diff --git a/calico-cloud/reference/component-resources/node/felix/configuration.mdx b/calico-cloud/reference/component-resources/node/felix/configuration.mdx index da0c43dc32..90afa5fa0a 100644 --- a/calico-cloud/reference/component-resources/node/felix/configuration.mdx +++ b/calico-cloud/reference/component-resources/node/felix/configuration.mdx 
@@ -56,8 +56,8 @@ The full list of parameters which can be set is as follows. | `EndpointReportingDelaySecs` | `FELIX_ENDPOINTREPORTINGDELAYSECS` | Set the endpoint reporting delay between status check intervals, in seconds. Only used if endpoint reporting is enabled. [Default: `1`] | int | | `EndpointReportingEnabled` | `FELIX_ENDPOINTREPORTINGENABLED` | Enable the endpoint status reporter. [Default: `false`] | boolean | | `ExternalNodesCIDRList` | `FELIX_EXTERNALNODESCIDRLIST` | Comma-delimited list of IPv4 or CIDR of external-non-calico-nodes from which IPIP traffic is accepted by calico-nodes. [Default: ""] | string | -| `FailsafeInboundHostPorts` | `FELIX_FAILSAFEINBOUNDHOSTPORTS` | Comma-delimited list of UDP/TCP/SCTP ports and CIDRs that Felix will allow incoming traffic to host endpoints on irrespective of the security policy. This is useful to avoid accidentally cutting off a host with incorrect configuration. For backwards compatibility, if the protocol is not specified, it defaults to "tcp". If a CIDR is not specified, it will allow traffic from all addresses. To disable all inbound host ports, use the value `none`. The default value allows ssh access, DHCP, BGP, etcd and the Kubernetes API. [Default: `tcp:22, udp:68, tcp:179, tcp:2379, tcp:2380, tcp:5473, tcp:6443, tcp:6666, tcp:6667`] | string | -| `FailsafeOutboundHostPorts` | `FELIX_FAILSAFEOUTBOUNDHOSTPORTS` | Comma-delimited list of UDP/TCP/SCTP ports and CIDRs that Felix will allow outgoing traffic from host endpoints to irrespective of the security policy. This is useful to avoid accidentally cutting off a host with incorrect configuration. For backwards compatibility, if the protocol is not specified, it defaults to "tcp". If a CIDR is not specified, it will allow traffic from all addresses. To disable all outbound host ports, use the value `none`. 
The default value opens etcd's standard ports to ensure that Felix does not get cut off from etcd as well as allowing DHCP, DNS, BGP and the Kubernetes API. [Default: `udp:53, udp:67, tcp:179, tcp:2379, tcp:2380, tcp:5473, tcp:6443, tcp:6666, tcp:6667`] | string | +| `FailsafeInboundHostPorts` | `FELIX_FAILSAFEINBOUNDHOSTPORTS` | List of PortProto struct objects including UDP/TCP/SCTP ports and CIDRs that Felix will allow incoming traffic to host endpoints on irrespective of the security policy. This is useful to avoid accidentally cutting off a host with incorrect configuration. For backwards compatibility, if the protocol is not specified, it defaults to `"tcp"`. If a CIDR is not specified, it will allow traffic from all addresses. To disable all inbound host ports, use the value `[]`. The default value allows ssh access, DHCP, BGP, etcd and the Kubernetes API. [Default: `[{"port":22,"protocol":"tcp"},{"port":68,"protocol":"udp"},{"port":179,"protocol":"tcp"},{"port":2379,"protocol":"tcp"}, {"port":2380,"protocol":"tcp"}, {"port":5473,"protocol":"tcp"}, {"port":6443,"protocol":"tcp"}, {"port":6666,"protocol":"tcp"}, {"port":6667,"protocol":"tcp"}]`] | list | +| `FailsafeOutboundHostPorts` | `FELIX_FAILSAFEOUTBOUNDHOSTPORTS` | List of PortProto struct objects including UDP/TCP/SCTP ports and CIDRs that Felix will allow outgoing traffic from host endpoints to irrespective of the security policy. This is useful to avoid accidentally cutting off a host with incorrect configuration. For backwards compatibility, if the protocol is not specified, it defaults to `"tcp"`. If a CIDR is not specified, it will allow traffic from all addresses. To disable all outbound host ports, use the value `[]`. The default value opens etcd's standard ports to ensure that Felix does not get cut off from etcd as well as allowing DHCP, DNS, BGP and the Kubernetes API. 
[Default: `[{"port":53,"protocol":"udp"},{"port":67,"protocol":"udp"}, {"port":179,"protocol":"tcp"}, {"port":2379,"protocol":"tcp"}, {"port":2380,"protocol":"tcp"}, {"port":5473,"protocol":"tcp"}, {"port":6443,"protocol":"tcp"}, {"port": 6666,"protocol":"tcp"}, {"port":6667,"protocol":"tcp"}]`] | list | | | `FelixHostname` | `FELIX_FELIXHOSTNAME` | The hostname Felix reports to the plugin. Should be used if the hostname Felix autodetects is incorrect or does not match what the plugin will expect. [Default: `socket.gethostname()`] | string | | `HealthEnabled` | `FELIX_HEALTHENABLED` | When enabled, exposes felix health information via an http endpoint. | boolean | | `HealthHost` | `FELIX_HEALTHHOST` | The address on which Felix will respond to health requests. [Default: `localhost`] | string | diff --git a/calico-cloud/reference/host-endpoints/failsafe.mdx b/calico-cloud/reference/host-endpoints/failsafe.mdx index 102a260e79..f866e551e1 100644 --- a/calico-cloud/reference/host-endpoints/failsafe.mdx +++ b/calico-cloud/reference/host-endpoints/failsafe.mdx @@ -23,7 +23,7 @@ The lists of failsafe ports can be configured via the configuration parameters `FailsafeInboundHostPorts` and `FailsafeOutboundHostPorts` described in [Configuring Felix](../component-resources/node/felix/configuration.mdx) . They -can be disabled by setting each configuration value to "none". +can be disabled by setting each configuration value to "[]". :::note diff --git a/calico-cloud/reference/resources/felixconfig.mdx b/calico-cloud/reference/resources/felixconfig.mdx index 6edf2f0b4e..5c98f4552f 100644 --- a/calico-cloud/reference/resources/felixconfig.mdx +++ b/calico-cloud/reference/resources/felixconfig.mdx 
@@ -264,6 +264,25 @@ A timeout value of 0 disables the timeout. | protocol | The protocol match | tcp, udp, sctp | string | | net | The CIDR match | any valid CIDR (e.g. 192.168.0.0/16) | string | +Keep in mind that in the following example, `net: ""` and `net: "0.0.0.0/0"` are processed as the same in the policy enforcement. + +```yaml noValidation + ... +spec: + failsafeInboundHostPorts: + - net: "192.168.1.1/32" + port: 22 + protocol: tcp + - net: "" + port: 67 + protocol: udp +failsafeOutboundHostPorts: + - net: "0.0.0.0/0" + port: 67 + protocol: udp + ... +``` + ### AggregationKind | Value | Description | diff --git a/calico-cloud_versioned_docs/version-19-1/reference/host-endpoints/failsafe.mdx b/calico-cloud_versioned_docs/version-19-1/reference/host-endpoints/failsafe.mdx index 102a260e79..f866e551e1 100644 --- a/calico-cloud_versioned_docs/version-19-1/reference/host-endpoints/failsafe.mdx +++ b/calico-cloud_versioned_docs/version-19-1/reference/host-endpoints/failsafe.mdx @@ -23,7 +23,7 @@ The lists of failsafe ports can be configured via the configuration parameters `FailsafeInboundHostPorts` and `FailsafeOutboundHostPorts` described in [Configuring Felix](../component-resources/node/felix/configuration.mdx) . They -can be disabled by setting each configuration value to "none". +can be disabled by setting each configuration value to "[]". :::note diff --git a/calico-cloud_versioned_docs/version-19-1/reference/resources/felixconfig.mdx b/calico-cloud_versioned_docs/version-19-1/reference/resources/felixconfig.mdx index 6edf2f0b4e..5c98f4552f 100644 --- a/calico-cloud_versioned_docs/version-19-1/reference/resources/felixconfig.mdx +++ b/calico-cloud_versioned_docs/version-19-1/reference/resources/felixconfig.mdx 
@@ -264,6 +264,25 @@ A timeout value of 0 disables the timeout. | protocol | The protocol match | tcp, udp, sctp | string | | net | The CIDR match | any valid CIDR (e.g. 192.168.0.0/16) | string | +Keep in mind that in the following example, `net: ""` and `net: "0.0.0.0/0"` are processed as the same in the policy enforcement. + +```yaml noValidation + ... +spec: + failsafeInboundHostPorts: + - net: "192.168.1.1/32" + port: 22 + protocol: tcp + - net: "" + port: 67 + protocol: udp +failsafeOutboundHostPorts: + - net: "0.0.0.0/0" + port: 67 + protocol: udp + ... +``` + ### AggregationKind | Value | Description | diff --git a/calico-enterprise/reference/host-endpoints/failsafe.mdx b/calico-enterprise/reference/host-endpoints/failsafe.mdx index 102a260e79..f866e551e1 100644 --- a/calico-enterprise/reference/host-endpoints/failsafe.mdx +++ b/calico-enterprise/reference/host-endpoints/failsafe.mdx @@ -23,7 +23,7 @@ The lists of failsafe ports can be configured via the configuration parameters `FailsafeInboundHostPorts` and `FailsafeOutboundHostPorts` described in [Configuring Felix](../component-resources/node/felix/configuration.mdx) . They -can be disabled by setting each configuration value to "none". +can be disabled by setting each configuration value to "[]". :::note diff --git a/calico-enterprise/reference/resources/felixconfig.mdx b/calico-enterprise/reference/resources/felixconfig.mdx index 29d64b15b4..c7e2e80db8 100644 --- a/calico-enterprise/reference/resources/felixconfig.mdx +++ b/calico-enterprise/reference/resources/felixconfig.mdx 
@@ -267,6 +267,25 @@ A timeout value of 0 disables the timeout. | protocol | The protocol match | tcp, udp, sctp | string | | net | The CIDR match | any valid CIDR (e.g. 192.168.0.0/16) | string | +Keep in mind that in the following example, `net: ""` and `net: "0.0.0.0/0"` are processed as the same in the policy enforcement. + +```yaml noValidation + ... +spec: + failsafeInboundHostPorts: + - net: "192.168.1.1/32" + port: 22 + protocol: tcp + - net: "" + port: 67 + protocol: udp +failsafeOutboundHostPorts: + - net: "0.0.0.0/0" + port: 67 + protocol: udp + ... +``` + ### AggregationKind | Value | Description | diff --git a/calico-enterprise_versioned_docs/version-3.16/reference/component-resources/node/felix/configuration.mdx b/calico-enterprise_versioned_docs/version-3.16/reference/component-resources/node/felix/configuration.mdx index 8f78e7dcb3..d8db7a9ebb 100644 --- a/calico-enterprise_versioned_docs/version-3.16/reference/component-resources/node/felix/configuration.mdx +++ b/calico-enterprise_versioned_docs/version-3.16/reference/component-resources/node/felix/configuration.mdx 
@@ -56,8 +56,8 @@ The full list of parameters which can be set is as follows. | `EndpointReportingDelaySecs` | `FELIX_ENDPOINTREPORTINGDELAYSECS` | Set the endpoint reporting delay between status check intervals, in seconds. Only used if endpoint reporting is enabled. [Default: `1`] | int | | `EndpointReportingEnabled` | `FELIX_ENDPOINTREPORTINGENABLED` | Enable the endpoint status reporter. [Default: `false`] | boolean | | `ExternalNodesCIDRList` | `FELIX_EXTERNALNODESCIDRLIST` | Comma-delimited list of IPv4 or CIDR of external-non-calico-nodes from which IPIP traffic is accepted by calico-nodes. [Default: ""] | string | -| `FailsafeInboundHostPorts` | `FELIX_FAILSAFEINBOUNDHOSTPORTS` | Comma-delimited list of UDP/TCP/SCTP ports and CIDRs that Felix will allow incoming traffic to host endpoints on irrespective of the security policy. This is useful to avoid accidentally cutting off a host with incorrect configuration. For backwards compatibility, if the protocol is not specified, it defaults to "tcp". If a CIDR is not specified, it will allow traffic from all addresses. To disable all inbound host ports, use the value `none`. The default value allows ssh access, DHCP, BGP, etcd and the Kubernetes API. [Default: `tcp:22, udp:68, tcp:179, tcp:2379, tcp:2380, tcp:5473, tcp:6443, tcp:6666, tcp:6667`] | string | -| `FailsafeOutboundHostPorts` | `FELIX_FAILSAFEOUTBOUNDHOSTPORTS` | Comma-delimited list of UDP/TCP/SCTP ports and CIDRs that Felix will allow outgoing traffic from host endpoints to irrespective of the security policy. This is useful to avoid accidentally cutting off a host with incorrect configuration. For backwards compatibility, if the protocol is not specified, it defaults to "tcp". If a CIDR is not specified, it will allow traffic from all addresses. To disable all outbound host ports, use the value `none`. 
The default value opens etcd's standard ports to ensure that Felix does not get cut off from etcd as well as allowing DHCP, DNS, BGP and the Kubernetes API. [Default: `udp:53, udp:67, tcp:179, tcp:2379, tcp:2380, tcp:5473, tcp:6443, tcp:6666, tcp:6667`] | string | +| `FailsafeInboundHostPorts` | `FELIX_FAILSAFEINBOUNDHOSTPORTS` | List of PortProto struct objects including UDP/TCP/SCTP ports and CIDRs that Felix will allow incoming traffic to host endpoints on irrespective of the security policy. This is useful to avoid accidentally cutting off a host with incorrect configuration. For backwards compatibility, if the protocol is not specified, it defaults to `"tcp"`. If a CIDR is not specified, it will allow traffic from all addresses. To disable all inbound host ports, use the value `[]`. The default value allows ssh access, DHCP, BGP, etcd and the Kubernetes API. [Default: `[{"port":22,"protocol":"tcp"},{"port":68,"protocol":"udp"},{"port":179,"protocol":"tcp"},{"port":2379,"protocol":"tcp"}, {"port":2380,"protocol":"tcp"}, {"port":5473,"protocol":"tcp"}, {"port":6443,"protocol":"tcp"}, {"port":6666,"protocol":"tcp"}, {"port":6667,"protocol":"tcp"}]`] | list | +| `FailsafeOutboundHostPorts` | `FELIX_FAILSAFEOUTBOUNDHOSTPORTS` | List of PortProto struct objects including UDP/TCP/SCTP ports and CIDRs that Felix will allow outgoing traffic from host endpoints to irrespective of the security policy. This is useful to avoid accidentally cutting off a host with incorrect configuration. For backwards compatibility, if the protocol is not specified, it defaults to `"tcp"`. If a CIDR is not specified, it will allow traffic from all addresses. To disable all outbound host ports, use the value `[]`. The default value opens etcd's standard ports to ensure that Felix does not get cut off from etcd as well as allowing DHCP, DNS, BGP and the Kubernetes API. 
[Default: `[{"port":53,"protocol":"udp"},{"port":67,"protocol":"udp"}, {"port":179,"protocol":"tcp"}, {"port":2379,"protocol":"tcp"}, {"port":2380,"protocol":"tcp"}, {"port":5473,"protocol":"tcp"}, {"port":6443,"protocol":"tcp"}, {"port": 6666,"protocol":"tcp"}, {"port":6667,"protocol":"tcp"}]`] | list | | | `FelixHostname` | `FELIX_FELIXHOSTNAME` | The hostname Felix reports to the plugin. Should be used if the hostname Felix autodetects is incorrect or does not match what the plugin will expect. [Default: `socket.gethostname()`] | string | | `HealthEnabled` | `FELIX_HEALTHENABLED` | When enabled, exposes felix health information via an http endpoint. | boolean | | `HealthHost` | `FELIX_HEALTHHOST` | The address on which Felix will respond to health requests. [Default: `localhost`] | string | diff --git a/calico-enterprise_versioned_docs/version-3.16/reference/host-endpoints/failsafe.mdx b/calico-enterprise_versioned_docs/version-3.16/reference/host-endpoints/failsafe.mdx index 102a260e79..f866e551e1 100644 --- a/calico-enterprise_versioned_docs/version-3.16/reference/host-endpoints/failsafe.mdx +++ b/calico-enterprise_versioned_docs/version-3.16/reference/host-endpoints/failsafe.mdx @@ -23,7 +23,7 @@ The lists of failsafe ports can be configured via the configuration parameters `FailsafeInboundHostPorts` and `FailsafeOutboundHostPorts` described in [Configuring Felix](../component-resources/node/felix/configuration.mdx) . They -can be disabled by setting each configuration value to "none". +can be disabled by setting each configuration value to "[]". :::note diff --git a/calico-enterprise_versioned_docs/version-3.16/reference/resources/felixconfig.mdx b/calico-enterprise_versioned_docs/version-3.16/reference/resources/felixconfig.mdx index fe70b750d0..d6a6f44a0a 100644 --- a/calico-enterprise_versioned_docs/version-3.16/reference/resources/felixconfig.mdx +++ b/calico-enterprise_versioned_docs/version-3.16/reference/resources/felixconfig.mdx 
@@ -262,6 +262,25 @@ A timeout value of 0 disables the timeout. | protocol | The protocol match | tcp, udp, sctp | string | | net | The CIDR match | any valid CIDR (e.g. 192.168.0.0/16) | string | +Keep in mind that in the following example, `net: ""` and `net: "0.0.0.0/0"` are processed as the same in the policy enforcement. + +```yaml noValidation + ... +spec: + failsafeInboundHostPorts: + - net: "192.168.1.1/32" + port: 22 + protocol: tcp + - net: "" + port: 67 + protocol: udp +failsafeOutboundHostPorts: + - net: "0.0.0.0/0" + port: 67 + protocol: udp + ... +``` + ### AggregationKind | Value | Description | diff --git a/calico-enterprise_versioned_docs/version-3.17/reference/host-endpoints/failsafe.mdx b/calico-enterprise_versioned_docs/version-3.17/reference/host-endpoints/failsafe.mdx index 102a260e79..f866e551e1 100644 --- a/calico-enterprise_versioned_docs/version-3.17/reference/host-endpoints/failsafe.mdx +++ b/calico-enterprise_versioned_docs/version-3.17/reference/host-endpoints/failsafe.mdx @@ -23,7 +23,7 @@ The lists of failsafe ports can be configured via the configuration parameters `FailsafeInboundHostPorts` and `FailsafeOutboundHostPorts` described in [Configuring Felix](../component-resources/node/felix/configuration.mdx) . They -can be disabled by setting each configuration value to "none". +can be disabled by setting each configuration value to "[]". :::note diff --git a/calico-enterprise_versioned_docs/version-3.17/reference/resources/felixconfig.mdx b/calico-enterprise_versioned_docs/version-3.17/reference/resources/felixconfig.mdx index e591b404dd..847d868088 100644 --- a/calico-enterprise_versioned_docs/version-3.17/reference/resources/felixconfig.mdx +++ b/calico-enterprise_versioned_docs/version-3.17/reference/resources/felixconfig.mdx 
@@ -262,6 +262,25 @@ A timeout value of 0 disables the timeout. | protocol | The protocol match | tcp, udp, sctp | string | | net | The CIDR match | any valid CIDR (e.g. 192.168.0.0/16) | string | +Keep in mind that in the following example, `net: ""` and `net: "0.0.0.0/0"` are processed as the same in the policy enforcement. + +```yaml noValidation + ... +spec: + failsafeInboundHostPorts: + - net: "192.168.1.1/32" + port: 22 + protocol: tcp + - net: "" + port: 67 + protocol: udp +failsafeOutboundHostPorts: + - net: "0.0.0.0/0" + port: 67 + protocol: udp + ... +``` + ### AggregationKind | Value | Description | diff --git a/calico-enterprise_versioned_docs/version-3.18-2/reference/component-resources/node/felix/configuration.mdx b/calico-enterprise_versioned_docs/version-3.18-2/reference/component-resources/node/felix/configuration.mdx index 8727eeba55..00dcbb6b3a 100644 --- a/calico-enterprise_versioned_docs/version-3.18-2/reference/component-resources/node/felix/configuration.mdx +++ b/calico-enterprise_versioned_docs/version-3.18-2/reference/component-resources/node/felix/configuration.mdx 
@@ -56,8 +56,8 @@ The full list of parameters which can be set is as follows. | `EndpointReportingDelaySecs` | `FELIX_ENDPOINTREPORTINGDELAYSECS` | Set the endpoint reporting delay between status check intervals, in seconds. Only used if endpoint reporting is enabled. [Default: `1`] | int | | `EndpointReportingEnabled` | `FELIX_ENDPOINTREPORTINGENABLED` | Enable the endpoint status reporter. [Default: `false`] | boolean | | `ExternalNodesCIDRList` | `FELIX_EXTERNALNODESCIDRLIST` | Comma-delimited list of IPv4 or CIDR of external-non-calico-nodes from which IPIP traffic is accepted by calico-nodes. [Default: ""] | string | -| `FailsafeInboundHostPorts` | `FELIX_FAILSAFEINBOUNDHOSTPORTS` | Comma-delimited list of UDP/TCP/SCTP ports and CIDRs that Felix will allow incoming traffic to host endpoints on irrespective of the security policy. This is useful to avoid accidentally cutting off a host with incorrect configuration. For backwards compatibility, if the protocol is not specified, it defaults to "tcp". If a CIDR is not specified, it will allow traffic from all addresses. To disable all inbound host ports, use the value `none`. The default value allows ssh access, DHCP, BGP, etcd and the Kubernetes API. [Default: `tcp:22, udp:68, tcp:179, tcp:2379, tcp:2380, tcp:5473, tcp:6443, tcp:6666, tcp:6667`] | string | -| `FailsafeOutboundHostPorts` | `FELIX_FAILSAFEOUTBOUNDHOSTPORTS` | Comma-delimited list of UDP/TCP/SCTP ports and CIDRs that Felix will allow outgoing traffic from host endpoints to irrespective of the security policy. This is useful to avoid accidentally cutting off a host with incorrect configuration. For backwards compatibility, if the protocol is not specified, it defaults to "tcp". If a CIDR is not specified, it will allow traffic from all addresses. To disable all outbound host ports, use the value `none`. 
The default value opens etcd's standard ports to ensure that Felix does not get cut off from etcd as well as allowing DHCP, DNS, BGP and the Kubernetes API. [Default: `udp:53, udp:67, tcp:179, tcp:2379, tcp:2380, tcp:5473, tcp:6443, tcp:6666, tcp:6667`] | string | +| `FailsafeInboundHostPorts` | `FELIX_FAILSAFEINBOUNDHOSTPORTS` | List of PortProto struct objects including UDP/TCP/SCTP ports and CIDRs that Felix will allow incoming traffic to host endpoints on irrespective of the security policy. This is useful to avoid accidentally cutting off a host with incorrect configuration. For backwards compatibility, if the protocol is not specified, it defaults to `"tcp"`. If a CIDR is not specified, it will allow traffic from all addresses. To disable all inbound host ports, use the value `[]`. The default value allows ssh access, DHCP, BGP, etcd and the Kubernetes API. [Default: `[{"port":22,"protocol":"tcp"},{"port":68,"protocol":"udp"},{"port":179,"protocol":"tcp"},{"port":2379,"protocol":"tcp"}, {"port":2380,"protocol":"tcp"}, {"port":5473,"protocol":"tcp"}, {"port":6443,"protocol":"tcp"}, {"port":6666,"protocol":"tcp"}, {"port":6667,"protocol":"tcp"}]`] | list | +| `FailsafeOutboundHostPorts` | `FELIX_FAILSAFEOUTBOUNDHOSTPORTS` | List of PortProto struct objects including UDP/TCP/SCTP ports and CIDRs that Felix will allow outgoing traffic from host endpoints to irrespective of the security policy. This is useful to avoid accidentally cutting off a host with incorrect configuration. For backwards compatibility, if the protocol is not specified, it defaults to `"tcp"`. If a CIDR is not specified, it will allow traffic from all addresses. To disable all outbound host ports, use the value `[]`. The default value opens etcd's standard ports to ensure that Felix does not get cut off from etcd as well as allowing DHCP, DNS, BGP and the Kubernetes API. 
[Default: `[{"port":53,"protocol":"udp"},{"port":67,"protocol":"udp"}, {"port":179,"protocol":"tcp"}, {"port":2379,"protocol":"tcp"}, {"port":2380,"protocol":"tcp"}, {"port":5473,"protocol":"tcp"}, {"port":6443,"protocol":"tcp"}, {"port": 6666,"protocol":"tcp"}, {"port":6667,"protocol":"tcp"}]`] | list | | | `FelixHostname` | `FELIX_FELIXHOSTNAME` | The hostname Felix reports to the plugin. Should be used if the hostname Felix autodetects is incorrect or does not match what the plugin will expect. [Default: `socket.gethostname()`] | string | | `HealthEnabled` | `FELIX_HEALTHENABLED` | When enabled, exposes felix health information via an http endpoint. | boolean | | `HealthHost` | `FELIX_HEALTHHOST` | The address on which Felix will respond to health requests. [Default: `localhost`] | string | diff --git a/calico-enterprise_versioned_docs/version-3.18-2/reference/host-endpoints/failsafe.mdx b/calico-enterprise_versioned_docs/version-3.18-2/reference/host-endpoints/failsafe.mdx index 102a260e79..f866e551e1 100644 --- a/calico-enterprise_versioned_docs/version-3.18-2/reference/host-endpoints/failsafe.mdx +++ b/calico-enterprise_versioned_docs/version-3.18-2/reference/host-endpoints/failsafe.mdx @@ -23,7 +23,7 @@ The lists of failsafe ports can be configured via the configuration parameters `FailsafeInboundHostPorts` and `FailsafeOutboundHostPorts` described in [Configuring Felix](../component-resources/node/felix/configuration.mdx) . They -can be disabled by setting each configuration value to "none". +can be disabled by setting each configuration value to "[]". :::note diff --git a/calico-enterprise_versioned_docs/version-3.18-2/reference/resources/felixconfig.mdx b/calico-enterprise_versioned_docs/version-3.18-2/reference/resources/felixconfig.mdx index 3652527699..25514884be 100644 --- a/calico-enterprise_versioned_docs/version-3.18-2/reference/resources/felixconfig.mdx +++ b/calico-enterprise_versioned_docs/version-3.18-2/reference/resources/felixconfig.mdx 
@@ -265,6 +265,25 @@ A timeout value of 0 disables the timeout. | protocol | The protocol match | tcp, udp, sctp | string | | net | The CIDR match | any valid CIDR (e.g. 192.168.0.0/16) | string | +Keep in mind that in the following example, `net: ""` and `net: "0.0.0.0/0"` are processed as the same in the policy enforcement. + +```yaml noValidation + ... +spec: + failsafeInboundHostPorts: + - net: "192.168.1.1/32" + port: 22 + protocol: tcp + - net: "" + port: 67 + protocol: udp +failsafeOutboundHostPorts: + - net: "0.0.0.0/0" + port: 67 + protocol: udp + ... +``` + ### AggregationKind | Value | Description | diff --git a/calico-enterprise_versioned_docs/version-3.18/reference/component-resources/node/felix/configuration.mdx b/calico-enterprise_versioned_docs/version-3.18/reference/component-resources/node/felix/configuration.mdx index 8727eeba55..00dcbb6b3a 100644 --- a/calico-enterprise_versioned_docs/version-3.18/reference/component-resources/node/felix/configuration.mdx +++ b/calico-enterprise_versioned_docs/version-3.18/reference/component-resources/node/felix/configuration.mdx 
@@ -56,8 +56,8 @@ The full list of parameters which can be set is as follows. | `EndpointReportingDelaySecs` | `FELIX_ENDPOINTREPORTINGDELAYSECS` | Set the endpoint reporting delay between status check intervals, in seconds. Only used if endpoint reporting is enabled. [Default: `1`] | int | | `EndpointReportingEnabled` | `FELIX_ENDPOINTREPORTINGENABLED` | Enable the endpoint status reporter. [Default: `false`] | boolean | | `ExternalNodesCIDRList` | `FELIX_EXTERNALNODESCIDRLIST` | Comma-delimited list of IPv4 or CIDR of external-non-calico-nodes from which IPIP traffic is accepted by calico-nodes. [Default: ""] | string | -| `FailsafeInboundHostPorts` | `FELIX_FAILSAFEINBOUNDHOSTPORTS` | Comma-delimited list of UDP/TCP/SCTP ports and CIDRs that Felix will allow incoming traffic to host endpoints on irrespective of the security policy. This is useful to avoid accidentally cutting off a host with incorrect configuration. For backwards compatibility, if the protocol is not specified, it defaults to "tcp". If a CIDR is not specified, it will allow traffic from all addresses. To disable all inbound host ports, use the value `none`. The default value allows ssh access, DHCP, BGP, etcd and the Kubernetes API. [Default: `tcp:22, udp:68, tcp:179, tcp:2379, tcp:2380, tcp:5473, tcp:6443, tcp:6666, tcp:6667`] | string | -| `FailsafeOutboundHostPorts` | `FELIX_FAILSAFEOUTBOUNDHOSTPORTS` | Comma-delimited list of UDP/TCP/SCTP ports and CIDRs that Felix will allow outgoing traffic from host endpoints to irrespective of the security policy. This is useful to avoid accidentally cutting off a host with incorrect configuration. For backwards compatibility, if the protocol is not specified, it defaults to "tcp". If a CIDR is not specified, it will allow traffic from all addresses. To disable all outbound host ports, use the value `none`. 
The default value opens etcd's standard ports to ensure that Felix does not get cut off from etcd as well as allowing DHCP, DNS, BGP and the Kubernetes API. [Default: `udp:53, udp:67, tcp:179, tcp:2379, tcp:2380, tcp:5473, tcp:6443, tcp:6666, tcp:6667`] | string | +| `FailsafeInboundHostPorts` | `FELIX_FAILSAFEINBOUNDHOSTPORTS` | List of PortProto struct objects including UDP/TCP/SCTP ports and CIDRs that Felix will allow incoming traffic to host endpoints on irrespective of the security policy. This is useful to avoid accidentally cutting off a host with incorrect configuration. For backwards compatibility, if the protocol is not specified, it defaults to `"tcp"`. If a CIDR is not specified, it will allow traffic from all addresses. To disable all inbound host ports, use the value `[]`. The default value allows ssh access, DHCP, BGP, etcd and the Kubernetes API. [Default: `[{"port":22,"protocol":"tcp"},{"port":68,"protocol":"udp"},{"port":179,"protocol":"tcp"},{"port":2379,"protocol":"tcp"}, {"port":2380,"protocol":"tcp"}, {"port":5473,"protocol":"tcp"}, {"port":6443,"protocol":"tcp"}, {"port":6666,"protocol":"tcp"}, {"port":6667,"protocol":"tcp"}]`] | list | +| `FailsafeOutboundHostPorts` | `FELIX_FAILSAFEOUTBOUNDHOSTPORTS` | List of PortProto struct objects including UDP/TCP/SCTP ports and CIDRs that Felix will allow outgoing traffic from host endpoints to irrespective of the security policy. This is useful to avoid accidentally cutting off a host with incorrect configuration. For backwards compatibility, if the protocol is not specified, it defaults to `"tcp"`. If a CIDR is not specified, it will allow traffic from all addresses. To disable all outbound host ports, use the value `[]`. The default value opens etcd's standard ports to ensure that Felix does not get cut off from etcd as well as allowing DHCP, DNS, BGP and the Kubernetes API. 
[Default: `[{"port":53,"protocol":"udp"},{"port":67,"protocol":"udp"}, {"port":179,"protocol":"tcp"}, {"port":2379,"protocol":"tcp"}, {"port":2380,"protocol":"tcp"}, {"port":5473,"protocol":"tcp"}, {"port":6443,"protocol":"tcp"}, {"port": 6666,"protocol":"tcp"}, {"port":6667,"protocol":"tcp"}]`] | list | | | `FelixHostname` | `FELIX_FELIXHOSTNAME` | The hostname Felix reports to the plugin. Should be used if the hostname Felix autodetects is incorrect or does not match what the plugin will expect. [Default: `socket.gethostname()`] | string | | `HealthEnabled` | `FELIX_HEALTHENABLED` | When enabled, exposes felix health information via an http endpoint. | boolean | | `HealthHost` | `FELIX_HEALTHHOST` | The address on which Felix will respond to health requests. [Default: `localhost`] | string | diff --git a/calico-enterprise_versioned_docs/version-3.18/reference/host-endpoints/failsafe.mdx b/calico-enterprise_versioned_docs/version-3.18/reference/host-endpoints/failsafe.mdx index 102a260e79..f866e551e1 100644 --- a/calico-enterprise_versioned_docs/version-3.18/reference/host-endpoints/failsafe.mdx +++ b/calico-enterprise_versioned_docs/version-3.18/reference/host-endpoints/failsafe.mdx @@ -23,7 +23,7 @@ The lists of failsafe ports can be configured via the configuration parameters `FailsafeInboundHostPorts` and `FailsafeOutboundHostPorts` described in [Configuring Felix](../component-resources/node/felix/configuration.mdx) . They -can be disabled by setting each configuration value to "none". +can be disabled by setting each configuration value to "[]". :::note diff --git a/calico-enterprise_versioned_docs/version-3.18/reference/resources/felixconfig.mdx b/calico-enterprise_versioned_docs/version-3.18/reference/resources/felixconfig.mdx index bf80b14784..1919bfd5f3 100644 --- a/calico-enterprise_versioned_docs/version-3.18/reference/resources/felixconfig.mdx +++ b/calico-enterprise_versioned_docs/version-3.18/reference/resources/felixconfig.mdx 
@@ -263,6 +263,25 @@ A timeout value of 0 disables the timeout. | protocol | The protocol match | tcp, udp, sctp | string | | net | The CIDR match | any valid CIDR (e.g. 192.168.0.0/16) | string | +Keep in mind that in the following example, `net: ""` and `net: "0.0.0.0/0"` are processed as the same in the policy enforcement. + +```yaml noValidation + ... +spec: + failsafeInboundHostPorts: + - net: "192.168.1.1/32" + port: 22 + protocol: tcp + - net: "" + port: 67 + protocol: udp +failsafeOutboundHostPorts: + - net: "0.0.0.0/0" + port: 67 + protocol: udp + ... +``` + ### AggregationKind | Value | Description | diff --git a/calico-enterprise_versioned_docs/version-3.19-1/reference/component-resources/node/felix/configuration.mdx b/calico-enterprise_versioned_docs/version-3.19-1/reference/component-resources/node/felix/configuration.mdx index 8727eeba55..00dcbb6b3a 100644 --- a/calico-enterprise_versioned_docs/version-3.19-1/reference/component-resources/node/felix/configuration.mdx +++ b/calico-enterprise_versioned_docs/version-3.19-1/reference/component-resources/node/felix/configuration.mdx 
@@ -56,8 +56,8 @@ The full list of parameters which can be set is as follows. | `EndpointReportingDelaySecs` | `FELIX_ENDPOINTREPORTINGDELAYSECS` | Set the endpoint reporting delay between status check intervals, in seconds. Only used if endpoint reporting is enabled. [Default: `1`] | int | | `EndpointReportingEnabled` | `FELIX_ENDPOINTREPORTINGENABLED` | Enable the endpoint status reporter. [Default: `false`] | boolean | | `ExternalNodesCIDRList` | `FELIX_EXTERNALNODESCIDRLIST` | Comma-delimited list of IPv4 or CIDR of external-non-calico-nodes from which IPIP traffic is accepted by calico-nodes. [Default: ""] | string | -| `FailsafeInboundHostPorts` | `FELIX_FAILSAFEINBOUNDHOSTPORTS` | Comma-delimited list of UDP/TCP/SCTP ports and CIDRs that Felix will allow incoming traffic to host endpoints on irrespective of the security policy. This is useful to avoid accidentally cutting off a host with incorrect configuration. For backwards compatibility, if the protocol is not specified, it defaults to "tcp". If a CIDR is not specified, it will allow traffic from all addresses. To disable all inbound host ports, use the value `none`. The default value allows ssh access, DHCP, BGP, etcd and the Kubernetes API. [Default: `tcp:22, udp:68, tcp:179, tcp:2379, tcp:2380, tcp:5473, tcp:6443, tcp:6666, tcp:6667`] | string | -| `FailsafeOutboundHostPorts` | `FELIX_FAILSAFEOUTBOUNDHOSTPORTS` | Comma-delimited list of UDP/TCP/SCTP ports and CIDRs that Felix will allow outgoing traffic from host endpoints to irrespective of the security policy. This is useful to avoid accidentally cutting off a host with incorrect configuration. For backwards compatibility, if the protocol is not specified, it defaults to "tcp". If a CIDR is not specified, it will allow traffic from all addresses. To disable all outbound host ports, use the value `none`. 
The default value opens etcd's standard ports to ensure that Felix does not get cut off from etcd as well as allowing DHCP, DNS, BGP and the Kubernetes API. [Default: `udp:53, udp:67, tcp:179, tcp:2379, tcp:2380, tcp:5473, tcp:6443, tcp:6666, tcp:6667`] | string | +| `FailsafeInboundHostPorts` | `FELIX_FAILSAFEINBOUNDHOSTPORTS` | List of PortProto struct objects including UDP/TCP/SCTP ports and CIDRs that Felix will allow incoming traffic to host endpoints on irrespective of the security policy. This is useful to avoid accidentally cutting off a host with incorrect configuration. For backwards compatibility, if the protocol is not specified, it defaults to `"tcp"`. If a CIDR is not specified, it will allow traffic from all addresses. To disable all inbound host ports, use the value `[]`. The default value allows ssh access, DHCP, BGP, etcd and the Kubernetes API. [Default: `[{"port":22,"protocol":"tcp"},{"port":68,"protocol":"udp"},{"port":179,"protocol":"tcp"},{"port":2379,"protocol":"tcp"}, {"port":2380,"protocol":"tcp"}, {"port":5473,"protocol":"tcp"}, {"port":6443,"protocol":"tcp"}, {"port":6666,"protocol":"tcp"}, {"port":6667,"protocol":"tcp"}]`] | list | +| `FailsafeOutboundHostPorts` | `FELIX_FAILSAFEOUTBOUNDHOSTPORTS` | List of PortProto struct objects including UDP/TCP/SCTP ports and CIDRs that Felix will allow outgoing traffic from host endpoints to irrespective of the security policy. This is useful to avoid accidentally cutting off a host with incorrect configuration. For backwards compatibility, if the protocol is not specified, it defaults to `"tcp"`. If a CIDR is not specified, it will allow traffic from all addresses. To disable all outbound host ports, use the value `[]`. The default value opens etcd's standard ports to ensure that Felix does not get cut off from etcd as well as allowing DHCP, DNS, BGP and the Kubernetes API. 
[Default: `[{"port":53,"protocol":"udp"},{"port":67,"protocol":"udp"}, {"port":179,"protocol":"tcp"}, {"port":2379,"protocol":"tcp"}, {"port":2380,"protocol":"tcp"}, {"port":5473,"protocol":"tcp"}, {"port":6443,"protocol":"tcp"}, {"port": 6666,"protocol":"tcp"}, {"port":6667,"protocol":"tcp"}]`] | list | | | `FelixHostname` | `FELIX_FELIXHOSTNAME` | The hostname Felix reports to the plugin. Should be used if the hostname Felix autodetects is incorrect or does not match what the plugin will expect. [Default: `socket.gethostname()`] | string | | `HealthEnabled` | `FELIX_HEALTHENABLED` | When enabled, exposes felix health information via an http endpoint. | boolean | | `HealthHost` | `FELIX_HEALTHHOST` | The address on which Felix will respond to health requests. [Default: `localhost`] | string | diff --git a/calico-enterprise_versioned_docs/version-3.19-1/reference/host-endpoints/failsafe.mdx b/calico-enterprise_versioned_docs/version-3.19-1/reference/host-endpoints/failsafe.mdx index 102a260e79..f866e551e1 100644 --- a/calico-enterprise_versioned_docs/version-3.19-1/reference/host-endpoints/failsafe.mdx +++ b/calico-enterprise_versioned_docs/version-3.19-1/reference/host-endpoints/failsafe.mdx @@ -23,7 +23,7 @@ The lists of failsafe ports can be configured via the configuration parameters `FailsafeInboundHostPorts` and `FailsafeOutboundHostPorts` described in [Configuring Felix](../component-resources/node/felix/configuration.mdx) . They -can be disabled by setting each configuration value to "none". +can be disabled by setting each configuration value to "[]". :::note diff --git a/calico-enterprise_versioned_docs/version-3.19-1/reference/resources/felixconfig.mdx b/calico-enterprise_versioned_docs/version-3.19-1/reference/resources/felixconfig.mdx index d0d9d9b1a2..123eccdc06 100644 --- a/calico-enterprise_versioned_docs/version-3.19-1/reference/resources/felixconfig.mdx +++ b/calico-enterprise_versioned_docs/version-3.19-1/reference/resources/felixconfig.mdx 
@@ -265,6 +265,25 @@ A timeout value of 0 disables the timeout. | protocol | The protocol match | tcp, udp, sctp | string | | net | The CIDR match | any valid CIDR (e.g. 192.168.0.0/16) | string | +Keep in mind that in the following example, `net: ""` and `net: "0.0.0.0/0"` are processed as the same in the policy enforcement. + +```yaml noValidation + ... +spec: + failsafeInboundHostPorts: + - net: "192.168.1.1/32" + port: 22 + protocol: tcp + - net: "" + port: 67 + protocol: udp +failsafeOutboundHostPorts: + - net: "0.0.0.0/0" + port: 67 + protocol: udp + ... +``` + ### AggregationKind | Value | Description | diff --git a/calico/reference/felix/configuration.mdx b/calico/reference/felix/configuration.mdx index f132cc356e..b8e2307985 100644 --- a/calico/reference/felix/configuration.mdx +++ b/calico/reference/felix/configuration.mdx 
@@ -54,8 +54,8 @@ The full list of parameters which can be set is as follows. | `EndpointReportingEnabled` | `FELIX_ENDPOINTREPORTINGENABLED` | Enable the endpoint status reporter. [Default: `false`] | boolean | | `EndpointStatusPathPrefix` | `FELIX_ENDPOINTSTATUSPATHPREFIX` | Path to the directory where Felix should create the `endpoint-status` directory. Choosing a mounted volume such as `/var/run/calico` is recommended as the directory can then be monitored by host processes such as the Calico CNI. Leaving this field empty disables endpoint-status files. [Default: ""] | string | | `ExternalNodesCIDRList` | `FELIX_EXTERNALNODESCIDRLIST` | Comma-delimited list of IPv4 or CIDR of external-non-calico-nodes from which IPIP traffic is accepted by calico-nodes. [Default: ""] | string | -| `FailsafeInboundHostPorts` | `FELIX_FAILSAFEINBOUNDHOSTPORTS` | Comma-delimited list of UDP/TCP/SCTP ports and CIDRs that Felix will allow incoming traffic to host endpoints on irrespective of the security policy. This is useful to avoid accidentally cutting off a host with incorrect configuration. For backwards compatibility, if the protocol is not specified, it defaults to "tcp". If a CIDR is not specified, it will allow traffic from all addresses. To disable all inbound host ports, use the value `none`. The default value allows ssh access, DHCP, BGP, etcd and the Kubernetes API. [Default: `tcp:22, udp:68, tcp:179, tcp:2379, tcp:2380, tcp:5473, tcp:6443, tcp:6666, tcp:6667`] | string | -| `FailsafeOutboundHostPorts` | `FELIX_FAILSAFEOUTBOUNDHOSTPORTS` | Comma-delimited list of UDP/TCP/SCTP ports and CIDRs that Felix will allow outgoing traffic from host endpoints to irrespective of the security policy. This is useful to avoid accidentally cutting off a host with incorrect configuration. For backwards compatibility, if the protocol is not specified, it defaults to "tcp". If a CIDR is not specified, it will allow traffic from all addresses. 
To disable all outbound host ports, use the value `none`. The default value opens etcd's standard ports to ensure that Felix does not get cut off from etcd as well as allowing DHCP, DNS, BGP and the Kubernetes API. [Default: `udp:53, udp:67, tcp:179, tcp:2379, tcp:2380, tcp:5473, tcp:6443, tcp:6666, tcp:6667`] | string | +| `FailsafeInboundHostPorts` | `FELIX_FAILSAFEINBOUNDHOSTPORTS` | List of PortProto struct objects including UDP/TCP/SCTP ports and CIDRs that Felix will allow incoming traffic to host endpoints on irrespective of the security policy. This is useful to avoid accidentally cutting off a host with incorrect configuration. For backwards compatibility, if the protocol is not specified, it defaults to `"tcp"`. If a CIDR is not specified, it will allow traffic from all addresses. To disable all inbound host ports, use the value `[]`. The default value allows ssh access, DHCP, BGP, etcd and the Kubernetes API. [Default: `[{"port":22,"protocol":"tcp"},{"port":68,"protocol":"udp"},{"port":179,"protocol":"tcp"},{"port":2379,"protocol":"tcp"}, {"port":2380,"protocol":"tcp"}, {"port":5473,"protocol":"tcp"}, {"port":6443,"protocol":"tcp"}, {"port":6666,"protocol":"tcp"}, {"port":6667,"protocol":"tcp"}]`] | list | +| `FailsafeOutboundHostPorts` | `FELIX_FAILSAFEOUTBOUNDHOSTPORTS` | List of PortProto struct objects including UDP/TCP/SCTP ports and CIDRs that Felix will allow outgoing traffic from host endpoints to irrespective of the security policy. This is useful to avoid accidentally cutting off a host with incorrect configuration. For backwards compatibility, if the protocol is not specified, it defaults to `"tcp"`. If a CIDR is not specified, it will allow traffic from all addresses. To disable all outbound host ports, use the value `[]`. The default value opens etcd's standard ports to ensure that Felix does not get cut off from etcd as well as allowing DHCP, DNS, BGP and the Kubernetes API. 
[Default: `[{"port":53,"protocol":"udp"},{"port":67,"protocol":"udp"}, {"port":179,"protocol":"tcp"}, {"port":2379,"protocol":"tcp"}, {"port":2380,"protocol":"tcp"}, {"port":5473,"protocol":"tcp"}, {"port":6443,"protocol":"tcp"}, {"port": 6666,"protocol":"tcp"}, {"port":6667,"protocol":"tcp"}]`] | list | | `FelixHostname` | `FELIX_FELIXHOSTNAME` | The hostname Felix reports to the plugin. Should be used if the hostname Felix autodetects is incorrect or does not match what the plugin will expect. [Default: `socket.gethostname()`] | string | | `HealthEnabled` | `FELIX_HEALTHENABLED` | When enabled, exposes felix health information via an http endpoint. | boolean | | `HealthHost` | `FELIX_HEALTHHOST` | The address on which Felix will respond to health requests. [Default: `localhost`] | string | diff --git a/calico/reference/host-endpoints/failsafe.mdx b/calico/reference/host-endpoints/failsafe.mdx index 14e4425796..e3bd9ec4cd 100644 --- a/calico/reference/host-endpoints/failsafe.mdx +++ b/calico/reference/host-endpoints/failsafe.mdx @@ -28,7 +28,7 @@ The lists of failsafe ports can be configured via the configuration parameters `FailsafeInboundHostPorts` and `FailsafeOutboundHostPorts` described in [Configuring Felix](../felix/configuration.mdx) . They -can be disabled by setting each configuration value to "none". +can be disabled by setting each configuration value to "[]". :::note diff --git a/calico/reference/resources/felixconfig.mdx b/calico/reference/resources/felixconfig.mdx index 0139df1bfd..a2d71532dc 100644 --- a/calico/reference/resources/felixconfig.mdx +++ b/calico/reference/resources/felixconfig.mdx 
@@ -46,8 +46,8 @@ spec: | deviceRouteProtocol | This defines the route protocol added to programmed device routes. | Protocol | int | RTPROT_BOOT | | endpointStatusPathPrefix | Path to the directory where Felix should create the `endpoint-status` directory. Choosing a mounted volume such as `/var/run/calico` is recommended as the directory can then be monitored by host processes such as the Calico CNI. Leaving this field empty disables endpoint-status files. | Any existing path in the calico-node container | string | `""`| | string | | externalNodesCIDRList | A comma-delimited list of CIDRs of external non-calico nodes, which can source tunnel traffic for acceptance by calico-nodes. | IPv4 | string | `""` | -| failsafeInboundHostPorts | UDP/TCP/SCTP protocol/cidr/port groupings that Felix will allow incoming traffic to host endpoints on irrespective of the security policy. This is useful to avoid accidentally cutting off a host with incorrect configuration. The default value allows SSH access, etcd, BGP, DHCP and the Kubernetes API. | | List of [ProtoPort](#protoport) |
- protocol: tcp
port: 22
- protocol: udp
port: 68
- protocol: tcp
port: 179
- protocol: tcp
port: 2379
- protocol: tcp
port: 2380
- protocol: tcp
port: 5473
- protocol: tcp
port: 6443
- protocol: tcp
port: 6666
- protocol: tcp
port: 6667
- protocol: udp
port: 53
- protocol: udp
port: 67
- protocol: tcp
port: 179
- protocol: tcp
port: 2379
- protocol: tcp
port: 2380
- protocol: tcp
port: 5473
- protocol: tcp
port: 6443
- protocol: tcp
port: 6666
- protocol: tcp
port: 6667
- net: ""
protocol: tcp
port: 22
- net: ""
protocol: udp
port: 68
- net: ""
protocol: tcp
port: 179
- net: ""
protocol: tcp
port: 2379
- net: ""
protocol: tcp
port: 2380
- net: ""
protocol: tcp
port: 5473
- net: ""
protocol: tcp
port: 6443
- net: ""
protocol: tcp
port: 6666
- net: ""
protocol: tcp
port: 6667
- net: ""
protocol: udp
port: 53
- net: ""
protocol: udp
port: 67
- net: ""
protocol: tcp
port: 179
- net: ""
protocol: tcp
port: 2379
- net: ""
protocol: tcp
port: 2380
- net: ""
protocol: tcp
port: 5473
- net: ""
protocol: tcp
port: 6443
- net: ""
protocol: tcp
port: 6666
- net: ""
protocol: tcp
port: 6667
- protocol: tcp
port: 22
- protocol: udp
port: 68
- protocol: tcp
port: 179
- protocol: tcp
port: 2379
- protocol: tcp
port: 2380
- protocol: tcp
port: 5473
- protocol: tcp
port: 6443
- protocol: tcp
port: 6666
- protocol: tcp
port: 6667
- protocol: udp
port: 53
- protocol: udp
port: 67
- protocol: tcp
port: 179
- protocol: tcp
port: 2379
- protocol: tcp
port: 2380
- protocol: tcp
port: 5473
- protocol: tcp
port: 6443
- protocol: tcp
port: 6666
- protocol: tcp
port: 6667
- net: ""
protocol: tcp
port: 22
- net: ""
protocol: udp
port: 68
- net: ""
protocol: tcp
port: 179
- net: ""
protocol: tcp
port: 2379
- net: ""
protocol: tcp
port: 2380
- net: ""
protocol: tcp
port: 5473
- net: ""
protocol: tcp
port: 6443
- net: ""
protocol: tcp
port: 6666
- net: ""
protocol: tcp
port: 6667
- net: ""
protocol: udp
port: 53
- net: ""
protocol: udp
port: 67
- net: ""
protocol: tcp
port: 179
- net: ""
protocol: tcp
port: 2379
- net: ""
protocol: tcp
port: 2380
- net: ""
protocol: tcp
port: 5473
- net: ""
protocol: tcp
port: 6443
- net: ""
protocol: tcp
port: 6666
- net: ""
protocol: tcp
port: 6667
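Review bot: The new `FailsafeOutboundHostPorts` row in calico-cloud and version-3.19-1 `configuration.mdx` ends with a stray empty cell (`| list | |` immediately before the `FelixHostname` row), which gives that row a fifth column in a four-column table and will misrender; the same row in `calico/reference/felix/configuration.mdx` ends correctly with `| list |`, so drop the extra `|` in the other two copies. In the same rows the default JSON is inconsistently spaced (`{"port": 6666,...}` next to `{"port":6666,...}`, and a mix of `},{` and `}, {`); pick one form, since readers paste these values straight into `FELIX_FAILSAFEINBOUNDHOSTPORTS` / `FELIX_FAILSAFEOUTBOUNDHOSTPORTS`. Finally, the type is introduced here as "PortProto struct objects" while the FelixConfiguration resource page touched by this same change calls it `List of [ProtoPort](#protoport)`; use one name (preferably `ProtoPort`, with a link) so the env-var table and the resource table agree.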
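Review bot: In all three `failsafe.mdx` hunks the replacement text `"[]"` is written with surrounding quotes, which reads as the string literal `"[]"`, whereas the configuration table rows say the disabling value is `[]` (an empty list). Either drop the quotes or state which form applies where (empty YAML list in the FelixConfiguration resource, the literal `[]` in the environment variable). This change also replaces `none` without saying what happens to existing configurations that still set `none`: if that value is now rejected and Felix falls back to the default list, a host an operator believed was locked down quietly regains the ssh, etcd and Kubernetes API failsafe openings, so add one sentence on whether `none` is still accepted or must be migrated.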
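Review bot: The YAML example added to `felixconfig.mdx` (version-3.18 and version-3.19-1) has an indentation error: `failsafeOutboundHostPorts:` sits at column 0 while `failsafeInboundHostPorts:` is nested under `spec:`, so as written the outbound list is a sibling of `spec` rather than a field of it; indent it two spaces to match. The lead sentence "are processed as the same in the policy enforcement" is awkward; suggest "are treated identically during policy enforcement". That equivalence also deserves a precision check before it ships: the configuration table says an unspecified CIDR "will allow traffic from all addresses", while `0.0.0.0/0` is the IPv4 wildcard only, so state whether `net: ""` also matches IPv6 traffic, because the two are only interchangeable if it does. Worth one more sentence pointing out that the `net: "192.168.1.1/32"` entry on tcp/22 is the narrow form operators should prefer, and the `net: ""` / `0.0.0.0/0` entries are the wide-open ones.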
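Review bot: In the `calico/reference/resources/felixconfig.mdx` table hunk, adding `net: ""` to every entry of the `failsafeInboundHostPorts` and `failsafeOutboundHostPorts` defaults states nothing the schema does not already say (an unspecified `net` means all addresses) and roughly doubles an already very long cell; either leave the defaults as they were or show the field once with a real CIDR, as the example in the other `felixconfig.mdx` files does. The `-` row also has an empty "Accepted values" column (`| | List of [ProtoPort](#protoport)`); since this resource page is where most operators will set the field, the `+` row should say that `[]` disables the failsafe list, mirroring the wording added to the `configuration.mdx` rows.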