Calico Daemonset Iptables Issue in RHEL 8

[HenryXie1]

We have upgrade the worker node to RHEL 8. it has iptables-nft enabled
iptables -V --> iptables-nft in the OS

We are currently using the Calico daemonset version 3.24, and according to the documentation, it should automatically detect the version of iptables on RHEL 8. We have verified this information through the following links: #2322, and #4322.

However, when we run the command "kubectl exec -it calico-nodes-*** -- iptables -V," it shows that the version being used is iptables v1.8.4 (legacy). Even when we added the environment variable FELIX_IPTABLESBACKEND with the value "Auto" and rolled the pods, the legacy version of iptables was still being used.

. We are confused because despite this information, when we run the "iptables -V" command on the Calico node, it still shows the legacy version of iptables. Could you please provide clarification on this matter?

Meanwhile I found #7111 is still open (not merged)
seems the issue is not fixed,so I wonder how Calico implemented iptables automatic detection feature. or did I miss sth?
Thank you

@caseydavenport Thank you

Expected Behavior

When work nodes upgrade to RHEL 8,
kubectl exec -it calico-nodes-*** -- iptables -V --> iptables-nft

Current Behavior

with calico 3.24 and RHEL 8
we run the command "kubectl exec -it calico-nodes-*** -- iptables -V," it shows that the version being used is iptables v1.8.4 (legacy)

Possible Solution

no

Steps to Reproduce (for bugs)

Context

Your Environment

• Calico version 3.24
• Orchestrator version kubernetes
• Operating System and version: RHEL 8 kernel 4.18 with iptables-nft
• Link to your project (optional):

[yankay]

We have the same issue .
Welcome to help to review the #7111 :-)

[MichalFupso]

Hi @HenryXie1, #7111 has been merged into Calico v3.25, which fixes this issue

[yankay]

Hi @HenryXie1, #7111 has been merged into Calico v3.25, which fixes this issue

HI @MichalFupso ,
The #7111 is merged into the Calico v3.26.
And the Cherry-Pick #7460 is for the Calico v3.25.

[HenryXie1]

Hi, @yankay Thanks for your input
I happen to notice this PR #4322
https://www.tigera.io/blog/whats-new-in-calico-v3-12/
It seems the fix was included in 3.12,
not sure how that works with your PR #7460

[yankay]

HI @HenryXie1

Follow the description of the issue, The issue is the same as the: #2322. The auto-detect logic in the RHEL/Centos 8 is to detect auto as a legacy instead of NFT. So that causes the issue.

There is a blog article about the issue: https://mihail-milev.medium.com/no-pod-to-pod-communication-on-centos-8-kubernetes-with-calico-56d694d2a6f4

The #7111 and #7460 are to fix the issue.

[HenryXie1]

Thanks @yankay
I read the blog and implement Calico version 3.24 with RHEL 8 iptables-nft. I discovered that the issue mentioned in #2322 had been resolved, as new iptables nft rules were created. However, when I checked the calico-node by running the command iptables -V, it still showed iptables legacy.

I am not sure how this works in version 3.24 without the PRs mentioned in #7111 and #7460.

[tangkelu]

env: RHEL 8.10, iptables v1.8.5 (nf_tables), kube-proxy v1.23.4,Calico v3.25.2, calico-node daemonset env added FELIX_IPTABLESBACKEND value to Auto
if i run command [ kubectl exec -it calico-node-xxx -- iptables -V ] still shows [ iptables v1.8.4 (legacy) ]

maybe related with this: #8025 ?