|
|
@@ -422,7 +422,7 @@ func programIngress(gwIP net.IP, ingressPorts []*PortConfig, isDelete bool) erro
|
|
|
// Filter table rules to allow a published service to be accessible in the local node from..
|
|
|
// 1) service tasks attached to other networks
|
|
|
// 2) unmanaged containers on bridge networks
|
|
|
- rule := []string{addDelOpt, ingressChain, "-m", "state", "-p", protocol, "--sport", publishedPort, "--state", "ESTABLISHED,RELATED", "-j", "ACCEPT"}
|
|
|
+ rule := []string{addDelOpt, ingressChain, "-p", protocol, "--sport", publishedPort, "-m", "conntrack", "--ctstate", "ESTABLISHED,RELATED", "-j", "ACCEPT"}
|
|
|
if portErr = iptable.RawCombinedOutput(rule...); portErr != nil {
|
|
|
err := fmt.Errorf("set up rule failed, %v: %v", rule, portErr)
|
|
|
if !isDelete {
|
|
|
@@ -430,7 +430,7 @@ func programIngress(gwIP net.IP, ingressPorts []*PortConfig, isDelete bool) erro
|
|
|
}
|
|
|
log.G(context.TODO()).Warn(err)
|
|
|
}
|
|
|
- rollbackRule := []string{rollbackAddDelOpt, ingressChain, "-m", "state", "-p", protocol, "--sport", publishedPort, "--state", "ESTABLISHED,RELATED", "-j", "ACCEPT"}
|
|
|
+ rollbackRule := []string{rollbackAddDelOpt, ingressChain, "-p", protocol, "--sport", publishedPort, "-m", "conntrack", "--ctstate", "ESTABLISHED,RELATED", "-j", "ACCEPT"}
|
|
|
rollbackRules = append(rollbackRules, rollbackRule)
|
|
|
|
|
|
rule = []string{addDelOpt, ingressChain, "-p", protocol, "--dport", publishedPort, "-j", "ACCEPT"}
|
Bjorn Neergaard