Open koying opened 4 years ago
I'm not sure what to do with this. Generally where two or more pieces of software are trying to manipulate the same iptables chains they run into trouble.
If there is an API for shorewall this could be a feature request to use that API. Or perhaps shorewall defines chains which can be used to add rules without fighting.
And I didn't follow your point 1 about "iface" at all. What is it an extension to?
It's xt_iface.ko from xtables-addons
There are some issues using weave on k8s together with shorewall. I understand my setup is a playground, and k8s shouldn't be installed on bare metal with a firewall, so this is for reference in case someone else stumbles on those issues, really.
1) if the "iface" extension is installed on the node, shorewall uses it, but the weave pod doesn't have it, resulting in
Can't find library for match 'iface'
2) weave does a
iptables -A INPUT -i weave -j WEAVE-NPC-EGRESS
, resulting in the rule ending up after the reject from shorewall, i.e.
Solutions:
1) I ended up removing the extension from my system. Shorewall seems fine without it.
2) I manually add a
iptables -I INPUT 4 -i weave -j WEAVE-NPC-EGRESS
to duplicate the rule before the reject
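As an added example (not code from this issue, from weave or from Shorewall), a small POSIX shell check over the text of `iptables -S INPUT` that reports whether weave's INPUT jump is reachable and which rule number `-I INPUT <n>` needs so it lands ahead of the first rejecting rule. It assumes a `-j` target of REJECT/DROP, or Shorewall's lowercase `reject` chain, is the terminating rule; both sample chains are constructed.

```shell
#!/bin/sh
# Added example, not code from the issue, weave or Shorewall. Parses the text of
# `iptables -S INPUT` (pass "$(iptables -S INPUT)" on a real node). Assumption:
# a -j target of REJECT/DROP, or Shorewall's lowercase "reject" chain, terminates.

# Constructed sample mirroring the issue: weave appended its rule after the reject.
SAMPLE_BROKEN='-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -j net-fw
-A INPUT -j reject
-A INPUT -i weave -j WEAVE-NPC-EGRESS'

# Constructed sample after `iptables -I INPUT 4 -i weave -j WEAVE-NPC-EGRESS`.
SAMPLE_FIXED='-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -j net-fw
-A INPUT -i weave -j WEAVE-NPC-EGRESS
-A INPUT -j reject
-A INPUT -i weave -j WEAVE-NPC-EGRESS'

# scan_input_chain RULES MODE: prints the 1-based INPUT rule number of the first
# "-i weave -j WEAVE-NPC-EGRESS" rule (MODE=weave) or of the first terminating
# rule (MODE=reject); 0 when not found.
scan_input_chain() {
    printf '%s\n' "$1" | awk -v mode="$2" '
        /^-A INPUT / {
            n++
            target = ""
            for (i = 1; i <= NF; i++) if ($i == "-j") target = $(i + 1)
            if (!weave && $0 ~ /-i weave / && target == "WEAVE-NPC-EGRESS") weave = n
            t = tolower(target)
            if (!reject && (t == "reject" || t == "drop")) reject = n
        }
        END { pos = (mode == "weave") ? weave : reject; print pos + 0 }'
}

# Exit 0 if the weave jump is reachable (no terminating rule ahead of it),
# 1 if an earlier reject/drop shadows it, 2 if the jump is missing entirely.
weave_jump_reachable() {
    w=$(scan_input_chain "$1" weave)
    r=$(scan_input_chain "$1" reject)
    [ "$w" -eq 0 ] && return 2
    [ "$r" -eq 0 ] || [ "$w" -lt "$r" ]
}

# Rule number for `iptables -I INPUT <n> ...` so the jump lands before the first
# terminating rule (0 means none exists and a plain -A is already reachable).
weave_insert_position() { scan_input_chain "$1" reject; }
weave_jump_reachable "$SAMPLE_BROKEN" || echo "shadowed: insert at $(weave_insert_position "$SAMPLE_BROKEN")"
```

On a live node the same check runs as `weave_jump_reachable "$(iptables -S INPUT)"`, which is a cheap thing to re-run after a Shorewall reload, since a reload rewrites the chain and can push weave's appended rule back behind the reject.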