nftables with conntrack can break k3s #11415
This crash is in the kube-router netpol controller. You'll want to open an issue at https://github.com/cloudnativelabs/kube-router

Maybe don't try to mix native nft and iptables-nft use on the same host? Why are you doing this in the first place?
@brandond thank you!

I mostly wanted to transition to native nft since it's there now but will fall back to iptables-nft.
Environmental Info:

K3s Version:

Node(s) CPU architecture, OS, and Version:
Ubuntu 24.04

Cluster Configuration: Single node

Describe the bug:
When a certain conntrack rule is added via the `nft` command, it breaks k3s when it tries to set up the firewall.

Steps To Reproduce:
There are two ways of adding the "rule" (e.g. allow all established TCP), one with `nft` and the other with `iptables`. The first one breaks k3s but the second does not. There seems to be a translation of `established,related` into opcodes that breaks the `iptables -S` command, which in turn breaks k3s.

will be converted into:

but

will result in

Expected behavior:
With the `iptables` command

Actual behavior:
With the `nft` command

Thank you for your help