Some notes on iptables upgrades in Linux

Preface


  • While studying the kube-proxy component in K8s, I noticed that in iptables mode the call chain looked somewhat unusual
  • I suspected that the iptables version was too old, so I tried upgrading it
  • nftables has been around for a long time, but upgrading to it is not considered here
  • If anything here is inaccurate, please help me correct it

There is only one real duty for every human being: to find himself, then stick to his life in his heart, wholeheartedly, and never stop. All other roads are incomplete, a way of escape, a cowardly return to the popular ideal, a drift with the flow, and a fear of the heart. - Hermann Hesse, Demian


What needs to be mentioned here is that with the old iptables version, some of the chain rules that k8s and Calico create in the cluster cannot be displayed correctly; the rules themselves are unaffected and still take effect.

The older version cannot display the rule correctly (the DNAT target is rendered with bogus ":0" destinations and a duplicated "--to-destination"):

-A KUBE-SEP-OLNIRCQFCXAN5USW -p tcp -m comment --comment "velero/minio:console" -m tcp -j DNAT --to-destination :0 --persistent --to-destination :0 --persistent --to-destination 0.0.0.0:0

The newer version displays the same rule correctly:

-A KUBE-SEP-OLNIRCQFCXAN5USW -p tcp -m comment --comment "velero/minio:console" -m tcp -j DNAT --to-destination 10.244.169.89:9090

Current system environment

┌──[[email protected]]-[~/ansible]
└─$hostnamectl
   Static hostname: vms100.liruilongs.github.io
         Icon name: computer-vm
           Chassis: vm
        Machine ID: e93ae3f6cb354f3ba509eeb73568087e
           Boot ID: 3276184063244f00bc6efff60ef31879
    Virtualization: vmware
  Operating System: CentOS Linux 7 (Core)
       CPE OS Name: cpe:/o:centos:centos:7
            Kernel: Linux 5.4.230-1.el7.elrepo.x86_64
      Architecture: x86-64
┌──[[email protected]]-[~/ansible]
└─$

Download location of the source package. Note that the wget below disables certificate checking; netfilter.org publishes a detached .sig file next to each tarball, and checking the download against it is the safer way to confirm the archive is genuine.

https://www.netfilter.org/projects/iptables

┌──[[email protected]]-[~/ansible]
└─$wget --no-check-certificate  https://www.netfilter.org/projects/iptables/files/iptables-1.8.7.tar.bz2

Install the decompression tool

┌──[[email protected]]-[~/ansible]
└─$yum -y install bzip2

Extract the source package

┌──[[email protected]]-[~/ansible]
└─$bunzip2 iptables-1.8.7.tar.bz2
┌──[[email protected]]-[~/ansible]
└─$tar -xvf iptables-1.8.7.tar

Building with nftables support is not possible here because some other packages on the system are too old; it seems they would have to be upgraded at the same time, so I simply exclude nftables when configuring:

┌──[[email protected]]-[~/ansible/iptables-1.8.7]
└─$./configure --disable-nftables
┌──[[email protected]]-[~/ansible/iptables-1.8.7]
└─$ls
aclocal.m4  build-aux     config.h     config.log     configure     COPYING  extensions  INCOMPATIBILITIES  iptables          libipq   libtool     m4        Makefile.am  stamp-h1  xlate-test.py
autogen.sh  COMMIT_NOTES  config.h.in  config.status  configure.ac  etc      include     INSTALL            iptables-test.py  libiptc  libxtables  Makefile  Makefile.in  utils
┌──[[email protected]]-[~/ansible/iptables-1.8.7]
└─$make
┌──[[email protected]]-[~/ansible/iptables-1.8.7]
└─$make install

At this point the upgrade does not appear to have taken effect; the shell still reports the original version:

┌──[[email protected]]-[~/ansible/iptables-1.8.7]
└─$iptables -V
iptables v1.4.21

After rebooting the machine, the upgraded version is reported. A reboot should not actually be necessary here: with the default configure prefix the new binary is installed under /usr/local/sbin, while the shell that was already open keeps the previously resolved /usr/sbin/iptables in its command hash, so logging in again, re-sourcing the shell profile, or running hash -r should be enough.

┌──[[email protected]]-[~/ansible]
└─$iptables -V
iptables v1.8.7 (legacy)
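Why `iptables -V` kept showing 1.4.21 after `make install` until the next login, as an added example that is not part of the original post: it reproduces the situation with two constructed stand-in scripts in place of the real binaries (the RPM one in /usr/sbin and the freshly built one in /usr/local/sbin, the default configure prefix); the sandbox layout and function names are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. bash caches the path of every
# command it has already run, so a newer binary placed earlier in PATH is not
# picked up until the cache is cleared (`hash -r`) or a new login shell starts.
# Two tiny stand-in scripts play the role of the two real iptables binaries.
set -eu

# Sandbox mirroring the host in the post (constructed, not real binaries):
#   <root>/usr/sbin/iptables        the distro RPM binary (v1.4.21)
#   <root>/usr/local/sbin/iptables  where `make install` lands with the
#                                   default prefix /usr/local, added later
make_sandbox() {
  local root
  root=$(mktemp -d)
  mkdir -p "$root/usr/sbin" "$root/usr/local/sbin"
  printf '#!/bin/sh\necho "iptables v1.4.21"\n' > "$root/usr/sbin/iptables"
  chmod +x "$root/usr/sbin/iptables"
  printf '%s' "$root"
}

# Stand-in for the `make install` step: the new binary appears in /usr/local/sbin.
install_new_iptables() {
  printf '#!/bin/sh\necho "iptables v1.8.7 (legacy)"\n' > "$1/usr/local/sbin/iptables"
  chmod +x "$1/usr/local/sbin/iptables"
}

# Run `iptables -V` once before the install (which caches the old path), do the
# install, then run it again. $2 = "stale" keeps the cache as an already-open
# shell would; $2 = "rehash" clears it first, as a fresh login effectively does.
version_seen() {
  local root=$1 mode=$2
  PATH="$root/usr/local/sbin:$root/usr/sbin:$PATH"   # same order as root's PATH on CentOS 7
  iptables -V >/dev/null
  install_new_iptables "$root"
  if [ "$mode" = rehash ]; then
    hash -r
  fi
  iptables -V
}

# Stand-alone demonstration: old version from the open shell, new one after hash -r.
main() {
  local r
  r=$(make_sandbox); printf 'open shell   : %s\n' "$(version_seen "$r" stale)"
  r=$(make_sandbox); printf 'after hash -r: %s\n' "$(version_seen "$r" rehash)"
}
main
```

Each call leaves its sandbox under the temp directory; remove it with rm -rf when done.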

Some of the content in this post references the following:

© The copyright of the content at the reference link belongs to the original author; if there is any infringement, please let me know.


https://www.netfilter.org/projects/iptables


© 2018-2023 [email protected], All rights reserved. Attribution-Non-Commercial-Share Alike (CC BY-NC-SA 4.0)


Source: blog.csdn.net/sanhewuyang/article/details/130361972