
iptables: detect and validate nf_tables mode for all zero rules#43415

Merged
YutaroHayakawa merged 1 commit into cilium:main from liyihuang:pr/liyih/iptable_handle_all_zero
Jan 14, 2026

Conversation

@liyihuang
Contributor

see commit message

Generate the proper logs when users put 0.0.0.0/0 as the native routing range for iptables nft mode.

maintainer-s-little-helper bot added the dont-merge/needs-release-note-label label on Dec 17, 2025
liyihuang force-pushed the pr/liyih/iptable_handle_all_zero branch 5 times, most recently from 1630952 to 173c317 on December 17, 2025 20:07
liyihuang added the area/iptables and release-note/misc labels on Dec 17, 2025
maintainer-s-little-helper bot removed the dont-merge/needs-release-note-label label on Dec 17, 2025
@liyihuang
Contributor Author

/test

liyihuang marked this pull request as ready for review on December 17, 2025 22:54
liyihuang requested a review from a team as a code owner on December 17, 2025 22:54
joestringer added the release-note/bug label and removed the release-note/misc label on Jan 9, 2026
@joestringer
Member

I've tentatively shifted this to release-note/bug, from the perspective that it's possible to configure Cilium in a way that triggers this error condition (plus Cilium doesn't quite do what the user might expect it to). That said I'm not sure if it's eligible for any backports since it's just as much a way to improve usability for a very specific configuration of Cilium.

@YutaroHayakawa
Member

left a comment


Thanks, one nit.

If we have ipv4NativeRoutingCIDR: 0.0.0.0/0 configured through helm,
the agent may have the following complaint:

level=error msg="iptables rules full reconciliation failed, will retry
another one later" error="failed to install rules: cannot install
masquerade rules: unable to run 'iptables -t nat -A CILIUM_POST_nat ! -d
0.0.0.0/0 -s 10.0.2.0/24 ! -o cilium_+ -m comment --comment cilium
masquerade non-cluster -j MASQUERADE' iptables command: exit status 4
stderr=\"iptables v1.8.8 (nf_tables):  RULE_APPEND failed (Invalid
argument): rule in chain CILIUM_POST_nat\\n\"" subsys=iptables

That's because nf_tables doesn't allow 0.0.0.0/0, but iptables legacy and
our bpf masquerade can support it.

Here is the test from my laptop

root@kind-worker3:/# iptables -t nat -A POSTROUTING ! -d 0.0.0.0/0 -o
eth0 -j MASQUERADE
iptables v1.8.9 (nf_tables):  RULE_APPEND failed (Invalid argument):
rule in chain POSTROUTING
root@kind-worker3:/# iptables-legacy -t nat -A POSTROUTING ! -d
0.0.0.0/0 -o eth0 -j MASQUERADE
root@kind-worker3:/# iptables-legacy-save
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [10:592]
:POSTROUTING ACCEPT [10:592]
-A POSTROUTING ! -d 0.0.0.0/0 -o eth0 -j MASQUERADE

This PR will detect the iptables mode and tell users to use
enable-ipv4-masquerade or enable-ipv6-masquerade: false in nft mode.

Signed-off-by: Liyi Huang <liyi.huang@isovalent.com>
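As an added illustration of the check the commit message describes (this is not Cilium's code from the PR, and the names ParseIptablesMode, ValidateNativeRoutingCIDR, the IptablesMode constants and the version-line regex are my own assumptions), the sketch below reads the backend from the `iptables --version` banner, which is where the `(nf_tables)` suffix in the quoted errors comes from, and refuses an all-zero native routing CIDR before any rule is installed:

```go
package main

import (
	"fmt"
	"net/netip"
	"regexp"
	"strings"
)

// IptablesMode is the backend that `iptables --version` reports in parentheses.
type IptablesMode string

const (
	ModeLegacy   IptablesMode = "legacy"
	ModeNFTables IptablesMode = "nf_tables"
	ModeUnknown  IptablesMode = "unknown" // pre-1.8 builds print no backend suffix
)

// versionRe matches the first output line, e.g. "iptables v1.8.8 (nf_tables)".
var versionRe = regexp.MustCompile(`^ip6?tables v[0-9.]+ \((nf_tables|legacy)\)`)

// ParseIptablesMode derives the backend from the output of `iptables --version`.
func ParseIptablesMode(versionOutput string) IptablesMode {
	first := strings.TrimSpace(strings.SplitN(versionOutput, "\n", 2)[0])
	if m := versionRe.FindStringSubmatch(first); m != nil {
		return IptablesMode(m[1])
	}
	return ModeUnknown
}

// ValidateNativeRoutingCIDR fails early, with an actionable message, when the
// native routing CIDR is all-zero (0.0.0.0/0 or ::/0), iptables masquerading is
// enabled and the backend is nf_tables: "! -d 0.0.0.0/0 ... -j MASQUERADE" is
// rejected there with "RULE_APPEND failed (Invalid argument)"; legacy accepts it.
func ValidateNativeRoutingCIDR(mode IptablesMode, cidr string, masqEnabled bool) error {
	prefix, err := netip.ParsePrefix(cidr)
	if err != nil {
		return fmt.Errorf("invalid native routing CIDR %q: %w", cidr, err)
	}
	if !masqEnabled || prefix.Bits() != 0 || mode != ModeNFTables {
		return nil // nothing to reject: masquerade off, real prefix, or legacy backend
	}
	flag := "enable-ipv4-masquerade"
	if prefix.Addr().Is6() {
		flag = "enable-ipv6-masquerade"
	}
	return fmt.Errorf("native routing CIDR %s cannot be used as an iptables "+
		"masquerade exclusion in nf_tables mode; set %s: false", cidr, flag)
}
```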
liyihuang force-pushed the pr/liyih/iptable_handle_all_zero branch from 173c317 to 4bb7575 on January 9, 2026 14:55
@liyihuang
Contributor Author

/test

maintainer-s-little-helper bot added the ready-to-merge label on Jan 14, 2026
YutaroHayakawa added this pull request to the merge queue on Jan 14, 2026
Merged via the queue into cilium:main with commit 77d1804 Jan 14, 2026
79 of 80 checks passed