Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

FLANNEL-FWD and FLANNEL-POSTRTG chains not recreated after firewalld restart #1668

Closed
wheatevo opened this issue Oct 28, 2022 · 1 comment · Fixed by #1669
Closed

FLANNEL-FWD and FLANNEL-POSTRTG chains not recreated after firewalld restart #1668

wheatevo opened this issue Oct 28, 2022 · 1 comment · Fixed by #1669

Comments

@wheatevo
Copy link
Contributor

wheatevo commented Oct 28, 2022
edited
Loading

Expected Behavior

The FLANNEL-FWD and FLANNEL-POSTRTG chains should be recreated if missing within the SetupAndEnsureIP4Tables and SetupAndEnsureIP6Tables loops.

flannel/network/iptables.go

Lines 251 to 258 in 4586e91

for {
// Ensure that all the iptables rules exist every 5 seconds
if err := ensureIPTables(ipt, iptRestore, rules); err != nil {
log.Errorf("Failed to ensure iptables rules: %v", err)
}
time.Sleep(time.Duration(resyncPeriod) * time.Second)
}

flannel/network/iptables.go

Lines 288 to 295 in 4586e91

for {
// Ensure that all the iptables rules exist every 5 seconds
if err := ensureIPTables(ipt, iptRestore, rules); err != nil {
log.Errorf("Failed to ensure iptables rules: %v", err)
}
time.Sleep(time.Duration(resyncPeriod) * time.Second)
}

Current Behavior

On Oracle Linux 7 with firewalld installed, the FLANNEL-FWD and FLANNEL-POSTRTG chains are dropped if the firewalld service is restarted.

Error messages

E1027 16:19:08.773196       1 iptables.go:254] Failed to ensure iptables rules: error checking rule existence: failed to check rule existence: running [/sbin/iptables -t filter -C FORWARD -m comment --comment flanneld forward -j FLANNEL-FWD --wait]: exit status 2: iptables v1.8.6 (legacy): Couldn't load target `FLANNEL-FWD':No such file or directory

E1027 16:19:08.936329       1 iptables.go:254] Failed to ensure iptables rules: error checking rule existence: failed to check rule existence: running [/sbin/iptables -t nat -C POSTROUTING -m comment --comment flanneld masq -j FLANNEL-POSTRTG --wait]: exit status 2: iptables v1.8.6 (legacy): Couldn't load target `FLANNEL-POSTRTG':No such file or directory

flannel/network/iptables.go

Line 169 in 4586e91

return false, fmt.Errorf("failed to check rule existence: %v", err)

Possible Solution

May be able to add a check within ipTablesRulesExist for the chain or add handling for Couldn't load target .... No such file or directory errors.

Steps to Reproduce (for bugs)

  1. Create a new Oracle Linux 7/CentOS 7 instance with firewalld running.
  2. Start Flannel v0.20.0
  3. Verify the FLANNEL-FWD and FLANNEL-POSTRTG chains exist
  4. Restart firewalld
  5. Verify the FLANNEL-FWD and FLANNEL-POSTRTG chains do not exist
  6. Errors should occur within the logs at this point

Context

We are currently attempting to upgrade to Flannel 0.20.0 in our Kubernetes environment.

The change that renamed the chains was introduced in #1650.

Your Environment

  • Flannel version: 0.20.0
  • Backend used (e.g. vxlan or udp): Wireguard
  • Etcd version: 3.4.13
  • Kubernetes version (if used): 1.21.5
  • Operating System and version: Oracle Linux 7.9
  • Link to your project (optional):
@rbrtbnfgl
Copy link
Contributor

Hi @wheatevo thanks for the report.
I am working on a patch to fix this.

@rbrtbnfgl rbrtbnfgl mentioned this issue Oct 31, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Added check to ensure the iptables chain rbrtbnfgl/flannel
2 participants
@rbrtbnfgl @wheatevo