Weave Net iptables rules disappear on firewalld reload

[JoostvdB94]

enhancement

What you expected to happen?

Persistent firewall settings, even after firewalld reload

What happened?

Weave chains & rules in IPTABLES (on a specific node) disappear when reloading the firewall on that node. Kubernetes and docker rules are coming back, although they seem to disappear too after a reload of firewalld.

How to reproduce it?

• Rollout (or use a existing) kubernetes cluster (mine is on-premise, using kubeadm init)
• (Start firewalld if not already running)
• run systemctl reload firewalld (or use another tool to do this e.g. firewall-cmd --reload)
• Check IPTABLES filter rules iptables -L -v -n -t filter --line-numbers

See that WEAVE-NPC-EGRESS WEAVE-NPC and all linked chains have disappeared.

Anything else we need to know?

Using Weave as CNI for kubernetes, running version 2.5.0

Versions:

$ weave version 2.5.0
$ docker version 17.03
$ uname -a 
Linux ---- 3.10.0-693.21.1.el7.x86_64 #1 SMP Wed Mar 7 19:03:37 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
$ kubectl version 
Client Version: version.Info{Major:"1", Minor:"12", GitVersion:"v1.12.2", GitCommit:"17c77c7898218073f14c8d573582e8d2313dc740", GitTreeState:"clean", BuildDate:"2018-10-24T06:54:59Z", GoVersion:"go1.10.4", Compiler:"gc", Platform:"linux/amd64"}

[bboreham]

Related: #2208, #3106

[bboreham]

I changed the title because I think it's better to have it describe the problem rather than a potential solution. Docker has code to react to firewalld reload. This might be easier to implement than a full reconcile (or let us poll more slowly if we do do a reconcile).

[bboreham]

3802 has addressed the iptables rules used by the "router" part, but the "npc" (Network Policy Controller) remains to do.

A possible work-around is to configure Weave Net to run with no network policies.