
backport: Disable iptables bridge forwarding on initialization

Open mingshuoqiu opened this issue 5 months ago • 4 comments

(cherry picked from commit 652162909d48f81d2759c49538e2ac42ecd75eb9) Signed-off-by: Chris Chiu [email protected]

Problem: In the Harvester cluster whose management network has a VLAN ID, the VM will be unable to access the host port or node port with the host IP where the VM is running.

Solution: Disable net.bridge.bridge-nf-call-iptables to avoid iptables rules affecting bridge forwarding on vlan.init().

We could not disable net.bridge.bridge-nf-call-iptables in the harvester-installer because RKE2 will enable it after harvester-installer.

Related Issue: https://github.com/harvester/harvester/issues/3960

Test plan:

  • Spin up a Harvester whose management network has a VLAN ID
  • Create a VM with a VLAN network whose VLAN ID is the same as the management network's.
  • Curl nodeIP:443 in the VM.

mingshuoqiu Sep 19 '24 02:09
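For readers who want to see what the described sysctl change looks like in practice, here is an added, self-contained Go example. It is not the controller's own code and does not reproduce the project's `vlan.init()`; the function name `disableBridgeNfCallIptables` and the read-back check are assumptions made for this illustration. It writes `0` to the `net.bridge.bridge-nf-call-iptables` sysctl, verifies the kernel accepted it, and is idempotent, which is what makes it safe to re-run on every initialization after RKE2 has turned the setting back on. The path is a parameter so the behaviour can be exercised against an ordinary file without root.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"strings"
)

// Path of the sysctl the PR disables. On a node without the br_netfilter
// module loaded the directory does not exist at all, so a missing file is
// reported as a distinct, actionable error below.
const bridgeNfCallIptablesPath = "/proc/sys/net/bridge/bridge-nf-call-iptables"

// readSysctl returns the current value of a sysctl file with surrounding
// whitespace trimmed ("1\n" -> "1").
func readSysctl(path string) (string, error) {
	data, err := os.ReadFile(path)
	if err != nil {
		return "", err
	}
	return strings.TrimSpace(string(data)), nil
}

// disableBridgeNfCallIptables ensures the sysctl at path reads "0" and
// reports whether a write was actually needed, so callers can log only real
// changes. It is idempotent: running it on every init is safe, which matters
// because RKE2 re-enables the setting after harvester-installer has run.
// Hypothetical helper written for this example, not the project's function.
func disableBridgeNfCallIptables(path string) (bool, error) {
	current, err := readSysctl(path)
	if err != nil {
		if errors.Is(err, os.ErrNotExist) {
			return false, fmt.Errorf("%s not present; is br_netfilter loaded? %w", path, err)
		}
		return false, err
	}
	if current == "0" {
		return false, nil
	}
	// Writing to a procfs sysctl file replaces its value; the mode is ignored there.
	if err := os.WriteFile(path, []byte("0\n"), 0o644); err != nil {
		return false, fmt.Errorf("writing %s: %w", path, err)
	}
	// Read back so a silently rejected write is detected rather than assumed.
	after, err := readSysctl(path)
	if err != nil {
		return true, err
	}
	if after != "0" {
		return true, fmt.Errorf("%s still reads %q after write", path, after)
	}
	return true, nil
}

func main() {
	changed, err := disableBridgeNfCallIptables(bridgeNfCallIptablesPath)
	if err != nil {
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(1)
	}
	if changed {
		fmt.Println("net.bridge.bridge-nf-call-iptables set to 0")
	} else {
		fmt.Println("net.bridge.bridge-nf-call-iptables already 0")
	}
}
```

Run as root on a node to apply the change; the read-back is the same check the test plan's `curl nodeIP:443` exercises end to end, only at the sysctl level.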