This repository was archived by the owner on Jun 20, 2024. It is now read-only.

Weave net can't work if iptables-nft 1.8.8 is used on host #3968

@Snorch

Description

The iptables-nft 1.8.8 is not forward-compatible with older iptables-nft; this can be illustrated by this example https://github.com/Snorch/iptables-problem on a setup unrelated to weavenet.

In weaveworks/weave-npc we have an even older iptables-nft, 1.8.3. So when I try to set up Kubernetes with weavenet on AlmaLinux 9 (which has 1.8.8) I get:

kubectl  get pods -n system -A
NAMESPACE     NAME                                                  READY   STATUS              RESTARTS           AGE
kube-system   coredns-565d847f94-jhwth                              0/1     ContainerCreating   0                  6d12h
kube-system   coredns-565d847f94-q8xsh                              0/1     ContainerCreating   0                  6d12h
kube-system   etcd-master-c105a43f.localdomain                      1/1     Running             0                  6d12h
kube-system   kube-apiserver-master-c105a43f.localdomain            1/1     Running             0                  6d12h
kube-system   kube-controller-manager-master-c105a43f.localdomain   1/1     Running             0                  6d12h
kube-system   kube-proxy-bx2nd                                      1/1     Running             0                  6d12h
kube-system   kube-scheduler-master-c105a43f.localdomain            1/1     Running             0                  6d12h
kube-system   weave-net-mnmbf                                       0/2     CrashLoopBackOff    3664 (4m15s ago)   6d12h

kubectl logs weave-net-mnmbf weave -n kube-system
DEBU: 2022/12/05 07:00:34.716422 [kube-peers] Checking peer "aa:c3:fd:b0:26:69" against list &{[]}
Peer not in list; removing persisted data
INFO: 2022/12/05 07:00:34.775607 Command line options: map[conn-limit:200 datapath:datapath db-prefix:/weavedb/weave-net docker-api: expect-npc:true http-addr:127.0.0.1:6784 ipalloc-init:consensus=0 ipalloc-range:10.32.0.0/12 metrics-addr:0.0.0.0:6782 name:aa:c3:fd:b0:26:69 nickname:master-c105a43f.localdomain no-dns:true no-masq-local:true port:6783]
INFO: 2022/12/05 07:00:34.775655 weave git-34de0b10a69c
FATA: 2022/12/05 07:00:35.110327 configuring iptables: ipt.ListChains(filter): running [/sbin/iptables -t filter -S --wait]: exit status 1: iptables v1.8.3 (nf_tables): table `filter' is incompatible, use 'nft' tool.

Because firewalld on the host is using `--dport 30000:32767` rules, which after the https://git.netfilter.org/iptables/commit/?id=6aba94ef5 commit in 1.8.8 create rules that can't be handled by 1.8.3.

I understand that we can just disable firewalld or remove those rules and weavenet would work, but that's not always an option.

I also see #3465 (comment), where we switched to iptables-nft in the weavenet container, and that leads to my problem when the iptables-nft on the host is newer than the one in the weavenet container.

Maybe we can update iptables-nft to 1.8.8 in the weavenet container? I would also appreciate any other suggestions.
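The failure mode in this report is a version skew between two `nf_tables`-backend iptables binaries: the host's newer libxtables writes rules the container's older one refuses to decode, and weave then dies on `ipt.ListChains`. The script below is an added triage helper written for this page; it is not weave's code and not the reporter's. It parses `iptables --version` output from the host and from the container, flags the "container older than host, both nf_tables" combination, and checks a weave log line for the `table ... is incompatible, use 'nft' tool` symptom. The two version strings are constructed sample inputs (matching the 1.8.8 and 1.8.3 mentioned in the issue); on a real node you would substitute the output of `iptables --version` on the host and of the same command run inside the weave container. The log line is the FATA line quoted above.

```shell
#!/bin/sh
# Added example (not part of weave or of this issue): triage a weave-net
# CrashLoopBackOff caused by iptables-nft version skew between host and container.

# Constructed sample inputs, in the format `iptables --version` prints.
HOST_VERSION='iptables v1.8.8 (nf_tables)'   # host: AlmaLinux 9 level, per the issue
CT_VERSION='iptables v1.8.3 (nf_tables)'     # container: version seen in the weave log
# Log line from the issue (only the backtick needs escaping in double quotes).
WEAVE_LOG="FATA: 2022/12/05 07:00:35.110327 configuring iptables: ipt.ListChains(filter): running [/sbin/iptables -t filter -S --wait]: exit status 1: iptables v1.8.3 (nf_tables): table \`filter' is incompatible, use 'nft' tool."

# Print "major.minor.patch" from an `iptables --version` line; print nothing on bad input.
iptables_version() {
  printf '%s\n' "$1" | sed -n 's/^iptables v\([0-9][0-9.]*\).*$/\1/p'
}

# Print the backend ("nf_tables" or "legacy") from the same line.
iptables_backend() {
  printf '%s\n' "$1" | sed -n 's/^iptables v[0-9.]* (\([a-z_]*\)).*$/\1/p'
}

# version_lt A B: exit 0 if dotted version A is strictly lower than B.
# Pure POSIX sh so it works without GNU `sort -V` (e.g. inside a busybox image).
version_lt() {
  a="$1."; b="$2."
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%%.*}; y=${b%%.*}
    a=${a#*.};  b=${b#*.}
    [ -n "$x" ] || x=0
    [ -n "$y" ] || y=0
    [ "$x" -lt "$y" ] && return 0
    [ "$x" -gt "$y" ] && return 1
  done
  return 1
}

# skew_detected HOST_LINE CT_LINE: exit 0 when both binaries use the nf_tables
# backend and the container's is older than the host's, i.e. the host may emit
# expressions the container's libxtables cannot decode. A legacy-backend host is
# not this problem (legacy and nft do not share a ruleset at all).
skew_detected() {
  hline="$1"; cline="$2"
  [ "$(iptables_backend "$hline")" = nf_tables ] || return 1
  [ "$(iptables_backend "$cline")" = nf_tables ] || return 1
  hv=$(iptables_version "$hline"); cv=$(iptables_version "$cline")
  [ -n "$hv" ] && [ -n "$cv" ] || return 1
  version_lt "$cv" "$hv"
}

# is_incompatible_table_error LINE: exit 0 when a weave log line carries the
# libxtables "table is incompatible" refusal from the issue.
is_incompatible_table_error() {
  case "$1" in
    *"is incompatible, use 'nft' tool"*) return 0 ;;
    *) return 1 ;;
  esac
}

# triage HOST_LINE CT_LINE LOG_LINE: print a one-line verdict for the operator.
triage() {
  host="$1"; ct="$2"; log="$3"
  if is_incompatible_table_error "$log" && skew_detected "$host" "$ct"; then
    printf 'iptables-nft skew: host %s newer than container %s\n' \
      "$(iptables_version "$host")" "$(iptables_version "$ct")"
  elif is_incompatible_table_error "$log"; then
    printf 'incompatible table reported, but no nf_tables version skew found\n'
  else
    printf 'no iptables-nft incompatibility in log\n'
  fi
}

triage "$HOST_VERSION" "$CT_VERSION" "$WEAVE_LOG"
```

The `version_lt` helper is deliberately plain POSIX sh so the same check can be dropped into a minimal container image; the verdict distinguishes "incompatible table plus version skew" from "incompatible table for some other reason" (for example a rule added directly with `nft` rather than through iptables-nft), which needs a different fix than upgrading the container's iptables.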
