Hi,
I am no iptables nor Kubernetes guru, but I think I've found an issue in the current Citrix Node Controller.
Citrix-node-controller 2.2.1 deploys kube-cnc-router in kube-system namespace.
image: quay.io/citrix/cnc-router:1.1.0
imagePullPolicy: IfNotPresent
However, cnc-router:1.1.0 has legacy iptables v1.6.1, which is used to create a rule that permits ingress VXLAN traffic.
I use cilium along with eBPF that has a more current nf_tables environment.
It seems that iptables rules created within the cnc-router image never get applied.
pod# iptables --version
iptables v1.6.1
Kubernetes-host (I use udp/8500 for VxLAN)
iptables -L -n | wc -l
Warning: iptables-legacy tables present, use iptables-legacy to see them
82
iptables-legacy -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:8500
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
bridge fdb add ${ingmac} dev routervxlan0 dst ${vtepip}
# remove any stale copy of the VXLAN rule, then insert it at the top of INPUT
# (note: "2>nul" is a Windows-style redirect; in a POSIX shell it writes stderr to a file named "nul")
iptables -D INPUT -p udp -m udp --dport ${vxlanPort} -j ACCEPT 2>nul
iptables -I INPUT 1 -p udp --dport ${vxlanPort} -j ACCEPT
if [[ ! -z ${dspiprange} ]]
then
    iptables -D FORWARD -s ${dspiprange} -i ${ifName} -j ACCEPT 2>nul
    iptables -I FORWARD 1 -s ${dspiprange} -i ${ifName} -j ACCEPT
    echo "iptables -I FORWARD 1 -s ${dspiprange} -i ${ifName} -j ACCEPT"
fi
sleep 3d
Thanks
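The mismatch described in this issue (a legacy iptables 1.6.1 binary in the pod inserting a rule that the nf_tables-based host never evaluates) can be checked mechanically. The script below is an added example, not code from the cnc-router image or from the issue author: it classifies an `iptables --version` string as nft or legacy, and reports whether the UDP VXLAN ACCEPT rule is present in the nft ruleset, only in the legacy ruleset, or nowhere. The function names, the host version string `iptables v1.8.7 (nf_tables)`, and the sample rule listings are assumptions constructed to mirror the output quoted above.

```shell
#!/bin/sh
# Added example, not code from the cnc-router image or from the issue author.
# It checks whether the VXLAN ACCEPT rule ended up in the iptables backend the
# kernel is actually evaluating. Function and variable names are ours; the
# sample rule listings are constructed to mirror the host output in the issue.

# iptables_backend VERSION_LINE  ->  nft | legacy | unknown
# Takes the output of `iptables --version`. Builds >= 1.8 name their backend in
# parentheses; anything older (such as the v1.6.1 in the pod) only has the
# legacy x_tables backend.
iptables_backend() {
    case "$1" in
        *"(nf_tables)"*)  echo nft ;;
        *"(legacy)"*)     echo legacy ;;
        *" v1."[0-7].*)   echo legacy ;;
        *)                echo unknown ;;
    esac
}

# classify_vxlan_rule PORT NFT_RULES LEGACY_RULES  ->  nft | legacy-only | missing
#   NFT_RULES    = output of `iptables -S INPUT` on an nf_tables host
#   LEGACY_RULES = output of `iptables-legacy -S INPUT` on the same host
# "legacy-only" is the failure mode from the issue: the rule exists, but only in
# the x_tables ruleset, so the nft-based host ignores it.
classify_vxlan_rule() {
    port="$1"; nft_rules="$2"; legacy_rules="$3"
    # iptables -S normalises `-p udp --dport N` to `-p udp -m udp --dport N`.
    rule="-A INPUT -p udp -m udp --dport ${port} -j ACCEPT"
    if printf '%s\n' "$nft_rules" | grep -Fxq -- "$rule"; then
        echo nft
    elif printf '%s\n' "$legacy_rules" | grep -Fxq -- "$rule"; then
        echo legacy-only
    else
        echo missing
    fi
}

# check_host_vxlan_rule PORT: run the classification on the live host.
# Only meaningful when the host iptables is the nf_tables flavour; on a pure
# legacy host both listings come from the same table.
check_host_vxlan_rule() {
    host_nft=$(iptables -S INPUT 2>/dev/null || true)
    host_legacy=$(iptables-legacy -S INPUT 2>/dev/null || true)
    classify_vxlan_rule "$1" "$host_nft" "$host_legacy"
}

# Constructed sample listings matching the state reported in the issue:
# the nft INPUT chain has no VXLAN rule, the legacy one does.
NFT_INPUT_SAMPLE='-P INPUT ACCEPT'
LEGACY_INPUT_SAMPLE='-P INPUT ACCEPT
-A INPUT -p udp -m udp --dport 8500 -j ACCEPT'

# demo_issue_state: classification of the constructed samples (legacy-only)
demo_issue_state() {
    classify_vxlan_rule 8500 "$NFT_INPUT_SAMPLE" "$LEGACY_INPUT_SAMPLE"
}

# The pod version string is the one quoted in the issue; the host string is an
# assumed example of a 1.8-series nf_tables build.
echo "pod iptables backend:   $(iptables_backend 'iptables v1.6.1')"
echo "host iptables backend:  $(iptables_backend 'iptables v1.8.7 (nf_tables)')"
echo "udp/8500 rule lives in: $(demo_issue_state)"
```

Run `check_host_vxlan_rule 8500` on the node itself (or with the VXLAN port you configured) to see the live result; a `legacy-only` answer reproduces the symptom in this issue. Comparing `iptables --version` inside the router pod against the host is the quickest way to spot the mismatch, since a 1.6.x binary cannot talk to the nf_tables backend at all, and rules it inserts are only visible through `iptables-legacy` on an nft host.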