network-controller-harvester

Disable iptables bridge forwarding on initialization

Open yaocw2020 opened this issue 1 year ago • 1 comments

Problem:

In the Harvester cluster whose management network has a VLAN ID, the VM will be unable to access the host port or node port with the host IP where the VM is running.

Solution:

Disable net.bridge.bridge-nf-call-iptables in vlan.init() to avoid iptables rules affecting bridge forwarding.

We could not disable net.bridge.bridge-nf-call-iptables in the harvester-installer because RKE2 will enable it after harvester-installer.

Related Issue: https://github.com/harvester/harvester/issues/3960

Test plan:

  • Spin up a Harvester whose management network has a VLAN ID
  • Create a VM with a VLAN network whose VLAN ID is the same as the management network's.
  • Curl nodeIP:443 in the VM.

yaocw2020 avatar May 23 '23 08:05 yaocw2020

Isn't disabling net.bridge.bridge-nf-call-iptables a security risk?

iosifnicolae2 avatar Aug 22 '23 19:08 iosifnicolae2

@mergifyio backport v0.5.x

bk201 avatar Sep 19 '24 03:09 bk201

backport v0.5.x

✅ Backports have been created

mergify[bot] avatar Sep 19 '24 03:09 mergify[bot]