How to debug the iptables added by calico and k8s
Calico adds too many iptables chains, and so does K8s.
Expected Behavior
My purpose is to steer my own traffic into a pod. It seems like these iptables chains block the self-defined packet.
Current Behavior
I can ping successfully in the cluster, but the packet defined by myself cannot get in and out of the node.

Possible Solution
Add some iptables rules to let traffic in and out of the pod.
Steps to Reproduce (for bugs)
- kubeadm init --apiserver-advertise-address=3001:1::238 --pod-network-cidr 3001:1::1/120 --service-cidr 3001:1::1/120 --kubernetes-version 1.21.14 --v=5 --image-repository=registry.aliyuncs.com/google_containers
- kubectl apply -f calico.yaml
- kubectl apply -f deploy_vnf.yaml

Context
I can ping successfully in the cluster, but the packet defined by myself cannot get in and out of the node. A packet can come in on the physical interface, but it cannot be forwarded to the cali-abcd veth. I think the iptables chains block it.
Your Environment
- Calico version 3.22.6
- Orchestrator version (e.g. kubernetes, mesos, rkt): k8s 1.21.14
- Operating System and version: Ubuntu16
- Link to your project (optional):
Could someone help me out? I have been debugging it for a long time. Many thanks!
It's not clear to me what you're trying to do. What do you mean by self-defined traffic?
I just want the inbound packet of the veth (eth0) to get out of the namespace of a container through the same veth (eth0). Could I achieve this function? Many thanks!
You can set chainInsertMode=Append in Felixconfig and then use a TRACE rule to see how the packets traverse iptables: https://projectcalico.docs.tigera.io/reference/resources/felixconfig#spec
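Added example, not part of the thread and not Calico's own code: once a TRACE rule is matching the packet, the kernel log lines it produces can be parsed to show the chain path and the last rule the packet hit. It assumes the legacy TRACE log layout (`table:chain:type:rulenum` followed by `IN=`/`OUT=`); the sample log, interface names, rule numbers and addresses are constructed.

```python
import re
from collections import namedtuple

Hop = namedtuple("Hop", "table chain kind rule in_if out_if")

# Assumed layout of a legacy TRACE log line:
#   TRACE: <table>:<chain>:<rule|return|policy>:<rulenum> IN=<if> OUT=<if> ...
TRACE_RE = re.compile(
    r"TRACE:\s+(?P<table>[^:\s]+):(?P<chain>[^:\s]+):"
    r"(?P<kind>rule|return|policy):(?P<rule>\d+)\s+"
    r"IN=(?P<in_if>\S*)\s+OUT=(?P<out_if>\S*)"
)

# Constructed sample (not from the issue): one forwarded IPv6 packet whose
# trace stops inside a Calico chain before reaching POSTROUTING.
ADDRS = ("SRC=2001:0db8:0000:0000:0000:0000:0000:0001 "
         "DST=2001:0db8:0000:0000:0000:0000:0000:0002")
SAMPLE_LOG = "\n".join(
    f"kernel: TRACE: {where} IN=ens3 OUT={out} {ADDRS} LEN=104"
    for where, out in [
        ("raw:PREROUTING:rule:2", ""),
        ("raw:cali-PREROUTING:return:5", ""),
        ("raw:PREROUTING:policy:3", ""),
        ("mangle:PREROUTING:policy:2", ""),
        ("filter:FORWARD:rule:1", "caliabcd"),
        ("filter:cali-FORWARD:rule:4", "caliabcd"),
        ("filter:cali-to-wl-dispatch:rule:2", "caliabcd"),
    ]
)

def parse_trace(text):
    """Return every TRACE hop found in text, in log order."""
    return [Hop(m["table"], m["chain"], m["kind"], int(m["rule"]),
                m["in_if"], m["out_if"])
            for m in TRACE_RE.finditer(text)]

def summarize(hops):
    """Collapse hops into a chain path and report where the trace ends."""
    path = []
    for h in hops:
        step = f"{h.table}:{h.chain}"
        if not path or path[-1] != step:
            path.append(step)
    # A forwarded packet that leaves the node is traced through POSTROUTING;
    # a trace that stops earlier on a "rule" line points at the rule whose
    # target ended processing. List that chain to read the rule itself.
    reached = any(h.chain == "POSTROUTING" for h in hops)
    return {"path": path, "last": hops[-1] if hops else None,
            "reached_postrouting": reached}
```

Feed it the kernel log text captured while the test packet is sent; the `last` hop names the table, chain and rule number to inspect.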
Closing as stale unless there is new info.