+int
+cnat_snat_policy_k8s (vlib_buffer_t *b, cnat_session_t *session)
+{
+ cnat_snat_policy_main_t *cpm = &cnat_snat_policy_main;
+ ip_address_family_t af = session->key.cs_af;
+
+ ip46_address_t *src_addr = &session->key.cs_ip[VLIB_RX];
+ ip46_address_t *dst_addr = &session->key.cs_ip[VLIB_TX];
+ u32 in_if = vnet_buffer (b)->sw_if_index[VLIB_RX];
+ u32 out_if = vnet_buffer (b)->sw_if_index[VLIB_TX];
+
+ /* source nat for outgoing connections */
+ if (cnat_snat_policy_interface_enabled (in_if, af))
+ if (cnat_search_snat_prefix (dst_addr, af))
+ /* Destination is not in the prefixes that don't require snat */
+ return 1;
+
+ /* source nat for translations that come from the outside:
+ src not not a pod interface, dst not a pod interface */
+ if (!clib_bitmap_get (cpm->interface_maps[CNAT_SNAT_IF_MAP_INCLUDE_POD],
+ in_if) &&
+ !clib_bitmap_get (cpm->interface_maps[CNAT_SNAT_IF_MAP_INCLUDE_POD],
+ out_if))
+ {
+ if (AF_IP6 == af &&
+ ip6_address_is_equal (&src_addr->ip6,
+ &ip_addr_v6 (&cpm->snat_ip6.ce_ip)))
+ return 0;
+ if (AF_IP4 == af &&
+ ip4_address_is_equal (&src_addr->ip4,
+ &ip_addr_v4 (&cpm->snat_ip4.ce_ip)))
+ return 0;
+ return 1;
+ }
+
+ /* handle the case where a container is connecting to itself via a service */
+ if (ip46_address_is_equal (src_addr, dst_addr))
+ return 1;
+
+ return 0;
+}
+
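Review bot: The "came from the outside" test (`!clib_bitmap_get (..., in_if) && !clib_bitmap_get (..., out_if)`) reads `sw_if_index[VLIB_TX]` from the buffer, and nothing in this function establishes that the field has been populated. If it still holds the unset value (commonly ~0 in VPP), the bitmap lookup should simply return 0, so the packet is classified as "dst not a pod interface" and the SNAT decision then rests on `in_if` and the source address alone. Whether TX is already set depends on where this policy runs in the graph, which is not visible here, so either guard the case explicitly or record the assumption next to the `out_if` declaration, e.g. `/* out_if is only meaningful once sw_if_index[VLIB_TX] is set; an unset value is treated as non-pod */`. The function also has no contract comment; judging by the inline comments, `/* Returns 1 if the session must be source-NATed, 0 otherwise. */` above the definition would fit. The comment on that block also has a typo ("src not not a pod interface").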