100644
--- a/pkg/mesh/routes.go
+++ b/pkg/mesh/routes.go
@@ -226,8 +226,6 @@ func (t *Topology) Rules(cni bool) []iptables.Rule {
 	rules = append(rules, iptables.NewIPv6Chain("nat", "KILO-NAT"))
 	if cni {
 		rules = append(rules, iptables.NewRule(iptables.GetProtocol(len(t.subnet.IP)), "nat", "POSTROUTING", "-m", "comment", "--comment", "Kilo: jump to KILO-NAT chain", "-s", t.subnet.String(), "-j", "KILO-NAT"))
-		rules = append(rules, iptables.NewRule(iptables.GetProtocol(len(t.subnet.IP)), "filter", "FORWARD", "-m", "comment", "--comment", "Kilo: forward packets from the pod subnet", "-s", t.subnet.String(), "-j", "ACCEPT"))
-		rules = append(rules, iptables.NewRule(iptables.GetProtocol(len(t.subnet.IP)), "filter", "FORWARD", "-m", "comment", "--comment", "Kilo: forward packets to the pod subnet", "-d", t.subnet.String(), "-j", "ACCEPT"))
 	}
 	for _, s := range t.segments {
 		rules = append(rules, iptables.NewRule(iptables.GetProtocol(len(s.wireGuardIP)), "nat", "KILO-NAT", "-m", "comment", "--comment", "Kilo: do not NAT packets destined for WireGuared IPs", "-d", s.wireGuardIP.String(), "-j", "RETURN"))
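Review bot: The new side of the `if cni {` block now generates only the nat POSTROUTING jump to KILO-NAT and leaves acceptance of pod-subnet traffic in the filter FORWARD chain entirely to the CNI plugin or host policy, but nothing in the hunk records that dependency; a comment above `if cni {` such as `// Kilo only NATs pod-subnet traffic here; accepting it in the filter FORWARD chain is left to the CNI plugin or the host's FORWARD policy.` would tell the next maintainer why no ACCEPT rule is emitted and where to look when cross-node pod traffic is dropped by a DROP default policy. If the iptables controller reconciles only the rules in this slice and does not delete stale Kilo-commented rules, the two removed ACCEPT rules presumably persist in FORWARD on nodes upgraded in place, so the tightening this commit intends may not take effect there until those rules are flushed — worth confirming against the controller's cleanup behaviour. The removed rules matched on the pod subnet as source or destination only, so any forwarded packet carrying a spoofed pod-subnet address was accepted; dropping them is the right direction, and the remaining `-s t.subnet.String() -j KILO-NAT` rule is in the nat table and does not affect filtering. The enclosing `Rules` method starts and ends outside the hunk.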