UFW blocks certain packets from Calico

Bug #2022010 reported by Ausias
This bug affects 2 people

| Affects | Status | Importance | Assigned to | Milestone |
| --- | --- | --- | --- | --- |
| ufw | New | Undecided | Unassigned | |

Bug Description

While looking at the `ufw` logs I can see that there are certain requests that are being blocked and they belong to Calico. I've tried many ufw rules but cannot manage to get the right one that enables that traffic so it is not shown anymore in the logs.

## Expected Behavior
I would expect not to see any blocks in the logs. I've tried with many `ufw` rules but I suppose that there is some conflict between Calico rules and the firewall.

## Current Behavior
At the application level I don't notice any problem: the apps in Kubernetes are working fine and they don't show any error message, but I don't feel confident seeing some packets being blocked in `ufw`.

## Possible Solution
I've been able to configure `ufw` rules step by step until I no longer see any other packets blocked, but those packets which come from virtual interfaces starting with `cali` and having an attribute `MARK` cannot be unblocked.

## Your Environment
This is my current setup:
- Kubernetes cluster 1.24.6 on metal servers with Debian 10
- Kubernetes distribution is Kubespray with Calico configured to use Iptables
- Calico image version `quay.io/calico/node:v3.23.3`
- ufw version 0.36
- Only 1 worker node (`server-01`) has a public IP and acts as a NAT gateway, while the other worker nodes only have private IPv4 addresses
- There are some iptables rules that forward traffic from the worker nodes to `server-01`, allowing those worker nodes to have access to the internet.
- The worker nodes' private IPs are in the range `10.0.0.0/16`
- The Kubernetes pod subnet range is `10.2.0.0/16`
- The Kubernetes service subnet range is `10.1.0.0/16`
- The ufw firewall configuration is the following:

```
root@server-01 /home/debian # ufw status numbered
Status: active

     To Action From
     -- ------ ----
[ 1] 22/tcp ALLOW IN 10.0.0.0/16 (log) # Allow ssh connections from within the subnet
[ 2] 80/tcp ALLOW IN Anywhere (log) # Allow external HTTP connections
[ 3] 443/tcp ALLOW IN Anywhere (log) # Allow external HTTPS connections
[ 6] Anywhere ALLOW FWD 10.0.0.0/16 (log) # Allow forward subnet NATed traffic
[ 7] Anywhere ALLOW IN 10.0.0.0/16 (log) # Allow server subnet internal communication
[ 8] Anywhere ALLOW IN 10.2.0.0/16/udp (log) # Allow Kubernetes pods communication through UDP
[ 9] Anywhere ALLOW IN 10.2.0.0/16/tcp (log) # Allow Kubernetes pods communication through TCP
[10] Anywhere ALLOW FWD 10.2.0.0/16 (log) # Allow Kubernetes pods forward traffic between subnets
[11] Anywhere on any ALLOW FWD 10.2.0.0/16 on any (log) # Allow Kubernetes pods forward traffic between subnets
```
- The ufw logs are these:
```
Jun 1 00:19:40 server-01 kernel: [4939271.395479] [UFW BLOCK] IN=calidca318939f1 OUT= MAC=ee:ee:ee:ee:ee:ee:72:24:e2:58:04:64:08:00 SRC=10.2.173.226 DST=10.1.7.90 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=45126 DPT=3300 WINDOW=0 RES=0x00 RST URGP=0 MARK=0x32240000
Jun 1 00:19:40 server-01 kernel: [4939271.395910] [UFW BLOCK] IN=calidca318939f1 OUT= MAC=ee:ee:ee:ee:ee:ee:72:24:e2:58:04:64:08:00 SRC=10.2.173.226 DST=10.1.78.204 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=37816 DPT=3300 WINDOW=0 RES=0x00 RST URGP=0 MARK=0x32240000
Jun 1 00:19:40 server-01 kernel: [4939271.397560] [UFW BLOCK] IN=calidca318939f1 OUT= MAC=ee:ee:ee:ee:ee:ee:72:24:e2:58:04:64:08:00 SRC=10.2.173.226 DST=10.1.7.90 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=45138 DPT=3300 WINDOW=0 RES=0x00 RST URGP=0 MARK=0x32240000
Jun 1 00:19:41 server-01 kernel: [4939271.813207] [UFW BLOCK] IN=calidca318939f1 OUT= MAC=ee:ee:ee:ee:ee:ee:72:24:e2:58:04:64:08:00 SRC=10.2.173.226 DST=10.1.7.90 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=45202 DPT=3300 WINDOW=0 RES=0x00 RST URGP=0 MARK=0x32240000
Jun 1 00:19:41 server-01 kernel: [4939271.813539] [UFW BLOCK] IN=calidca318939f1 OUT= MAC=ee:ee:ee:ee:ee:ee:72:24:e2:58:04:64:08:00 SRC=10.2.173.226 DST=10.1.7.90 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=45202 DPT=3300 WINDOW=0 RES=0x00 RST URGP=0 MARK=0x32240000
Jun 1 00:19:41 server-01 kernel: [4939271.813804] [UFW BLOCK] IN=calidca318939f1 OUT= MAC=ee:ee:ee:ee:ee:ee:72:24:e2:58:04:64:08:00 SRC=10.2.173.226 DST=10.1.78.204 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=37900 DPT=3300 WINDOW=0 RES=0x00 RST URGP=0 MARK=0x32240000
Jun 1 00:19:41 server-01 kernel: [4939272.533437] [UFW BLOCK] IN=calidca318939f1 OUT= MAC=ee:ee:ee:ee:ee:ee:72:24:e2:58:04:64:08:00 SRC=10.2.173.226 DST=10.1.7.90 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=45412 DPT=3300 WINDOW=0 RES=0x00 RST URGP=0 MARK=0x32240000

```

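The log excerpt above is easier to reason about once the `[UFW BLOCK]` lines are reduced to a few fields. The following Python script is an added example written for this page; it is not part of the bug report, ufw or Calico. It parses ufw's kernel log format into key/value fields plus the bare flag tokens (`DF`, `RST`, `SYN`, ...), then counts blocked packets per incoming interface, protocol, destination port, TCP flag set and `MARK`. The first two sample lines are copied from the report's excerpt; the `eth0` entries are constructed here with RFC 5737 documentation addresses so that the summary also has a non-Calico block and an `ALLOW` entry it must ignore. Run on the report's lines it shows that every block is a TCP packet carrying only the `RST` flag, sent from a pod-subnet address (`10.2.0.0/16`) to service-subnet addresses (`10.1.0.0/16`) on port 3300. That is worth knowing when triaging: a reset with no `ACK` is what Linux sends back for a segment belonging to a connection it has no state for, and ufw's default `before.rules` drops conntrack-INVALID packets before any user `ALLOW` rule is consulted, which is one reason a block like this can persist regardless of the allow rules added.

```python
"""Summarize ufw [UFW BLOCK] kernel log lines by interface, port, TCP flags and mark.

Added example for this page; not code from the bug report, ufw or Calico.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterator, Optional

# Sample input. Lines 1-2 are taken from the report's log excerpt; lines 3-4 are
# constructed (RFC 5737 addresses) to add a non-Calico BLOCK and an ALLOW entry.
SAMPLE_LOG = """\
Jun 1 00:19:40 server-01 kernel: [4939271.395479] [UFW BLOCK] IN=calidca318939f1 OUT= MAC=ee:ee:ee:ee:ee:ee:72:24:e2:58:04:64:08:00 SRC=10.2.173.226 DST=10.1.7.90 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=45126 DPT=3300 WINDOW=0 RES=0x00 RST URGP=0 MARK=0x32240000
Jun 1 00:19:40 server-01 kernel: [4939271.395910] [UFW BLOCK] IN=calidca318939f1 OUT= MAC=ee:ee:ee:ee:ee:ee:72:24:e2:58:04:64:08:00 SRC=10.2.173.226 DST=10.1.78.204 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=37816 DPT=3300 WINDOW=0 RES=0x00 RST URGP=0 MARK=0x32240000
Jun 1 00:20:02 server-01 kernel: [4939293.100000] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=12345 DF PROTO=TCP SPT=51000 DPT=8443 WINDOW=64240 RES=0x00 SYN URGP=0
Jun 1 00:20:05 server-01 kernel: [4939296.200000] [UFW ALLOW] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=12346 DF PROTO=TCP SPT=51001 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
"""

TCP_FLAGS = frozenset({"SYN", "ACK", "FIN", "RST", "PSH", "URG"})
# ufw prefixes are "[UFW BLOCK] ", "[UFW ALLOW] ", "[UFW AUDIT] ", ...; capture the word(s).
EVENT_RE = re.compile(r"\[UFW (?P<action>[A-Z ]+?)\]\s+(?P<fields>.*)$")


@dataclass
class UfwEvent:
    action: str        # BLOCK, ALLOW, AUDIT, ...
    fields: dict       # key=value tokens: IN, OUT, SRC, DST, PROTO, DPT, MARK, ...
    flags: frozenset   # bare tokens: DF plus any TCP flag names present


def parse_line(line: str) -> Optional[UfwEvent]:
    """Return a UfwEvent for a ufw kernel log line, or None for unrelated lines."""
    m = EVENT_RE.search(line)
    if m is None:
        return None
    fields, flags = {}, set()
    for tok in m.group("fields").split():
        key, sep, val = tok.partition("=")
        if sep:
            fields[key] = val        # "OUT=" yields an empty string, as in the log
        elif tok == "DF" or tok in TCP_FLAGS:
            flags.add(tok)
    return UfwEvent(m.group("action"), fields, frozenset(flags))


def tcp_flag_string(ev: UfwEvent) -> str:
    """Canonical 'ACK+RST'-style string, or '-' when no TCP flag token is present."""
    present = sorted(ev.flags & TCP_FLAGS)
    return "+".join(present) if present else "-"


def is_bare_reset(ev: UfwEvent) -> bool:
    """True for a TCP packet carrying RST but not ACK.

    Linux answers a segment that carries ACK for a connection it has no state for
    with exactly such a reset (sequence number taken from the offending ACK).
    """
    return ev.fields.get("PROTO") == "TCP" and "RST" in ev.flags and "ACK" not in ev.flags


def iter_blocks(log_text: str, iface_prefix: str = "cali") -> Iterator[UfwEvent]:
    """Yield BLOCK events whose incoming interface starts with iface_prefix ('' = all)."""
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev.action != "BLOCK":
            continue
        if iface_prefix and not ev.fields.get("IN", "").startswith(iface_prefix):
            continue
        yield ev


def summarize_blocks(log_text: str, iface_prefix: str = "cali") -> Counter:
    """Count blocked packets keyed by (in-iface, proto, dport, tcp flags, mark)."""
    counts: Counter = Counter()
    for ev in iter_blocks(log_text, iface_prefix):
        key = (ev.fields.get("IN", "-"), ev.fields.get("PROTO", "-"),
               ev.fields.get("DPT", "-"), tcp_flag_string(ev), ev.fields.get("MARK", "-"))
        counts[key] += 1
    return counts


def bare_reset_blocks(log_text: str, iface_prefix: str = "cali") -> int:
    """Number of blocked packets that are bare TCP resets (RST without ACK)."""
    return sum(1 for ev in iter_blocks(log_text, iface_prefix) if is_bare_reset(ev))


if __name__ == "__main__":
    # Usage: pipe a real log in, e.g.  journalctl -k | python3 ufw_blocks.py
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    for (iface, proto, dport, flags, mark), n in summarize_blocks(text).most_common():
        print(f"{n:6d}  in={iface} proto={proto} dport={dport} flags={flags} mark={mark}")
    print(f"bare RST blocks on cali* interfaces: {bare_reset_blocks(text)}")
```

The interface filter defaults to `cali` because the report's problem packets all arrive on Calico's per-pod veth interfaces; pass `iface_prefix=""` to summarize every block on the host. Grouping on the TCP flag set is the useful part: if a category turns out to be entirely bare resets, adding further `ALLOW` rules in `ufw` is unlikely to change what the log shows, and the next check is the conntrack state of those packets rather than the rule set.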
John Puskar (jpuskar-amtrust) wrote:

I've been struggling with this too and can't figure out a workaround.
