Remove useless iptables rule

Open jungeonkim opened this issue 4 years ago • 2 comments

By default, traffic is handled by the iptables rule generated by Calico. This rule blocks NetworkPolicy from working when FELIX_CHAININSERTMODE is Append.

jungeonkim avatar Jun 17 '21 03:06 jungeonkim

Hi @jungeonkim, we put this rule there so packets can be forwarded properly. Can you give me a step-by-step setup or a script showing when this rule becomes a problem?

ktsakalozos avatar Jul 02 '21 09:07 ktsakalozos

@ktsakalozos As I said in the original article, traffic is forwarded by the iptables rule that Calico creates by default. By default, packets are accepted or dropped by Calico's rule before reaching this rule, so it's not a problem. However, if you change FELIX_CHAININSERTMODE to Insert in order to apply the user-defined rule first, all packets are allowed by this rule before Calico's rule is applied, so NetworkPolicy doesn't work properly.

jungeonkim avatar Jul 02 '21 09:07 jungeonkim
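
A check for the rule-ordering problem discussed in this thread, as an added example that is not part of the issue or of MicroK8s: it reads `iptables -S FORWARD` style output and lists the ACCEPT rules that are evaluated before the jump into Calico's `cali-FORWARD` chain. The two sample rule sets, the 10.1.0.0/16 range and the comment strings are constructed for illustration.

```shell
#!/bin/sh
# Added example: find ACCEPT rules in the filter FORWARD chain that are
# evaluated before Calico's policy chain. Input is `iptables -S FORWARD` text,
# which lists rules in evaluation order.
# On a node: iptables -S FORWARD | accepts_before_calico

# Print each ACCEPT rule that precedes the first jump to cali-FORWARD.
# If no jump is present, every ACCEPT rule in FORWARD is printed.
accepts_before_calico() {
    awk '
        $1 != "-A" || $2 != "FORWARD" { next }   # skip -P lines and other chains
        {
            target = ""
            for (i = 3; i < NF; i++) if ($i == "-j") target = $(i + 1)
        }
        target == "cali-FORWARD" { exit }        # later rules run after Calico
        target == "ACCEPT" { print }
    '
}

# Constructed sample: blanket pod-range ACCEPT rules sit ahead of the Calico jump.
sample_accept_first() {
    cat <<'EOF'
-P FORWARD ACCEPT
-A FORWARD -s 10.1.0.0/16 -m comment --comment "constructed sample rule" -j ACCEPT
-A FORWARD -d 10.1.0.0/16 -m comment --comment "constructed sample rule" -j ACCEPT
-A FORWARD -m comment --comment "cali:constructed" -j cali-FORWARD
EOF
}

# Constructed sample: the Calico jump is evaluated first.
sample_calico_first() {
    cat <<'EOF'
-P FORWARD ACCEPT
-A FORWARD -m comment --comment "cali:constructed" -j cali-FORWARD
-A FORWARD -s 10.1.0.0/16 -m comment --comment "constructed sample rule" -j ACCEPT
-A FORWARD -d 10.1.0.0/16 -m comment --comment "constructed sample rule" -j ACCEPT
EOF
}

echo "ACCEPT rules ahead of cali-FORWARD (accept-first sample):"
sample_accept_first | accepts_before_calico
echo "ACCEPT rules ahead of cali-FORWARD (calico-first sample):"
sample_calico_first | accepts_before_calico
```

Any rule printed for a live node accepts matching packets before NetworkPolicy is consulted, so its match (source, destination, interface) shows which traffic is exempt from policy.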

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale[bot] avatar Jun 17 '23 11:06 stale[bot]