When running a CentOS 8 container on a CentOS 7 host, adding an iptables rule to one chain inside the container (for example, the INPUT chain of the filter table) adds the rule not only to INPUT but also to other chains (OUTPUT, FORWARD, and even PREROUTING and POSTROUTING).
- Run a CentOS 8 container on the CentOS 7 host:
docker run -it --privileged centos:8 sh
- Inside the running container, install iptables:
yum install -y iptables
- Show the iptables version:
iptables -V
iptables version: v1.8.4 (nf_tables)
- List the current rules:
iptables -t nat -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
# Warning: iptables-legacy tables present, use iptables-legacy to see them
Add a new rule:
iptables -I INPUT -i eth0 -j REJECT
List the rules again:
iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- eth0 * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- eth0 * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- eth0 * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
# Warning: iptables-legacy tables present, use iptables-legacy to see them
I have tested this: it does not happen when running a CentOS 8 container on a CentOS 8 host.
In short: the host and the container are mixing iptables and nftables.
https://github.com/kubernetes/kubernetes/issues/71305
https://bugzilla.redhat.com/show_bug.cgi?id=1668007
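The condition summarised above (an nf_tables-backed iptables inside the container meeting a host that still uses the legacy backend) can be checked for before any rule is added, and the symptom itself (one inserted rule showing up in every chain) can be detected from a listing. The script below is an added example, not part of the original report or of the linked issues. Its parsing functions work on the text that `iptables -V` and `iptables -nvL` print, the `sample_listing` content is constructed from the output shown above, and the "3.x kernel plus nf_tables backend" heuristic in `check_mismatch` is an assumption of this example, not a rule stated in the report.

```shell
#!/bin/sh
# Added example (not from the original issue): a pre-flight check for the
# iptables/nftables backend mismatch described in the report. The functions
# take text as arguments so they can be exercised offline; the bottom of the
# script runs them against the real `iptables` and `uname` when available.

# Classify the iptables backend from the line `iptables -V` prints,
# e.g. "iptables version: v1.8.4 (nf_tables)" (as in the issue) or
# "iptables v1.8.4 (legacy)". Older 1.4.x builds print no backend tag.
iptables_backend() {
    case "$1" in
        *"(nf_tables)"*) echo nf_tables ;;
        *"(legacy)"*)    echo legacy ;;
        *)               echo unknown ;;
    esac
}

# Succeeds (exit 0) when a listing carries the "iptables-legacy tables present"
# warning, i.e. the nft-backed binary found rules written by the legacy backend.
has_legacy_warning() {
    printf '%s\n' "$1" | grep -q 'iptables-legacy tables present'
}

# Count the distinct chains in an `iptables -nvL` listing that contain a rule
# with the given target. A rule inserted only into INPUT should yield 1; the
# issue's listing yields 3 because the same REJECT rule appears in every chain.
chains_with_target() {
    printf '%s\n' "$1" | awk -v tgt="$2" '
        /^Chain / { chain = $2; next }
        $3 == tgt && chain != "" && !seen[chain]++ { n++ }
        END { print n + 0 }'
}

# Major version of a kernel release string such as "3.10.0-1160.el7.x86_64".
kernel_major() {
    printf '%s\n' "$1" | cut -d. -f1
}

# Heuristic (an assumption of this example, not a rule stated in the issue):
# report "mismatch" when an nf_tables-backed iptables runs on a 3.x kernel,
# which is the CentOS 8 container on CentOS 7 host combination reported above.
check_mismatch() {
    backend=$(iptables_backend "$1")
    major=$(kernel_major "$2")
    if [ "$backend" = nf_tables ] && [ "$major" -lt 4 ]; then
        echo mismatch
    else
        echo ok
    fi
}

# Constructed sample listing reproducing the shape of the issue's output.
sample_listing() {
    cat <<'EOF'
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
# Warning: iptables-legacy tables present, use iptables-legacy to see them
EOF
}

# Live check: only runs where iptables exists; listing needs root, so failures
# are tolerated and simply leave the variables empty.
if command -v iptables >/dev/null 2>&1; then
    version=$(iptables -V 2>/dev/null || true)
    listing=$(iptables -nvL 2>/dev/null || true)
    echo "backend: $(iptables_backend "$version")"
    echo "kernel/backend check: $(check_mismatch "$version" "$(uname -r)")"
    if has_legacy_warning "$listing"; then
        echo "warning: legacy tables present alongside nf_tables rules"
    fi
fi
```

Run inside the container before touching rules: a "mismatch" verdict or the legacy-tables warning means the container's nf_tables-backed iptables is layered over a host backend it does not share, which is the setup in which the rule duplication above was observed. After inserting a rule, `chains_with_target "$(iptables -nvL)" REJECT` returning more than 1 confirms the duplication on a live system.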