
[Backport 1.25] Update kube-router to move ACCEPT rule at the end of the chain #7219

Closed
rbrtbnfgl opened this issue Apr 5, 2023 · 3 comments

rbrtbnfgl (Contributor) commented Apr 5, 2023

fmoral2 (Contributor) commented Apr 11, 2023

@rbrtbnfgl question, should I also see this change somewhere in the chain in nft tables?

table ip filter {
	chain INPUT {
		type filter hook input priority filter; policy accept;
		 counter packets 48509 bytes 9157122 jump KUBE-ROUTER-INPUT
		ct state new  counter packets 61 bytes 3550 jump KUBE-PROXY-FIREWALL
		 counter packets 45279 bytes 8545776 jump KUBE-NODEPORTS
		ct state new  counter packets 61 bytes 3550 jump KUBE-EXTERNAL-SERVICES
		counter packets 45279 bytes 8545776 jump KUBE-FIREWALL
		 mark and 0x20000 == 0x20000 counter packets 0 bytes 0 accept
	}

	chain FORWARD {
		type filter hook forward priority filter; policy accept;
		 counter packets 4 bytes 164 jump KUBE-ROUTER-FORWARD
		ct state new  counter packets 1 bytes 40 jump KUBE-PROXY-FIREWALL
		 counter packets 1 bytes 40 jump KUBE-FORWARD
		ct state new  counter packets 0 bytes 0 jump KUBE-SERVICES
		ct state new  counter packets 0 bytes 0 jump KUBE-EXTERNAL-SERVICES
		 counter packets 0 bytes 0 jump FLANNEL-FWD
		 mark and 0x20000 == 0x20000 counter packets 0 bytes 0 accept
	}

	chain OUTPUT {
		type filter hook output priority filter; policy accept;
		 counter packets 48681 bytes 8882342 jump KUBE-ROUTER-OUTPUT
		ct state new  counter packets 62 bytes 4792 jump KUBE-PROXY-FIREWALL
		ct state new  counter packets 62 bytes 4792 jump KUBE-SERVICES
		counter packets 45198 bytes 8544283 jump KUBE-FIREWALL
		 mark and 0x20000 == 0x20000 counter packets 0 bytes 0 accept
	}




	chain KUBE-ROUTER-FORWARD {
		ip daddr 1 counter packets 0 bytes 0 jump KUBE-POD-FW-TBMHIUG4OUHMUCS3
		ip daddr 1 # PHYSDEV match --physdev-is-bridged  counter packets 0 bytes 0 jump KUBE-POD-FW-TBMHIUG4OUHMUCS3
		ip saddr 1  counter packets 0 bytes 0 jump KUBE-POD-FW-TBMHIUG4OUHMUCS3
		ip saddr 1 # PHYSDEV match --physdev-is-bridged  counter packets 0 bytes 0 jump KUBE-POD-FW-TBMHIUG4OUHMUCS3
		ip daddr 1  counter packets 0 bytes 0 jump KUBE-POD-FW-CZURLYP3UEV2WLXG
		ip daddr 10 # PHYSDEV match --physdev-is-bridged  counter packets 0 bytes 0 jump KUBE-POD-FW-CZURLYP3UEV2WLXG
		ip saddr 1 counter packets 0 bytes 0 jump KUBE-POD-FW-CZURLYP3UEV2WLXG
		ip saddr 1 # PHYSDEV match --physdev-is-bridged  counter packets 0 bytes 0 jump KUBE-POD-FW-CZURLYP3UEV2WLXG
		ip daddr 1  counter packets 0 bytes 0 jump KUBE-POD-FW-LR4Z2SHVDGBPG4AP
		ip daddr 1 # PHYSDEV match --physdev-is-bridged  counter packets 0 bytes 0 jump KUBE-POD-FW-LR4Z2SHVDGBPG4AP
		ip saddr 1  counter packets 0 bytes 0 jump KUBE-POD-FW-LR4Z2SHVDGBPG4AP
		ip saddr 1 # PHYSDEV match --physdev-is-bridged  counter packets 0 bytes 0 jump KUBE-POD-FW-LR4Z2SHVDGBPG4AP
		ip daddr 1  counter packets 3 bytes 120 jump KUBE-POD-FW-3USA2FSCXFZRLVOE
		ip daddr 1 # PHYSDEV match --physdev-is-bridged  counter packets 0 bytes 0 jump KUBE-POD-FW-3USA2FSCXFZRLVOE
		ip saddr 1  counter packets 1 bytes 44 jump KUBE-POD-FW-3USA2FSCXFZRLVOE
		ip saddr 1 # PHYSDEV match --physdev-is-bridged  counter packets 0 bytes 0 jump KUBE-POD-FW-3USA2FSCXFZRLVOE
		ip daddr 1 counter packets 0 bytes 0 jump KUBE-POD-FW-F5PKDPPUB5DIJFJL
		ip daddr 1 # PHYSDEV match --physdev-is-bridged  counter packets 0 bytes 0 jump KUBE-POD-FW-F5PKDPPUB5DIJFJL
		ip saddr 1  counter packets 0 bytes 0 jump KUBE-POD-FW-F5PKDPPUB5DIJFJL
		ip saddr 1 # PHYSDEV match --physdev-is-bridged  counter packets 0 bytes 0 jump KUBE-POD-FW-F5PKDPPUB5DIJFJL
	}

	chain KUBE-ROUTER-INPUT {
		ip daddr 10  counter packets 0 bytes 0 return
		meta l4proto tcp  fib daddr type local tcp dport 30000-32767 counter packets 0 bytes 0 return
		meta l4proto udp  fib daddr type local udp dport 30000-32767 counter packets 0 bytes 0 return
		ip saddr 10  counter packets 2226 bytes 531019 jump KUBE-POD-FW-TBMHIUG4OUHMUCS3
		ip saddr 10.  counter packets 705 bytes 57085 jump KUBE-POD-FW-CZURLYP3UEV2WLXG
		ip saddr 10  counter packets 15 bytes 1063 jump KUBE-POD-FW-LR4Z2SHVDGBPG4AP
		ip saddr 10.  counter packets 284 bytes 22179 jump KUBE-POD-FW-3USA2FSCXFZRLVOE
		ip saddr 10 counter packets 0 bytes 0 jump KUBE-POD-FW-F5PKDPPUB5DIJFJL
	}

	chain KUBE-ROUTER-OUTPUT {
		ip daddr 10  counter packets 2483 bytes 256283 jump KUBE-POD-FW-TBMHIUG4OUHMUCS3
		ip saddr 10.  counter packets 0 bytes 0 jump KUBE-POD-FW-TBMHIUG4OUHMUCS3
		ip daddr 10  counter packets 704 bytes 53162 jump KUBE-POD-FW-CZURLYP3UEV2WLXG
		ip saddr 10 counter packets 0 bytes 0 jump KUBE-POD-FW-CZURLYP3UEV2WLXG
		ip daddr 10.  counter packets 15 bytes 1625 jump KUBE-POD-FW-LR4Z2SHVDGBPG4AP
		ip saddr 10.  counter packets 0 bytes 0 jump KUBE-POD-FW-LR4Z2SHVDGBPG4AP
		ip daddr 10.  counter packets 281 bytes 26989 jump KUBE-POD-FW-3USA2FSCXFZRLVOE
		ip saddr 10  counter packets 0 bytes 0 jump KUBE-POD-FW-3USA2FSCXFZRLVOE
		ip daddr 10  counter packets 0 bytes 0 jump KUBE-POD-FW-F5PKDPPUB5DIJFJL
		ip saddr 10  counter packets 0 bytes 0 jump KUBE-POD-FW-F5PKDPPUB5DIJFJL
	}

rbrtbnfgl (Contributor, Author):

If the iptables-nft module is installed, they should use the same configuration interface.

fmoral2 (Contributor) commented Apr 11, 2023

Validated on Version:

- k3s version v1.25.8+k3s-59e573d1 (59e573d) COMMIT ID= (59e573d)

Environment Details

Infrastructure
Cloud EC2 instance

Node(s) CPU architecture, OS, and Version:
Ubuntu 20.04

Cluster Configuration:
1 node

Config.yaml 1 node :

cat /etc/rancher/k3s/config.yaml
write-kubeconfig-mode: 644
token: test

Steps to validate the fix:

  1. Copy config.yaml
  2. Install k3s in the latest version on the branch
  3. Check iptables chain and ACCEPT should be in the end
  4. Check nftables chain and ACCEPT should be in the end
  5. Upgrade Rke2 with commit ID
  6. Check ACCEPT chain again
  7. Install using the commit ID and check ACCEPT

Validation Results:

:~$ k3s --version
k3s version v1.25.8+k3s1 (6c5ac022)
go version go1.19.7

~$ sudo iptables-save |grep network |grep ROUTER
-A KUBE-ROUTER-FORWARD -m comment --comment "rule to explicitly ACCEPT traffic that comply to network policies" -m mark --mark 0x20000/0x20000 -j RETURN
-A KUBE-ROUTER-INPUT -m comment --comment "rule to explicitly ACCEPT traffic that comply to network policies" -m mark --mark 0x20000/0x20000 -j RETURN
-A KUBE-ROUTER-OUTPUT -m comment --comment "rule to explicitly ACCEPT traffic that comply to network policies" -m mark --mark 0x20000/0x20000 -j RETURN


UPDATE TO COMMIT ID = 59e573d


 ~$ k3s --version
k3s version v1.25.8+k3s-59e573d1 (59e573d1)

:~$ sudo iptables-save |grep network |grep ROUTER
-A INPUT -m comment --comment "KUBE-ROUTER rule to explicitly ACCEPT traffic that comply to network policies" -m mark --mark 0x20000/0x20000 -j ACCEPT
-A FORWARD -m comment --comment "KUBE-ROUTER rule to explicitly ACCEPT traffic that comply to network policies" -m mark --mark 0x20000/0x20000 -j ACCEPT
-A OUTPUT -m comment --comment "KUBE-ROUTER rule to explicitly ACCEPT traffic that comply to network policies" -m mark --mark 0x20000/0x20000 -j ACCEPT



INSTALL WITH COMMIT ID = 59e573d

:~$ k3s --version
k3s version v1.25.8+k3s-59e573d1 (59e573d1)



:~$ sudo iptables-save |grep network |grep ROUTER
-A INPUT -m comment --comment "KUBE-ROUTER rule to explicitly ACCEPT traffic that comply to network policies" -m mark --mark 0x20000/0x20000 -j ACCEPT
-A FORWARD -m comment --comment "KUBE-ROUTER rule to explicitly ACCEPT traffic that comply to network policies" -m mark --mark 0x20000/0x20000 -j ACCEPT
-A OUTPUT -m comment --comment "KUBE-ROUTER rule to explicitly ACCEPT traffic that comply to network policies" -m mark --mark 0x20000/0x20000 -j ACCEPT
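Steps 3 and 4 of the validation above (the ACCEPT must be the last rule of INPUT, FORWARD and OUTPUT, in both the iptables and the nft view) can be checked mechanically. The script below is an added example written for this page; it is not code from the k3s or kube-router projects. It parses `iptables-save` output and `nft list table ip filter` output, finds the last rule of each base chain, and reports whether that rule is the kube-router `mark 0x20000/0x20000 -> ACCEPT` rule. The sample dumps are constructed, modelled on the outputs posted in this thread, and every function and variable name is this example's own; the `--live` flag that reads the running host is also an assumption of this script, not a k3s feature.

```shell
#!/bin/sh
# Added example (not k3s or kube-router code): verify that the kube-router
# "mark 0x20000 -> ACCEPT" rule is the LAST rule of the filter-table base
# chains, in both iptables-save output and nft list output.

# Print the last "-A CHAIN ..." rule of CHAIN from an iptables-save dump.
last_ipt_rule() {  # $1 = dump, $2 = chain name
    printf '%s\n' "$1" | awk -v chain="$2" \
        '$1 == "-A" && $2 == chain { last = $0 } END { print last }'
}

# Print the last rule inside "chain CHAIN { ... }" of an nft dump, skipping
# the "type ... hook ..." header line that every base chain carries.
last_nft_rule() {  # $1 = dump, $2 = chain name
    printf '%s\n' "$1" | awk -v chain="$2" '
        $1 == "chain" && $2 == chain     { inside = 1; next }
        inside && $1 == "}"              { inside = 0 }
        inside && NF > 0 && $1 != "type" { last = $0 }
        END { print last }'
}

# Exit 0 if the last rule of the chain is the kube-router mark ACCEPT, else 1.
# The pattern is anchored at the end so a rule that merely contains the mark
# match (e.g. "-j RETURN", as in the pre-fix output above) does not pass.
ipt_accept_is_last() {  # $1 = dump, $2 = chain name
    case "$(last_ipt_rule "$1" "$2")" in
        *"-m mark --mark 0x20000/0x20000 -j ACCEPT") return 0 ;;
        *) return 1 ;;
    esac
}
nft_accept_is_last() {  # $1 = dump, $2 = chain name
    case "$(last_nft_rule "$1" "$2")" in
        *"mark and 0x20000 == 0x20000"*" accept") return 0 ;;
        *) return 1 ;;
    esac
}

# Check INPUT, FORWARD and OUTPUT. $1 = "ipt" or "nft" (selects the checker
# function above), $2 = dump. Prints the first failing chain, or OK.
check_chains() {
    for c in INPUT FORWARD OUTPUT; do
        "${1}_accept_is_last" "$2" "$c" || { echo "FAIL: $c"; return 1; }
    done
    echo "OK"
}

# Constructed sample dumps, modelled on the post-fix output in this issue.
GOOD_IPT='*filter
-A INPUT -j KUBE-ROUTER-INPUT
-A INPUT -m conntrack --ctstate NEW -j KUBE-PROXY-FIREWALL
-A INPUT -j KUBE-FIREWALL
-A INPUT -m comment --comment "KUBE-ROUTER rule to explicitly ACCEPT traffic that comply to network policies" -m mark --mark 0x20000/0x20000 -j ACCEPT
-A FORWARD -j KUBE-ROUTER-FORWARD
-A FORWARD -j KUBE-FORWARD
-A FORWARD -m mark --mark 0x20000/0x20000 -j ACCEPT
-A OUTPUT -j KUBE-ROUTER-OUTPUT
-A OUTPUT -j KUBE-FIREWALL
-A OUTPUT -m mark --mark 0x20000/0x20000 -j ACCEPT
COMMIT'
# Constructed mis-ordered chain: the ACCEPT precedes KUBE-FIREWALL, so a marked
# packet is accepted before that chain ever sees it.
BAD_IPT='*filter
-A INPUT -j KUBE-ROUTER-INPUT
-A INPUT -m mark --mark 0x20000/0x20000 -j ACCEPT
-A INPUT -j KUBE-FIREWALL
COMMIT'
GOOD_NFT='table ip filter {
	chain INPUT {
		type filter hook input priority filter; policy accept;
		counter jump KUBE-ROUTER-INPUT
		counter jump KUBE-FIREWALL
		mark and 0x20000 == 0x20000 counter packets 0 bytes 0 accept
	}
	chain FORWARD {
		type filter hook forward priority filter; policy accept;
		counter jump KUBE-ROUTER-FORWARD
		mark and 0x20000 == 0x20000 counter accept
	}
	chain OUTPUT {
		type filter hook output priority filter; policy accept;
		counter jump KUBE-ROUTER-OUTPUT
		mark and 0x20000 == 0x20000 counter accept
	}
}'
BAD_NFT='table ip filter {
	chain INPUT {
		type filter hook input priority filter; policy accept;
		mark and 0x20000 == 0x20000 counter accept
		counter jump KUBE-FIREWALL
	}
}'

# Stand-alone run: check the constructed dumps, or the live host with --live
# (needs root; assumes the host programs iptables through iptables-nft).
if [ "${1:-}" = "--live" ]; then
    check_chains ipt "$(iptables-save -t filter)" &&
        check_chains nft "$(nft list table ip filter)"
else
    check_chains ipt "$GOOD_IPT"
    check_chains nft "$GOOD_NFT"
fi
```

Both views are checked because, as noted in the reply above, iptables-nft programs the same nf_tables ruleset that `nft` lists, so the two outputs must agree on rule order; a host where one passes and the other fails has a second, legacy iptables backend in play and should be investigated before the fix is trusted.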
