Closed sstrk closed 3 years ago
@ComradeOgilvy Could you please add the diff which is logged by the operator so that it’s clear where the error comes from?
Apr 22 06:37:55 managed-k8s-gw-az1 ch-k8s-lbaas-agent[1757]: I0422 06:37:55.990373 1757 agent.go:201] configuration diff for /var/lib/ch-k8s-lbaas-agent/nftables/lbaas.conf:
Apr 22 06:37:55 managed-k8s-gw-az1 ch-k8s-lbaas-agent[1757]: --- /var/lib/ch-k8s-lbaas-agent/nftables/.bak-765999954 2021-04-22 06:37:55.984736510 +0000
Apr 22 06:37:55 managed-k8s-gw-az1 ch-k8s-lbaas-agent[1757]: +++ /var/lib/ch-k8s-lbaas-agent/nftables/.tmp-675798527 2021-04-22 06:37:55.984736510 +0000
Apr 22 06:37:55 managed-k8s-gw-az1 ch-k8s-lbaas-agent[1757]: @@ -9,6 +9,10 @@
Apr 22 06:37:55 managed-k8s-gw-az1 ch-k8s-lbaas-agent[1757]: table ip nat {
Apr 22 06:37:55 managed-k8s-gw-az1 ch-k8s-lbaas-agent[1757]: chain prerouting {
Apr 22 06:37:55 managed-k8s-gw-az1 ch-k8s-lbaas-agent[1757]:
Apr 22 06:37:55 managed-k8s-gw-az1 ch-k8s-lbaas-agent[1757]: +
Apr 22 06:37:55 managed-k8s-gw-az1 ch-k8s-lbaas-agent[1757]: + ip daddr 172.30.154.11 tcp dport 80 mark set 0x1 and 0x1 ct mark set meta mark dnat to numgen inc mod 10 map {0 : 172.30.154.10, 1 : 172.30.154.15, 2 : 172.30.154.22, 3 : 172.30.154.28, 4 : 172.30.154.5, 5 : 172.30.154.7, 6 : fd00::11, 7 : fd00::14, 8 : fd00::15, 9 : fd00::6, } : 30681;
Apr 22 06:37:55 managed-k8s-gw-az1 ch-k8s-lbaas-agent[1757]: +
Apr 22 06:37:55 managed-k8s-gw-az1 ch-k8s-lbaas-agent[1757]: }
Apr 22 06:37:55 managed-k8s-gw-az1 ch-k8s-lbaas-agent[1757]:
Apr 22 06:37:55 managed-k8s-gw-az1 ch-k8s-lbaas-agent[1757]: chain postrouting {
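Review bot: the added `dnat to numgen inc mod 10 map {...}` rule in `chain prerouting` of `table ip nat` mixes address families. Map entries 6 to 9 (`fd00::11`, `fd00::14`, `fd00::15`, `fd00::6`) are IPv6, while the table and the `ip daddr 172.30.154.11` match are IPv4. The map for this rule should hold only the six IPv4 backends, with `mod 6` and keys 0 to 5, and the generator should filter backends by family before rendering. The `systemctl reload nftables` that follows this diff fails with the rule as generated.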
Apr 22 06:37:55 managed-k8s-gw-az1 sudo[22853]: ch-k8s-lbaas-agent : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/bin/systemctl reload nftables
Apr 22 06:37:56 managed-k8s-gw-az1 sudo[22853]: pam_unix(sudo:session): session opened for user root by (uid=0)
Apr 22 06:37:56 managed-k8s-gw-az1 ch-k8s-lbaas-agent[1757]: Job for nftables.service failed.
The controller does not distinguish between IPv4 and IPv6 addresses. This breaks the application of nftables rules if the host nodes have an IPv4 and an IPv6 address (DualStack).
The controller tries to use IPv6 addresses in an IPv4 nftables rule. This leads to the failure of nftables when trying to apply the generated config:
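One way to keep IPv6 backends out of the IPv4 rule, as an added example that is not the project's own code: backends are split by address family before rendering, and `mod` is derived from the number of IPv4 entries. The helper names `splitByFamily` and `dnatRule` are hypothetical; the rule text follows the logged diff, and the sample addresses are a subset of those in it.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// splitByFamily (hypothetical helper) partitions backend addresses into
// IPv4 and IPv6 lists and rejects anything that is not an IP address.
func splitByFamily(addrs []string) (v4, v6 []string, err error) {
	for _, s := range addrs {
		ip := net.ParseIP(s)
		if ip == nil {
			return nil, nil, fmt.Errorf("backend %q is not an IP address", s)
		}
		if ip4 := ip.To4(); ip4 != nil {
			v4 = append(v4, ip4.String())
		} else {
			v6 = append(v6, ip.String())
		}
	}
	return v4, v6, nil
}

// dnatRule (hypothetical helper) renders the "table ip nat" rule from IPv4
// backends only, so "mod" equals the map size; "" means emit no rule.
func dnatRule(vip string, port, nodePort int, v4 []string) string {
	if len(v4) == 0 {
		return ""
	}
	entries := make([]string, len(v4))
	for i, a := range v4 {
		entries[i] = fmt.Sprintf("%d : %s", i, a)
	}
	return fmt.Sprintf("ip daddr %s tcp dport %d mark set 0x1 and 0x1 ct mark set meta mark "+
		"dnat to numgen inc mod %d map {%s} : %d;",
		vip, port, len(v4), strings.Join(entries, ", "), nodePort)
}

func main() {
	// Sample backends: a subset of the addresses in the logged diff.
	backends := []string{"172.30.154.10", "172.30.154.15", "fd00::11", "fd00::6"}
	v4, v6, err := splitByFamily(backends)
	if err != nil {
		panic(err)
	}
	fmt.Println(dnatRule("172.30.154.11", 80, 30681, v4))
	fmt.Printf("kept out of table ip nat: %v\n", v6)
}
```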