add felixConfiguration attr: DisableHostSubnetNATExclusion

api/pkg/apis/projectcalico/v3/felixconfig.go

@@ -436,6 +436,10 @@ type FelixConfigurationSpec struct {
 	// (ie it uses the iptables MASQUERADE target)
 	NATOutgoingAddress string `json:"natOutgoingAddress,omitempty"`
 
+	// When set to true and ip pool setting `natOutgoing` is true, packets sent from Calico networked containers in this pool
+	// to cluster host subnet will not be excluded from being masqueraded.  [Default: false]
+	DisableHostSubnetNATExclusion bool `json:"disableHostSubnetNATExclusion,omitempty"`
+
 	// This is the IPv4 source address to use on programmed device routes. By default the source address is left blank,
 	// leaving the kernel to choose the source address used.
 	DeviceRouteSourceAddress string `json:"deviceRouteSourceAddress,omitempty"`

felix/config/config_params.go

@@ -359,9 +359,10 @@ type Config struct {
 	FailsafeInboundHostPorts  []ProtoPort `config:"port-list;tcp:22,udp:68,tcp:179,tcp:2379,tcp:2380,tcp:5473,tcp:6443,tcp:6666,tcp:6667;die-on-fail"`
 	FailsafeOutboundHostPorts []ProtoPort `config:"port-list;udp:53,udp:67,tcp:179,tcp:2379,tcp:2380,tcp:5473,tcp:6443,tcp:6666,tcp:6667;die-on-fail"`
 
-	KubeNodePortRanges []numorstring.Port `config:"portrange-list;30000:32767"`
-	NATPortRange       numorstring.Port   `config:"portrange;"`
-	NATOutgoingAddress net.IP             `config:"ipv4;"`
+	KubeNodePortRanges            []numorstring.Port `config:"portrange-list;30000:32767"`
+	NATPortRange                  numorstring.Port   `config:"portrange;"`
+	NATOutgoingAddress            net.IP             `config:"ipv4;"`
+	DisableHostSubnetNATExclusion bool               `config:"bool;false"`
 
 	UsageReportingEnabled          bool          `config:"bool;true"`
 	UsageReportingInitialDelaySecs time.Duration `config:"seconds;300"`

felix/dataplane/driver.go

@@ -277,6 +277,7 @@ func StartDataplaneDriver(configParams *config.Config,
 				NATPortRange:                       configParams.NATPortRange,
 				IptablesNATOutgoingInterfaceFilter: configParams.IptablesNATOutgoingInterfaceFilter,
 				NATOutgoingAddress:                 configParams.NATOutgoingAddress,
+				DisableHostSubnetNATExclusion:      configParams.DisableHostSubnetNATExclusion,
 				BPFEnabled:                         configParams.BPFEnabled,
 				BPFForceTrackPacketsFromIfaces:     replaceWildcards(configParams.NFTablesMode == "Enabled", configParams.BPFForceTrackPacketsFromIfaces),
 				ServiceLoopPrevention:              configParams.ServiceLoopPrevention,

felix/rules/nat.go

@@ -52,13 +52,16 @@ func (r *DefaultRuleRenderer) makeNATOutgoingRuleBPF(version uint8, protocol str
 func (r *DefaultRuleRenderer) makeNATOutgoingRuleIPTables(ipVersion uint8, protocol string, action Action) Rule {
 	ipConf := r.ipSetConfig(ipVersion)
 	allIPsSetName := ipConf.NameForMainIPSet(IPSetIDNATOutgoingAllPools)
-	allHostsIPsSetName := ipConf.NameForMainIPSet(IPSetIDAllHostNets)
 	masqIPsSetName := ipConf.NameForMainIPSet(IPSetIDNATOutgoingMasqPools)
 
 	match := r.NewMatch().
 		SourceIPSet(masqIPsSetName).
-		NotDestIPSet(allIPsSetName).
-		NotDestIPSet(allHostsIPsSetName)
+		NotDestIPSet(allIPsSetName)
+
+	if !r.Config.DisableHostSubnetNATExclusion {
+		allHostsIPsSetName := ipConf.NameForMainIPSet(IPSetIDAllHostNets)
+		match = match.NotDestIPSet(allHostsIPsSetName)
+	}
 
 	if protocol != "" {
 		match = match.Protocol(protocol)

felix/rules/rule_defs.go

@@ -355,6 +355,7 @@ type Config struct {
 	IptablesNATOutgoingInterfaceFilter string
 
 	NATOutgoingAddress             net.IP
+	DisableHostSubnetNATExclusion  bool
 	BPFEnabled                     bool
 	BPFForceTrackPacketsFromIfaces []string
 	ServiceLoopPrevention          string