From fd086cabe395dae954e29b20778d9e45324099da Mon Sep 17 00:00:00 2001
From: Igor Katson
Date: Sat, 8 Dec 2018 00:42:30 -0800
Subject: [PATCH] Fix return path of NodePort traffic when using Calico network policy.

Previously, commit 2cce7de02bbfef66b12f0d61d3e9f7cb96d2c186 fixed the return path of NodePort traffic when pods were on secondary ENIs. However when using aws-vpc-cni together with Calico network policy, the fix that was introduced in 2cce7de02bbfef66b12f0d61d3e9f7cb96d2c186 does not work, as Calico terminates the mangle table rule traversal early and the CONNMARK rules put by AWS VPC CNI are never reached. This PR configures Felix (part of calico) to RETURN inside iptables mangle table instead of ACCEPT, so that the rules that existed in the mangle table after the calico ones get a chance to be executed.
---
 config/v1.2/calico.yaml | 8 ++++++++
 config/v1.3/calico.yaml | 8 ++++++++
 2 files changed, 16 insertions(+)

diff --git a/config/v1.2/calico.yaml b/config/v1.2/calico.yaml
index cdf3c86692..2697911072 100644
--- a/config/v1.2/calico.yaml
+++ b/config/v1.2/calico.yaml
@@ -63,6 +63,10 @@ spec:
 # Disable IPV6 on Kubernetes.
 - name: FELIX_IPV6SUPPORT
 value: "false"
+ # This will make Felix honor AWS VPC CNI's mangle table
+ # rules.
+ - name: FELIX_IPTABLESMANGLEALLOWACTION
+ value: Return
 # Wait for the datastore.
 - name: WAIT_FOR_DATASTORE
 value: "true"
@@ -393,6 +397,10 @@ spec:
 value: "1"
 - name: TYPHA_HEALTHENABLED
 value: "true"
+ # This will make Felix honor AWS VPC CNI's mangle table
+ # rules.
+ - name: FELIX_IPTABLESMANGLEALLOWACTION
+ value: Return
 volumeMounts:
 - mountPath: /etc/calico
 name: etc-calico
diff --git a/config/v1.3/calico.yaml b/config/v1.3/calico.yaml
index cdf3c86692..2c5be7b33c 100644
--- a/config/v1.3/calico.yaml
+++ b/config/v1.3/calico.yaml
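Review bot: `value: Return` is the only unquoted env value in the first hunk; the neighbouring entries quote theirs (`"false"`, `"true"`), and a Kubernetes `env[].value` is always a string, so write `value: "Return"` for consistency and so that no formatter or re-typing tooling ever touches it. The same applies to the matching first hunk of config/v1.3/calico.yaml. The added comment says what the setting is for but not why it is needed; a more useful form is `# Use RETURN instead of ACCEPT in the mangle table so the AWS VPC CNI CONNMARK rules placed after Calico's chains are still evaluated (NodePort return traffic via secondary ENIs).` Whether Felix actually honors FELIX_IPTABLESMANGLEALLOWACTION depends on the calico/node image version pinned elsewhere in this manifest, which is outside the hunk; on an image that predates the option the variable would be ignored and the return-path fix would silently not apply, so the image tag is worth confirming before merge.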
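Review bot: In the second hunk (`@@ -393,6 +397,10 @@`) FELIX_IPTABLESMANGLEALLOWACTION is added next to TYPHA_HEALTHENABLED, which suggests this container is Typha rather than calico-node; the container spec starts outside the hunk, so this is inferred from the neighbouring variable. Typha does not program iptables, it only relays datastore state to Felix, so a FELIX_* mangle setting in its environment is very likely a no-op and gives the misleading impression that the option is in effect there. If the container is indeed Typha, drop these four lines here and in the matching second hunk of config/v1.3/calico.yaml, keeping only the calico-node addition; if it is a Felix container after all, a comment naming the container would remove the ambiguity.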
@@ -60,6 +60,10 @@ spec:
 # Set Felix endpoint to host default action to ACCEPT.
 - name: FELIX_DEFAULTENDPOINTTOHOSTACTION
 value: "ACCEPT"
+ # This will make Felix honor AWS VPC CNI's mangle table
+ # rules.
+ - name: FELIX_IPTABLESMANGLEALLOWACTION
+ value: Return
 # Disable IPV6 on Kubernetes.
 - name: FELIX_IPV6SUPPORT
 value: "false"
@@ -393,6 +397,10 @@ spec:
 value: "1"
 - name: TYPHA_HEALTHENABLED
 value: "true"
+ # This will make Felix honor AWS VPC CNI's mangle table
+ # rules.
+ - name: FELIX_IPTABLESMANGLEALLOWACTION
+ value: Return
 volumeMounts:
 - mountPath: /etc/calico
 name: etc-calico