add a warning about the filter table

2025-07-31 15:25:57 +00:00 · 2021-04-15 16:22:28 -07:00 · 2021-04-15 16:22:28 -07:00 · ba3fc65072
commit ba3fc65072
parent a55bd63172
1 changed files with 3 additions and 0 deletions
--- a/cluster/gce/gci/configure-helper.sh
+++ b/cluster/gce/gci/configure-helper.sh
@ -123,6 +123,9 @@ function gce-metadata-fw-helper {
  iptables -w ${command} OUTPUT -p tcp --dport 80 -d ${METADATA_SERVER_IP} -m owner ${invert:-} --uid-owner=${METADATA_SERVER_ALLOWED_UID_RANGE:-0-2999} -j ${action}
 }

+# WARNING: DO NOT USE THE FILTER TABLE! Some implementations of network policy
+# think they own it and will stomp all over your changes. At this time, the
+# mangle table is less contentious so use that if possible.
 function config-ip-firewall {
  echo "Configuring IP firewall rules"