v2.6.0-rc2: In Advanced policy tutorial, Preventing outgoing connection from pods blocked all outgoing traffic

tmjd commented 7 years ago

With the pre-release version of Calico v2.6.0 when testing the Advanced policy tutorial, the step "Prevent outgoing connections from pods" blocked all outgoing traffic from my access pod. https://docs.projectcalico.org/v2.6/getting-started/kubernetes/tutorials/advanced-policy#prevent-outgoing-connections-from-pods

Expected Behavior

All steps of the tutorial should work.

Current Behavior

The step attempting to block outgoing DNS traffic blocked all outgoing traffic. I even attempted to use the service IP for nginx and the IP of the nginx pod that lived on the same host as the access pod.

Possible Solution

Fix it :smile:

Steps to Reproduce (for bugs)

Set up cluster with the v2.6.0-rc2 images
Run through advanced tutorial

Context

I saw this when using my Vagrant cluster set up with etcd TLS that I had previously upgraded from v2.5.1. I don't believe the upgrade impacted this but wanted to mention it incase it did.

Your Environment

Calico version:

$ ./calicoctl version
Client Version:    v1.6.0-rc2
Build date:        2017-09-25T03:08:37+0000
Git commit:        243007ca
Cluster Version:   v2.6.0-rc2
Cluster Type:      k8s,bgp

Orchestrator version (e.g. kubernetes, mesos, rkt): K8s v1.7.5
Operating System and version: Container Linux 1465.7.0

tmjd commented 7 years ago

$ ./calicoctl get policy -o yaml
- apiVersion: v1
  kind: policy
  metadata:
    name: advanced-policy-demo.allow-dns
  spec:
    egress:
    - action: allow
      destination:
        ports:
        - 53
        selector: calico/k8s_ns == 'kube-system' && k8s-app == 'kube-dns'
      protocol: udp
      source: {}
    order: 400
    selector: calico/k8s_ns == 'advanced-policy-demo'
    types:
    - egress
- apiVersion: v1
  kind: policy
  metadata:
    name: advanced-policy-demo.deny-egress
  spec:
    egress:
    - action: deny
      destination:
        notSelector: calico/k8s_ns == 'advanced-policy-demo'
      source: {}
    order: 500
    selector: calico/k8s_ns == 'advanced-policy-demo'
    types:
    - egress
- apiVersion: v1
  kind: policy
  metadata:
    name: knp.default.advanced-policy-demo.access-nginx
  spec:
    egress:
    - action: allow
      destination: {}
      source: {}
    ingress:
    - action: allow
      destination: {}
      source:
        selector: calico/k8s_ns == 'advanced-policy-demo'
    order: 1000
    selector: calico/k8s_ns == 'advanced-policy-demo' && run == 'nginx'
    types:
    - ingress
- apiVersion: v1
  kind: policy
  metadata:
    name: knp.default.advanced-policy-demo.default-deny
  spec:
    egress:
    - action: allow
      destination: {}
      source: {}
    order: 1000
    selector: calico/k8s_ns == 'advanced-policy-demo'
    types:
    - ingress
- apiVersion: v1
  kind: policy
  metadata:
    name: knp.default.policy-demo.access-nginx
  spec:
    egress:
    - action: allow
      destination: {}
      source: {}
    ingress:
    - action: allow
      destination: {}
      source:
        selector: calico/k8s_ns == 'policy-demo' && run == 'access'
    order: 1000
    selector: calico/k8s_ns == 'policy-demo' && run == 'nginx'
    types:
    - ingress
- apiVersion: v1
  kind: policy
  metadata:
    name: knp.default.policy-demo.default-deny
  spec:
    egress:
    - action: allow
      destination: {}
      source: {}
    order: 1000
    selector: calico/k8s_ns == 'policy-demo'
    types:
    - ingress

tmjd commented 7 years ago

This seems to be the iptables rule that is dropping the traffic [2:120] -A cali-po-_l2a5_DDU8iKXgoc8Dav -m comment --comment "cali:WXDWSDmbDYSTHADG" -m set ! --match-set cali4-s:uK4R6n61sYuSXSz0NO3eBIb dst -j DROP

Note this was when the 'access' pod was on the same host as the destination pod which was specified by the nginx pod's IP address and both pods were running on the same host.

The full iptables output

``` # Generated by iptables-save v1.4.21 on Mon Sep 25 15:09:06 2017 *mangle :PREROUTING ACCEPT [100:6465] :INPUT ACCEPT [3477:916188] :FORWARD ACCEPT [33:2410] :OUTPUT ACCEPT [3521:332871] :POSTROUTING ACCEPT [3537:334141] :cali-PREROUTING - [0:0] :cali-failsafe-in - [0:0] :cali-from-host-endpoint - [0:0] :cali-pi-_64M-5B68oqchsNt4uhf - [0:0] :cali-pi-_AxB3YUE-4H-l6eiKn2A - [0:0] :cali-pi-__T3ATnucaLN6MO6Ylzt - [0:0] :cali-pi-___yCYWiB-B993Gu4WEv - [0:0] :cali-pi-_l2a5_DDU8iKXgoc8Dav - [0:0] :cali-pi-_ra3L4iuMubRbHLb1U1T - [0:0] :cali-po-_64M-5B68oqchsNt4uhf - [0:0] :cali-po-_AxB3YUE-4H-l6eiKn2A - [0:0] :cali-po-__T3ATnucaLN6MO6Ylzt - [0:0] :cali-po-___yCYWiB-B993Gu4WEv - [0:0] :cali-po-_l2a5_DDU8iKXgoc8Dav - [0:0] :cali-po-_ra3L4iuMubRbHLb1U1T - [0:0] [1108659:773614984] -A PREROUTING -m comment --comment "cali:6gwbT8clXdHdC1b1" -j cali-PREROUTING [1071341:771177953] -A cali-PREROUTING -m comment --comment "cali:6BJqBjBC7crtA-7-" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT [0:0] -A cali-PREROUTING -m comment --comment "cali:nE3PUa5RSRqBBvwx" -m mark --mark 0x1000000/0x1000000 -j ACCEPT [144:10462] -A cali-PREROUTING -i cali+ -m comment --comment "cali:qgFofvzQe6yJPouQ" -j ACCEPT [37174:2426569] -A cali-PREROUTING -m comment --comment "cali:o178eO5vvpj8e65z" -j cali-from-host-endpoint [0:0] -A cali-PREROUTING -m comment --comment "cali:5TQcm-i_T8rVGEEa" -m comment --comment "Host endpoint policy accepted packet." -m mark --mark 0x1000000/0x1000000 -j ACCEPT [0:0] -A cali-failsafe-in -p tcp -m comment --comment "cali:wWFQM43tJU7wwnFZ" -m multiport --dports 22 -j ACCEPT [0:0] -A cali-failsafe-in -p udp -m comment --comment "cali:LwNV--R8MjeUYacw" -m multiport --dports 68 -j ACCEPT [0:0] -A cali-pi-_64M-5B68oqchsNt4uhf -m comment --comment "cali:kZzWM4wu2A_MNzjD" -m set --match-set cali4-s:gxS8LG7f_uNZgHQicxHv4ZZ src -j MARK --set-xmark 0x1000000/0x1000000 [0:0] -A cali-pi-_64M-5B68oqchsNt4uhf -m comment --comment "cali:768dLuyEVulGo8ic" -m mark --mark 0x1000000/0x1000000 -j RETURN [0:0] -A cali-pi-__T3ATnucaLN6MO6Ylzt -m comment --comment "cali:GHMZgPTpJifAihZL" -m set --match-set cali4-s:uK4R6n61sYuSXSz0NO3eBIb src -j MARK --set-xmark 0x1000000/0x1000000 [0:0] -A cali-pi-__T3ATnucaLN6MO6Ylzt -m comment --comment "cali:eWnp_i9lBIZf0kOY" -m mark --mark 0x1000000/0x1000000 -j RETURN [0:0] -A cali-po-_64M-5B68oqchsNt4uhf -m comment --comment "cali:rONaEGCIlAThXmCx" -j MARK --set-xmark 0x1000000/0x1000000 [0:0] -A cali-po-_64M-5B68oqchsNt4uhf -m comment --comment "cali:6ZZDbfW6wBYlUzlH" -m mark --mark 0x1000000/0x1000000 -j RETURN [0:0] -A cali-po-_AxB3YUE-4H-l6eiKn2A -m comment --comment "cali:2uleSazbQ2zD9raA" -j MARK --set-xmark 0x1000000/0x1000000 [0:0] -A cali-po-_AxB3YUE-4H-l6eiKn2A -m comment --comment "cali:QEKJNrc6DP-fQATr" -m mark --mark 0x1000000/0x1000000 -j RETURN [0:0] -A cali-po-__T3ATnucaLN6MO6Ylzt -m comment --comment "cali:_-KckRY4CWKvzav2" -j MARK --set-xmark 0x1000000/0x1000000 [0:0] -A cali-po-__T3ATnucaLN6MO6Ylzt -m comment --comment "cali:frewaRvKX-8sTWQU" -m mark --mark 0x1000000/0x1000000 -j RETURN [0:0] -A cali-po-___yCYWiB-B993Gu4WEv -p udp -m comment --comment "cali:K2GXbGck6EILwWI0" -m set --match-set cali4-s:byS7HoDNre4fq8pZwcx7DNw dst -m multiport --dports 53 -j MARK --set-xmark 0x1000000/0x1000000 [0:0] -A cali-po-___yCYWiB-B993Gu4WEv -m comment --comment "cali:RaPSGvkArZ3TpmR8" -m mark --mark 0x1000000/0x1000000 -j RETURN [0:0] -A cali-po-_l2a5_DDU8iKXgoc8Dav -m comment --comment "cali:WXDWSDmbDYSTHADG" -m set ! --match-set cali4-s:uK4R6n61sYuSXSz0NO3eBIb dst -j DROP [0:0] -A cali-po-_ra3L4iuMubRbHLb1U1T -m comment --comment "cali:8lgrYdXxMDekJ-eU" -j MARK --set-xmark 0x1000000/0x1000000 [0:0] -A cali-po-_ra3L4iuMubRbHLb1U1T -m comment --comment "cali:MHmc2tLR3L3nCKNW" -m mark --mark 0x1000000/0x1000000 -j RETURN COMMIT # Completed on Mon Sep 25 15:09:06 2017 # Generated by iptables-save v1.4.21 on Mon Sep 25 15:09:06 2017 *raw :PREROUTING ACCEPT [3510:918598] :OUTPUT ACCEPT [3521:332871] :cali-OUTPUT - [0:0] :cali-PREROUTING - [0:0] :cali-failsafe-in - [0:0] :cali-failsafe-out - [0:0] :cali-from-host-endpoint - [0:0] :cali-pi-_64M-5B68oqchsNt4uhf - [0:0] :cali-pi-_AxB3YUE-4H-l6eiKn2A - [0:0] :cali-pi-__T3ATnucaLN6MO6Ylzt - [0:0] :cali-pi-___yCYWiB-B993Gu4WEv - [0:0] :cali-pi-_l2a5_DDU8iKXgoc8Dav - [0:0] :cali-pi-_ra3L4iuMubRbHLb1U1T - [0:0] :cali-po-_64M-5B68oqchsNt4uhf - [0:0] :cali-po-_AxB3YUE-4H-l6eiKn2A - [0:0] :cali-po-__T3ATnucaLN6MO6Ylzt - [0:0] :cali-po-___yCYWiB-B993Gu4WEv - [0:0] :cali-po-_l2a5_DDU8iKXgoc8Dav - [0:0] :cali-po-_ra3L4iuMubRbHLb1U1T - [0:0] :cali-to-host-endpoint - [0:0] [1108659:773614984] -A PREROUTING -m comment --comment "cali:6gwbT8clXdHdC1b1" -j cali-PREROUTING [1158439:88632615] -A OUTPUT -m comment --comment "cali:tVnHkvAo15HuiPy0" -j cali-OUTPUT [1158439:88632615] -A cali-OUTPUT -m comment --comment "cali:WX1xZBEtmbS0Rhjs" -j MARK --set-xmark 0x0/0xf000000 [1158439:88632615] -A cali-OUTPUT -m comment --comment "cali:iE00ZyllJNXfrlg_" -j cali-to-host-endpoint [0:0] -A cali-OUTPUT -m comment --comment "cali:Asois4hxp1rUxwJS" -m mark --mark 0x1000000/0x1000000 -j ACCEPT [1108659:773614984] -A cali-PREROUTING -m comment --comment "cali:zatSDPVUhhPCk6Iy" -j MARK --set-xmark 0x0/0xf000000 [331:38434] -A cali-PREROUTING -i cali+ -m comment --comment "cali:-ES4EW0vxFmM81t8" -j MARK --set-xmark 0x4000000/0x4000000 [1108328:773576550] -A cali-PREROUTING -m comment --comment "cali:VE1J3S_1t9q8GAsm" -m mark --mark 0x0/0x4000000 -j cali-from-host-endpoint [0:0] -A cali-PREROUTING -m comment --comment "cali:VX8l4jKL9w89GXz5" -m mark --mark 0x1000000/0x1000000 -j ACCEPT [0:0] -A cali-failsafe-in -p tcp -m comment --comment "cali:wWFQM43tJU7wwnFZ" -m multiport --dports 22 -j ACCEPT [0:0] -A cali-failsafe-in -p udp -m comment --comment "cali:LwNV--R8MjeUYacw" -m multiport --dports 68 -j ACCEPT [0:0] -A cali-failsafe-out -p tcp -m comment --comment "cali:73bZKoyDfOpFwC2T" -m multiport --dports 2379 -j ACCEPT [0:0] -A cali-failsafe-out -p tcp -m comment --comment "cali:QMFuWo6o-d9yOpNm" -m multiport --dports 2380 -j ACCEPT [0:0] -A cali-failsafe-out -p tcp -m comment --comment "cali:Kup7QkrsdmfGX0uL" -m multiport --dports 4001 -j ACCEPT [0:0] -A cali-failsafe-out -p tcp -m comment --comment "cali:xYYr5PEqDf_Pqfkv" -m multiport --dports 7001 -j ACCEPT [0:0] -A cali-failsafe-out -p udp -m comment --comment "cali:nbWBvu4OtudVY60Q" -m multiport --dports 53 -j ACCEPT [0:0] -A cali-failsafe-out -p udp -m comment --comment "cali:UxFu5cDK5En6dT3Y" -m multiport --dports 67 -j ACCEPT [0:0] -A cali-pi-_64M-5B68oqchsNt4uhf -m comment --comment "cali:kZzWM4wu2A_MNzjD" -m set --match-set cali4-s:gxS8LG7f_uNZgHQicxHv4ZZ src -j MARK --set-xmark 0x1000000/0x1000000 [0:0] -A cali-pi-_64M-5B68oqchsNt4uhf -m comment --comment "cali:768dLuyEVulGo8ic" -m mark --mark 0x1000000/0x1000000 -j RETURN [0:0] -A cali-pi-__T3ATnucaLN6MO6Ylzt -m comment --comment "cali:GHMZgPTpJifAihZL" -m set --match-set cali4-s:uK4R6n61sYuSXSz0NO3eBIb src -j MARK --set-xmark 0x1000000/0x1000000 [0:0] -A cali-pi-__T3ATnucaLN6MO6Ylzt -m comment --comment "cali:eWnp_i9lBIZf0kOY" -m mark --mark 0x1000000/0x1000000 -j RETURN [0:0] -A cali-po-_64M-5B68oqchsNt4uhf -m comment --comment "cali:rONaEGCIlAThXmCx" -j MARK --set-xmark 0x1000000/0x1000000 [0:0] -A cali-po-_64M-5B68oqchsNt4uhf -m comment --comment "cali:6ZZDbfW6wBYlUzlH" -m mark --mark 0x1000000/0x1000000 -j RETURN [0:0] -A cali-po-_AxB3YUE-4H-l6eiKn2A -m comment --comment "cali:2uleSazbQ2zD9raA" -j MARK --set-xmark 0x1000000/0x1000000 [0:0] -A cali-po-_AxB3YUE-4H-l6eiKn2A -m comment --comment "cali:QEKJNrc6DP-fQATr" -m mark --mark 0x1000000/0x1000000 -j RETURN [0:0] -A cali-po-__T3ATnucaLN6MO6Ylzt -m comment --comment "cali:_-KckRY4CWKvzav2" -j MARK --set-xmark 0x1000000/0x1000000 [0:0] -A cali-po-__T3ATnucaLN6MO6Ylzt -m comment --comment "cali:frewaRvKX-8sTWQU" -m mark --mark 0x1000000/0x1000000 -j RETURN [0:0] -A cali-po-___yCYWiB-B993Gu4WEv -p udp -m comment --comment "cali:K2GXbGck6EILwWI0" -m set --match-set cali4-s:byS7HoDNre4fq8pZwcx7DNw dst -m multiport --dports 53 -j MARK --set-xmark 0x1000000/0x1000000 [0:0] -A cali-po-___yCYWiB-B993Gu4WEv -m comment --comment "cali:RaPSGvkArZ3TpmR8" -m mark --mark 0x1000000/0x1000000 -j RETURN [0:0] -A cali-po-_l2a5_DDU8iKXgoc8Dav -m comment --comment "cali:WXDWSDmbDYSTHADG" -m set ! --match-set cali4-s:uK4R6n61sYuSXSz0NO3eBIb dst -j DROP [0:0] -A cali-po-_ra3L4iuMubRbHLb1U1T -m comment --comment "cali:8lgrYdXxMDekJ-eU" -j MARK --set-xmark 0x1000000/0x1000000 [0:0] -A cali-po-_ra3L4iuMubRbHLb1U1T -m comment --comment "cali:MHmc2tLR3L3nCKNW" -m mark --mark 0x1000000/0x1000000 -j RETURN COMMIT # Completed on Mon Sep 25 15:09:06 2017 # Generated by iptables-save v1.4.21 on Mon Sep 25 15:09:06 2017 *nat :PREROUTING ACCEPT [2:120] :INPUT ACCEPT [0:0] :OUTPUT ACCEPT [6:360] :POSTROUTING ACCEPT [6:360] :DOCKER - [0:0] :KUBE-MARK-DROP - [0:0] :KUBE-MARK-MASQ - [0:0] :KUBE-NODEPORTS - [0:0] :KUBE-POSTROUTING - [0:0] :KUBE-SEP-7NR2EV65N4MOMQ37 - [0:0] :KUBE-SEP-BJJU6BYWL5OURLAJ - [0:0] :KUBE-SEP-FOGBDETOBTBXLB66 - [0:0] :KUBE-SEP-HCGPYH4OYV2KIMGS - [0:0] :KUBE-SEP-QDN5ZB4PDR2XYQHH - [0:0] :KUBE-SEP-QPFE23NSQUAY5EUP - [0:0] :KUBE-SEP-RTXFIJLNSO6EUBGK - [0:0] :KUBE-SERVICES - [0:0] :KUBE-SVC-3VXIGVIYYFN7DHDA - [0:0] :KUBE-SVC-ERIFXISQEP7F7OF4 - [0:0] :KUBE-SVC-NPX46M4PTMTKRN6Y - [0:0] :KUBE-SVC-TCOU7JCQXEZGVUNU - [0:0] :KUBE-SVC-WIU6PAXCRNIE3H4X - [0:0] :cali-OUTPUT - [0:0] :cali-POSTROUTING - [0:0] :cali-PREROUTING - [0:0] :cali-fip-dnat - [0:0] :cali-fip-snat - [0:0] :cali-nat-outgoing - [0:0] [4512:432164] -A PREROUTING -m comment --comment "cali:6gwbT8clXdHdC1b1" -j cali-PREROUTING [4523:432883] -A PREROUTING -m comment --comment "kubernetes service portals" -j KUBE-SERVICES [48:2832] -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER [36243:2179653] -A OUTPUT -m comment --comment "cali:tVnHkvAo15HuiPy0" -j cali-OUTPUT [36346:2185774] -A OUTPUT -m comment --comment "kubernetes service portals" -j KUBE-SERVICES [31803:1908204] -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER [36348:2187277] -A POSTROUTING -m comment --comment "cali:O3lYWMrLQYEMJtB5" -j cali-POSTROUTING [36450:2193314] -A POSTROUTING -m comment --comment "kubernetes postrouting rules" -j KUBE-POSTROUTING [0:0] -A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE [0:0] -A DOCKER -i docker0 -j RETURN [0:0] -A KUBE-MARK-DROP -j MARK --set-xmark 0x8000/0x8000 [0:0] -A KUBE-MARK-MASQ -j MARK --set-xmark 0x4000/0x4000 [0:0] -A KUBE-POSTROUTING -m comment --comment "kubernetes service traffic requiring SNAT" -m mark --mark 0x4000/0x4000 -j MASQUERADE [0:0] -A KUBE-SEP-7NR2EV65N4MOMQ37 -s 192.168.44.193/32 -m comment --comment "kube-system/kube-dns:dns-tcp" -j KUBE-MARK-MASQ [0:0] -A KUBE-SEP-7NR2EV65N4MOMQ37 -p tcp -m comment --comment "kube-system/kube-dns:dns-tcp" -m tcp -j DNAT --to-destination 192.168.44.193:53 [0:0] -A KUBE-SEP-BJJU6BYWL5OURLAJ -s 192.168.154.215/32 -m comment --comment "policy-demo/nginx:" -j KUBE-MARK-MASQ [0:0] -A KUBE-SEP-BJJU6BYWL5OURLAJ -p tcp -m comment --comment "policy-demo/nginx:" -m tcp -j DNAT --to-destination 192.168.154.215:80 [0:0] -A KUBE-SEP-FOGBDETOBTBXLB66 -s 192.168.44.193/32 -m comment --comment "kube-system/kube-dns:dns" -j KUBE-MARK-MASQ [0:0] -A KUBE-SEP-FOGBDETOBTBXLB66 -p udp -m comment --comment "kube-system/kube-dns:dns" -m udp -j DNAT --to-destination 192.168.44.193:53 [0:0] -A KUBE-SEP-HCGPYH4OYV2KIMGS -s 192.168.44.214/32 -m comment --comment "policy-demo/nginx:" -j KUBE-MARK-MASQ [0:0] -A KUBE-SEP-HCGPYH4OYV2KIMGS -p tcp -m comment --comment "policy-demo/nginx:" -m tcp -j DNAT --to-destination 192.168.44.214:80 [0:0] -A KUBE-SEP-QDN5ZB4PDR2XYQHH -s 172.18.18.101/32 -m comment --comment "default/kubernetes:https" -j KUBE-MARK-MASQ [0:0] -A KUBE-SEP-QDN5ZB4PDR2XYQHH -p tcp -m comment --comment "default/kubernetes:https" -m recent --set --name KUBE-SEP-QDN5ZB4PDR2XYQHH --mask 255.255.255.255 --rsource -m tcp -j DNAT --to-destination 172.18.18.101:6443 [0:0] -A KUBE-SEP-QPFE23NSQUAY5EUP -s 192.168.44.225/32 -m comment --comment "advanced-policy-demo/nginx:" -j KUBE-MARK-MASQ [0:0] -A KUBE-SEP-QPFE23NSQUAY5EUP -p tcp -m comment --comment "advanced-policy-demo/nginx:" -m tcp -j DNAT --to-destination 192.168.44.225:80 [0:0] -A KUBE-SEP-RTXFIJLNSO6EUBGK -s 192.168.154.221/32 -m comment --comment "advanced-policy-demo/nginx:" -j KUBE-MARK-MASQ [0:0] -A KUBE-SEP-RTXFIJLNSO6EUBGK -p tcp -m comment --comment "advanced-policy-demo/nginx:" -m tcp -j DNAT --to-destination 192.168.154.221:80 [0:0] -A KUBE-SERVICES ! -s 192.168.0.0/16 -d 10.100.0.1/32 -p tcp -m comment --comment "default/kubernetes:https cluster IP" -m tcp --dport 443 -j KUBE-MARK-MASQ [0:0] -A KUBE-SERVICES -d 10.100.0.1/32 -p tcp -m comment --comment "default/kubernetes:https cluster IP" -m tcp --dport 443 -j KUBE-SVC-NPX46M4PTMTKRN6Y [0:0] -A KUBE-SERVICES ! -s 192.168.0.0/16 -d 10.100.0.10/32 -p tcp -m comment --comment "kube-system/kube-dns:dns-tcp cluster IP" -m tcp --dport 53 -j KUBE-MARK-MASQ [0:0] -A KUBE-SERVICES -d 10.100.0.10/32 -p tcp -m comment --comment "kube-system/kube-dns:dns-tcp cluster IP" -m tcp --dport 53 -j KUBE-SVC-ERIFXISQEP7F7OF4 [0:0] -A KUBE-SERVICES ! -s 192.168.0.0/16 -d 10.100.0.10/32 -p udp -m comment --comment "kube-system/kube-dns:dns cluster IP" -m udp --dport 53 -j KUBE-MARK-MASQ [0:0] -A KUBE-SERVICES -d 10.100.0.10/32 -p udp -m comment --comment "kube-system/kube-dns:dns cluster IP" -m udp --dport 53 -j KUBE-SVC-TCOU7JCQXEZGVUNU [0:0] -A KUBE-SERVICES ! -s 192.168.0.0/16 -d 10.100.0.58/32 -p tcp -m comment --comment "policy-demo/nginx: cluster IP" -m tcp --dport 80 -j KUBE-MARK-MASQ [0:0] -A KUBE-SERVICES -d 10.100.0.58/32 -p tcp -m comment --comment "policy-demo/nginx: cluster IP" -m tcp --dport 80 -j KUBE-SVC-3VXIGVIYYFN7DHDA [0:0] -A KUBE-SERVICES ! -s 192.168.0.0/16 -d 10.100.0.82/32 -p tcp -m comment --comment "advanced-policy-demo/nginx: cluster IP" -m tcp --dport 80 -j KUBE-MARK-MASQ [0:0] -A KUBE-SERVICES -d 10.100.0.82/32 -p tcp -m comment --comment "advanced-policy-demo/nginx: cluster IP" -m tcp --dport 80 -j KUBE-SVC-WIU6PAXCRNIE3H4X [6:360] -A KUBE-SERVICES -m comment --comment "kubernetes service nodeports; NOTE: this must be the last rule in this chain" -m addrtype --dst-type LOCAL -j KUBE-NODEPORTS [0:0] -A KUBE-SVC-3VXIGVIYYFN7DHDA -m comment --comment "policy-demo/nginx:" -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-BJJU6BYWL5OURLAJ [0:0] -A KUBE-SVC-3VXIGVIYYFN7DHDA -m comment --comment "policy-demo/nginx:" -j KUBE-SEP-HCGPYH4OYV2KIMGS [0:0] -A KUBE-SVC-ERIFXISQEP7F7OF4 -m comment --comment "kube-system/kube-dns:dns-tcp" -j KUBE-SEP-7NR2EV65N4MOMQ37 [0:0] -A KUBE-SVC-NPX46M4PTMTKRN6Y -m comment --comment "default/kubernetes:https" -m recent --rcheck --seconds 10800 --reap --name KUBE-SEP-QDN5ZB4PDR2XYQHH --mask 255.255.255.255 --rsource -j KUBE-SEP-QDN5ZB4PDR2XYQHH [0:0] -A KUBE-SVC-NPX46M4PTMTKRN6Y -m comment --comment "default/kubernetes:https" -j KUBE-SEP-QDN5ZB4PDR2XYQHH [0:0] -A KUBE-SVC-TCOU7JCQXEZGVUNU -m comment --comment "kube-system/kube-dns:dns" -j KUBE-SEP-FOGBDETOBTBXLB66 [0:0] -A KUBE-SVC-WIU6PAXCRNIE3H4X -m comment --comment "advanced-policy-demo/nginx:" -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-RTXFIJLNSO6EUBGK [0:0] -A KUBE-SVC-WIU6PAXCRNIE3H4X -m comment --comment "advanced-policy-demo/nginx:" -j KUBE-SEP-QPFE23NSQUAY5EUP [36243:2179653] -A cali-OUTPUT -m comment --comment "cali:GBTAv2p5CwevEyJm" -j cali-fip-dnat [36348:2187277] -A cali-POSTROUTING -m comment --comment "cali:Z-c7XtVd2Bq7s_hA" -j cali-fip-snat [36348:2187277] -A cali-POSTROUTING -m comment --comment "cali:nYKhEzDlr11Jccal" -j cali-nat-outgoing [0:0] -A cali-POSTROUTING -o tunl0 -m comment --comment "cali:JHlpT-eSqR1TvyYm" -m addrtype ! --src-type LOCAL --limit-iface-out -m addrtype --src-type LOCAL -j MASQUERADE [4512:432164] -A cali-PREROUTING -m comment --comment "cali:r6XmIziWUJsdOK6Z" -j cali-fip-dnat [1:84] -A cali-nat-outgoing -m comment --comment "cali:Wd76s91357Uv7N3v" -m set --match-set cali4-masq-ipam-pools src -m set ! --match-set cali4-all-ipam-pools dst -j MASQUERADE COMMIT # Completed on Mon Sep 25 15:09:06 2017 # Generated by iptables-save v1.4.21 on Mon Sep 25 15:09:06 2017 *filter :INPUT ACCEPT [291:60398] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [274:24193] :DOCKER - [0:0] :DOCKER-ISOLATION - [0:0] :KUBE-FIREWALL - [0:0] :KUBE-SERVICES - [0:0] :cali-FORWARD - [0:0] :cali-INPUT - [0:0] :cali-OUTPUT - [0:0] :cali-failsafe-in - [0:0] :cali-failsafe-out - [0:0] :cali-from-host-endpoint - [0:0] :cali-from-wl-dispatch - [0:0] :cali-fw-calibc29c0f7c1e - [0:0] :cali-fw-calic51e6ca5ae9 - [0:0] :cali-fw-calie92fdc10b25 - [0:0] :cali-pi-_64M-5B68oqchsNt4uhf - [0:0] :cali-pi-_AxB3YUE-4H-l6eiKn2A - [0:0] :cali-pi-__T3ATnucaLN6MO6Ylzt - [0:0] :cali-pi-___yCYWiB-B993Gu4WEv - [0:0] :cali-pi-_l2a5_DDU8iKXgoc8Dav - [0:0] :cali-pi-_ra3L4iuMubRbHLb1U1T - [0:0] :cali-po-_64M-5B68oqchsNt4uhf - [0:0] :cali-po-_AxB3YUE-4H-l6eiKn2A - [0:0] :cali-po-__T3ATnucaLN6MO6Ylzt - [0:0] :cali-po-___yCYWiB-B993Gu4WEv - [0:0] :cali-po-_l2a5_DDU8iKXgoc8Dav - [0:0] :cali-po-_ra3L4iuMubRbHLb1U1T - [0:0] :cali-pri-_tk1llJHCZICMNyE70e - [0:0] :cali-pri-k8s_ns.policy-demo - [0:0] :cali-pro-_tk1llJHCZICMNyE70e - [0:0] :cali-pro-k8s_ns.policy-demo - [0:0] :cali-to-host-endpoint - [0:0] :cali-to-wl-dispatch - [0:0] :cali-tw-calibc29c0f7c1e - [0:0] :cali-tw-calic51e6ca5ae9 - [0:0] :cali-tw-calie92fdc10b25 - [0:0] :cali-wl-to-host - [0:0] [321:64145] -A INPUT -m comment --comment "cali:Cz_u1IQiXIMmKD4c" -j cali-INPUT [321:64145] -A INPUT -j KUBE-FIREWALL [321:64145] -A INPUT -m comment --comment "kubernetes service portals" -j KUBE-SERVICES [2:120] -A FORWARD -m comment --comment "cali:wUHhoiAYhphO9Mso" -j cali-FORWARD [0:0] -A FORWARD -j DOCKER-ISOLATION [0:0] -A FORWARD -o docker0 -j DOCKER [0:0] -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT [0:0] -A FORWARD -i docker0 ! -o docker0 -j ACCEPT [0:0] -A FORWARD -i docker0 -o docker0 -j ACCEPT [301:25688] -A OUTPUT -m comment --comment "cali:tVnHkvAo15HuiPy0" -j cali-OUTPUT [301:25688] -A OUTPUT -j KUBE-FIREWALL [301:25688] -A OUTPUT -m comment --comment "kubernetes service portals" -j KUBE-SERVICES [0:0] -A DOCKER-ISOLATION -j RETURN [0:0] -A KUBE-FIREWALL -m comment --comment "kubernetes firewall for dropping marked packets" -m mark --mark 0x8000/0x8000 -j DROP [2:120] -A cali-FORWARD -i cali+ -m comment --comment "cali:X3vB2lGcBrfkYquC" -j cali-from-wl-dispatch [0:0] -A cali-FORWARD -o cali+ -m comment --comment "cali:UtJ9FnhBnFbyQMvU" -j cali-to-wl-dispatch [0:0] -A cali-FORWARD -i cali+ -m comment --comment "cali:Tt19HcSdA5YIGSsw" -j ACCEPT [0:0] -A cali-FORWARD -o cali+ -m comment --comment "cali:9LzfFCvnpC5_MYXm" -j ACCEPT [0:0] -A cali-FORWARD -m comment --comment "cali:7AofLLOqCM5j36rM" -j MARK --set-xmark 0x0/0xe000000 [0:0] -A cali-FORWARD -m comment --comment "cali:QM1_joSl7tL76Az7" -m mark --mark 0x0/0x1000000 -j cali-from-host-endpoint [0:0] -A cali-FORWARD -m comment --comment "cali:C1QSog3bk0AykjAO" -j cali-to-host-endpoint [0:0] -A cali-FORWARD -m comment --comment "cali:DmFiPAmzcisqZcvo" -m comment --comment "Host endpoint policy accepted packet." -m mark --mark 0x1000000/0x1000000 -j ACCEPT [0:0] -A cali-INPUT -m comment --comment "cali:i7okJZpS8VxaJB3n" -m mark --mark 0x1000000/0x1000000 -j ACCEPT [0:0] -A cali-INPUT -p ipencap -m comment --comment "cali:p8Wwvr6qydjU36AQ" -m comment --comment "Drop IPIP packets from non-Calico hosts" -m set ! --match-set cali4-all-hosts src -j DROP [0:0] -A cali-INPUT -i cali+ -m comment --comment "cali:QZT4Ptg57_76nGng" -g cali-wl-to-host [321:64145] -A cali-INPUT -m comment --comment "cali:V0Veitpvpl5h1xwi" -j MARK --set-xmark 0x0/0xf000000 [321:64145] -A cali-INPUT -m comment --comment "cali:3R1g0cpvSoBlKzVr" -j cali-from-host-endpoint [0:0] -A cali-INPUT -m comment --comment "cali:efXx-pqD4s60WsDL" -m comment --comment "Host endpoint policy accepted packet." -m mark --mark 0x1000000/0x1000000 -j ACCEPT [0:0] -A cali-OUTPUT -m comment --comment "cali:YQSSJIsRcHjFbXaI" -m mark --mark 0x1000000/0x1000000 -j ACCEPT [0:0] -A cali-OUTPUT -o cali+ -m comment --comment "cali:KRjBsKsBcFBYKCEw" -j RETURN [301:25688] -A cali-OUTPUT -m comment --comment "cali:3VKAQBcyUUW5kS_j" -j MARK --set-xmark 0x0/0xf000000 [301:25688] -A cali-OUTPUT -m comment --comment "cali:Z1mBCSH1XHM6qq0k" -j cali-to-host-endpoint [0:0] -A cali-OUTPUT -m comment --comment "cali:N0jyWt2RfBedKw3L" -m comment --comment "Host endpoint policy accepted packet." -m mark --mark 0x1000000/0x1000000 -j ACCEPT [0:0] -A cali-failsafe-in -p tcp -m comment --comment "cali:wWFQM43tJU7wwnFZ" -m multiport --dports 22 -j ACCEPT [0:0] -A cali-failsafe-in -p udp -m comment --comment "cali:LwNV--R8MjeUYacw" -m multiport --dports 68 -j ACCEPT [0:0] -A cali-failsafe-out -p tcp -m comment --comment "cali:73bZKoyDfOpFwC2T" -m multiport --dports 2379 -j ACCEPT [0:0] -A cali-failsafe-out -p tcp -m comment --comment "cali:QMFuWo6o-d9yOpNm" -m multiport --dports 2380 -j ACCEPT [0:0] -A cali-failsafe-out -p tcp -m comment --comment "cali:Kup7QkrsdmfGX0uL" -m multiport --dports 4001 -j ACCEPT [0:0] -A cali-failsafe-out -p tcp -m comment --comment "cali:xYYr5PEqDf_Pqfkv" -m multiport --dports 7001 -j ACCEPT [0:0] -A cali-failsafe-out -p udp -m comment --comment "cali:nbWBvu4OtudVY60Q" -m multiport --dports 53 -j ACCEPT [0:0] -A cali-failsafe-out -p udp -m comment --comment "cali:UxFu5cDK5En6dT3Y" -m multiport --dports 67 -j ACCEPT [0:0] -A cali-from-wl-dispatch -i calibc29c0f7c1e -m comment --comment "cali:oLY0FlLFpRRWe7TV" -g cali-fw-calibc29c0f7c1e [0:0] -A cali-from-wl-dispatch -i calic51e6ca5ae9 -m comment --comment "cali:7c4appHDiYxbWdet" -g cali-fw-calic51e6ca5ae9 [2:120] -A cali-from-wl-dispatch -i calie92fdc10b25 -m comment --comment "cali:rYNHSfcybVQ0vqqn" -g cali-fw-calie92fdc10b25 [0:0] -A cali-from-wl-dispatch -m comment --comment "cali:s65p5SmrBNnrySI3" -m comment --comment "Unknown interface" -j DROP [0:0] -A cali-fw-calibc29c0f7c1e -m comment --comment "cali:rmX1z_3E2tMlU32e" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT [0:0] -A cali-fw-calibc29c0f7c1e -m comment --comment "cali:Ur88K7kVlGCxG-q0" -m conntrack --ctstate INVALID -j DROP [0:0] -A cali-fw-calibc29c0f7c1e -m comment --comment "cali:WNGMYDA7o9uGq0qH" -j MARK --set-xmark 0x0/0x1000000 [0:0] -A cali-fw-calibc29c0f7c1e -m comment --comment "cali:6QtVUC8pBKITentV" -j cali-pro-k8s_ns.policy-demo [0:0] -A cali-fw-calibc29c0f7c1e -m comment --comment "cali:DXjz3qmkMqTkw9T5" -m comment --comment "Return if profile accepted" -m mark --mark 0x1000000/0x1000000 -j RETURN [0:0] -A cali-fw-calibc29c0f7c1e -m comment --comment "cali:TvQKCbVLLQXE-djH" -m comment --comment "Drop if no profiles matched" -j DROP [0:0] -A cali-fw-calic51e6ca5ae9 -m comment --comment "cali:iNXU4Sor6-DObF2g" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT [0:0] -A cali-fw-calic51e6ca5ae9 -m comment --comment "cali:VkAIbnosR6CMgAr2" -m conntrack --ctstate INVALID -j DROP [0:0] -A cali-fw-calic51e6ca5ae9 -m comment --comment "cali:yfOQ6g75bUXoBew8" -j MARK --set-xmark 0x0/0x1000000 [0:0] -A cali-fw-calic51e6ca5ae9 -m comment --comment "cali:1qx6EzTXkzEQNu3k" -m comment --comment "Start of policies" -j MARK --set-xmark 0x0/0x2000000 [0:0] -A cali-fw-calic51e6ca5ae9 -m comment --comment "cali:N4Fts12Sj0ARwoLF" -m mark --mark 0x0/0x2000000 -j cali-po-___yCYWiB-B993Gu4WEv [0:0] -A cali-fw-calic51e6ca5ae9 -m comment --comment "cali:BIrYYV1z1C0b_F3I" -m comment --comment "Return if policy accepted" -m mark --mark 0x1000000/0x1000000 -j RETURN [0:0] -A cali-fw-calic51e6ca5ae9 -m comment --comment "cali:8yWR5O2rYzYXWaiW" -m mark --mark 0x0/0x2000000 -j cali-po-_l2a5_DDU8iKXgoc8Dav [0:0] -A cali-fw-calic51e6ca5ae9 -m comment --comment "cali:cNmrOxtrbW4Mkw5U" -m comment --comment "Return if policy accepted" -m mark --mark 0x1000000/0x1000000 -j RETURN [0:0] -A cali-fw-calic51e6ca5ae9 -m comment --comment "cali:subA5-q_4TXaFj4q" -m comment --comment "Drop if no policies passed packet" -m mark --mark 0x0/0x2000000 -j DROP [0:0] -A cali-fw-calic51e6ca5ae9 -m comment --comment "cali:wGvDRdISUiU_cX87" -j cali-pro-_tk1llJHCZICMNyE70e [0:0] -A cali-fw-calic51e6ca5ae9 -m comment --comment "cali:bnHsuIJP1-XpZ4aw" -m comment --comment "Return if profile accepted" -m mark --mark 0x1000000/0x1000000 -j RETURN [0:0] -A cali-fw-calic51e6ca5ae9 -m comment --comment "cali:nC2oAyn5s-uyvUib" -m comment --comment "Drop if no profiles matched" -j DROP [0:0] -A cali-fw-calie92fdc10b25 -m comment --comment "cali:pSCIqspnVDBf7hGk" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT [0:0] -A cali-fw-calie92fdc10b25 -m comment --comment "cali:EhTaM9Rxoxl2uSad" -m conntrack --ctstate INVALID -j DROP [2:120] -A cali-fw-calie92fdc10b25 -m comment --comment "cali:4u-sTsnqBLWyRpFC" -j MARK --set-xmark 0x0/0x1000000 [2:120] -A cali-fw-calie92fdc10b25 -m comment --comment "cali:m422t1Iou9wmjOCq" -m comment --comment "Start of policies" -j MARK --set-xmark 0x0/0x2000000 [2:120] -A cali-fw-calie92fdc10b25 -m comment --comment "cali:NkAxzlsTyQyrrhok" -m mark --mark 0x0/0x2000000 -j cali-po-___yCYWiB-B993Gu4WEv [0:0] -A cali-fw-calie92fdc10b25 -m comment --comment "cali:6p5HleEImtZq9F8E" -m comment --comment "Return if policy accepted" -m mark --mark 0x1000000/0x1000000 -j RETURN [2:120] -A cali-fw-calie92fdc10b25 -m comment --comment "cali:N0PR-8MPmpYJXBNx" -m mark --mark 0x0/0x2000000 -j cali-po-_l2a5_DDU8iKXgoc8Dav [0:0] -A cali-fw-calie92fdc10b25 -m comment --comment "cali:_OjkWEV9T0HKMMpe" -m comment --comment "Return if policy accepted" -m mark --mark 0x1000000/0x1000000 -j RETURN [0:0] -A cali-fw-calie92fdc10b25 -m comment --comment "cali:MO8C6efUQBICwKzq" -m comment --comment "Drop if no policies passed packet" -m mark --mark 0x0/0x2000000 -j DROP [0:0] -A cali-fw-calie92fdc10b25 -m comment --comment "cali:WjuBWESenYnZFVaa" -j cali-pro-_tk1llJHCZICMNyE70e [0:0] -A cali-fw-calie92fdc10b25 -m comment --comment "cali:lJorvDbycWqoTawL" -m comment --comment "Return if profile accepted" -m mark --mark 0x1000000/0x1000000 -j RETURN [0:0] -A cali-fw-calie92fdc10b25 -m comment --comment "cali:-t0WRZeqZI6aq_16" -m comment --comment "Drop if no profiles matched" -j DROP [0:0] -A cali-pi-_64M-5B68oqchsNt4uhf -m comment --comment "cali:kZzWM4wu2A_MNzjD" -m set --match-set cali4-s:gxS8LG7f_uNZgHQicxHv4ZZ src -j MARK --set-xmark 0x1000000/0x1000000 [0:0] -A cali-pi-_64M-5B68oqchsNt4uhf -m comment --comment "cali:768dLuyEVulGo8ic" -m mark --mark 0x1000000/0x1000000 -j RETURN [0:0] -A cali-pi-__T3ATnucaLN6MO6Ylzt -m comment --comment "cali:GHMZgPTpJifAihZL" -m set --match-set cali4-s:uK4R6n61sYuSXSz0NO3eBIb src -j MARK --set-xmark 0x1000000/0x1000000 [0:0] -A cali-pi-__T3ATnucaLN6MO6Ylzt -m comment --comment "cali:eWnp_i9lBIZf0kOY" -m mark --mark 0x1000000/0x1000000 -j RETURN [0:0] -A cali-po-_64M-5B68oqchsNt4uhf -m comment --comment "cali:rONaEGCIlAThXmCx" -j MARK --set-xmark 0x1000000/0x1000000 [0:0] -A cali-po-_64M-5B68oqchsNt4uhf -m comment --comment "cali:6ZZDbfW6wBYlUzlH" -m mark --mark 0x1000000/0x1000000 -j RETURN [0:0] -A cali-po-_AxB3YUE-4H-l6eiKn2A -m comment --comment "cali:2uleSazbQ2zD9raA" -j MARK --set-xmark 0x1000000/0x1000000 [0:0] -A cali-po-_AxB3YUE-4H-l6eiKn2A -m comment --comment "cali:QEKJNrc6DP-fQATr" -m mark --mark 0x1000000/0x1000000 -j RETURN [0:0] -A cali-po-__T3ATnucaLN6MO6Ylzt -m comment --comment "cali:_-KckRY4CWKvzav2" -j MARK --set-xmark 0x1000000/0x1000000 [0:0] -A cali-po-__T3ATnucaLN6MO6Ylzt -m comment --comment "cali:frewaRvKX-8sTWQU" -m mark --mark 0x1000000/0x1000000 -j RETURN [0:0] -A cali-po-___yCYWiB-B993Gu4WEv -p udp -m comment --comment "cali:K2GXbGck6EILwWI0" -m set --match-set cali4-s:byS7HoDNre4fq8pZwcx7DNw dst -m multiport --dports 53 -j MARK --set-xmark 0x1000000/0x1000000 [0:0] -A cali-po-___yCYWiB-B993Gu4WEv -m comment --comment "cali:RaPSGvkArZ3TpmR8" -m mark --mark 0x1000000/0x1000000 -j RETURN [2:120] -A cali-po-_l2a5_DDU8iKXgoc8Dav -m comment --comment "cali:WXDWSDmbDYSTHADG" -m set ! --match-set cali4-s:uK4R6n61sYuSXSz0NO3eBIb dst -j DROP [0:0] -A cali-po-_ra3L4iuMubRbHLb1U1T -m comment --comment "cali:8lgrYdXxMDekJ-eU" -j MARK --set-xmark 0x1000000/0x1000000 [0:0] -A cali-po-_ra3L4iuMubRbHLb1U1T -m comment --comment "cali:MHmc2tLR3L3nCKNW" -m mark --mark 0x1000000/0x1000000 -j RETURN [0:0] -A cali-pri-_tk1llJHCZICMNyE70e -m comment --comment "cali:F03K5DrFckQiSZB_" -j MARK --set-xmark 0x1000000/0x1000000 [0:0] -A cali-pri-_tk1llJHCZICMNyE70e -m comment --comment "cali:EkNutwOSM13x4Cpe" -m mark --mark 0x1000000/0x1000000 -j RETURN [0:0] -A cali-pri-k8s_ns.policy-demo -m comment --comment "cali:5nyf8MMoCxgM28um" -j MARK --set-xmark 0x1000000/0x1000000 [0:0] -A cali-pri-k8s_ns.policy-demo -m comment --comment "cali:E10GJziRtyf1bgdO" -m mark --mark 0x1000000/0x1000000 -j RETURN [0:0] -A cali-pro-_tk1llJHCZICMNyE70e -m comment --comment "cali:5qqhq7grInz-dcex" -j MARK --set-xmark 0x1000000/0x1000000 [0:0] -A cali-pro-_tk1llJHCZICMNyE70e -m comment --comment "cali:RMqn785Q9jyS2e2o" -m mark --mark 0x1000000/0x1000000 -j RETURN [0:0] -A cali-pro-k8s_ns.policy-demo -m comment --comment "cali:gWOIaukdJxJtEFRR" -j MARK --set-xmark 0x1000000/0x1000000 [0:0] -A cali-pro-k8s_ns.policy-demo -m comment --comment "cali:joKnmX34K7aMT0zl" -m mark --mark 0x1000000/0x1000000 -j RETURN [0:0] -A cali-to-wl-dispatch -o calibc29c0f7c1e -m comment --comment "cali:vG4l9PEYrh6wEYPn" -g cali-tw-calibc29c0f7c1e [0:0] -A cali-to-wl-dispatch -o calic51e6ca5ae9 -m comment --comment "cali:0QkiQNgeUPPzkscV" -g cali-tw-calic51e6ca5ae9 [0:0] -A cali-to-wl-dispatch -o calie92fdc10b25 -m comment --comment "cali:vRLxOvRUWYlOakUu" -g cali-tw-calie92fdc10b25 [0:0] -A cali-to-wl-dispatch -m comment --comment "cali:_KBS7t1VmTWUFEpN" -m comment --comment "Unknown interface" -j DROP [0:0] -A cali-tw-calibc29c0f7c1e -m comment --comment "cali:lm95Up-DMsPrvApL" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT [0:0] -A cali-tw-calibc29c0f7c1e -m comment --comment "cali:AfjOxyNCQwwPPhUm" -m conntrack --ctstate INVALID -j DROP [0:0] -A cali-tw-calibc29c0f7c1e -m comment --comment "cali:AjJqVuTAlTfYK6kK" -j MARK --set-xmark 0x0/0x1000000 [0:0] -A cali-tw-calibc29c0f7c1e -m comment --comment "cali:A1QwT3I1ymWsz3_4" -m comment --comment "Start of policies" -j MARK --set-xmark 0x0/0x2000000 [0:0] -A cali-tw-calibc29c0f7c1e -m comment --comment "cali:QZUtpvIVDz_miVwQ" -m mark --mark 0x0/0x2000000 -j cali-pi-_64M-5B68oqchsNt4uhf [0:0] -A cali-tw-calibc29c0f7c1e -m comment --comment "cali:Nog7Hsgz-9ywOs-E" -m comment --comment "Return if policy accepted" -m mark --mark 0x1000000/0x1000000 -j RETURN [0:0] -A cali-tw-calibc29c0f7c1e -m comment --comment "cali:j6Z-so0KacOjzSHo" -m mark --mark 0x0/0x2000000 -j cali-pi-_AxB3YUE-4H-l6eiKn2A [0:0] -A cali-tw-calibc29c0f7c1e -m comment --comment "cali:ZD0XRMBHNpIB2VzW" -m comment --comment "Return if policy accepted" -m mark --mark 0x1000000/0x1000000 -j RETURN [0:0] -A cali-tw-calibc29c0f7c1e -m comment --comment "cali:j0OnY-GrBH3Ke5C0" -m comment --comment "Drop if no policies passed packet" -m mark --mark 0x0/0x2000000 -j DROP [0:0] -A cali-tw-calibc29c0f7c1e -m comment --comment "cali:Jf4cHYb2U3uwe1QW" -j cali-pri-k8s_ns.policy-demo [0:0] -A cali-tw-calibc29c0f7c1e -m comment --comment "cali:Dmvl1g-xnf4CVOcQ" -m comment --comment "Return if profile accepted" -m mark --mark 0x1000000/0x1000000 -j RETURN [0:0] -A cali-tw-calibc29c0f7c1e -m comment --comment "cali:AjAidTKu85FHIZIU" -m comment --comment "Drop if no profiles matched" -j DROP [0:0] -A cali-tw-calic51e6ca5ae9 -m comment --comment "cali:kmHl1l2MavbrKt5e" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT [0:0] -A cali-tw-calic51e6ca5ae9 -m comment --comment "cali:mvk4aBbx9ooKMZT2" -m conntrack --ctstate INVALID -j DROP [0:0] -A cali-tw-calic51e6ca5ae9 -m comment --comment "cali:aG6Zm10AFhXwSBbU" -j MARK --set-xmark 0x0/0x1000000 [0:0] -A cali-tw-calic51e6ca5ae9 -m comment --comment "cali:eoNTT2mvrl1Yy7W1" -m comment --comment "Start of policies" -j MARK --set-xmark 0x0/0x2000000 [0:0] -A cali-tw-calic51e6ca5ae9 -m comment --comment "cali:2Gcwl7sE2gu6s-2D" -m mark --mark 0x0/0x2000000 -j cali-pi-__T3ATnucaLN6MO6Ylzt [0:0] -A cali-tw-calic51e6ca5ae9 -m comment --comment "cali:mFh4bmrOy80v0fkM" -m comment --comment "Return if policy accepted" -m mark --mark 0x1000000/0x1000000 -j RETURN [0:0] -A cali-tw-calic51e6ca5ae9 -m comment --comment "cali:aT2TECK97SVFO-y-" -m mark --mark 0x0/0x2000000 -j cali-pi-_ra3L4iuMubRbHLb1U1T [0:0] -A cali-tw-calic51e6ca5ae9 -m comment --comment "cali:ermsZba3s4-LOI1K" -m comment --comment "Return if policy accepted" -m mark --mark 0x1000000/0x1000000 -j RETURN [0:0] -A cali-tw-calic51e6ca5ae9 -m comment --comment "cali:Anad2Q0yeSscjGtD" -m comment --comment "Drop if no policies passed packet" -m mark --mark 0x0/0x2000000 -j DROP [0:0] -A cali-tw-calic51e6ca5ae9 -m comment --comment "cali:6u9-bX-wqW_W4t7f" -j cali-pri-_tk1llJHCZICMNyE70e [0:0] -A cali-tw-calic51e6ca5ae9 -m comment --comment "cali:LY8f_3B2L9dbQ-Ie" -m comment --comment "Return if profile accepted" -m mark --mark 0x1000000/0x1000000 -j RETURN [0:0] -A cali-tw-calic51e6ca5ae9 -m comment --comment "cali:ur8hb9ZIWque4PG6" -m comment --comment "Drop if no profiles matched" -j DROP [0:0] -A cali-tw-calie92fdc10b25 -m comment --comment "cali:6VQWfFWjNKtde1dt" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT [0:0] -A cali-tw-calie92fdc10b25 -m comment --comment "cali:sZUXRuRLVPpmz6O0" -m conntrack --ctstate INVALID -j DROP [0:0] -A cali-tw-calie92fdc10b25 -m comment --comment "cali:M8HniCDkBMMg90an" -j MARK --set-xmark 0x0/0x1000000 [0:0] -A cali-tw-calie92fdc10b25 -m comment --comment "cali:UO1F0sZC4tGt1mN6" -m comment --comment "Start of policies" -j MARK --set-xmark 0x0/0x2000000 [0:0] -A cali-tw-calie92fdc10b25 -m comment --comment "cali:gBBVS5v9b3kVxnsU" -m mark --mark 0x0/0x2000000 -j cali-pi-_ra3L4iuMubRbHLb1U1T [0:0] -A cali-tw-calie92fdc10b25 -m comment --comment "cali:BNGQXlOSFax2kkPN" -m comment --comment "Return if policy accepted" -m mark --mark 0x1000000/0x1000000 -j RETURN [0:0] -A cali-tw-calie92fdc10b25 -m comment --comment "cali:o8JA4mIfcwDUArmq" -m comment --comment "Drop if no policies passed packet" -m mark --mark 0x0/0x2000000 -j DROP [0:0] -A cali-tw-calie92fdc10b25 -m comment --comment "cali:UIl0ggbYCXYr08S4" -j cali-pri-_tk1llJHCZICMNyE70e [0:0] -A cali-tw-calie92fdc10b25 -m comment --comment "cali:7a97phGf6BLqRiDs" -m comment --comment "Return if profile accepted" -m mark --mark 0x1000000/0x1000000 -j RETURN [0:0] -A cali-tw-calie92fdc10b25 -m comment --comment "cali:EvEp9x4MG4kKfxA0" -m comment --comment "Drop if no profiles matched" -j DROP [0:0] -A cali-wl-to-host -m comment --comment "cali:Ee9Sbo10IpVujdIY" -j cali-from-wl-dispatch [0:0] -A cali-wl-to-host -m comment --comment "cali:nSZbcOoG1xPONxb8" -m comment --comment "Configured DefaultEndpointToHostAction" -j ACCEPT COMMIT # Completed on Mon Sep 25 15:09:06 2017 ```

caseydavenport commented 7 years ago

I think this is occurring because of the new types field and how it behaves.

In previous versions of the demo, the policy controller programmed egress "allow" rules which allowed all egress traffic. That's why the demo included a "deny all traffic leaving the namespace" rule to override that behavior.

Given that those egress rules are no longer taking affect because of the types: [ingress] part of the policy, the "deny all traffic leaving the namespace" rule should probably instead be a allow traffic within the namespace rule.

e.g.

- apiVersion: v1
  kind: policy
  metadata:
    name: advanced-policy-demo.deny-egress
  spec:
    egress:
    - action: allow
      destination:
        selector: calico/k8s_ns == 'advanced-policy-demo'
      source: {}
    order: 500
    selector: calico/k8s_ns == 'advanced-policy-demo'
    types:
    - egress

@tmjd could you try that instead and see if the demo behaves as expected?

tmjd commented 7 years ago

So switching the 'deny-egress' policy to that does seem to work. I can now reach the nginx service but cannot ping google.com.

caseydavenport commented 7 years ago

We'll need to release note this behavior change in big red letters.

This is the right behavior - what was there before was a workaround for missing Ingress/Egress types support.

caseydavenport commented 7 years ago

Actions:

Include a release note
Update the demo to use the new policy above.

@tmjd are you OK handling the latter?

tmjd commented 7 years ago

Fixed by #1133

projectcalico / calico