authorHåkon Hallingstad <hakon@oath.com>2018-09-13 12:15:22 +0200
committerHåkon Hallingstad <hakon@oath.com>2018-09-13 12:15:22 +0200
commitaa7af87fc2cc6d339eaee6072695c856f0835e5f (patch)
tree6153b137a55e4423321137e65026e4ee368c0cd4 /node-admin
parentd6a8223e91b50e181ba09cab0cf1030fddc87d66 (diff)
Document REDIRECT
Diffstat (limited to 'node-admin')
-rw-r--r--node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/AclMaintainer.java2
1 files changed, 2 insertions, 0 deletions
diff --git a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/AclMaintainer.java b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/AclMaintainer.java
index 1febe070072..9259b522d17 100644
--- a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/AclMaintainer.java
+++ b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/AclMaintainer.java
@@ -52,6 +52,8 @@ public class AclMaintainer implements Runnable {
private void applyRedirect(Container container, InetAddress address) {
IPVersion ipVersion = IPVersion.get(address);
+ // Necessary to avoid the routing packets destined for the node's own public IP address
+ // via the bridge, which is illegal.
String redirectRule = "-A OUTPUT -d " + InetAddresses.toAddrString(address) + ipVersion.singleHostCidr() + " -j REDIRECT";
IPTablesEditor.editLogOnError(dockerOperations, container.name, ipVersion, "nat", NatTableLineEditor.from(redirectRule));
}
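Review bot: The new comment above `redirectRule` in applyRedirect is hard to parse ("avoid the routing packets ... via the bridge") and gives the reason for the rule without saying what the rule does, which is what someone auditing the container's nat table needs first. In the nat OUTPUT chain, REDIRECT rewrites the destination of locally generated packets to the local host, so I would say that directly: `// Redirect locally generated packets addressed to the node's own public IP to the local host,` `// so they are never routed via the bridge, which is illegal.` The rule is installed through `editLogOnError`, which by its name appears to only log a failure, so one more sentence on what breaks when the rule is absent would help whoever reads that log line.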