Exec iptables from the host filesystem
Depends-On: submariner-io/submariner-charts#3

Both iptables and nftables use the netfilter framework in the kernel for packet filtering. Many distributions are moving in the direction of using nftables over iptables. Although nftables uses a new command line utility (named nft), starting from iptables >=1.8, it uses nftables under the hood while continuing to support the same iptables syntax from the user.

Quoting from Dan's comment [#]:

"In iptables 1.8, the maintainers have "deprecated" the classic ip_tables: the iptables tool now does userspace translation from the legacy UI/UX, and uses nf_tables under the hood. So, the commands look and feel the same, but they're now programming a different kernel subsystem. The problem arises when you mix and match invocations of iptables 1.6 (the previous stable) and 1.8 on the same machine, because although they look identical, they're programming different kernel subsystems. Empirically, this causes weird and wonderful things to happen - things like if you trace a packet coming from a pod, you see it flowing through both ip_tables and nf_tables, but even if both accept the packet, it then vanishes entirely and never gets forwarded."

So, as long as we are programming either nf_tables or iptables, we would not have any issues. Currently, there is no easy way to identify what type of rules are programmed on the host.

This patch follows the same approach (as described here [*]) that is taken in OpenShift, where the host file system is mounted inside the docker container and the iptables utility on the host is exec'ed for programming any firewall rules.

[#] kubernetes/kubernetes#71305 (comment)
[*] kubernetes/kubernetes#71305 (comment)
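As an added illustration of the two points in this commit message (not code from the submariner project), the POSIX shell below does two things: it classifies which netfilter backend an iptables binary programs from its `iptables --version` banner, so a container can refuse to proceed when its own copy and the host's copy would program different kernel subsystems, and it builds the host-filesystem invocation that the commit describes. It assumes the host root is bind-mounted at `$HOST_ROOT` (default `/host`, an assumed path, not necessarily the one the charts use); the version strings passed in the usage lines are constructed samples.

```shell
#!/bin/sh
# Added example, not part of the submariner commit. Assumptions:
#   - the host root filesystem is bind-mounted at $HOST_ROOT (default /host)
#   - iptables >= 1.8 prints "(nf_tables)" or "(legacy)" after its version,
#     while 1.6.x prints only the version (classic ip_tables)

# iptables_backend VERSION_BANNER -> prints nf_tables | legacy | unknown
# The banner is the first line of `iptables --version`.
iptables_backend() {
    case "$1" in
        *"(nf_tables)"*)          echo nf_tables ;;
        *"(legacy)"*)             echo legacy ;;
        *"iptables v1."[0-7].*)   echo legacy ;;   # pre-1.8 releases: classic ip_tables
        *)                        echo unknown ;;
    esac
}

# same_backend BANNER_A BANNER_B -> exit 0 only when both program the same
# subsystem and that subsystem is known (unknown vs unknown is not "safe").
same_backend() {
    a=$(iptables_backend "$1")
    b=$(iptables_backend "$2")
    [ "$a" != unknown ] && [ "$a" = "$b" ]
}

# host_iptables_cmd ARGS... -> prints the command that runs the host's own
# iptables inside the host filesystem rather than the container's copy.
host_iptables_cmd() {
    printf 'chroot %s iptables %s\n' "${HOST_ROOT:-/host}" "$*"
}

# host_iptables ARGS... -> run it for real. Needs the host root mounted and
# CAP_SYS_CHROOT plus CAP_NET_ADMIN in the container; not invoked here.
host_iptables() {
    chroot "${HOST_ROOT:-/host}" iptables "$@"
}

# preflight BANNER_CONTAINER BANNER_HOST -> refuse to mix subsystems.
# A caller would obtain the banners with
#   iptables --version | head -n1            (container copy)
#   chroot "$HOST_ROOT" iptables --version   (host copy)
preflight() {
    if same_backend "$1" "$2"; then
        echo "ok: both binaries program $(iptables_backend "$1")"
        return 0
    fi
    echo "refusing: container=$(iptables_backend "$1") host=$(iptables_backend "$2")" >&2
    return 1
}

# Usage with constructed banners (no iptables binary required):
preflight "iptables v1.8.4 (nf_tables)" "iptables v1.8.4 (nf_tables)"
preflight "iptables v1.6.1" "iptables v1.8.4 (nf_tables)" || true
host_iptables_cmd -t nat -L -n
```

The last line only prints `chroot /host iptables -t nat -L -n`; `host_iptables` is the function that would actually exec it, and a container using it needs the host root mounted read-only at `$HOST_ROOT` plus the chroot and net-admin capabilities, nothing more.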