From ba3fc6507217a7878628d4fbf6354127d44cd924 Mon Sep 17 00:00:00 2001
From: Mike Danese
Date: Thu, 15 Apr 2021 16:22:28 -0700
Subject: [PATCH] add a warning about the filter table
---
 cluster/gce/gci/configure-helper.sh | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/cluster/gce/gci/configure-helper.sh b/cluster/gce/gci/configure-helper.sh
index bffb491b418..36b57cd71ee 100644
--- a/cluster/gce/gci/configure-helper.sh
+++ b/cluster/gce/gci/configure-helper.sh
@@ -123,6 +123,9 @@ function gce-metadata-fw-helper {
 iptables -w ${command} OUTPUT -p tcp --dport 80 -d ${METADATA_SERVER_IP} -m owner ${invert:-} --uid-owner=${METADATA_SERVER_ALLOWED_UID_RANGE:-0-2999} -j ${action}
 }
+# WARNING: DO NOT USE THE FILTER TABLE! Some implementations of network policy
+# think they own it and will stomp all over your changes. At this time, the
+# mangle table is less contentious so use that if possible.
 function config-ip-firewall {
 echo "Configuring IP firewall rules"