Comment 0 for bug 1932292

Bartosz Woronicz (mastier1) wrote :

Let's put, for instance, a keystone service in lxd on a vm with K8s master installed

and there k8s installs a firewall

the packets go the whole way from one lxd on the first machine to another lxd, but on the way back from the 2nd vm they splash on the vm firewall installed by k8s
all baremetal, vm and container share the same network 10.198.0.0/16

here's the exact travel of icmp packets (or any other packets)

lxd1 -> vm1 -> baremetal1 -> network layer2 -> baremetal2 -> vm2 -> lxd2 (echo request reached dst)
then travel back:
lxd2 -> vm2 ---!!!---> baremetal1

no communication, the packets hit the following rule:

Chain KUBE-FORWARD (1 references)
 pkts bytes target prot opt in out source destination
 1353 84652 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
    0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 /* kubernetes forwarding rules */ mark match 0x4000/0x4000
  248 43868 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 /* kubernetes forwarding conntrack pod source rule */ ctstate RELATED,ESTABLISHED
    0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 /* kubernetes forwarding conntrack pod destination rule */ ctstate RELATED,ESTABLISHED

ubuntu@k8smaster-1:~$ sudo iptables -D KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP

root@juju-587661-1-lxd-0:~# ping 10.198.0.249
PING 10.198.0.249 (10.198.0.249) 56(84) bytes of data.
64 bytes from 10.198.0.249: icmp_seq=1 ttl=64 time=0.720 ms
64 bytes from 10.198.0.249: icmp_seq=2 ttl=64 time=0.511 ms
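The drop above is the classic asymmetric-routing failure: the VM running the k8s firewall forwards the echo reply but never saw the echo request, so its conntrack cannot match the reply to any connection and classifies it INVALID, and the first rule of KUBE-FORWARD drops it. The following toy model is an added illustration and is not code from the bug report, from Kubernetes or from LXD; it models conntrack's ICMP state logic and the KUBE-FORWARD chain exactly as listed in the comment, and runs the same reply through a symmetric path, the asymmetric path from the bug, and the chain after the `iptables -D` in the comment. All addresses except 10.198.0.249 are constructed, and `Conntrack`, `kube_forward` and `trace` are names chosen here, not kernel or kube-proxy APIs.

```python
"""Toy model of conntrack ICMP state tracking plus the KUBE-FORWARD chain
from the bug comment.  Added illustration only: not code from the bug
report, from Kubernetes or from LXD.  Addresses other than 10.198.0.249
are constructed."""
from dataclasses import dataclass, field

ECHO_REQUEST = 8   # ICMP type values
ECHO_REPLY = 0


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    icmp_type: int
    icmp_id: int   # ICMP echo identifier, part of the conntrack tuple
    mark: int = 0  # fwmark; kube-proxy sets 0x4000 on traffic it masquerades


@dataclass
class Conntrack:
    """One host's connection tracking table, keyed on the original-direction
    tuple and remembering whether a reply has been seen."""
    entries: dict = field(default_factory=dict)

    def ctstate(self, pkt: Packet) -> str:
        if pkt.icmp_type == ECHO_REQUEST:
            key = (pkt.src, pkt.dst, pkt.icmp_id)
            seen_reply = self.entries.setdefault(key, False)
            # Original-direction packets stay NEW until a reply is tracked.
            return "ESTABLISHED" if seen_reply else "NEW"
        if pkt.icmp_type == ECHO_REPLY:
            key = (pkt.dst, pkt.src, pkt.icmp_id)
            if key not in self.entries:
                # A reply cannot open a connection, so it belongs to nothing
                # this host knows about: conntrack calls that INVALID.
                return "INVALID"
            self.entries[key] = True
            return "ESTABLISHED"
        return "INVALID"


# KUBE-FORWARD as shown in the comment: (verdict, match predicate), in order.
KUBE_FORWARD = [
    ("DROP", lambda st, pkt: st == "INVALID"),
    ("ACCEPT", lambda st, pkt: bool(pkt.mark & 0x4000)),
    ("ACCEPT", lambda st, pkt: st in ("RELATED", "ESTABLISHED")),
]
# The chain after `iptables -D KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP`.
KUBE_FORWARD_NO_INVALID_DROP = KUBE_FORWARD[1:]


def kube_forward(state: str, pkt: Packet, chain=KUBE_FORWARD) -> str:
    """First matching rule wins; no match returns to the calling chain."""
    for verdict, match in chain:
        if match(state, pkt):
            return verdict
    return "RETURN"


def trace(symmetric: bool, chain=KUBE_FORWARD):
    """Run one echo request/reply pair through the network.  The firewall
    host always forwards the reply; with symmetric=False the request took
    another path (the bug's asymmetric route), so its conntrack never saw it."""
    firewall_host = Conntrack()
    other_host = Conntrack()
    request = Packet("10.198.0.10", "10.198.0.249", ECHO_REQUEST, icmp_id=1)
    reply = Packet("10.198.0.249", "10.198.0.10", ECHO_REPLY, icmp_id=1)
    request_path = firewall_host if symmetric else other_host
    request_path.ctstate(request)
    state = firewall_host.ctstate(reply)
    return state, kube_forward(state, reply, chain)


if __name__ == "__main__":
    print("symmetric path:        ", trace(True))
    print("asymmetric path:       ", trace(False))
    print("asymmetric, rule gone: ", trace(False, KUBE_FORWARD_NO_INVALID_DROP))
```

Deleting the INVALID rule, as the comment does, makes the reply fall through the chain, but it also removes the check against stray and out-of-state packets for every pod on that node; the condition the model exposes is that the return path crosses a host whose conntrack never tracked the request, so keeping both directions on the same path is what actually removes the INVALID classification. Note the caveat for TCP: with the default `nf_conntrack_tcp_loose=1` a mid-stream ACK can create a new entry, so TCP flows may survive an asymmetric path that ICMP echo replies never do.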