From aa7af87fc2cc6d339eaee6072695c856f0835e5f Mon Sep 17 00:00:00 2001 From: HÃ¥kon Hallingstad Date: Thu, 13 Sep 2018 12:15:22 +0200 Subject: Document REDIRECT --- .../yahoo/vespa/hosted/node/admin/maintenance/acl/AclMaintainer.java | 2 ++ 1 file changed, 2 insertions(+) (limited to 'node-admin') diff --git a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/AclMaintainer.java b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/AclMaintainer.java index 1febe070072..9259b522d17 100644 --- a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/AclMaintainer.java +++ b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/AclMaintainer.java @@ -52,6 +52,8 @@ public class AclMaintainer implements Runnable { private void applyRedirect(Container container, InetAddress address) { IPVersion ipVersion = IPVersion.get(address); + // Necessary to avoid the routing packets destined for the node's own public IP address + // via the bridge, which is illegal. String redirectRule = "-A OUTPUT -d " + InetAddresses.toAddrString(address) + ipVersion.singleHostCidr() + " -j REDIRECT"; IPTablesEditor.editLogOnError(dockerOperations, container.name, ipVersion, "nat", NatTableLineEditor.from(redirectRule)); } -- cgit v1.2.3
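Review bot: The added comment in applyRedirect is hard to parse ("avoid the routing packets ... via the bridge") and says what is avoided but not what the rule does instead. Consider `// Redirect locally generated packets destined for the node's own public IP address to the local host,` followed by `// since routing them via the bridge is illegal.`, which keeps the stated reason and names the effect of `-j REDIRECT` in the nat OUTPUT chain. The rule as built has no protocol or port match, so it covers all traffic to that address; if that breadth is intended, the comment is a good place to say so. The helper name `editLogOnError` suggests a failed edit is only logged, so it may be worth noting here whether the container is safe to run without this rule.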