This repository has been archived by the owner on Jun 20, 2024. It is now read-only.

POSTROUTING rules are not maintained during runtime #3155

Open
sylphid8 opened this issue Oct 26, 2017 · 2 comments

sylphid8 commented Oct 26, 2017

What you expected to happen?

When iptables is restarted, weave should ensure that the proper rules are reinstalled in the nat table postrouting chain.

What happened?

After an iptables restart the nat table's POSTROUTING chain is incomplete and causes node routing issues.

How to reproduce it?

systemctl restart iptables
iptables -t nat -L POSTROUTING

Anything else we need to know?

This is a self-hosted Kubernetes cluster.

Versions:

$ weave version
weave script 2.0.4

$ docker version
Client:
 Version:         1.12.6
 API version:     1.24
 Package version: docker-1.12.6-32.git88a4867.el7.centos.x86_64
 Go version:      go1.7.4
 Git commit:      88a4867/1.12.6
 Built:           Mon Jul  3 16:02:02 2017
 OS/Arch:         linux/amd64

Server:
 Version:         1.12.6
 API version:     1.24
 Package version: docker-1.12.6-32.git88a4867.el7.centos.x86_64
 Go version:      go1.7.4
 Git commit:      88a4867/1.12.6
 Built:           Mon Jul  3 16:02:02 2017
 OS/Arch:         linux/amd64

$ uname -a
3.10.0-693.2.2.el7.x86_64 #1 SMP Tue Sep 12 22:26:13 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

$ kubectl version
Client Version: version.Info{Major:"1", Minor:"7", GitVersion:"v1.7.5", GitCommit:"17d7182a7ccbb167074be7a87f0a68bd00d58d97", GitTreeState:"clean", BuildDate:"2017-08-31T09:14:02Z", GoVersion:"go1.8.3", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"7", GitVersion:"v1.7.4", GitCommit:"793658f2d7ca7f064d2bdf606519f9fe1229c381", GitTreeState:"clean", BuildDate:"2017-08-17T08:30:51Z", GoVersion:"go1.8.3", Compiler:"gc", Platform:"linux/amd64"}

Network:

echo "before:"; iptables-save -t nat | grep -e '[: ]POSTROUTING' -e '[: ]WEAVE'; systemctl restart iptables; sleep 30; echo -e "\nafter:"; iptables-save -t nat | grep -e '[: ]POSTROUTING' -e '[: ]WEAVE'
before:
:POSTROUTING ACCEPT [32:2122]
:WEAVE - [0:0]
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -m comment --comment "kubernetes postrouting rules" -j KUBE-POSTROUTING
-A POSTROUTING -j WEAVE
-A WEAVE -s 172.20.0.0/16 -d 224.0.0.0/4 -j RETURN
-A WEAVE ! -s 172.20.0.0/16 -d 172.20.0.0/16 -j MASQUERADE
-A WEAVE -s 172.20.0.0/16 ! -d 172.20.0.0/16 -j MASQUERADE

after:
:POSTROUTING ACCEPT [28:1874]
-A POSTROUTING -m comment --comment "kubernetes postrouting rules" -j KUBE-POSTROUTING

brb commented Nov 8, 2017

Weave Net is running as a DaemonSet and it does not depend on iptables.service. Thus, the rules are not restored after the restart.

I'm wondering how the k8s rules got restored. Mind listing /etc/iptables/iptables.rules?

@sylphid8
Author

iptables.rules does not contain any nat rules to be restored.
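
The drift reported in this thread can be detected from `iptables-save -t nat` output alone. The script below is an added example, not part of the original issue or of Weave Net: the function name `check_weave_nat` and its return convention are assumptions of the example, and the two sample dumps are the "before" and "after" output from the report above.

```shell
#!/bin/sh
# Added example: check `iptables-save -t nat` text for the Weave Net NAT wiring.
# check_weave_nat is this example's own name, not a Weave Net command.

# Reads a nat-table dump on stdin, prints each missing element,
# and returns the number of missing elements (0 means intact).
check_weave_nat() {
    dump=$(cat)
    missing=0
    # The WEAVE chain must be declared.
    printf '%s\n' "$dump" | grep -q '^:WEAVE ' ||
        { echo "missing: WEAVE chain"; missing=$((missing + 1)); }
    # POSTROUTING must jump to it.
    printf '%s\n' "$dump" | grep -Eq '^-A POSTROUTING( .*)? -j WEAVE *$' ||
        { echo "missing: POSTROUTING jump to WEAVE"; missing=$((missing + 1)); }
    # The chain must still hold its MASQUERADE rules.
    printf '%s\n' "$dump" | grep -Eq '^-A WEAVE .* -j MASQUERADE *$' ||
        { echo "missing: MASQUERADE rules in WEAVE"; missing=$((missing + 1)); }
    return "$missing"
}

# Sample input: the "before" and "after" dumps from the report above.
BEFORE=$(cat <<'EOF'
:POSTROUTING ACCEPT [32:2122]
:WEAVE - [0:0]
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -m comment --comment "kubernetes postrouting rules" -j KUBE-POSTROUTING
-A POSTROUTING -j WEAVE
-A WEAVE -s 172.20.0.0/16 -d 224.0.0.0/4 -j RETURN
-A WEAVE ! -s 172.20.0.0/16 -d 172.20.0.0/16 -j MASQUERADE
-A WEAVE -s 172.20.0.0/16 ! -d 172.20.0.0/16 -j MASQUERADE
EOF
)
AFTER=$(cat <<'EOF'
:POSTROUTING ACCEPT [28:1874]
-A POSTROUTING -m comment --comment "kubernetes postrouting rules" -j KUBE-POSTROUTING
EOF
)

printf '%s\n' "$BEFORE" | check_weave_nat && echo "before: nat wiring intact"
printf '%s\n' "$AFTER" | check_weave_nat || echo "after: $? element(s) missing"
# On a node: iptables-save -t nat | check_weave_nat
```

A non-zero return after `systemctl restart iptables` is the condition described in this issue, so the check can feed a node health probe or alert.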
