A very recent change modified the input iptables rules. However, this resulted in an unfortunate situation.
The felix rules ("INPUT -j felix-INPUT", "FORWARD -j felix-FORWARD") are inserted at the top of the chain, preempting any rules that were set before it. Later in the felix input rule, there is this:

    -A felix-INPUT -m conntrack --ctstate INVALID -j DROP
    -A felix-INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A felix-INPUT -d 127.0.0.1/32 -i tap+ -p tcp -m tcp --dport 8775 -j ACCEPT
    -A felix-INPUT -i tap+ -p udp -m udp --sport 68 --dport 67 -j ACCEPT
    -A felix-INPUT -i tap+ -j DROP

This basically means any previous allow rules on the input chain from the VMs are disregarded. This is a problem for us as we run some services locally on the hypervisors that the VMs need to be able to talk to. While this was sort of the case with the forward chain before, it was generally fine, since the outbound security policy was respected (which for most cases is allow).

Is there a way to get the felix-INPUT (and maybe the felix-FORWARD) jumps to be inserted further down the list (although putting it way down at the bottom wouldn't work for us as we have a debug log for the catch-all policy drop there)? Or can you think of another solution?
_______________________________________________ calico-tech mailing list calico-tech@lists.projectcalico.org http://lists.projectcalico.org/listinfo/calico-tech
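Added example, not part of the message above and not Calico/Felix code: a minimal first-match evaluator for the quoted felix-INPUT chain, used to show why a VM-to-hypervisor allow rule is never reached when the "INPUT -j felix-INPUT" jump sits at the top of INPUT, and is reached when the jump is inserted after it. The hypervisor-local service port (5000), interface names and addresses are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional, Set

@dataclass
class Pkt:                       # only the packet fields the quoted rules match on
    iface: str; proto: str; dport: int; sport: int; ctstate: str; dst: str

@dataclass
class Rule:
    target: str                  # ACCEPT, DROP, or the name of a user chain to jump into
    iface: Optional[str] = None  # "tap+" is a prefix wildcard, as in iptables -i tap+
    proto: Optional[str] = None
    dport: Optional[int] = None
    sport: Optional[int] = None
    ctstate: Optional[Set[str]] = None   # -m conntrack --ctstate A,B
    dst: Optional[str] = None            # -d host/32

def matches(r: Rule, p: Pkt) -> bool:
    if r.iface is not None:
        if r.iface.endswith("+"):
            if not p.iface.startswith(r.iface[:-1]): return False
        elif p.iface != r.iface: return False
    for f in ("proto", "dport", "sport", "dst"):
        if getattr(r, f) is not None and getattr(r, f) != getattr(p, f): return False
    return r.ctstate is None or p.ctstate in r.ctstate

def verdict(chains, chain: str, p: Pkt) -> Optional[str]:
    """Walk a chain top to bottom; the first terminating match wins (iptables semantics).
    A jump into a user chain that falls off its end returns here and the walk continues."""
    for r in chains[chain]:
        if not matches(r, p): continue
        if r.target in ("ACCEPT", "DROP"): return r.target
        v = verdict(chains, r.target, p)
        if v: return v
    return None                  # nothing matched: the chain's policy decides

FELIX_INPUT = [                  # felix-INPUT as quoted in the message
    Rule("DROP", ctstate={"INVALID"}),
    Rule("ACCEPT", ctstate={"RELATED", "ESTABLISHED"}),
    Rule("ACCEPT", iface="tap+", proto="tcp", dport=8775, dst="127.0.0.1"),
    Rule("ACCEPT", iface="tap+", proto="udp", sport=68, dport=67),
    Rule("DROP", iface="tap+"),
]
# Constructed operator rule: VMs may reach a hypervisor-local service on tcp/5000 (assumed port).
LOCAL_ALLOW = Rule("ACCEPT", iface="tap+", proto="tcp", dport=5000)

def input_verdict(jump_at_top: bool, p: Pkt) -> Optional[str]:
    inp = [Rule("felix-INPUT"), LOCAL_ALLOW] if jump_at_top else [LOCAL_ALLOW, Rule("felix-INPUT")]
    return verdict({"INPUT": inp, "felix-INPUT": FELIX_INPUT}, "INPUT", p)

# Constructed sample: a new connection from a VM's tap interface to the local service.
VM_TO_LOCAL = Pkt("tap1a2b3c", "tcp", 5000, 43210, "NEW", "10.0.0.1")
```

With the jump at the top, `input_verdict(True, VM_TO_LOCAL)` is "DROP" from the final `-i tap+ -j DROP`; with the jump after the local allow it is "ACCEPT". Traffic that felix-INPUT does not match (for example from a non-tap interface) falls back out of the user chain and is still evaluated against the remaining INPUT rules and policy.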