nftables monitor disable flag

cmd/fabric/main.go

@@ -160,7 +160,7 @@ func run(cmd *cobra.Command, _ []string) error {
 		return fmt.Errorf("unable to create firewall configuration reconciler: %w", err)
 	}
 
-	if err := fwcr.SetupWithManager(cmd.Context(), mgr); err != nil {
+	if err := fwcr.SetupWithManager(cmd.Context(), mgr, options.EnableNftMonitor); err != nil {
 		return fmt.Errorf("unable to setup firewall configuration reconciler: %w", err)
 	}
 

cmd/gateway/main.go

@@ -201,7 +201,7 @@ func run(cmd *cobra.Command, _ []string) error {
 		return fmt.Errorf("unable to create firewall configuration reconciler: %w", err)
 	}
 
-	if err := fwcr.SetupWithManager(cmd.Context(), mgr); err != nil {
+	if err := fwcr.SetupWithManager(cmd.Context(), mgr, true); err != nil {
 		return fmt.Errorf("unable to setup firewall configuration reconciler: %w", err)
 	}
 

deployments/liqo/README.md

@@ -81,6 +81,7 @@
 | networking.enabled | bool | `true` | Use the default Liqo networking module. |
 | networking.fabric.config.fullMasquerade | bool | `false` | Enabe/Disable the full masquerade mode for the fabric pod. It means that all traffic will be masquerade using the first external cidr IP, instead of using the pod IP. Full masquerade is useful when the cluster nodeports uses a PodCIDR IP to masqerade the incoming traffic. IMPORTANT: Please consider that enabling this feature will masquerade the source IP of traffic towards a remote cluster,  making impossible for a pod that receives the traffic to know the original source IP.  |
 | networking.fabric.config.gatewayMasqueradeBypass | bool | `false` | Enable/Disable the masquerade bypass for the gateway pods. It means that the packets from gateway pods will not be masqueraded from the host where the pod is scheduled. This is useful in scenarios where CNIs masquerade the traffic from pod to nodes. For example this is required when using the Azure CNI or Kindnet. |
+| networking.fabric.config.nftablesMonitor | bool | `true` | Enable/Disable the nftables monitor for the fabric pod. It means that the fabric pod will monitor the nftables rules and will restore them in case of changes. In some cases (like K3S), this monitor can cause a huge amount of CPU usage. If you are experiencing high CPU usage, you can disable this feature. |
 | networking.fabric.image.name | string | `"ghcr.io/liqotech/fabric"` | Image repository for the fabric pod. |
 | networking.fabric.image.version | string | `""` | Custom version for the fabric image. If not specified, the global tag is used. |
 | networking.fabric.pod.annotations | object | `{}` | Annotations for the fabric pod. |

deployments/liqo/templates/liqo-fabric-daemonset.yaml

@@ -48,6 +48,7 @@ spec:
           {{- if .Values.requirements.kernel.disabled }}
           - --disable-kernel-version-check
           {{- end }}
+          - --enable-nft-monitor={{ .Values.networking.fabric.config.nftablesMonitor }}
           {{- if .Values.common.extraArgs }}
           {{- toYaml .Values.common.extraArgs | nindent 10 }}
           {{- end }}

deployments/liqo/values.yaml

@@ -130,6 +130,11 @@ networking:
       # This is useful in scenarios where CNIs masquerade the traffic from pod to nodes.
       # For example this is required when using the Azure CNI or Kindnet.
       gatewayMasqueradeBypass: false
+      # -- Enable/Disable the nftables monitor for the fabric pod.
+      # It means that the fabric pod will monitor the nftables rules and will restore them in case of changes.
+      # In some cases (like K3S), this monitor can cause a huge amount of CPU usage.
+      # If you are experiencing high CPU usage, you can disable this feature.
+      nftablesMonitor: true
 
 authentication:
   # -- Enable/Disable the authentication module.

docs/contributing/contributing.md

@@ -137,4 +137,4 @@ When executing the unit tests from the *liqo-test* container, it is possible to
       --accept-multiclient ./path/to/test/directory
    ```
 
-4. From the host, connect to *localhost:2345* with your remote debugging client of choice (e.g. [GoLand](https://www.jetbrains.com/help/go/attach-to-running-go-processes-with-debugger.html#step-3-create-the-remote-run-debug-configuration-on-the-client-computer)), and enjoy!
+4. From the host, connect to *localhost:2345* with your remote debugging client of choice, and enjoy!

pkg/fabric/flags.go

@@ -40,6 +40,9 @@ const (
 	// FlagNameDisableARP is the flag to enable ARP.
 	FlagNameDisableARP FlagName = "disable-arp"
 
+	// FlagNameEnableNftMonitor is the flag to enable the nftables monitor.
+	FlagNameEnableNftMonitor FlagName = "enable-nft-monitor"
+
 	// FlagNameDisableKernelVersionCheck is the flag to enable the kernel version check.
 	FlagNameDisableKernelVersionCheck FlagName = "disable-kernel-version-check"
 	// FlagNameMinimumKernelVersion is the minimum kernel version required to run the wireguard interface.
@@ -63,6 +66,7 @@ func InitFlags(flagset *pflag.FlagSet, opts *Options) {
 	flagset.StringVar(&opts.ProbeAddr, FlagNameProbeAddr.String(), ":8081", "Address for the health probe endpoint")
 
 	flagset.BoolVar(&opts.DisableARP, FlagNameDisableARP.String(), false, "Disable ARP")
+	flagset.BoolVar(&opts.EnableNftMonitor, FlagNameEnableNftMonitor.String(), true, "Enable nftables monitor")
 
 	flagset.BoolVar(&opts.DisableKernelVersionCheck, FlagNameDisableKernelVersionCheck.String(), false, "Disable the kernel version check")
 	flagset.Var(&opts.MinimumKernelVersion, string(FlagNameMinimumKernelVersion), "Minimum kernel version required to run the wireguard interface")

pkg/fabric/options.go

@@ -26,7 +26,8 @@ type Options struct {
 	MetricsAddress string
 	ProbeAddr      string
 
-	DisableARP bool
+	DisableARP       bool
+	EnableNftMonitor bool
 
 	DisableKernelVersionCheck bool
 	MinimumKernelVersion      kernelversion.KernelVersion

pkg/firewall/firewallconfiguration_controller.go

@@ -162,17 +162,19 @@ func (r *FirewallConfigurationReconciler) Reconcile(ctx context.Context, req ctr
 }
 
 // SetupWithManager register the FirewallConfigurationReconciler to the manager.
-func (r *FirewallConfigurationReconciler) SetupWithManager(ctx context.Context, mgr ctrl.Manager) error {
+func (r *FirewallConfigurationReconciler) SetupWithManager(ctx context.Context, mgr ctrl.Manager, enableNftMonitor bool) error {
 	klog.Infof("Starting FirewallConfiguration controller with labels %v", r.LabelsSets)
 	filterByLabelsPredicate, err := forgeLabelsPredicate(r.LabelsSets)
 	if err != nil {
 		return err
 	}
 
 	src := make(chan event.GenericEvent)
-	go func() {
-		utilruntime.Must(netmonitor.InterfacesMonitoring(ctx, src, &netmonitor.Options{Nftables: &netmonitor.OptionsNftables{Delete: true}}))
-	}()
+	if enableNftMonitor {
+		go func() {
+			utilruntime.Must(netmonitor.InterfacesMonitoring(ctx, src, &netmonitor.Options{Nftables: &netmonitor.OptionsNftables{Delete: true}}))
+		}()
+	}
 	return ctrl.NewControllerManagedBy(mgr).Named(consts.CtrlFirewallConfiguration).
 		For(&networkingv1beta1.FirewallConfiguration{}, builder.WithPredicates(filterByLabelsPredicate)).
 		WatchesRawSource(NewFirewallWatchSource(src, NewFirewallWatchEventHandler(r.Client, r.LabelsSets))).

pkg/liqoctl/install/k3s/provider.go

@@ -67,5 +67,13 @@ func (o *Options) Initialize(_ context.Context) error {
 
 // Values returns the customized provider-specifc values file parameters.
 func (o *Options) Values() map[string]interface{} {
-	return map[string]interface{}{}
+	return map[string]interface{}{
+		"networking": map[string]interface{}{
+			"fabric": map[string]interface{}{
+				"config": map[string]interface{}{
+					"nftablesMonitor": false,
+				},
+			},
+		},
+	}
 }