Add WireGuard to the firewall rules documentation #27170
joestringer commented Jul 31, 2023
- docs: Word-wrap firewall section
- docs: Add WireGuard into the firewall rules
/test
Thanks!
Nice catch, thank you for adding this! I think there are a couple of changes we could make to add more context to this.
- If WireGuard is enabled with tunnel mode, do users need to open firewall rules for VXLAN/Geneve and WireGuard, or just WireGuard, since packets bypass the VXLAN/Geneve tunnels when WireGuard is enabled? If users only need to open a port for WireGuard, can we add a statement saying so?
- If users need to open ports for WireGuard and VXLAN/Geneve, can we move the information for WireGuard into its own paragraph, similar to IPSec?
@brb can you help to answer the above questions?
It's a bit tricky, as it depends on the encryption mode.
TL;DR with the node encryption enabled, there is no need to open ports for the VXLAN/Geneve tunnels.
This just makes it easier for editing. No changes. Signed-off-by: Joe Stringer <joe@cilium.io>
Signed-off-by: Joe Stringer <joe@cilium.io>
ca36c98 to 0bcf37e
/test
Looks great! Thanks!