Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bridge to Netfilter / IPTables #16

Closed
jhunt opened this issue Jul 13, 2019 · 0 comments
Closed

Bridge to Netfilter / IPTables #16

jhunt opened this issue Jul 13, 2019 · 0 comments
Assignees
@jhunt

Comments

@jhunt
Copy link
Owner

jhunt commented Jul 13, 2019

Ran into this issue this morning, with a tinynetes: coredns/coredns#1879 and kubernetes/kubernetes#21613.

We were in fact bypassing netfilter for bridged traffic, causing our DNS responses to come directly from the pod IP, and not get mangled to "originate" from the service IP for DNS.

Fixed it with the following:

# modprobe br_netfilter

Afterwards, the sysctl were set (automagically):

k8s/08ea6ac6-9e85-44d6-81be-0dc94c73ddd7:~# sysctl -a | grep nf-call
net.bridge.bridge-nf-call-arptables = 1
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1

but we could be forgiven for manually setting those.
@jhunt jhunt closed this as completed in caf98fc Jul 14, 2019
@jhunt jhunt self-assigned this Jul 14, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jhunt jhunt

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@jhunt