Thanks for the PR and the detailed bug report #692.
I don't recall why (but very likely due to Docker changing the default FORWARD policy, as described in https://github.com/kubernetes/kubernetes/issues/39823) that rule was added as part of #120. The current rule is a bad solution, so it must be changed.
I need to test it to understand it better. But here are the questions that are going through my mind:
- Is ACCEPT for RELATED and ESTABLISHED enough? Is IPVS<-->real-server traffic considered RELATED to the client<-->IPVS?
- Does the packet hit the FORWARD chain? http://www.austintek.com/LVS/LVS-HOWTO/HOWTO/LVS-HOWTO.filter_rules.html indicates the packet may go through the POSTROUTING chain.
Let me try the fix and revert back.