Skip to content
This repository has been archived by the owner on Jun 20, 2024. It is now read-only.

Weave net can't work if iptables-nft 1.8.8 is used on host #3968

Open
Snorch opened this issue Dec 12, 2022 · 0 comments
Open

Weave net can't work if iptables-nft 1.8.8 is used on host #3968

Snorch opened this issue Dec 12, 2022 · 0 comments

Comments

@Snorch
Copy link

Snorch commented Dec 12, 2022
edited
Loading

The iptables-nft 1.8.8 is not forward-compatible with older iptables-nft, this can be illustrated by this example https://github.com/Snorch/iptables-problem on the setup unrelated to weavenet.

In weaveworks/weave-npc we have even older 1.8.3 iptables-nft. So then I try to setup Kubernetes with weavenet on Almalinux-9 (it has 1.8.8) I get:

kubectl  get pods -n system -A
NAMESPACE     NAME                                                  READY   STATUS              RESTARTS           AGE
kube-system   coredns-565d847f94-jhwth                              0/1     ContainerCreating   0                  6d12h
kube-system   coredns-565d847f94-q8xsh                              0/1     ContainerCreating   0                  6d12h
kube-system   etcd-master-c105a43f.localdomain                      1/1     Running             0                  6d12h
kube-system   kube-apiserver-master-c105a43f.localdomain            1/1     Running             0                  6d12h
kube-system   kube-controller-manager-master-c105a43f.localdomain   1/1     Running             0                  6d12h
kube-system   kube-proxy-bx2nd                                      1/1     Running             0                  6d12h
kube-system   kube-scheduler-master-c105a43f.localdomain            1/1     Running             0                  6d12h
kube-system   weave-net-mnmbf                                       0/2     CrashLoopBackOff    3664 (4m15s ago)   6d12h

kubectl logs weave-net-mnmbf weave -n kube-system
DEBU: 2022/12/05 07:00:34.716422 [kube-peers] Checking peer "aa:c3:fd:b0:26:69" against list &{[]}
Peer not in list; removing persisted data
INFO: 2022/12/05 07:00:34.775607 Command line options: map[conn-limit:200 datapath:datapath db-prefix:/weavedb/weave-net docker-api: expect-npc:true http-addr:127.0.0.1:6784 ipalloc-init:consensus=0 ipalloc-range:10.32.0.0/12 metrics-addr:0.0.0.0:6782 name:aa:c3:fd:b0:26:69 nickname:master-c105a43f.localdomain no-dns:true no-masq-local:true port:6783]
INFO: 2022/12/05 07:00:34.775655 weave git-34de0b10a69c
FATA: 2022/12/05 07:00:35.110327 configuring iptables: ipt.ListChains(filter): running [/sbin/iptables -t filter -S --wait]: exit status 1: iptables v1.8.3 (nf_tables): table `filter' is incompatible, use 'nft' tool.

Because firewalld on host is using --dport 30000:32767 rules, which after https://git.netfilter.org/iptables/commit/?id=6aba94ef5 commit in 1.8.8 creates rules which can't be handled by 1.8.3.

I understand that we can just disable firewalld or just remove those rules and weavenet would work, but it's not always an option.

I also see #3465 (comment) where we've switched to iptables-nft in weavenet container and that leads to my problem when iptables-nft on host is newer than in weavenet ct.

Maybe we can update iptables-nft to 1.8.8 in weavenet ct? Would also appreciate any other suggestions.
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@Snorch