I'm running on Rocky Linux (RHEL8 based) and am kind of struggling with firewalld and iptables. Well, not really iptables anyway… Let me explain.

I set up a K8S cluster on VMware ESXi with six virtual machines, all the same. I need to have firewalld running, given this environment. I'm using Weave CNI, which is using iptables in order to create its networking rules.

- On weave docker containers and VM hosts, iptables with the nf_tables backend is used.
- This is confirmed by the `iptables -V` output, which gives me `iptables v1.8.4 (nf_tables)`.
- firewalld is set up to use nftables as its backend (`FirewallBackend`).
- The iptables service doesn't exist (`Unit rvice could not be found.`).
- The nftables service is loaded, but inactive.
- If I start the nftables service, the firewalld service is stopped, and vice-versa.

As I understand it, because firewalld uses nftables, it shouldn't flush iptables at all, as per their blog post about the nftables backend.

When weave sets its iptables rules (for routing and network policies), I can see them either with `iptables-save` or `nft list ruleset`. This means that even if weave is using iptables to set its rules, they are in fact set into nftables.

Now, my problem is that if I reload firewalld (with `firewall-cmd --reload` or `systemctl reload rvice`) after weave has set its rules, all rules are flushed! I can confirm that with `iptables-save` or `nft list ruleset`.

May it be related to using iptables commands instead of nft? Even if iptables uses the nf_tables backend?

Please note that this problem is partially addressed by weave, because they monitor rules to see if a special (empty) chain WEAVE-CANARY still exists. If it's not there, they recreate routing rules, but nothing is done for network policy rules.
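As an added example (not part of the original post or of Weave's own code), a small POSIX shell script that compares two `iptables-save` snapshots, taken before and after a firewalld reload, and lists the user-defined chains that vanished, so a flush that removes more than the WEAVE-CANARY chain can be spotted. The two snapshots are constructed samples, and WEAVE-NPC is assumed as the name of the network-policy chain.

```shell
#!/bin/sh
# Added example, not from the original post. Detects chains that a
# `firewall-cmd --reload` removed by diffing two iptables-save snapshots.
# Real use: BEFORE=$(iptables-save); firewall-cmd --reload; AFTER=$(iptables-save)

# Constructed snapshot taken while Weave's rules are in place
BEFORE='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:WEAVE-CANARY - [0:0]
:WEAVE-NPC - [0:0]
-A FORWARD -o weave -j WEAVE-NPC
COMMIT'

# Constructed snapshot after the reload flushed everything Weave added
AFTER='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

# Print the user-defined chains of a snapshot, one per line, sorted.
# In iptables-save output a chain line is ":NAME POLICY [pkts:bytes]";
# built-in chains carry a policy, user-defined ones show "-" instead.
list_custom_chains() {
    printf '%s\n' "$1" | awk '/^:/ && $2 == "-" { sub(/^:/, "", $1); print $1 }' | sort
}

# Print every user-defined chain present in snapshot $1 but absent from $2.
missing_chains() {
    after=$(list_custom_chains "$2")
    for c in $(list_custom_chains "$1"); do
        printf '%s\n' "$after" | grep -qx -- "$c" || printf '%s\n' "$c"
    done
}

# Same check Weave performs: exit 0 if the canary chain survived, 1 if not.
canary_intact() {
    list_custom_chains "$1" | grep -qx WEAVE-CANARY
}

missing_chains "$BEFORE" "$AFTER"
```

Running the script on the samples prints WEAVE-CANARY and WEAVE-NPC, i.e. both the chain Weave watches and the policy chain it does not restore.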