Host firewall doesn't work with portmap CNI chaining #12541
Status: Open
Labels:
- area/datapath: Impacts bpf/ or low-level forwarding details, including map management and monitor messages.
- area/host-firewall: Impacts the host firewall or the host endpoint.
- kind/bug: This is a bug in the Cilium logic.
- pinned: These issues are not marked stale by our issue bot.
The host firewall currently doesn't work with portmap chaining when using kube-proxy. This limitation is related to the fact that we redirect traffic from pods to remote nodes through a tunnel when the host firewall is enabled.
Setting both `global.hostFirewall=true` and `global.cni.chainingMode=portmap` results in connection breakage, probably due to some masquerading issue. Packets are not dropped by the host firewall itself (i.e., it fails even with an allow-all policy).

To reproduce the bug, one can comment the following line in e2e tests:
`cilium/test/k8sT/Conformance.go`, line 79 at commit f55ec90
Related: #12345.
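Added example, not code from the issue or from the Cilium project: a preflight shell check that flags the unsupported combination described above before a cluster is upgraded or reconfigured. It assumes that the Helm values on this page, `global.hostFirewall` and `global.cni.chainingMode`, are rendered into the `cilium-config` ConfigMap as the keys `enable-host-firewall` and `cni-chaining-mode`; the ConfigMap data fed to it below is constructed, not captured from a real cluster.

```shell
#!/bin/sh
# Preflight check for the combination reported in cilium#12541:
# host firewall enabled together with portmap CNI chaining.
# Added example; not Cilium tooling. Assumption: the rendered cilium-config
# ConfigMap carries the keys "enable-host-firewall" and "cni-chaining-mode"
# (the Helm values on the page are global.hostFirewall and global.cni.chainingMode).

# check_cilium_config CONFIGMAP_TEXT
#   Input: the text of the ConfigMap's data section, one "key: value" per line,
#   as printed by `kubectl -n kube-system get cm cilium-config -o yaml`.
#   Returns 0 when the combination is not present, 1 when both
#   enable-host-firewall=true and cni-chaining-mode=portmap are set.
check_cilium_config() {
  # Extract the two values; quotes around the value are optional in YAML output.
  hostfw=$(printf '%s\n' "$1" \
    | sed -n 's/^ *enable-host-firewall: *"\{0,1\}\([^"]*\)"\{0,1\}$/\1/p')
  chain=$(printf '%s\n' "$1" \
    | sed -n 's/^ *cni-chaining-mode: *"\{0,1\}\([^"]*\)"\{0,1\}$/\1/p')

  if [ "$hostfw" = "true" ] && [ "$chain" = "portmap" ]; then
    echo "UNSUPPORTED: enable-host-firewall=true with cni-chaining-mode=portmap (see cilium#12541)"
    return 1
  fi
  echo "ok: enable-host-firewall=${hostfw:-unset} cni-chaining-mode=${chain:-unset}"
  return 0
}

# Constructed sample ConfigMap data (not from a real cluster).
BAD_CONFIG='  enable-host-firewall: "true"
  cni-chaining-mode: portmap
  tunnel: vxlan'

GOOD_CONFIG='  enable-host-firewall: "true"
  cni-chaining-mode: none
  tunnel: vxlan'

# Demo run over both samples; the failing case is tolerated here so the
# script itself does not abort. Against a live cluster, use:
#   check_cilium_config "$(kubectl -n kube-system get cm cilium-config -o yaml)"
check_cilium_config "$BAD_CONFIG" || :
check_cilium_config "$GOOD_CONFIG" || :
```

The check is deliberately a pure text filter over the ConfigMap dump, so it can run offline against a saved `kubectl ... -o yaml` file as well as against a live cluster.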