
NodePort traffic gets dropped in nftables kube-proxy if iptables rules are configured with default DROP policy #132461

Status: Closed

Description (opened by @aroradaman)

kube-proxy (iptables mode) works independently of the default policy of the base chains. Historically, there was a case (#39823) where NodePort traffic was dropped when the default policy for the forward chain in the filter table was DROP; it got fixed in #52569.

#39823 added a rule in the forward chain that explicitly ACCEPTs traffic destined to the ClusterCIDR, to make it work independently of the default policy.

In nftables kube-proxy we only operate in the kube-proxy table. Policies configured by the iptables (nf_tables) binaries reside in the filter/nat tables. For distros shipping with a default policy of DROP, NodePort traffic might get dropped.

We observed this in a cluster running with Calico:

# nftrace for NodePort + CNI Calico
 
# Processing in kube-proxy table
trace id 95f3cdfa ip kube-proxy filter-forward rule ct state new jump service-endpoints-check (verdict jump service-endpoints-check)
trace id 95f3cdfa ip kube-proxy filter-forward rule ct state new jump cluster-ips-check (verdict jump cluster-ips-check)
trace id 95f3cdfa ip kube-proxy filter-forward policy accept meta mark 0x00004000
 
# Processing in filter table
trace id 95f3cdfa ip filter FORWARD packet: iif "eth0" oif "tunl0" ether saddr 02:50:56:56:44:52 ether daddr 04:50:56:00:84:00 ip saddr 10.246.0.3 ip daddr 100.115.83.3 ip dscp cs0 ip ecn not-ect ip ttl 60 ip id 22451 ip length 60 tcp sport 60316 tcp dport 9153 tcp flags == syn tcp window 64240
trace id 95f3cdfa ip filter FORWARD rule  counter packets 21 bytes 1260 jump cali-FORWARD (verdict jump cali-FORWARD)
trace id 95f3cdfa ip filter cali-FORWARD rule  counter packets 71 bytes 5220 meta mark set mark and 0xffe5ffff (verdict continue)
trace id 95f3cdfa ip filter cali-FORWARD rule  meta mark & 0x00010000 == 0x00000000 counter packets 71 bytes 5220 jump cali-from-hep-forward (verdict jump cali-from-hep-forward)
trace id 95f3cdfa ip filter cali-FORWARD rule  counter packets 71 bytes 5220 jump cali-to-hep-forward (verdict jump cali-to-hep-forward)
trace id 95f3cdfa ip filter cali-FORWARD rule  counter packets 71 bytes 5220 jump cali-cidr-block (verdict jump cali-cidr-block)
trace id 95f3cdfa ip filter FORWARD rule  counter packets 21 bytes 1260 meta mark set mark or 0x10000 (verdict continue)
 
# Packet reaching end of filter table and being dropped because of default policy "DROP"
trace id 95f3cdfa ip filter FORWARD policy drop

This was, however, not observed when running a cluster with Antrea, as Antrea installs forwarding rules to accept traffic from/to pods:

# Processing in filter table
trace id 6cd1f252 ip filter FORWARD packet: iif "eth0" oif "antrea-gw0" ether saddr 02:50:56:56:44:52 ether daddr 04:50:56:00:38:00 ip saddr 172.26.0.4 ip daddr 100.96.0.4 ip dscp cs0 ip ecn not-ect ip ttl 60 ip id 60518 ip length 60 tcp sport 47292 tcp dport 9153 tcp flags == syn tcp window 64240
trace id 6cd1f252 ip filter FORWARD rule  counter packets 100 bytes 7920 jump ANTREA-FORWARD (verdict jump ANTREA-FORWARD)
trace id 6cd1f252 ip filter ANTREA-FORWARD unknown rule handle 415 (verdict accept)
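The mechanism behind the two traces above, as an added, constructed model that is not part of the issue or of kube-proxy: every table that registers a base chain on the `forward` hook is visited in priority order, an `accept` verdict finishes only the current table's base chain, `drop` ends the packet's journey, and a base chain that reaches its end without a verdict applies its policy. The chain names follow the traces; the pod CIDR, the packet, the chain priorities and the contents of the CNI chains are assumptions chosen to reproduce the behaviour shown (the Calico chain is modelled as returning without a verdict, the Antrea chain as an unconditional accept). The third scenario shows the #39823-style remedy of an explicit accept for the cluster/pod CIDR in the filter table's FORWARD chain.

```python
"""Constructed model of nftables base-chain traversal at the forward hook.

This is illustrative code, not the kernel's or kube-proxy's own logic: it
models the documented rule that all base chains hooked at `forward` run in
priority order, that `accept` ends only the current base chain, and that a
base chain falling off its end applies its policy.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple, Union

Verdict = Union[str, Tuple[str, str]]   # "accept" | "drop" | "continue" | ("jump", chain)
Rule = Tuple[Callable[["Packet"], bool], Verdict]


@dataclass
class Packet:
    saddr: str
    daddr: str
    ct_new: bool = True


@dataclass
class Chain:
    name: str
    rules: List[Rule] = field(default_factory=list)
    policy: Optional[str] = None        # only base chains carry a policy


@dataclass
class Table:
    name: str
    chains: Dict[str, Chain]
    base: str                           # name of the base chain hooked at forward
    priority: int


def run_chain(table: Table, chain_name: str, pkt: Packet) -> Optional[str]:
    """Walk one chain; return a final verdict, or None when a regular chain returns."""
    chain = table.chains[chain_name]
    for match, verdict in chain.rules:
        if not match(pkt):
            continue
        if verdict in ("accept", "drop"):
            return verdict
        if isinstance(verdict, tuple) and verdict[0] == "jump":
            inner = run_chain(table, verdict[1], pkt)
            if inner is not None:
                return inner
        # "continue" (e.g. a mark-set rule) or a jump that returned: next rule
    return chain.policy                 # base chain: its policy; regular chain: None


def forward_hook(tables: List[Table], pkt: Packet) -> dict:
    """Run each table's forward base chain in priority order, as the hook does."""
    trace = []
    for table in sorted(tables, key=lambda t: t.priority):
        verdict = run_chain(table, table.base, pkt)
        trace.append((table.name, verdict))
        if verdict == "drop":
            return {"verdict": "drop", "trace": trace}
        # "accept" ends only this base chain; the next table still sees the packet
    return {"verdict": "accept", "trace": trace}


def any_pkt(_: Packet) -> bool:
    return True


def ct_new(pkt: Packet) -> bool:
    return pkt.ct_new


def dst_in(cidr: str) -> Callable[[Packet], bool]:
    net = ipaddress.ip_network(cidr)
    return lambda pkt: ipaddress.ip_address(pkt.daddr) in net


# Constructed values: the CIDR is assumed to cover the pod address seen in the trace.
POD_CIDR = "100.115.83.0/24"
NODEPORT_TO_POD = Packet(saddr="10.246.0.3", daddr="100.115.83.3")


def kube_proxy_table() -> Table:
    """kube-proxy's own table: jumps to its check chains, then policy accept."""
    return Table("kube-proxy", {
        "filter-forward": Chain("filter-forward", [
            (ct_new, ("jump", "service-endpoints-check")),
            (ct_new, ("jump", "cluster-ips-check")),
        ], policy="accept"),
        "service-endpoints-check": Chain("service-endpoints-check"),  # nothing matches
        "cluster-ips-check": Chain("cluster-ips-check"),
    }, base="filter-forward", priority=-1)  # assumed: runs before filter FORWARD, as traced


def filter_table(cni_chain: Chain, extra: Optional[List[Rule]] = None,
                 policy: str = "drop") -> Table:
    """iptables-nft filter table whose FORWARD chain jumps into a CNI chain."""
    rules = list(extra or []) + [(any_pkt, ("jump", cni_chain.name))]
    return Table("filter", {
        "FORWARD": Chain("FORWARD", rules, policy=policy),
        cni_chain.name: cni_chain,
    }, base="FORWARD", priority=0)


def calico_like() -> dict:
    # cali-FORWARD only sets marks ("continue") and returns; FORWARD policy drop decides.
    cali = Chain("cali-FORWARD", [(any_pkt, "continue")])
    return forward_hook([kube_proxy_table(), filter_table(cali)], NODEPORT_TO_POD)


def antrea_like() -> dict:
    # ANTREA-FORWARD issues an explicit accept, so the drop policy is never reached.
    antrea = Chain("ANTREA-FORWARD", [(any_pkt, "accept")])
    return forward_hook([kube_proxy_table(), filter_table(antrea)], NODEPORT_TO_POD)


def calico_with_cidr_accept(pkt: Packet = NODEPORT_TO_POD) -> dict:
    # #39823-style remedy: explicit accept for the pod/cluster CIDR in FORWARD itself.
    cali = Chain("cali-FORWARD", [(any_pkt, "continue")])
    fixed = filter_table(cali, extra=[(dst_in(POD_CIDR), "accept")])
    return forward_hook([kube_proxy_table(), fixed], pkt)


if __name__ == "__main__":
    print("calico-like        ", calico_like())
    print("antrea-like        ", antrea_like())
    print("calico + CIDR accept", calico_with_cidr_accept())
    print("off-CIDR with fix  ", calico_with_cidr_accept(Packet("10.246.0.3", "203.0.113.9")))
```

The point the model makes explicit: the `policy accept` at the end of kube-proxy's `filter-forward` chain is not a final verdict for the hook, only for that table, so whatever the iptables-nft `filter` table's FORWARD chain decides still applies. An accept that is scoped to the cluster/pod CIDR keeps the DROP policy effective for everything else.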

Labels: needs-triage (Indicates an issue or PR lacks a `triage/foo` label and requires one.), sig/network (Categorizes an issue or PR as relevant to SIG Network.)