Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Persist the bridge-nf-call-iptables across rke2 restart #884

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Persist the bridge-nf-call-iptables across rke2 restart #884

wants to merge 1 commit into from

Conversation

mingshuoqiu
Copy link
Contributor

The bridge-nf-call-iptables should be disabled by network-controller. But rke2 will toggle it back to enable. Need to make sure it stays at disabled.

Problem:
harvester/harvester#7041

Solution:
persist the bridge-nf-call-iptables across rke2 restart

Related Issue:
harvester/harvester#3960

Test plan:

@mingshuoqiu @mschiu77
files: persist the bridge-nf-call-iptables across rke2 restart
853e4e3 
The bridge-nf-call-iptables should be disabled by network-controller.
But rke2 will toggle it back to enable. Need to make sure it stays
at disabled.

Signed-off-by: Chris Chiu <[email protected]>
@mingshuoqiu mingshuoqiu mentioned this pull request Nov 27, 2024
Closed
w13915984028
w13915984028 reviewed Nov 27, 2024
View reviewed changes
Copy link
Member

@w13915984028 w13915984028 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How about another 2 options? thanks.

sysctl -a | grep bridge
net.bridge.bridge-nf-call-arptables = 1
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 0

https://wiki.libvirt.org/Net.bridge.bridge-nf-call_and_sysctl.conf.html

starbops
starbops approved these changes Nov 27, 2024
View reviewed changes
Copy link
Member

@starbops starbops left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks like this is the only way to cope with the issue right now. The kernel tunable is hardcoded to 1 in k3s: https://github.com/k3s-io/k3s/blob/55cda2200e0f3e670970b044871f9ea09134cff6/pkg/agent/syssetup/setup.go#L48

LGTM, thank you.

@mingshuoqiu
Copy link
Contributor Author

How about another 2 options? thanks.

sysctl -a | grep bridge
net.bridge.bridge-nf-call-arptables = 1
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 0

https://wiki.libvirt.org/Net.bridge.bridge-nf-call_and_sysctl.conf.html

The ip6tables doesn't take effect since we support IPv4 only now.
the arptables is for ARP packet which won't affect the HTTP(s) traffic in this case.
I'll leave them as-is.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@w13915984028 w13915984028 w13915984028 left review comments

@starbops starbops starbops approved these changes

@bk201 bk201 bk201 approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@mingshuoqiu @bk201 @starbops @w13915984028