ICMPv6 Neighbour Solicitation packets dropped preventing IPv6 from working #9807

ghost · 2024-03-27T10:08:31Z

ghost
Mar 27, 2024

Environmental Info:
K3s Version:

k3s version v1.28.7+k3s1 (051b14b2)
go version go1.21.7

Node(s) CPU architecture, OS, and Version:

Linux sg1-2 5.15.0-92-generic #102-Ubuntu SMP Wed Jan 10 09:33:48 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
PRETTY_NAME="Ubuntu 22.04.4 LTS"
ip6tables v1.8.7 (nf_tables)
nftables v1.0.2 (Lester Gooch)
ufw 0.36.1

Firewall rules:

Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), allow (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22                         ALLOW IN    Anywhere                  
80                         ALLOW IN    Anywhere                  
443                        ALLOW IN    Anywhere                  
Anywhere                   ALLOW IN    10.x.1.0/24             
6443                       ALLOW IN    10.y.0.0/13             
6443                       ALLOW IN    10.z.0.0/16             
6443                       ALLOW IN    Anywhere
443/udp                    ALLOW IN    Anywhere                  
Anywhere on eno1           DENY IN     Anywhere                  
22 (v6)                    ALLOW IN    Anywhere (v6)             
80 (v6)                    ALLOW IN    Anywhere (v6)             
443 (v6)                   ALLOW IN    Anywhere (v6)             
Anywhere (v6)              ALLOW IN    fd:x::/56       
6443                       ALLOW IN    fd:y:y000::/56  
6443                       ALLOW IN    fd:z:z100::/112 
6443 (v6)                  ALLOW IN    Anywhere (v6)  
443/udp (v6)               ALLOW IN    Anywhere (v6)             
Anywhere (v6) on eno1      DENY IN     Anywhere (v6)

Cluster Configuration:

3 servers, embedded etcd

Describe the bug:
In a previous version of k3s (1.28.5+k3s1) this was not an issue. Pods could access services and other pods without trouble. After upgrading Ubuntu and K3s, pods could not access services and other pods.

Steps To Reproduce:

Installed K3s on all three nodes (with --cluster-init and --server as appropriate):

token: "..."

node-external-ip: "..."
flannel-iface: eno2
kubelet-arg:
  - "max-pods=250"

flannel-backend: host-gw
flannel-ipv6-masq: true
tls-san: ...
cluster-domain: ...
cluster-cidr: "10.x.0.0/13,fd:x:x000::/56"
service-cidr: "10.y.0.0/16,fd:y:y100::/112"
secrets-encryption: true
kube-controller-manager-arg:
  - "node-cidr-mask-size-ipv4=23"
  - "node-cidr-mask-size-ipv6=64"
etcd-expose-metrics: true
disable: local-storage

I upgraded from 1.28.5+k3s1 and also did some Ubuntu package upgrades at the same time, and this issue cropped up.

Expected behavior:

IPv6 traffic will flow correctly.

Actual behavior:

IPv6 traffic is blocked:

tcpdump -ni nflog:100 | grep <pod IPv6>

Additional context / logs:

Adding the following rules unblocks traffic:

ip6tables -I KUBE-ROUTER-FORWARD 1 -p icmpv6 --icmpv6-type neighbour-solicitation -m hl --hl-eq 255 -j ACCEPT
ip6tables -I KUBE-ROUTER-FORWARD 1 -p icmpv6 --icmpv6-type neighbour-advertisement -m hl --hl-eq 255 -j ACCEPT
ip6tables -I KUBE-ROUTER-INPUT 1 -p icmpv6 --icmpv6-type neighbour-solicitation -m hl --hl-eq 255 -j ACCEPT
ip6tables -I KUBE-ROUTER-INPUT 1 -p icmpv6 --icmpv6-type neighbour-advertisement -m hl --hl-eq 255 -j ACCEPT

Answered by rbrtbnfgl

Apr 10, 2024

I did a PR on our kube-router fork k3s-io/kube-router#85

View full answer

brandond · 2024-03-27T19:16:49Z

brandond
Mar 27, 2024
Collaborator

We don't block any of the traffic in question; I suspect something changed in whatever host-based firewall you are using (firewalld/ufw) and the default rules are now more restrictive. Your firewall status output does specifically show a default-deny policy for ipv4 and ipv6 on eno1, so what you're reporting sounds logical.

I would recommend against adding rules to the kube-router chains; these are manage by the kube-router network policy controller and will likely be discarded when you restart k3s.

This doesn't appear to be related to k3s or our embedded network policy controller, so I am going to convert it to a discussion.

0 replies

ghost · 2024-03-28T18:16:20Z

ghost
Mar 28, 2024

Some notes on my research:

Looking at the NFLOG entries, the rules created by kube-router seem to not match any rules, and thus are logged as DROP:

Mar 28 17:41:28 sg1-2 DROP by policy <namespace>/<policy> IN=cni0 OUT=cni0 MAC=ce:e0:87:ca:a7:66:6a:e3:96:5b:e1:73:86:dd SRC=fdx:x001::22bd DST=fdx:x001::2209 LEN=72 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=ICMPv6 TYPE=136 CODE=0 MARK=0 
Mar 28 17:41:28 sg1-2  IN=cni0 OUT=cni0 MAC=ce:e0:87:ca:a7:66:6a:e3:96:5b:e1:73:86:dd SRC=fdx:x001::22bd DST=fdx:x001::2209 LEN=72 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=ICMPv6 TYPE=136 CODE=0 MARK=0 
Mar 28 17:41:29 sg1-2  IN=cni0 OUT=cni0 MAC=ce:e0:87:ca:a7:66:82:0c:25:74:06:25:86:dd SRC=fdx:x001::2294 DST=fdx:x001::2209 LEN=72 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=ICMPv6 TYPE=136 CODE=0 MARK=0

Which means none of the rules marked the packet as ALLOW (0x10000):

Chain FORWARD (policy ACCEPT 334 packets, 22712 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 230K   26M KUBE-ROUTER-FORWARD  all      *      *       ::/0                 ::/0                 /* kube-router netpol - X */
18757 2548K KUBE-PROXY-FIREWALL  all      *      *       ::/0                 ::/0                 ctstate NEW /* kubernetes load balancer firewall */
82906 7165K KUBE-FORWARD  all      *      *       ::/0                 ::/0                 /* kubernetes forwarding rules */
18757 2548K KUBE-SERVICES  all      *      *       ::/0                 ::/0                 ctstate NEW /* kubernetes service portals */
18757 2548K KUBE-EXTERNAL-SERVICES  all      *      *       ::/0                 ::/0                 ctstate NEW /* kubernetes externally-visible service portals */
82572 7142K ACCEPT     all      *      *       ::/0                 ::/0                 /* KUBE-ROUTER rule to explicitly ACCEPT traffic that comply to network policies */ mark match 0x20000/0x20000
  334 22712 ufw6-before-logging-forward  all      *      *       ::/0                 ::/0                
  334 22712 ufw6-before-forward  all      *      *       ::/0                 ::/0                
  334 22712 ufw6-after-forward  all      *      *       ::/0                 ::/0                
  334 22712 ufw6-after-logging-forward  all      *      *       ::/0                 ::/0                
  334 22712 ufw6-reject-forward  all      *      *       ::/0                 ::/0                
  334 22712 ufw6-track-forward  all      *      *       ::/0                 ::/0                
  334 22712 FLANNEL-FWD  all      *      *       ::/0                 ::/0                 /* flanneld forward */

Chain KUBE-ROUTER-FORWARD (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 ... (including jump to KUBE-POD-FW-X on source/destination match)

Chain KUBE-POD-FW-X (7 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all      *      *       ::/0                 ::/0                 /* rule for stateful firewall for pod */ ctstate RELATED,ESTABLISHED
  122 14640 DROP       all      *      *       ::/0                 ::/0                 /* rule to drop invalid state for pod */ ctstate INVALID
    0     0 ACCEPT     all      *      *       ::/0                 fdx:x001::22bd  /* rule to permit the traffic traffic to pods when source is the pod's local node */ ADDRTYPE match src-type LOCAL
 1098  152K KUBE-NWPLCY-Y  all      *      *       ::/0                 ::/0                 /* run through nw policy <policy> */
   32  2304 NFLOG      all      *      *       ::/0                 ::/0                 /* rule to log dropped traffic POD name:x namespace: <namespace> */ mark match ! 0x10000/0x10000 limit: avg 10/min burst 10 nflog-group 100
  122  8784 REJECT     all      *      *       ::/0                 ::/0                 /* rule to REJECT traffic destined for POD name:x namespace: <namespace> */ mark match ! 0x10000/0x10000 reject-with icmp6-port-unreachable
  976  143K MARK       all      *      *       ::/0                 ::/0                 MARK and 0xfffeffff
  976  143K MARK       all      *      *       ::/0                 ::/0                 /* set mark to ACCEPT traffic that comply to network policies */ MARK or 0x20000

Chain KUBE-NWPLCY-Y (10 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MARK       all      *      *       ::/0                 ::/0                 /* rule to ACCEPT traffic from source pods to dest pods selected by policy name <policy> namespace <namespace> */ match-set inet6:KUBE-SRC-A src match-set inet6:KUBE-DST-Z dst MARK or 0x10000
    0     0 RETURN     all      *      *       ::/0                 ::/0                 /* rule to ACCEPT traffic from source pods to dest pods selected by policy name <policy> namespace <namespace> */ match-set inet6:KUBE-SRC-A src match-set inet6:KUBE-DST-Z dst mark match 0x10000/0x10000
    0     0 MARK       all      *      *       ::/0                 ::/0                 /* rule to ACCEPT traffic from source pods to dest pods selected by policy name <policy> namespace <namespace> */ match-set inet6:KUBE-SRC-Z src match-set inet6:KUBE-DST-B dst MARK or 0x10000
    0     0 RETURN     all      *      *       ::/0                 ::/0                 /* rule to ACCEPT traffic from source pods to dest pods selected by policy name <policy> namespace <namespace> */ match-set inet6:KUBE-SRC-Z src match-set inet6:KUBE-DST-B dst mark match 0x10000/0x10000
    0     0 MARK       all      *      *       ::/0                 ::/0                 /* rule to ACCEPT traffic from source pods to specified ipBlocks selected by policy name: <policy> namespace <namespace> */ match-set inet6:KUBE-SRC-Z src match-set inet6:KUBE-DST-C dst MARK or 0x10000
    0     0 RETURN     all      *      *       ::/0                 ::/0                 /* rule to ACCEPT traffic from source pods to specified ipBlocks selected by policy name: <policy> namespace <namespace> */ match-set inet6:KUBE-SRC-Z src match-set inet6:KUBE-DST-C dst mark match 0x10000/0x10000
 1124  165K MARK       udp      *      *       ::/0                 ::/0                 /* rule to ACCEPT traffic from source pods to dest pods selected by policy name <policy> namespace <namespace> */ match-set inet6:KUBE-SRC-Z src match-set inet6:KUBE-DST-D dst udp dpt:53 MARK or 0x10000
 1124  165K RETURN     udp      *      *       ::/0                 ::/0                 /* rule to ACCEPT traffic from source pods to dest pods selected by policy name <policy> namespace <namespace> */ match-set inet6:KUBE-SRC-Z src match-set inet6:KUBE-DST-D dst udp dpt:53 mark match 0x10000/0x10000
    0     0 MARK       tcp      *      *       ::/0                 ::/0                 /* rule to ACCEPT traffic from source pods to dest pods selected by policy name <policy> namespace <namespace> */ match-set inet6:KUBE-SRC-Z src match-set inet6:KUBE-DST-D dst tcp dpt:53 MARK or 0x10000
    0     0 RETURN     tcp      *      *       ::/0                 ::/0                 /* rule to ACCEPT traffic from source pods to dest pods selected by policy name <policy> namespace <namespace> */ match-set inet6:KUBE-SRC-Z src match-set inet6:KUBE-DST-D dst tcp dpt:53 mark match 0x10000/0x10000
   32  2304 NFLOG      all      *      *       ::/0                 ::/0                 /* rule to log dropped traffic */ limit: avg 10/min burst 10 mark match ! 0x10000/0x10000 nflog-prefix  "DROP by policy <namespace>/<policy>" nflog-group 100

Likely because when selecting a specific protocol (this case UDP) in a NetworkPolicy, the ICMPv6 packets will be dropped by the rule.

From what I can tell, kube-router is not aware of ICMPv6 Neighbour Solicitation and does not inject ICMPv6 rules. For reference, UFW injects a set of ICMPv6 rules in it's ufw6-before-input chain, regardless of the rules configured:

Chain ufw6-before-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all      lo     *       ::/0                 ::/0                
    0     0 DROP       all      *      *       ::/0                 ::/0                 rt type:0
...
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 133 HL match HL == 255
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 134 HL match HL == 255
  243 17496 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 135 HL match HL == 255
  114  7296 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 136 HL match HL == 255
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 141 HL match HL == 255
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 142 HL match HL == 255
...

0 replies

ghost · 2024-03-28T18:56:06Z

ghost
Mar 28, 2024

I managed to resolve this connection failure by adding the NDP solicited-node address to the ipset:

ubuntu@x:~$ sudo ipset list inet6:KUBE-DST-C
Name: inet6:KUBE-DST-C
Type: hash:net
Revision: 7
Header: family inet6 hashsize 1024 maxelem 65536 timeout 0 bucketsize 12 initval 0x84b680e1
Size in memory: 1432
References: 2
Number of entries: 2
Members:
fd00::/8 timeout 0
2000::/3 timeout 0
ubuntu@x:~$ sudo ipset add inet6:KUBE-DST-C ff02::1:ff00:0/104
ubuntu@x:~$ sudo ipset list inet6:KUBE-DST-C
Name: inet6:KUBE-DST-C
Type: hash:net
Revision: 7
Header: family inet6 hashsize 1024 maxelem 65536 timeout 0 bucketsize 12 initval 0x84b680e1
Size in memory: 1528
References: 2
Number of entries: 3
Members:
ff02::1:ff00:0/104 timeout 0
fd00::/8 timeout 0
2000::/3 timeout 0

/ # nslookup google.com fdx:x001::2209
;; connection timed out; no servers could be reached

Now it succeeds:

/ # nslookup google.com fdx:x001::2209
Server:		fdx:x001::2209
Address:	[fdx:x001::2209]:53

Non-authoritative answer:
...

0 replies

ghost · 2024-03-28T19:04:27Z

ghost
Mar 28, 2024

The specific case where this seems to be an issue:

- apiVersion: networking.k8s.io/v1
  kind: NetworkPolicy
  metadata:
    ...
  spec:
    egress:
    - to:
      - podSelector: {}
      ...
      - ipBlock:
          cidr: ::/0 (this translates to 2000::/3+fd00::/8 internally, so NDP packets are not covered)
      - ipBlock:
          cidr: 0.0.0.0/0
    - ports:
      - port: 53
        protocol: UDP
      - port: 53
        protocol: TCP
      to:
      - namespaceSelector:
          matchLabels:
            kubernetes.io/metadata.name: kube-system
        podSelector:
          matchLabels:
            k8s-app: kube-dns
    ingress:
    - from:
      - podSelector: {}
      - namespaceSelector:
          matchLabels:
            kubernetes.io/metadata.name: kube-system
      ...
    podSelector: {}
    policyTypes:
    - Ingress
    - Egress

4 replies

ghost Mar 28, 2024

I can confirm adding ff02::1:ff00:0/104 to the NetworkPolicy causes this policy to start allowing DNS:

      - ipBlock:
          cidr: ::/0
      - ipBlock:
          cidr: ff02::1:ff00:0/104
      - ipBlock:
          cidr: fe00::/8
      - ipBlock:
          cidr: 0.0.0.0/0

brandond Mar 28, 2024
Collaborator

I'm confused. Are you saying that the issue is with DNS, not Neighbour Solicitation packets? Or both?

ghost Mar 30, 2024

The issues with Neighbour Solicitation packets surface to my applications as DNS resolution timeouts, however it causes most IPv6 traffic to be dropped.

In summary, networking fails until I add the following Ingress and Egress rules:

      - ipBlock:
          cidr: ff02::1:ff00:0/104
      - ipBlock:
          cidr: fe00::/8

Which just so happens to allow NDP packets through.

ghost Apr 1, 2024

I managed to reproduce it in a new cluster with the following Vagrantfile and manifests:

Vagrantfile

# -*- mode: ruby -*-
# vi: set ft=ruby :

Vagrant.configure("2") do |config|
  config.vm.box = "generic/ubuntu2204"
  config.vm.box_version = "4.3.12"

  %w[libvirt virtualbox vmware_desktop].each do |p|
    config.vm.provider p do |v|
      v.cpus = 2
      v.memory = 2048
    end
  end

  k3s_env = %w[
    INSTALL_K3S_VERSION=v1.28.7+k3s1
    K3S_KUBECONFIG_MODE=0644
  ]

  k3s_config = {
    :token => 'vagrant-k3s',

    :'flannel-iface' => 'eth1',

    :'flannel-backend' => 'host-gw',
    :'flannel-ipv6-masq' => 'true',
    :'cluster-cidr' => '10.0.0.0/13,fd10:0000:0000:0000::/56',
    :'service-cidr' => '10.128.0.0/16,fd10:0000:0000:0100::/112',
    :'kube-controller-manager-arg' => %w[node-cidr-mask-size-ipv4=23 node-cidr-mask-size-ipv6=64],
    :disable => %w[local-storage],
  }

  packages = <<-SHELL
sed -i 's,https://mirrors.edge.kernel.org/ubuntu/,http://sg.archive.ubuntu.com/ubuntu/,' /etc/apt/sources.list
export DEBIAN_FRONTEND=noninteractive
#apt-get update
#apt-get upgrade -y
#apt-get install -y nfs-common
SHELL

  net_write = <<-SHELL
# Undo this Vagrant setting
sed -i 's/net.ipv6.conf.all.disable_ipv6 = 1//' /etc/sysctl.conf
sysctl net.ipv6.conf.all.disable_ipv6=0
# Set up the 
cat <<EOF > /etc/netplan/20-private.yaml
---
network:
  version: 2
  renderer: networkd
  ethernets:
    eth1:
      addresses:
        - $1
        - $2
      routes:
        - to: default
          via: "fd10:ffff::"
EOF
netplan apply
  SHELL

  (1..3).each do |i|
    config.vm.define "node-#{i}" do |node|
      ipv4 = "192.168.6.1#{i.to_s.rjust(2, '0')}/24"
      ipv6 = "fd10:ffff::10#{i.to_s(16).rjust(2, '0')}/64"
      node.vm.network "private_network", ip: ipv4, auto_config: false
      node.vm.provision "shell", inline: packages
      node.vm.provision "shell", inline: net_write, args: [ipv4, ipv6]
      node.vm.hostname = "node-#{i}"
      node.vm.provision :k3s, run: "once" do |k3s|
        # This section runs the installation script with a configuration file,
        # environmental variables and a specific version.
        k3s.args = %w[server]
        k3s.env = k3s_env
        k3s.config_mode = '0644'
        if i == 1
          k3s.config = k3s_config.merge(:'cluster-init' => 'true')
        else
          k3s.config = k3s_config.merge(:server => 'https://192.168.6.101:6443')
          k3s.skip_start = true
        end
      end
      # Enable bash completion
      node.vm.provision "shell", inline: "kubectl completion bash > /etc/bash_completion.d/kubectl"
      # Enable synced folder
      #node.vm.synced_folder ".", "/manifests", type: "9p"
      if i == 1
        # Apply default manifest
        node.vm.provision "file", source: "setup.yaml", destination: "$HOME/setup.yaml"
        node.vm.provision "shell", inline: "kubectl apply -f $HOME/setup.yaml", privileged: false
      else
        # Wait for boot
        node.vm.provision "shell", inline: "while ! curl -o /dev/null --insecure https://192.168.6.101:6443; do sleep 1; done"
        # Start k3s
        node.vm.provision "shell", inline: "systemctl enable --now k3s"
      end
    end
  end

end

setup.yaml

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test
  namespace: default
spec:
  egress:
  - to:
    - podSelector: {}
    - ipBlock:
        cidr: 2000::/3  # internet
    - ipBlock:
        cidr: 0.0.0.0/0  # internet
  - ports:
    - port: 53
      protocol: UDP
    - port: 53
      protocol: TCP
    to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
      podSelector:
        matchLabels:
          k8s-app: kube-dns
  ingress:
  - from:
    - podSelector: {}
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: test-foo
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: test-foo
  template:
    metadata:
      labels:
        app: test-foo
    spec:
      containers:
      - image: traefik/whoami:v1.10.1@sha256:6bebf84c091b5da4d4228bf8905436e33ca371afc6f3bd52b1682b40d76b23de
        name: serve
        ports:
        - containerPort: 80
          name: http
          protocol: TCP
---
apiVersion: v1
kind: Service
metadata:
  name: test-foo
  namespace: default
spec:
  ipFamilyPolicy: PreferDualStack
  ports:
  - name: http
    port: 80
    protocol: TCP
    targetPort: http
  selector:
    app: test-foo
  type: ClusterIP
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: test-bar
  namespace: default
spec:
  replicas: 10
  selector:
    matchLabels:
      app: test-bar
  template:
    metadata:
      labels:
        app: test-bar
    spec:
      containers:
      - image: docker.io/library/alpine:3.19
        command:
        - sh
        - -ec
        - |
          apk add --no-cache wget
          while true; do
            wget -6O /dev/null http://test-foo && echo ping || echo fail
            sleep 3
          done
        name: poll
      - image: docker.io/library/alpine:3.19
        command:
        - sh
        - -ec
        - |
          apk add --no-cache tcpdump
          tcpdump -ni eth0
        name: dump

In the above setup, the pods test-bar fail to make the HTTP request to test-foo over IPv6 (DNS succeeds because it happens over IPv4):

host$ vagrant ssh node-1
vm$ kubectl logs deploy/test-bar
Found 10 pods, using pod/test-bar-8f8966964-rxpwl
Defaulted container "poll" out of: poll, dump
fetch https://dl-cdn.alpinelinux.org/alpine/v3.19/main/x86_64/APKINDEX.tar.gz
fetch https://dl-cdn.alpinelinux.org/alpine/v3.19/community/x86_64/APKINDEX.tar.gz
(1/4) Installing libunistring (1.1-r2)
(2/4) Installing libidn2 (2.3.4-r4)
(3/4) Installing pcre2 (10.42-r2)
(4/4) Installing wget (1.21.4-r0)
Executing busybox-1.36.1-r15.trigger
OK: 10 MiB in 19 packages
--2024-04-01 06:59:03--  http://test-foo/
Resolving test-foo (test-foo)... fd10:0:0:100::1b3a
Connecting to test-foo (test-foo)|fd10:0:0:100::1b3a|:80... failed: Host is unreachable.
failMon Apr  1 06:59:06 UTC 2024
--2024-04-01 06:59:09--  http://test-foo/
Resolving test-foo (test-foo)... fd10:0:0:100::1b3a
Connecting to test-foo (test-foo)|fd10:0:0:100::1b3a|:80... failed: Operation timed out.
Retrying.

--2024-04-01 07:01:21--  (try: 2)  http://test-foo/
Connecting to test-foo (test-foo)|fd10:0:0:100::1b3a|:80... failed: Operation timed out.
Retrying.

Checking the tcpdump logs, there are NDP NS packets being sent out from all pods, and the current pod sends out NDP NA packets (but these get dropped by the outbound firewall rules):

kubectl logs deploy/test-bar -c dump

Found 10 pods, using pod/test-bar-8f8966964-rxpwl
fetch https://dl-cdn.alpinelinux.org/alpine/v3.19/main/x86_64/APKINDEX.tar.gz
fetch https://dl-cdn.alpinelinux.org/alpine/v3.19/community/x86_64/APKINDEX.tar.gz
(1/2) Installing libpcap (1.10.4-r1)
(2/2) Installing tcpdump (4.99.4-r1)
Executing busybox-1.36.1-r15.trigger
OK: 9 MiB in 17 packages
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
06:59:04.943272 IP6 fd10::14.48210 > fd10:0:0:100::1b3a.80: Flags [S], seq 532122764, win 64800, options [mss 1440,sackOK,TS val 4019160921 ecr 0,nop,wscale 7], length 0
06:59:04.943325 IP6 fe80::949d:7aff:fe81:596 > ff02::1:ff00:f: ICMP6, neighbor solicitation, who has fd10::f, length 32
06:59:05.967372 IP6 fe80::949d:7aff:fe81:596 > ff02::1:ff00:f: ICMP6, neighbor solicitation, who has fd10::f, length 32
06:59:06.867357 IP6 fd10::4 > ff02::1:ff00:1: ICMP6, neighbor solicitation, who has fd10::1, length 32
06:59:06.959333 IP6 fe80::b866:4fff:fe2a:666e > fd10::4: ICMP6, neighbor solicitation, who has fd10::4, length 32
06:59:06.959413 IP6 fd10::14.48210 > fd10:0:0:100::1b3a.80: Flags [S], seq 532122764, win 64800, options [mss 1440,sackOK,TS val 4019162937 ecr 0,nop,wscale 7], length 0
06:59:06.959290 ARP, Request who-has 10.0.0.20 tell 10.0.0.1, length 28
06:59:06.960588 ARP, Reply 10.0.0.20 is-at ba:66:4f:2a:66:6e, length 28
06:59:06.959380 IP6 fe80::949d:7aff:fe81:596 > fd10::14: ICMP6, neighbor solicitation, who has fd10::14, length 32
06:59:06.960705 IP6 fd10::14 > fe80::949d:7aff:fe81:596: ICMP6, neighbor advertisement, tgt is fd10::14, length 24
06:59:06.960930 IP6 fd10::4 > fe80::b866:4fff:fe2a:666e: ICMP6, neighbor advertisement, tgt is fd10::4, length 24
06:59:06.991489 IP6 fd10:0:0:100::1b3a > fd10::14: ICMP6, destination unreachable, unreachable address fd10:0:0:100::1b3a, length 88
06:59:06.991574 IP6 fd10:0:0:100::1b3a > fd10::14: ICMP6, destination unreachable, unreachable address fd10:0:0:100::1b3a, length 88
06:59:06.991597 IP6 fd10:0:0:100::1b3a > fd10::14: ICMP6, destination unreachable, unreachable address fd10:0:0:100::1b3a, length 88
06:59:07.983369 IP6 fe80::949d:7aff:fe81:596 > fd10::14: ICMP6, neighbor solicitation, who has fd10::14, length 32
06:59:07.983441 IP6 fd10::14 > fe80::949d:7aff:fe81:596: ICMP6, neighbor advertisement, tgt is fd10::14, length 24
06:59:09.007408 IP6 fe80::949d:7aff:fe81:596 > fd10::14: ICMP6, neighbor solicitation, who has fd10::14, length 32
06:59:09.007563 IP6 fd10::14 > fe80::949d:7aff:fe81:596: ICMP6, neighbor advertisement, tgt is fd10::14, length 24
06:59:09.998213 IP 10.0.0.20.43547 > 10.128.0.10.53: 44620+ AAAA? test-foo.default.svc.cluster.local. (52)
06:59:09.998439 IP6 fd10::14.43547 > fd10:0:0:100::a.53: 44620+ AAAA? test-foo.default.svc.cluster.local. (52)
06:59:09.998885 IP 10.128.0.10.53 > 10.0.0.20.43547: 44620*- 1/0/0 AAAA fd10:0:0:100::1b3a (114)
06:59:09.999026 IP6 fd10:0:0:100::a.53 > fd10::14.43547: 44620*- 1/0/0 AAAA fd10:0:0:100::1b3a (114)
06:59:09.999399 IP6 fd10::14.37848 > fd10:0:0:100::1b3a.80: Flags [S], seq 2021481052, win 64800, options [mss 1440,sackOK,TS val 4019165977 ecr 0,nop,wscale 7], length 0
06:59:09.999468 IP6 fe80::949d:7aff:fe81:596 > ff02::1:ff00:f: ICMP6, neighbor solicitation, who has fd10::f, length 32
06:59:11.027290 IP6 fd10::14.37848 > fd10:0:0:100::1b3a.80: Flags [S], seq 2021481052, win 64800, options [mss 1440,sackOK,TS val 4019167005 ecr 0,nop,wscale 7], length 0
06:59:11.027330 IP6 fe80::949d:7aff:fe81:596 > ff02::1:ff00:f: ICMP6, neighbor solicitation, who has fd10::f, length 32
06:59:12.047328 IP6 fe80::949d:7aff:fe81:596 > ff02::1:ff00:f: ICMP6, neighbor solicitation, who has fd10::f, length 32
06:59:12.079325 IP6 fe80::b866:4fff:fe2a:666e > fe80::949d:7aff:fe81:596: ICMP6, neighbor solicitation, who has fe80::949d:7aff:fe81:596, length 32
06:59:12.079427 IP6 fe80::78eb:ff:febf:9b92 > fe80::b866:4fff:fe2a:666e: ICMP6, neighbor solicitation, who has fe80::b866:4fff:fe2a:666e, length 32
06:59:12.079505 IP6 fe80::b866:4fff:fe2a:666e > fe80::78eb:ff:febf:9b92: ICMP6, neighbor advertisement, tgt is fe80::b866:4fff:fe2a:666e, length 24
06:59:12.079491 IP6 fe80::949d:7aff:fe81:596 > fe80::b866:4fff:fe2a:666e: ICMP6, neighbor advertisement, tgt is fe80::949d:7aff:fe81:596, length 24
06:59:13.039320 IP6 fd10::14.37848 > fd10:0:0:100::1b3a.80: Flags [S], seq 2021481052, win 64800, options [mss 1440,sackOK,TS val 4019169017 ecr 0,nop,wscale 7], length 0
06:59:13.071368 IP6 fe80::949d:7aff:fe81:596 > ff02::1:ff00:14: ICMP6, neighbor solicitation, who has fd10::14, length 32
06:59:13.071627 IP6 fd10::14 > fe80::949d:7aff:fe81:596: ICMP6, neighbor advertisement, tgt is fd10::14, length 32
06:59:13.071403 IP6 fe80::949d:7aff:fe81:596 > ff02::1:ff00:13: ICMP6, neighbor solicitation, who has fd10::13, length 32
06:59:14.095316 IP6 fe80::949d:7aff:fe81:596 > ff02::1:ff00:13: ICMP6, neighbor solicitation, who has fd10::13, length 32
06:59:14.095391 IP6 fe80::949d:7aff:fe81:596 > ff02::1:ff00:14: ICMP6, neighbor solicitation, who has fd10::14, length 32
06:59:14.095476 IP6 fd10::14 > fe80::949d:7aff:fe81:596: ICMP6, neighbor advertisement, tgt is fd10::14, length 32
06:59:15.119375 IP6 fe80::949d:7aff:fe81:596 > ff02::1:ff00:14: ICMP6, neighbor solicitation, who has fd10::14, length 32
06:59:15.119503 IP6 fd10::14 > fe80::949d:7aff:fe81:596: ICMP6, neighbor advertisement, tgt is fd10::14, length 32
06:59:15.119420 IP6 fe80::949d:7aff:fe81:596 > ff02::1:ff00:13: ICMP6, neighbor solicitation, who has fd10::13, length 32
06:59:17.199338 IP6 fd10::14.37848 > fd10:0:0:100::1b3a.80: Flags [S], seq 2021481052, win 64800, options [mss 1440,sackOK,TS val 4019173177 ecr 0,nop,wscale 7], length 0
06:59:17.199377 IP6 fe80::b866:4fff:fe2a:666e > fe80::78eb:ff:febf:9b92: ICMP6, neighbor solicitation, who has fe80::78eb:ff:febf:9b92, length 32
06:59:17.199467 IP6 fe80::949d:7aff:fe81:596 > ff02::1:ff00:f: ICMP6, neighbor solicitation, who has fd10::f, length 32
06:59:17.199419 IP6 fe80::949d:7aff:fe81:596 > fe80::b866:4fff:fe2a:666e: ICMP6, neighbor solicitation, who has fe80::b866:4fff:fe2a:666e, length 32
06:59:17.199551 IP6 fe80::b866:4fff:fe2a:666e > fe80::949d:7aff:fe81:596: ICMP6, neighbor advertisement, tgt is fe80::b866:4fff:fe2a:666e, length 24
06:59:17.199581 IP6 fe80::78eb:ff:febf:9b92 > fe80::b866:4fff:fe2a:666e: ICMP6, neighbor advertisement, tgt is fe80::78eb:ff:febf:9b92, length 24
06:59:18.223352 IP6 fe80::949d:7aff:fe81:596 > ff02::1:ff00:f: ICMP6, neighbor solicitation, who has fd10::f, length 32
06:59:19.247474 IP6 fe80::949d:7aff:fe81:596 > ff02::1:ff00:f: ICMP6, neighbor solicitation, who has fd10::f, length 32
06:59:20.271446 IP6 fe80::949d:7aff:fe81:596 > ff02::1:ff00:14: ICMP6, neighbor solicitation, who has fd10::14, length 32
06:59:20.271665 IP6 fd10::14 > fe80::949d:7aff:fe81:596: ICMP6, neighbor advertisement, tgt is fd10::14, length 32
06:59:20.271527 IP6 fe80::949d:7aff:fe81:596 > ff02::1:ff00:13: ICMP6, neighbor solicitation, who has fd10::13, length 32
06:59:21.299376 IP6 fe80::949d:7aff:fe81:596 > ff02::1:ff00:13: ICMP6, neighbor solicitation, who has fd10::13, length 32
06:59:21.299417 IP6 fe80::949d:7aff:fe81:596 > ff02::1:ff00:14: ICMP6, neighbor solicitation, who has fd10::14, length 32
06:59:21.299618 IP6 fd10::14 > fe80::949d:7aff:fe81:596: ICMP6, neighbor advertisement, tgt is fd10::14, length 32
06:59:22.319310 IP6 fe80::949d:7aff:fe81:596 > ff02::1:ff00:14: ICMP6, neighbor solicitation, who has fd10::14, length 32
06:59:22.319360 IP6 fd10::14 > fe80::949d:7aff:fe81:596: ICMP6, neighbor advertisement, tgt is fd10::14, length 32
06:59:22.319324 IP6 fe80::949d:7aff:fe81:596 > ff02::1:ff00:13: ICMP6, neighbor solicitation, who has fd10::13, length 32
06:59:25.391320 IP6 fd10::14.37848 > fd10:0:0:100::1b3a.80: Flags [S], seq 2021481052, win 64800, options [mss 1440,sackOK,TS val 4019181369 ecr 0,nop,wscale 7], length 0
06:59:25.391461 IP6 fe80::949d:7aff:fe81:596 > ff02::1:ff00:f: ICMP6, neighbor solicitation, who has fd10::f, length 32
06:59:26.415289 IP6 fe80::949d:7aff:fe81:596 > ff02::1:ff00:f: ICMP6, neighbor solicitation, who has fd10::f, length 32
06:59:27.443293 IP6 fe80::949d:7aff:fe81:596 > ff02::1:ff00:f: ICMP6, neighbor solicitation, who has fd10::f, length 32
06:59:28.463487 IP6 fe80::949d:7aff:fe81:596 > ff02::1:ff00:14: ICMP6, neighbor solicitation, who has fd10::14, length 32
06:59:28.463596 IP6 fd10::14 > fe80::949d:7aff:fe81:596: ICMP6, neighbor advertisement, tgt is fd10::14, length 32
06:59:28.463536 IP6 fe80::949d:7aff:fe81:596 > ff02::1:ff00:13: ICMP6, neighbor solicitation, who has fd10::13, length 32
06:59:29.487379 IP6 fe80::949d:7aff:fe81:596 > ff02::1:ff00:13: ICMP6, neighbor solicitation, who has fd10::13, length 32
06:59:29.487393 IP6 fe80::949d:7aff:fe81:596 > ff02::1:ff00:14: ICMP6, neighbor solicitation, who has fd10::14, length 32
06:59:29.487452 IP6 fd10::14 > fe80::949d:7aff:fe81:596: ICMP6, neighbor advertisement, tgt is fd10::14, length 32
06:59:30.511309 IP6 fe80::949d:7aff:fe81:596 > ff02::1:ff00:14: ICMP6, neighbor solicitation, who has fd10::14, length 32
06:59:30.511351 IP6 fd10::14 > fe80::949d:7aff:fe81:596: ICMP6, neighbor advertisement, tgt is fd10::14, length 32
06:59:30.511327 IP6 fe80::949d:7aff:fe81:596 > ff02::1:ff00:13: ICMP6, neighbor solicitation, who has fd10::13, length 32
06:59:41.519283 IP6 fd10::14.37848 > fd10:0:0:100::1b3a.80: Flags [S], seq 2021481052, win 64800, options [mss 1440,sackOK,TS val 4019197497 ecr 0,nop,wscale 7], length 0
06:59:41.519377 IP6 fe80::949d:7aff:fe81:596 > ff02::1:ff00:f: ICMP6, neighbor solicitation, who has fd10::f, length 32
06:59:42.547334 IP6 fe80::949d:7aff:fe81:596 > ff02::1:ff00:f: ICMP6, neighbor solicitation, who has fd10::f, length 32
06:59:43.567327 IP6 fe80::949d:7aff:fe81:596 > ff02::1:ff00:f: ICMP6, neighbor solicitation, who has fd10::f, length 32
06:59:44.591373 IP6 fe80::949d:7aff:fe81:596 > ff02::1:ff00:14: ICMP6, neighbor solicitation, who has fd10::14, length 32
06:59:44.591498 IP6 fd10::14 > fe80::949d:7aff:fe81:596: ICMP6, neighbor advertisement, tgt is fd10::14, length 32
06:59:44.591420 IP6 fe80::949d:7aff:fe81:596 > ff02::1:ff00:13: ICMP6, neighbor solicitation, who has fd10::13, length 32
06:59:45.615345 IP6 fe80::949d:7aff:fe81:596 > ff02::1:ff00:13: ICMP6, neighbor solicitation, who has fd10::13, length 32
06:59:45.615378 IP6 fe80::949d:7aff:fe81:596 > ff02::1:ff00:14: ICMP6, neighbor solicitation, who has fd10::14, length 32
06:59:45.615539 IP6 fd10::14 > fe80::949d:7aff:fe81:596: ICMP6, neighbor advertisement, tgt is fd10::14, length 32
06:59:46.639400 IP6 fe80::949d:7aff:fe81:596 > ff02::1:ff00:14: ICMP6, neighbor solicitation, who has fd10::14, length 32
06:59:46.639555 IP6 fd10::14 > fe80::949d:7aff:fe81:596: ICMP6, neighbor advertisement, tgt is fd10::14, length 32

Here's the firewall rules on one node:

sudo ip6tables -nvL

Chain INPUT (policy ACCEPT 21 packets, 1440 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   40  2800 KUBE-ROUTER-INPUT  all      *      *       ::/0                 ::/0                 /* kube-router netpol - 4IA2OSFRMVNDXBVV */
   22  1504 KUBE-FIREWALL  all      *      *       ::/0                 ::/0                
    0     0 KUBE-PROXY-FIREWALL  all      *      *       ::/0                 ::/0                 ctstate NEW /* kubernetes load balancer firewall */
   22  1504 KUBE-NODEPORTS  all      *      *       ::/0                 ::/0                 /* kubernetes health check service ports */
    0     0 KUBE-EXTERNAL-SERVICES  all      *      *       ::/0                 ::/0                 ctstate NEW /* kubernetes externally-visible service portals */
    1    64 ACCEPT     all      *      *       ::/0                 ::/0                 /* KUBE-ROUTER rule to explicitly ACCEPT traffic that comply to network policies */ mark match 0x20000/0x20000

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  176 25456 KUBE-ROUTER-FORWARD  all      *      *       ::/0                 ::/0                 /* kube-router netpol - TEMCG2JMHZYE7H7T */
   49  4540 KUBE-PROXY-FIREWALL  all      *      *       ::/0                 ::/0                 ctstate NEW /* kubernetes load balancer firewall */
   49  4540 KUBE-FORWARD  all      *      *       ::/0                 ::/0                 /* kubernetes forwarding rules */
   49  4540 KUBE-SERVICES  all      *      *       ::/0                 ::/0                 ctstate NEW /* kubernetes service portals */
   49  4540 KUBE-EXTERNAL-SERVICES  all      *      *       ::/0                 ::/0                 ctstate NEW /* kubernetes externally-visible service portals */
   49  4540 ACCEPT     all      *      *       ::/0                 ::/0                 /* KUBE-ROUTER rule to explicitly ACCEPT traffic that comply to network policies */ mark match 0x20000/0x20000
    0     0 FLANNEL-FWD  all      *      *       ::/0                 ::/0                 /* flanneld forward */

Chain OUTPUT (policy ACCEPT 57 packets, 5016 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   78  7504 KUBE-ROUTER-OUTPUT  all      *      *       ::/0                 ::/0                 /* kube-router netpol - VEAAIY32XVBHCSCY */
   57  5016 KUBE-FIREWALL  all      *      *       ::/0                 ::/0                
    0     0 KUBE-PROXY-FIREWALL  all      *      *       ::/0                 ::/0                 ctstate NEW /* kubernetes load balancer firewall */
    0     0 KUBE-SERVICES  all      *      *       ::/0                 ::/0                 ctstate NEW /* kubernetes service portals */
    0     0 ACCEPT     all      *      *       ::/0                 ::/0                 /* KUBE-ROUTER rule to explicitly ACCEPT traffic that comply to network policies */ mark match 0x20000/0x20000

Chain FLANNEL-FWD (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all      *      *       fd10::/56            ::/0                 /* flanneld forward */
    0     0 ACCEPT     all      *      *       ::/0                 fd10::/56            /* flanneld forward */

Chain KUBE-EXTERNAL-SERVICES (2 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain KUBE-FIREWALL (2 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain KUBE-FORWARD (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all      *      *       ::/0                 ::/0                 ctstate INVALID
    0     0 ACCEPT     all      *      *       ::/0                 ::/0                 /* kubernetes forwarding rules */ mark match 0x4000/0x4000
    0     0 ACCEPT     all      *      *       ::/0                 ::/0                 /* kubernetes forwarding conntrack rule */ ctstate RELATED,ESTABLISHED

Chain KUBE-KUBELET-CANARY (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain KUBE-NODEPORTS (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain KUBE-NWPLCY-DEFAULT (6 references)
 pkts bytes target     prot opt in     out     source               destination         
   32  3164 MARK       all      *      *       ::/0                 ::/0                 /* rule to mark traffic matching a network policy */ MARK or 0x10000

Chain KUBE-NWPLCY-OZ4T2IRMH5DLEC5L (4 references)
 pkts bytes target     prot opt in     out     source               destination         
   18  1440 MARK       all      *      *       ::/0                 ::/0                 /* rule to ACCEPT traffic from source pods to dest pods selected by policy name test namespace default */ match-set inet6:KUBE-SRC-CU2JOPAOCZ7TRJKX src match-set inet6:KUBE-DST-TYJ7YNSM54MVRTUJ dst MARK or 0x10000
   18  1440 RETURN     all      *      *       ::/0                 ::/0                 /* rule to ACCEPT traffic from source pods to dest pods selected by policy name test namespace default */ match-set inet6:KUBE-SRC-CU2JOPAOCZ7TRJKX src match-set inet6:KUBE-DST-TYJ7YNSM54MVRTUJ dst mark match 0x10000/0x10000
    0     0 MARK       all      *      *       ::/0                 ::/0                 /* rule to ACCEPT traffic from source pods to dest pods selected by policy name test namespace default */ match-set inet6:KUBE-SRC-TYJ7YNSM54MVRTUJ src match-set inet6:KUBE-DST-QE2YS32WBJRRN67W dst MARK or 0x10000
    0     0 RETURN     all      *      *       ::/0                 ::/0                 /* rule to ACCEPT traffic from source pods to dest pods selected by policy name test namespace default */ match-set inet6:KUBE-SRC-TYJ7YNSM54MVRTUJ src match-set inet6:KUBE-DST-QE2YS32WBJRRN67W dst mark match 0x10000/0x10000
    0     0 MARK       all      *      *       ::/0                 ::/0                 /* rule to ACCEPT traffic from source pods to specified ipBlocks selected by policy name: test namespace default */ match-set inet6:KUBE-SRC-TYJ7YNSM54MVRTUJ src match-set inet6:KUBE-DST-Q4ZZ6EADLQF7DYFX dst MARK or 0x10000
    0     0 RETURN     all      *      *       ::/0                 ::/0                 /* rule to ACCEPT traffic from source pods to specified ipBlocks selected by policy name: test namespace default */ match-set inet6:KUBE-SRC-TYJ7YNSM54MVRTUJ src match-set inet6:KUBE-DST-Q4ZZ6EADLQF7DYFX dst mark match 0x10000/0x10000
    0     0 MARK       udp      *      *       ::/0                 ::/0                 /* rule to ACCEPT traffic from source pods to dest pods selected by policy name test namespace default */ match-set inet6:KUBE-SRC-TYJ7YNSM54MVRTUJ src match-set inet6:KUBE-DST-RLDF7EAC57B4LOMU dst udp dpt:53 MARK or 0x10000
    0     0 RETURN     udp      *      *       ::/0                 ::/0                 /* rule to ACCEPT traffic from source pods to dest pods selected by policy name test namespace default */ match-set inet6:KUBE-SRC-TYJ7YNSM54MVRTUJ src match-set inet6:KUBE-DST-RLDF7EAC57B4LOMU dst udp dpt:53 mark match 0x10000/0x10000
    0     0 MARK       tcp      *      *       ::/0                 ::/0                 /* rule to ACCEPT traffic from source pods to dest pods selected by policy name test namespace default */ match-set inet6:KUBE-SRC-TYJ7YNSM54MVRTUJ src match-set inet6:KUBE-DST-RLDF7EAC57B4LOMU dst tcp dpt:53 MARK or 0x10000
    0     0 RETURN     tcp      *      *       ::/0                 ::/0                 /* rule to ACCEPT traffic from source pods to dest pods selected by policy name test namespace default */ match-set inet6:KUBE-SRC-TYJ7YNSM54MVRTUJ src match-set inet6:KUBE-DST-RLDF7EAC57B4LOMU dst tcp dpt:53 mark match 0x10000/0x10000
   15  1080 NFLOG      all      *      *       ::/0                 ::/0                 /* rule to log dropped traffic */ limit: avg 10/min burst 10 mark match ! 0x10000/0x10000 nflog-prefix  "DROP by policy default/test" nflog-group 100

Chain KUBE-POD-FW-5KML5L6E6NCC2XQJ (7 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all      *      *       ::/0                 ::/0                 /* rule for stateful firewall for pod */ ctstate RELATED,ESTABLISHED
    0     0 DROP       all      *      *       ::/0                 ::/0                 /* rule to drop invalid state for pod */ ctstate INVALID
    0     0 ACCEPT     all      *      *       ::/0                 fd10::a              /* rule to permit the traffic traffic to pods when source is the pod's local node */ ADDRTYPE match src-type LOCAL
    0     0 KUBE-NWPLCY-DEFAULT  all      *      *       fd10::a              ::/0                 /* run through default egress network policy chain */
    0     0 KUBE-NWPLCY-DEFAULT  all      *      *       ::/0                 fd10::a              /* run through default ingress network policy chain */
    0     0 NFLOG      all      *      *       ::/0                 ::/0                 /* rule to log dropped traffic POD name:metrics-server-67c658944b-b2sf7 namespace: kube-system */ mark match ! 0x10000/0x10000 limit: avg 10/min burst 10 nflog-group 100
    0     0 REJECT     all      *      *       ::/0                 ::/0                 /* rule to REJECT traffic destined for POD name:metrics-server-67c658944b-b2sf7 namespace: kube-system */ mark match ! 0x10000/0x10000 reject-with icmp6-port-unreachable
    0     0 MARK       all      *      *       ::/0                 ::/0                 MARK and 0xfffeffff
    0     0 MARK       all      *      *       ::/0                 ::/0                 /* set mark to ACCEPT traffic that comply to network policies */ MARK or 0x20000

Chain KUBE-POD-FW-5T2XEBWQLQB3XRVX (7 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all      *      *       ::/0                 ::/0                 /* rule for stateful firewall for pod */ ctstate RELATED,ESTABLISHED
    0     0 DROP       all      *      *       ::/0                 ::/0                 /* rule to drop invalid state for pod */ ctstate INVALID
    0     0 ACCEPT     all      *      *       ::/0                 fd10::11             /* rule to permit the traffic traffic to pods when source is the pod's local node */ ADDRTYPE match src-type LOCAL
    0     0 KUBE-NWPLCY-DEFAULT  all      *      *       fd10::11             ::/0                 /* run through default egress network policy chain */
    0     0 KUBE-NWPLCY-DEFAULT  all      *      *       ::/0                 fd10::11             /* run through default ingress network policy chain */
    0     0 NFLOG      all      *      *       ::/0                 ::/0                 /* rule to log dropped traffic POD name:svclb-traefik-cad28e80-hvj5l namespace: kube-system */ mark match ! 0x10000/0x10000 limit: avg 10/min burst 10 nflog-group 100
    0     0 REJECT     all      *      *       ::/0                 ::/0                 /* rule to REJECT traffic destined for POD name:svclb-traefik-cad28e80-hvj5l namespace: kube-system */ mark match ! 0x10000/0x10000 reject-with icmp6-port-unreachable
    0     0 MARK       all      *      *       ::/0                 ::/0                 MARK and 0xfffeffff
    0     0 MARK       all      *      *       ::/0                 ::/0                 /* set mark to ACCEPT traffic that comply to network policies */ MARK or 0x20000

Chain KUBE-POD-FW-ARPN2DKFOSGSIOQI (7 references)
 pkts bytes target     prot opt in     out     source               destination         
    1   128 ACCEPT     all      *      *       ::/0                 ::/0                 /* rule for stateful firewall for pod */ ctstate RELATED,ESTABLISHED
    3   360 DROP       all      *      *       ::/0                 ::/0                 /* rule to drop invalid state for pod */ ctstate INVALID
    0     0 ACCEPT     all      *      *       ::/0                 fd10::14             /* rule to permit the traffic traffic to pods when source is the pod's local node */ ADDRTYPE match src-type LOCAL
    3   216 KUBE-NWPLCY-OZ4T2IRMH5DLEC5L  all      *      *       ::/0                 ::/0                 /* run through nw policy test */
    3   216 NFLOG      all      *      *       ::/0                 ::/0                 /* rule to log dropped traffic POD name:test-bar-8f8966964-rxpwl namespace: default */ mark match ! 0x10000/0x10000 limit: avg 10/min burst 10 nflog-group 100
    3   216 REJECT     all      *      *       ::/0                 ::/0                 /* rule to REJECT traffic destined for POD name:test-bar-8f8966964-rxpwl namespace: default */ mark match ! 0x10000/0x10000 reject-with icmp6-port-unreachable
    0     0 MARK       all      *      *       ::/0                 ::/0                 MARK and 0xfffeffff
    0     0 MARK       all      *      *       ::/0                 ::/0                 /* set mark to ACCEPT traffic that comply to network policies */ MARK or 0x20000

Chain KUBE-POD-FW-CNNQJDECG6EJFDSV (7 references)
 pkts bytes target     prot opt in     out     source               destination         
  127 20916 ACCEPT     all      *      *       ::/0                 ::/0                 /* rule for stateful firewall for pod */ ctstate RELATED,ESTABLISHED
    0     0 DROP       all      *      *       ::/0                 ::/0                 /* rule to drop invalid state for pod */ ctstate INVALID
    1    72 ACCEPT     all      *      *       ::/0                 fd10::4              /* rule to permit the traffic traffic to pods when source is the pod's local node */ ADDRTYPE match src-type LOCAL
    1    64 KUBE-NWPLCY-DEFAULT  all      *      *       fd10::4              ::/0                 /* run through default egress network policy chain */
   31  3100 KUBE-NWPLCY-DEFAULT  all      *      *       ::/0                 fd10::4              /* run through default ingress network policy chain */
    0     0 NFLOG      all      *      *       ::/0                 ::/0                 /* rule to log dropped traffic POD name:coredns-6799fbcd5-9vvhl namespace: kube-system */ mark match ! 0x10000/0x10000 limit: avg 10/min burst 10 nflog-group 100
    0     0 REJECT     all      *      *       ::/0                 ::/0                 /* rule to REJECT traffic destined for POD name:coredns-6799fbcd5-9vvhl namespace: kube-system */ mark match ! 0x10000/0x10000 reject-with icmp6-port-unreachable
   32  3164 MARK       all      *      *       ::/0                 ::/0                 MARK and 0xfffeffff
   32  3164 MARK       all      *      *       ::/0                 ::/0                 /* set mark to ACCEPT traffic that comply to network policies */ MARK or 0x20000

Chain KUBE-POD-FW-DSQ64OVDLSU6GPYJ (7 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all      *      *       ::/0                 ::/0                 /* rule for stateful firewall for pod */ ctstate RELATED,ESTABLISHED
    0     0 DROP       all      *      *       ::/0                 ::/0                 /* rule to drop invalid state for pod */ ctstate INVALID
    0     0 ACCEPT     all      *      *       ::/0                 fd10::12             /* rule to permit the traffic traffic to pods when source is the pod's local node */ ADDRTYPE match src-type LOCAL
    0     0 KUBE-NWPLCY-OZ4T2IRMH5DLEC5L  all      *      *       ::/0                 ::/0                 /* run through nw policy test */
    0     0 NFLOG      all      *      *       ::/0                 ::/0                 /* rule to log dropped traffic POD name:test-bar-8f8966964-wxj2h namespace: default */ mark match ! 0x10000/0x10000 limit: avg 10/min burst 10 nflog-group 100
    0     0 REJECT     all      *      *       ::/0                 ::/0                 /* rule to REJECT traffic destined for POD name:test-bar-8f8966964-wxj2h namespace: default */ mark match ! 0x10000/0x10000 reject-with icmp6-port-unreachable
    0     0 MARK       all      *      *       ::/0                 ::/0                 MARK and 0xfffeffff
    0     0 MARK       all      *      *       ::/0                 ::/0                 /* set mark to ACCEPT traffic that comply to network policies */ MARK or 0x20000

Chain KUBE-POD-FW-VIXVV344P3O2B3IG (7 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all      *      *       ::/0                 ::/0                 /* rule for stateful firewall for pod */ ctstate RELATED,ESTABLISHED
   12  1440 DROP       all      *      *       ::/0                 ::/0                 /* rule to drop invalid state for pod */ ctstate INVALID
    0     0 ACCEPT     all      *      *       ::/0                 fd10::f              /* rule to permit the traffic traffic to pods when source is the pod's local node */ ADDRTYPE match src-type LOCAL
   30  2304 KUBE-NWPLCY-OZ4T2IRMH5DLEC5L  all      *      *       ::/0                 ::/0                 /* run through nw policy test */
   12   864 NFLOG      all      *      *       ::/0                 ::/0                 /* rule to log dropped traffic POD name:test-foo-6d5659b55-hc4h7 namespace: default */ mark match ! 0x10000/0x10000 limit: avg 10/min burst 10 nflog-group 100
   12   864 REJECT     all      *      *       ::/0                 ::/0                 /* rule to REJECT traffic destined for POD name:test-foo-6d5659b55-hc4h7 namespace: default */ mark match ! 0x10000/0x10000 reject-with icmp6-port-unreachable
   18  1440 MARK       all      *      *       ::/0                 ::/0                 MARK and 0xfffeffff
   18  1440 MARK       all      *      *       ::/0                 ::/0                 /* set mark to ACCEPT traffic that comply to network policies */ MARK or 0x20000

Chain KUBE-POD-FW-WO7BMDFUD4AALJ3W (7 references)
 pkts bytes target     prot opt in     out     source               destination         
    1   128 ACCEPT     all      *      *       ::/0                 ::/0                 /* rule for stateful firewall for pod */ ctstate RELATED,ESTABLISHED
    3   360 DROP       all      *      *       ::/0                 ::/0                 /* rule to drop invalid state for pod */ ctstate INVALID
    0     0 ACCEPT     all      *      *       ::/0                 fd10::13             /* rule to permit the traffic traffic to pods when source is the pod's local node */ ADDRTYPE match src-type LOCAL
    3   216 KUBE-NWPLCY-OZ4T2IRMH5DLEC5L  all      *      *       ::/0                 ::/0                 /* run through nw policy test */
    3   216 NFLOG      all      *      *       ::/0                 ::/0                 /* rule to log dropped traffic POD name:test-bar-8f8966964-s75l7 namespace: default */ mark match ! 0x10000/0x10000 limit: avg 10/min burst 10 nflog-group 100
    3   216 REJECT     all      *      *       ::/0                 ::/0                 /* rule to REJECT traffic destined for POD name:test-bar-8f8966964-s75l7 namespace: default */ mark match ! 0x10000/0x10000 reject-with icmp6-port-unreachable
    0     0 MARK       all      *      *       ::/0                 ::/0                 MARK and 0xfffeffff
    0     0 MARK       all      *      *       ::/0                 ::/0                 /* set mark to ACCEPT traffic that comply to network policies */ MARK or 0x20000

Chain KUBE-PROXY-CANARY (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain KUBE-PROXY-FIREWALL (3 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain KUBE-ROUTER-FORWARD (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 KUBE-POD-FW-5T2XEBWQLQB3XRVX  all      *      *       ::/0                 fd10::11             /* rule to jump traffic destined to POD name:svclb-traefik-cad28e80-hvj5l namespace: kube-system to chain KUBE-POD-FW-5T2XEBWQLQB3XRVX */
    0     0 KUBE-POD-FW-5T2XEBWQLQB3XRVX  all      *      *       ::/0                 fd10::11             PHYSDEV match --physdev-is-bridged /* rule to jump traffic destined to POD name:svclb-traefik-cad28e80-hvj5l namespace: kube-system to chain KUBE-POD-FW-5T2XEBWQLQB3XRVX */
    0     0 KUBE-POD-FW-5T2XEBWQLQB3XRVX  all      *      *       fd10::11             ::/0                 /* rule to jump traffic from POD name:svclb-traefik-cad28e80-hvj5l namespace: kube-system to chain KUBE-POD-FW-5T2XEBWQLQB3XRVX */
    0     0 KUBE-POD-FW-5T2XEBWQLQB3XRVX  all      *      *       fd10::11             ::/0                 PHYSDEV match --physdev-is-bridged /* rule to jump traffic from POD name:svclb-traefik-cad28e80-hvj5l namespace: kube-system to chain KUBE-POD-FW-5T2XEBWQLQB3XRVX */
   18  1440 KUBE-POD-FW-VIXVV344P3O2B3IG  all      *      *       ::/0                 fd10::f              /* rule to jump traffic destined to POD name:test-foo-6d5659b55-hc4h7 namespace: default to chain KUBE-POD-FW-VIXVV344P3O2B3IG */
    0     0 KUBE-POD-FW-VIXVV344P3O2B3IG  all      *      *       ::/0                 fd10::f              PHYSDEV match --physdev-is-bridged /* rule to jump traffic destined to POD name:test-foo-6d5659b55-hc4h7 namespace: default to chain KUBE-POD-FW-VIXVV344P3O2B3IG */
    0     0 KUBE-POD-FW-VIXVV344P3O2B3IG  all      *      *       fd10::f              ::/0                 /* rule to jump traffic from POD name:test-foo-6d5659b55-hc4h7 namespace: default to chain KUBE-POD-FW-VIXVV344P3O2B3IG */
    0     0 KUBE-POD-FW-VIXVV344P3O2B3IG  all      *      *       fd10::f              ::/0                 PHYSDEV match --physdev-is-bridged /* rule to jump traffic from POD name:test-foo-6d5659b55-hc4h7 namespace: default to chain KUBE-POD-FW-VIXVV344P3O2B3IG */
    0     0 KUBE-POD-FW-DSQ64OVDLSU6GPYJ  all      *      *       ::/0                 fd10::12             /* rule to jump traffic destined to POD name:test-bar-8f8966964-wxj2h namespace: default to chain KUBE-POD-FW-DSQ64OVDLSU6GPYJ */
    0     0 KUBE-POD-FW-DSQ64OVDLSU6GPYJ  all      *      *       ::/0                 fd10::12             PHYSDEV match --physdev-is-bridged /* rule to jump traffic destined to POD name:test-bar-8f8966964-wxj2h namespace: default to chain KUBE-POD-FW-DSQ64OVDLSU6GPYJ */
    0     0 KUBE-POD-FW-DSQ64OVDLSU6GPYJ  all      *      *       fd10::12             ::/0                 /* rule to jump traffic from POD name:test-bar-8f8966964-wxj2h namespace: default to chain KUBE-POD-FW-DSQ64OVDLSU6GPYJ */
    0     0 KUBE-POD-FW-DSQ64OVDLSU6GPYJ  all      *      *       fd10::12             ::/0                 PHYSDEV match --physdev-is-bridged /* rule to jump traffic from POD name:test-bar-8f8966964-wxj2h namespace: default to chain KUBE-POD-FW-DSQ64OVDLSU6GPYJ */
  100 14620 KUBE-POD-FW-CNNQJDECG6EJFDSV  all      *      *       ::/0                 fd10::4              /* rule to jump traffic destined to POD name:coredns-6799fbcd5-9vvhl namespace: kube-system to chain KUBE-POD-FW-CNNQJDECG6EJFDSV */
    0     0 KUBE-POD-FW-CNNQJDECG6EJFDSV  all      *      *       ::/0                 fd10::4              PHYSDEV match --physdev-is-bridged /* rule to jump traffic destined to POD name:coredns-6799fbcd5-9vvhl namespace: kube-system to chain KUBE-POD-FW-CNNQJDECG6EJFDSV */
   58  9396 KUBE-POD-FW-CNNQJDECG6EJFDSV  all      *      *       fd10::4              ::/0                 /* rule to jump traffic from POD name:coredns-6799fbcd5-9vvhl namespace: kube-system to chain KUBE-POD-FW-CNNQJDECG6EJFDSV */
    0     0 KUBE-POD-FW-CNNQJDECG6EJFDSV  all      *      *       fd10::4              ::/0                 PHYSDEV match --physdev-is-bridged /* rule to jump traffic from POD name:coredns-6799fbcd5-9vvhl namespace: kube-system to chain KUBE-POD-FW-CNNQJDECG6EJFDSV */
    0     0 KUBE-POD-FW-WO7BMDFUD4AALJ3W  all      *      *       ::/0                 fd10::13             /* rule to jump traffic destined to POD name:test-bar-8f8966964-s75l7 namespace: default to chain KUBE-POD-FW-WO7BMDFUD4AALJ3W */
    0     0 KUBE-POD-FW-WO7BMDFUD4AALJ3W  all      *      *       ::/0                 fd10::13             PHYSDEV match --physdev-is-bridged /* rule to jump traffic destined to POD name:test-bar-8f8966964-s75l7 namespace: default to chain KUBE-POD-FW-WO7BMDFUD4AALJ3W */
    0     0 KUBE-POD-FW-WO7BMDFUD4AALJ3W  all      *      *       fd10::13             ::/0                 /* rule to jump traffic from POD name:test-bar-8f8966964-s75l7 namespace: default to chain KUBE-POD-FW-WO7BMDFUD4AALJ3W */
    0     0 KUBE-POD-FW-WO7BMDFUD4AALJ3W  all      *      *       fd10::13             ::/0                 PHYSDEV match --physdev-is-bridged /* rule to jump traffic from POD name:test-bar-8f8966964-s75l7 namespace: default to chain KUBE-POD-FW-WO7BMDFUD4AALJ3W */
    0     0 KUBE-POD-FW-5KML5L6E6NCC2XQJ  all      *      *       ::/0                 fd10::a              /* rule to jump traffic destined to POD name:metrics-server-67c658944b-b2sf7 namespace: kube-system to chain KUBE-POD-FW-5KML5L6E6NCC2XQJ */
    0     0 KUBE-POD-FW-5KML5L6E6NCC2XQJ  all      *      *       ::/0                 fd10::a              PHYSDEV match --physdev-is-bridged /* rule to jump traffic destined to POD name:metrics-server-67c658944b-b2sf7 namespace: kube-system to chain KUBE-POD-FW-5KML5L6E6NCC2XQJ */
    0     0 KUBE-POD-FW-5KML5L6E6NCC2XQJ  all      *      *       fd10::a              ::/0                 /* rule to jump traffic from POD name:metrics-server-67c658944b-b2sf7 namespace: kube-system to chain KUBE-POD-FW-5KML5L6E6NCC2XQJ */
    0     0 KUBE-POD-FW-5KML5L6E6NCC2XQJ  all      *      *       fd10::a              ::/0                 PHYSDEV match --physdev-is-bridged /* rule to jump traffic from POD name:metrics-server-67c658944b-b2sf7 namespace: kube-system to chain KUBE-POD-FW-5KML5L6E6NCC2XQJ */
    0     0 KUBE-POD-FW-ARPN2DKFOSGSIOQI  all      *      *       ::/0                 fd10::14             /* rule to jump traffic destined to POD name:test-bar-8f8966964-rxpwl namespace: default to chain KUBE-POD-FW-ARPN2DKFOSGSIOQI */
    0     0 KUBE-POD-FW-ARPN2DKFOSGSIOQI  all      *      *       ::/0                 fd10::14             PHYSDEV match --physdev-is-bridged /* rule to jump traffic destined to POD name:test-bar-8f8966964-rxpwl namespace: default to chain KUBE-POD-FW-ARPN2DKFOSGSIOQI */
    0     0 KUBE-POD-FW-ARPN2DKFOSGSIOQI  all      *      *       fd10::14             ::/0                 /* rule to jump traffic from POD name:test-bar-8f8966964-rxpwl namespace: default to chain KUBE-POD-FW-ARPN2DKFOSGSIOQI */
    0     0 KUBE-POD-FW-ARPN2DKFOSGSIOQI  all      *      *       fd10::14             ::/0                 PHYSDEV match --physdev-is-bridged /* rule to jump traffic from POD name:test-bar-8f8966964-rxpwl namespace: default to chain KUBE-POD-FW-ARPN2DKFOSGSIOQI */

Chain KUBE-ROUTER-INPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     all      *      *       ::/0                 fd10:0:0:100::/112   /* allow traffic to primary/secondary cluster IP range - KMN4Z6ZTPWXCWQLL */
    0     0 RETURN     tcp      *      *       ::/0                 ::/0                 /* allow LOCAL TCP traffic to node ports - LR7XO7NXDBGQJD2M */ ADDRTYPE match dst-type LOCAL multiport dports 30000:32767
    0     0 RETURN     udp      *      *       ::/0                 ::/0                 /* allow LOCAL UDP traffic to node ports - 76UCBPIZNGJNWNUZ */ ADDRTYPE match dst-type LOCAL multiport dports 30000:32767
    0     0 KUBE-POD-FW-5T2XEBWQLQB3XRVX  all      *      *       fd10::11             ::/0                 /* rule to jump traffic from POD name:svclb-traefik-cad28e80-hvj5l namespace: kube-system to chain KUBE-POD-FW-5T2XEBWQLQB3XRVX */
   12   864 KUBE-POD-FW-VIXVV344P3O2B3IG  all      *      *       fd10::f              ::/0                 /* rule to jump traffic from POD name:test-foo-6d5659b55-hc4h7 namespace: default to chain KUBE-POD-FW-VIXVV344P3O2B3IG */
    0     0 KUBE-POD-FW-DSQ64OVDLSU6GPYJ  all      *      *       fd10::12             ::/0                 /* rule to jump traffic from POD name:test-bar-8f8966964-wxj2h namespace: default to chain KUBE-POD-FW-DSQ64OVDLSU6GPYJ */
    1    64 KUBE-POD-FW-CNNQJDECG6EJFDSV  all      *      *       fd10::4              ::/0                 /* rule to jump traffic from POD name:coredns-6799fbcd5-9vvhl namespace: kube-system to chain KUBE-POD-FW-CNNQJDECG6EJFDSV */
    3   216 KUBE-POD-FW-WO7BMDFUD4AALJ3W  all      *      *       fd10::13             ::/0                 /* rule to jump traffic from POD name:test-bar-8f8966964-s75l7 namespace: default to chain KUBE-POD-FW-WO7BMDFUD4AALJ3W */
    0     0 KUBE-POD-FW-5KML5L6E6NCC2XQJ  all      *      *       fd10::a              ::/0                 /* rule to jump traffic from POD name:metrics-server-67c658944b-b2sf7 namespace: kube-system to chain KUBE-POD-FW-5KML5L6E6NCC2XQJ */
    3   216 KUBE-POD-FW-ARPN2DKFOSGSIOQI  all      *      *       fd10::14             ::/0                 /* rule to jump traffic from POD name:test-bar-8f8966964-rxpwl namespace: default to chain KUBE-POD-FW-ARPN2DKFOSGSIOQI */

Chain KUBE-ROUTER-OUTPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 KUBE-POD-FW-5T2XEBWQLQB3XRVX  all      *      *       ::/0                 fd10::11             /* rule to jump traffic destined to POD name:svclb-traefik-cad28e80-hvj5l namespace: kube-system to chain KUBE-POD-FW-5T2XEBWQLQB3XRVX */
    0     0 KUBE-POD-FW-5T2XEBWQLQB3XRVX  all      *      *       fd10::11             ::/0                 /* rule to jump traffic from POD name:svclb-traefik-cad28e80-hvj5l namespace: kube-system to chain KUBE-POD-FW-5T2XEBWQLQB3XRVX */
   12  1440 KUBE-POD-FW-VIXVV344P3O2B3IG  all      *      *       ::/0                 fd10::f              /* rule to jump traffic destined to POD name:test-foo-6d5659b55-hc4h7 namespace: default to chain KUBE-POD-FW-VIXVV344P3O2B3IG */
    0     0 KUBE-POD-FW-VIXVV344P3O2B3IG  all      *      *       fd10::f              ::/0                 /* rule to jump traffic from POD name:test-foo-6d5659b55-hc4h7 namespace: default to chain KUBE-POD-FW-VIXVV344P3O2B3IG */
    0     0 KUBE-POD-FW-DSQ64OVDLSU6GPYJ  all      *      *       ::/0                 fd10::12             /* rule to jump traffic destined to POD name:test-bar-8f8966964-wxj2h namespace: default to chain KUBE-POD-FW-DSQ64OVDLSU6GPYJ */
    0     0 KUBE-POD-FW-DSQ64OVDLSU6GPYJ  all      *      *       fd10::12             ::/0                 /* rule to jump traffic from POD name:test-bar-8f8966964-wxj2h namespace: default to chain KUBE-POD-FW-DSQ64OVDLSU6GPYJ */
    1    72 KUBE-POD-FW-CNNQJDECG6EJFDSV  all      *      *       ::/0                 fd10::4              /* rule to jump traffic destined to POD name:coredns-6799fbcd5-9vvhl namespace: kube-system to chain KUBE-POD-FW-CNNQJDECG6EJFDSV */
    0     0 KUBE-POD-FW-CNNQJDECG6EJFDSV  all      *      *       fd10::4              ::/0                 /* rule to jump traffic from POD name:coredns-6799fbcd5-9vvhl namespace: kube-system to chain KUBE-POD-FW-CNNQJDECG6EJFDSV */
    4   488 KUBE-POD-FW-WO7BMDFUD4AALJ3W  all      *      *       ::/0                 fd10::13             /* rule to jump traffic destined to POD name:test-bar-8f8966964-s75l7 namespace: default to chain KUBE-POD-FW-WO7BMDFUD4AALJ3W */
    0     0 KUBE-POD-FW-WO7BMDFUD4AALJ3W  all      *      *       fd10::13             ::/0                 /* rule to jump traffic from POD name:test-bar-8f8966964-s75l7 namespace: default to chain KUBE-POD-FW-WO7BMDFUD4AALJ3W */
    0     0 KUBE-POD-FW-5KML5L6E6NCC2XQJ  all      *      *       ::/0                 fd10::a              /* rule to jump traffic destined to POD name:metrics-server-67c658944b-b2sf7 namespace: kube-system to chain KUBE-POD-FW-5KML5L6E6NCC2XQJ */
    0     0 KUBE-POD-FW-5KML5L6E6NCC2XQJ  all      *      *       fd10::a              ::/0                 /* rule to jump traffic from POD name:metrics-server-67c658944b-b2sf7 namespace: kube-system to chain KUBE-POD-FW-5KML5L6E6NCC2XQJ */
    4   488 KUBE-POD-FW-ARPN2DKFOSGSIOQI  all      *      *       ::/0                 fd10::14             /* rule to jump traffic destined to POD name:test-bar-8f8966964-rxpwl namespace: default to chain KUBE-POD-FW-ARPN2DKFOSGSIOQI */
    0     0 KUBE-POD-FW-ARPN2DKFOSGSIOQI  all      *      *       fd10::14             ::/0                 /* rule to jump traffic from POD name:test-bar-8f8966964-rxpwl namespace: default to chain KUBE-POD-FW-ARPN2DKFOSGSIOQI */

Chain KUBE-SERVICES (2 references)
 pkts bytes target     prot opt in     out     source               destination

UFW is not enabled.

brandond · 2024-03-28T19:06:44Z

brandond
Mar 28, 2024
Collaborator

@manuelbuil do you have any thoughts on this?

5 replies

manuelbuil Apr 1, 2024
Collaborator

@rbrtbnfgl was poking at kube-router and ipv6 a few releases ago, maybe what the user describes rings a bell?

rbrtbnfgl Apr 1, 2024
Collaborator

Before the IPv6 traffic drop policy wasn't working because the ipset was wrong, now it's working as expected. The default IPv6 accepted traffic should be fixed. If the netpol aren't used it's probably better to disable it when using IPv6 for now or add the netpol to accept that traffic.

brandond Apr 1, 2024
Collaborator

OK so just to confirm:

IPv6 traffic was previously being allowed due to a bug in kube-router's ipset generation.
IPv6 traffic is now properly blocked if not allowed by network policy rules.
Users will likely need to update their rules to make sure everything needed is allowed.

rbrtbnfgl Apr 1, 2024
Collaborator

Yes. I have to check which type of traffic should be allowed by default and fix kube-router rules.

ghost Apr 2, 2024

A good point of reference would be UFW and RFC4890 A.6:

iptables -nvL ufw-before-input

Chain ufw-before-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         
14063   13M ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
 7374 1237K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    2  1102 ufw-logging-deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
    2  1102 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 3
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 11
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 12
   11   352 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:67 dpt:68
  125  6256 ufw-not-local  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            224.0.0.251          udp dpt:5353
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            239.255.255.250      udp dpt:1900
  125  6256 ufw-user-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0

ip6tables -nvL ufw6-before-input

Chain ufw6-before-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all      lo     *       ::/0                 ::/0                
    0     0 DROP       all      *      *       ::/0                 ::/0                 rt type:0
   13 10682 ACCEPT     all      *      *       ::/0                 ::/0                 ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 129
    0     0 ufw6-logging-deny  all      *      *       ::/0                 ::/0                 ctstate INVALID
    0     0 DROP       all      *      *       ::/0                 ::/0                 ctstate INVALID
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 1
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 2
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 3
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 4
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 128
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 133 HL match HL == 255
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 134 HL match HL == 255
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 135 HL match HL == 255
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 136 HL match HL == 255
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 141 HL match HL == 255
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 142 HL match HL == 255
    0     0 ACCEPT     icmpv6    *      *       fe80::/10            ::/0                 ipv6-icmptype 130
    0     0 ACCEPT     icmpv6    *      *       fe80::/10            ::/0                 ipv6-icmptype 131
    0     0 ACCEPT     icmpv6    *      *       fe80::/10            ::/0                 ipv6-icmptype 132
    0     0 ACCEPT     icmpv6    *      *       fe80::/10            ::/0                 ipv6-icmptype 143
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 148 HL match HL == 255
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 149 HL match HL == 255
    0     0 ACCEPT     icmpv6    *      *       fe80::/10            ::/0                 ipv6-icmptype 151 HL match HL == 1
    0     0 ACCEPT     icmpv6    *      *       fe80::/10            ::/0                 ipv6-icmptype 152 HL match HL == 1
    0     0 ACCEPT     icmpv6    *      *       fe80::/10            ::/0                 ipv6-icmptype 153 HL match HL == 1
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 144
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 145
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 146
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 147
    0     0 ACCEPT     udp      *      *       fe80::/10            fe80::/10            udp spt:547 dpt:546
    0     0 ACCEPT     udp      *      *       ::/0                 ff02::fb             udp dpt:5353
    0     0 ACCEPT     udp      *      *       ::/0                 ff02::f              udp dpt:1900
    1    64 ufw6-user-input  all      *      *       ::/0                 ::/0

The rules that enable NDP are:

    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 135 HL match HL == 255
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 136 HL match HL == 255

rbrtbnfgl · 2024-04-09T11:04:47Z

rbrtbnfgl
Apr 9, 2024
Collaborator

I investigated a bit on this. This is clearly related to the fix for the IPset rule on IPv6. This is specific to Flannel that differently from the other CNIs creates an L2 network between the pods and to manages the L2 communications IPv6 protocol uses multicast IP packets differently from IPv4. So the possible solutions could be:

Add by default acceptance for the IPv6 multicast packets (but if for some reasons a user would like to block this type of traffic it couldn't)
Document that when a IPv6 network policy is defined the user should be aware that the multicast traffic that manages the L2 communication should be allowed.

5 replies

brandond Apr 9, 2024
Collaborator

I would vote for 1; I don't think we should make people include the flannel-specific stuff in all their network policies. If its broken without it, we should do it ourselves.

manuelbuil Apr 10, 2024
Collaborator

Agree, I vote for 1 + documentation about this

brandond Apr 10, 2024
Collaborator

Why not just automatically generate the appropriate iptables rules? If I was an admin and had to manually allow this traffic in each and every one of my policies on an ipv6 cluster I'd consider this basically unusable.

rbrtbnfgl Apr 10, 2024
Collaborator

I did a PR on our kube-router fork k3s-io/kube-router#85

Answer selected

ghost Apr 13, 2024

Thank you so much!

boryashkin · 2024-05-11T17:49:48Z

boryashkin
May 11, 2024

For those who use firewalld:
https://docs.oracle.com/en/operating-systems/olcne/1.1/start/ports.html

On the Kubernetes worker nodes run:
$ sudo firewall-cmd --zone=trusted --add-interface=cni0 --permanent

0 replies

ICMPv6 Neighbour Solicitation packets dropped preventing IPv6 from working #9807

Replies: 7 comments · 14 replies

brandond Mar 27, 2024 Collaborator

brandond Mar 28, 2024 Collaborator

brandond Mar 28, 2024 Collaborator

manuelbuil Apr 1, 2024 Collaborator

rbrtbnfgl Apr 1, 2024 Collaborator

brandond Apr 1, 2024 Collaborator

rbrtbnfgl Apr 1, 2024 Collaborator

rbrtbnfgl Apr 9, 2024 Collaborator

brandond Apr 9, 2024 Collaborator

manuelbuil Apr 10, 2024 Collaborator

brandond Apr 10, 2024 Collaborator

rbrtbnfgl Apr 10, 2024 Collaborator

Replies: 7 comments 14 replies

brandond
Mar 27, 2024
Collaborator

brandond Mar 28, 2024
Collaborator

brandond
Mar 28, 2024
Collaborator

manuelbuil Apr 1, 2024
Collaborator

rbrtbnfgl Apr 1, 2024
Collaborator

brandond Apr 1, 2024
Collaborator

rbrtbnfgl Apr 1, 2024
Collaborator

rbrtbnfgl
Apr 9, 2024
Collaborator

brandond Apr 9, 2024
Collaborator

manuelbuil Apr 10, 2024
Collaborator

brandond Apr 10, 2024
Collaborator

rbrtbnfgl Apr 10, 2024
Collaborator