weaveworks / weave

Simple, resilient multi-host containers networking and more.
https://www.weave.works
Apache License 2.0

Shorewall + weave = issues #3751

Open koying opened 4 years ago

koying commented 4 years ago

There are some issues using weave on k8s together with shorewall. I understand my setup is a playground, and k8s shouldn't be installed on bare metal with a firewall, so this is for reference in case someone else stumbles on those issues, really.

1) If the "iface" extension is installed on the node, shorewall uses it, but the weave pod doesn't have it, resulting in Can't find library for match 'iface'
2) weave does an iptables -A INPUT -i weave -j WEAVE-NPC-EGRESS, resulting in the rule ending up after the reject from shorewall, i.e.

Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    KUBE-FIREWALL  all  --  anywhere             anywhere
2    KUBE-SERVICES  all  --  anywhere             anywhere             ctstate NEW /* kubernetes service portals */
3    KUBE-EXTERNAL-SERVICES  all  --  anywhere             anywhere             ctstate NEW /* kubernetes externally-visible service portals */
[zone related rules]
12   ACCEPT     all  --  anywhere             anywhere
13   Reject     all  --  anywhere             anywhere
14   LOG        all  --  anywhere             anywhere             LOG level info prefix "Shorewall:INPUT:REJECT:"
15   reject     all  --  anywhere             anywhere            [goto]
16   WEAVE-NPC-EGRESS  all  --  anywhere             anywhere

Solutions:
1) I ended up removing the extension from my system. Shorewall seems fine without it.
2) I manually add an iptables -I INPUT 4 -i weave -j WEAVE-NPC-EGRESS to duplicate the rule before the reject
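The ordering problem in point 2 can be checked mechanically before touching the chain. The script below is an added example, not code from the issue or from weave: it reads an iptables -S INPUT listing, finds the position of the -i weave -j WEAVE-NPC-EGRESS jump and of the first catch-all REJECT/DROP rule, and reports whether the weave jump is shadowed. The sample listing is constructed to mirror the chain posted above (zone chain names and interfaces are made up), and Shorewall's Reject/reject chains are assumed to behave as terminating rejects, as the issue describes. The printed fix inserts the jump just before the catch-all reject rather than at the fixed position 4 used above.

```shell
#!/bin/sh
# Added example (not from the issue or from weave): detect a shadowed
# WEAVE-NPC-EGRESS jump in the INPUT chain from `iptables -S INPUT` output.

# Constructed sample in `iptables -S INPUT` form, modelled on the listing in
# the issue. Zone chain name (net-fw) and interfaces are invented.
SAMPLE_INPUT_CHAIN='-P INPUT DROP
-A INPUT -j KUBE-FIREWALL
-A INPUT -m conntrack --ctstate NEW -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A INPUT -m conntrack --ctstate NEW -m comment --comment "kubernetes externally-visible service portals" -j KUBE-EXTERNAL-SERVICES
-A INPUT -i eth0 -j net-fw
-A INPUT -i lo -j ACCEPT
-A INPUT -j Reject
-A INPUT -j LOG --log-prefix "Shorewall:INPUT:REJECT:" --log-level 6
-A INPUT -g reject
-A INPUT -i weave -j WEAVE-NPC-EGRESS'

# Print the 1-based position in INPUT of the first rule matching the extended
# regex in $1. Rules are the `-A INPUT` lines, in order. Prints nothing if absent.
rule_position() {
    awk -v pat="$1" '
        /^-A INPUT / { n++; if ($0 ~ pat) { print n; exit } }
    '
}

# First catch-all terminating rule: no match criteria, jump (-j) or goto (-g)
# to REJECT/DROP. Shorewall's Reject and reject chains end in REJECT, so they
# are treated as terminating here (assumption made for this example).
terminating_position() {
    rule_position '^-A INPUT -[jg] (REJECT|DROP|[Rr]eject)$'
}

weave_position() {
    rule_position '^-A INPUT -i weave -j WEAVE-NPC-EGRESS$'
}

# Reads an `iptables -S INPUT` listing on stdin and prints one of:
#   missing      no weave jump in the chain at all
#   ok           the weave jump is reached before any catch-all reject
#   shadowed N   the weave jump sits after a catch-all reject at position N
check_weave_jump() {
    listing=$(cat)
    w=$(printf '%s\n' "$listing" | weave_position)
    t=$(printf '%s\n' "$listing" | terminating_position)
    if [ -z "$w" ]; then
        echo missing
    elif [ -z "$t" ] || [ "$w" -lt "$t" ]; then
        echo ok
    else
        echo "shadowed $t"
    fi
}

# Print the insert command that places a copy of the jump just before the
# catch-all reject (same effect as the -I INPUT 4 workaround in the issue,
# but with the position derived from the live chain).
fix_command() {
    result=$(check_weave_jump)
    case "$result" in
        shadowed*) echo "iptables -I INPUT ${result#shadowed } -i weave -j WEAVE-NPC-EGRESS" ;;
        *) echo "no change needed: $result" ;;
    esac
}

# Run against the constructed sample; on a real node use: iptables -S INPUT | check_weave_jump
printf '%s\n' "$SAMPLE_INPUT_CHAIN" | check_weave_jump
printf '%s\n' "$SAMPLE_INPUT_CHAIN" | fix_command
```

The check only considers an unconditional reject as shadowing; a reject restricted by -i, -s or -p earlier in the chain is not counted, so it should be read alongside the full listing. Parsing -S rather than -L is deliberate: without -v, -L hides the in-interface, so the ACCEPT and reject rows in the issue's listing cannot be told apart from interface-specific ones.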

bboreham commented 4 years ago

I'm not sure what to do with this. Generally where two or more pieces of software are trying to manipulate the same iptables chains they run into trouble.

If there is an API for shorewall this could be a feature request to use that API. Or perhaps shorewall defines chains which can be used to add rules without fighting.

#3586 is related

And I didn't follow your point 1 about "iface" at all. What is it an extension to?

koying commented 4 years ago

> And I didn't follow your point 1 about "iface" at all. What is it an extension to?

It's xt_iface.ko from xtables-addons