Description
Hi,
I am no iptables nor Kubernetes guru, but I think I've found an issue in the current Citrix Node Controller.
Citrix-node-controller 2.2.1 deploys kube-cnc-router in kube-system namespace.
```yaml
image: quay.io/citrix/cnc-router:1.1.0
imagePullPolicy: IfNotPresent
```
However, cnc-router:1.1.0, has legacy iptables v1.6.1 which is used to create a rule that permits ingress VXLAN traffic.
I use cilium along with eBPF that has a more current nf_tables environment.
It seems that the iptables rules created within the cnc-router image never get applied.
```
pod# iptables --version
iptables v1.6.1
```
Kubernetes-host (I use udp/8500 for VxLAN)
```
iptables -L -n | wc -l
Warning: iptables-legacy tables present, use iptables-legacy to see them
82
```

```
iptables-legacy -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:8500

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
```
```bash
bridge fdb add ${ingmac} dev routervxlan0 dst ${vtepip}
iptables -D INPUT -p udp -m udp --dport ${vxlanPort} -j ACCEPT 2>nul
iptables -I INPUT 1 -p udp --dport ${vxlanPort} -j ACCEPT
if [[ ! -z ${dspiprange} ]]
then
    iptables -D FORWARD -s ${dspiprange} -i ${ifName} -j ACCEPT 2>nul
    iptables -I FORWARD 1 -s ${dspiprange} -i ${ifName} -j ACCEPT
    echo "iptables -I FORWARD 1 -s ${dspiprange} -i ${ifName} -j ACCEPT"
fi
sleep 3d
```
Thanks
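The mismatch described in this report (a pod's legacy `iptables` writing into the xtables backend while the host's kernel is evaluating nf_tables rules) can be caught before the rule is inserted. The script below is an added example, not code from the issue or from the cnc-router image; it assumes an image that ships iptables 1.8 with both `iptables-legacy` and `iptables-nft` (the 1.1.0 image's iptables 1.6.1 has no nf_tables support at all). The backend-selection heuristic (compare the rule counts of `iptables-legacy-save` and `iptables-nft-save` and use whichever already holds the host's rules, nf_tables on a tie) is an assumption loosely modelled on the Kubernetes `iptables-wrapper` approach; `iptables -C` then verifies that the ACCEPT rule actually landed where the kernel consults it.

```shell
#!/bin/sh
# Added example (not from the issue or the cnc-router image): choose the
# iptables backend the host really uses before inserting the VXLAN ACCEPT rule,
# so the rule is not written into a table the kernel never evaluates.

# Count rule lines ("-A ...") in iptables-save style output read from stdin.
# grep -c prints 0 and exits 1 when nothing matches, hence the "|| true".
count_save_rules() {
  grep -c '^-A ' || true
}

# Pick a backend from the two rule counts (legacy first, nf_tables second).
# Heuristic (assumption): the backend that already holds the host's rules is
# the one the host uses; on a tie prefer nf_tables, the current distro default.
choose_backend() {
  legacy_rules=$1
  nft_rules=$2
  if [ "$legacy_rules" -gt "$nft_rules" ]; then
    echo legacy
  else
    echo nft
  fi
}

# Classify `iptables --version` output: 1.8.x prints "(nf_tables)" or
# "(legacy)"; 1.6.x prints no backend because it only speaks legacy xtables.
version_backend() {
  case "$1" in
    *"(nf_tables)"*) echo nft ;;
    *)               echo legacy ;;
  esac
}

# Probe the live host namespace. Needs the iptables-*-save binaries and
# CAP_NET_ADMIN, so it is not exercised by the offline checks below.
detect_host_backend() {
  legacy=$(iptables-legacy-save 2>/dev/null | count_save_rules)
  nft=$(iptables-nft-save 2>/dev/null | count_save_rules)
  choose_backend "${legacy:-0}" "${nft:-0}"
}

# Insert the VXLAN ACCEPT rule with the matching binary, keep it to one copy,
# and confirm with -C instead of trusting the exit status of -I.
ensure_vxlan_accept() {
  port=$1
  backend=$(detect_host_backend)
  ipt="iptables-$backend"            # iptables-legacy or iptables-nft
  if ! command -v "$ipt" >/dev/null 2>&1; then
    ipt=iptables                     # image ships a single binary
  fi
  "$ipt" -C INPUT -p udp --dport "$port" -j ACCEPT 2>/dev/null ||
    "$ipt" -I INPUT 1 -p udp --dport "$port" -j ACCEPT
  "$ipt" -C INPUT -p udp --dport "$port" -j ACCEPT
}

# Example invocation for the port used in this report (hypothetical call):
# ensure_vxlan_accept 8500
```

Running `detect_host_backend` on the host from this report would find 82 entries behind the nf_tables binary and only the stray ACCEPT behind `iptables-legacy`, so the router would be steered to `iptables-nft`; the final `-C` is what turns "the command exited 0" into "the kernel will actually accept udp/8500".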