Required br_netfilter module, not mentioned.

[pat-sre]

There is no mention of requirement for br_netfilter module for flannel to work.
It perhaps wasn't needed in the past as kubeadm would check for it during kubeadm init and give:
error execution phase preflight: [preflight] Some fatal errors occurred:
[ERROR FileContent--proc-sys-net-bridge-bridge-nf-call-iptables]: /proc/sys/net/bridge/bridge-nf-call-iptables does not exist
If module wasn't on.
However this check was removed since kubeadm v1.30 as mentioned in this github issue:
kubernetes/kubernetes#127593

Expected Behavior

Perhaps flannel containers could exit with an error saying "required br_netfilter module is not enabled".
But at least this module should be mentioned in the docs.

Current Behavior

Services aren't reachable within the network.

Possible Solution

flannel containers could exit with an error saying "required br_netfilter module is not enabled" or docs entry

Steps to Reproduce (for bugs)

1. modprobe -r br_netfilter
2. kubeadm init --pod-cidr-range=10.244.0.0/16
3. kubectl apply -f <flannel-24.2 or 25.4 i only tested on them>
4. kubectl run -it dns-test --image=busybox --rm -- nslookup kubernetes.default.svc.cluster.local (or ping any service)

Context

I spent around 2 days trying to find an issue with the cluster.
I created a in issue in kubernetes github and I got an information that currently CNI probivers should take care of this over requiring kubeadm to enforce this module enable.
This is the issue:
kubernetes/kubernetes#127593

Your Environment

• Flannel version: 24.2 25.4
• Backend used (e.g. vxlan or udp): vxlan
• Etcd version:
• Kubernetes version (if used): 1.29 (has the check and wont init without module), 1.30.5 and 1.31.1 (will init without module the bug will appear)
• Operating System and version: Debian 12
• Link to your project (optional):

[pat-sre]

Check by kubeadm for this module was removed here: kubernetes/kubernetes#123464

[rbrtbnfgl]

Ok we could add the check before flannel starts.

[tanvp112]

Hi @rbrtbnfgl, does flannel also required br_netfilter when when using ipvs or nftables mode?

[rbrtbnfgl]

I'll check it

[rbrtbnfgl]

are you referring to ipvs on kube-proxy? Flannel is working always with the bridge and iptables even when ipvs is enabled.
For nftables the module will be deprecated when nft will substitute iptables but some os could require it even when using nft so I suggest to still using it.

[tanvp112]

@rbrtbnfgl, appreciate the input, many thanks to your hard work!

[HarimbolaSantatra]

Maybe we can add the error and solution from #2166 to the troubleshooting guide.

[rbrtbnfgl]

It's specified on the README https://github.com/flannel-io/flannel/blob/master/README.md?plain=1#L73

[ttc0419]

@rbrtbnfgl Is it required for host-gw? Meanwhile, RHEL like distributions removed this module support in version 10:

# modprobe br_netfilter
modprobe: FATAL: Module br_netfilter not found in directory /lib/modules/6.12.0-55.18.1.el10_0.aarch64