Search results for "conntrack"

North-South Load Balancing of Kubernetes Services with eBPF/XDP
  Excerpt:
  -A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
  -A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" … -m comment --comment "kubernetes forwarding conntrack pod source rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  -A KUBE-FORWARD -d 10.217.0.0/16 -m comment --comment "kubernetes forwarding conntrack pod destination rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  -A KUBE-SERVICES -d 10.99.38.155/32 -p tcp -m comment --comment "default/nginx-59: has no endpoints" -m tcp --dport 80 -j REJECT --reject-with …
  0 points | 11 pages | 444.46 KB | 1 year ago

Cilium v1.5 Documentation
  Excerpt:
  … mark --mark KUBE-MARK-MASQ -j ACCEPT
  -s 10.233.64.0/18 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  -d 10.233.64.0/18 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  KUBE-SERVICES ! -s …
  … synchronization kicked in or until pods were restarted. Upgrading from >=1.4.0 to 1.5.y: In v1.4, the TCP conntrack table size ct-global-max-entries-tcp ConfigMap parameter was ineffective due to a bug and thus … table utilization below 25%. If needed, the interval can be set to a static interval with the option --conntrack-gc-interval. If connectivity fails and cilium monitor --type drop shows xx drop (CT: Map insertion …
  0 points | 740 pages | 12.52 MB | 1 year ago

Cilium v1.6 Documentation
  Excerpt:
  … mark --mark KUBE-MARK-MASQ -j ACCEPT
  -s 10.233.64.0/18 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  -d 10.233.64.0/18 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  KUBE-SERVICES ! -s …
  … policy_l7_total instead. 1.5 Upgrade Notes. Upgrading from >=1.4.0 to 1.5.y: 1. In v1.4, the TCP conntrack table size ct-global-max-entries-tcp ConfigMap parameter was ineffective due to a bug and thus … utilization below 25%. If needed, the interval can be set to a static interval with the option --conntrack-gc-interval. If connectivity fails and cilium monitor --type drop shows xx drop (CT: Map insertion …
  0 points | 734 pages | 11.45 MB | 1 year ago

Cilium v1.10 Documentation
  Excerpt:
  … mark --mark KUBE-MARK-MASQ -j ACCEPT
  -s 10.233.64.0/18 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  -d 10.233.64.0/18 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  KUBE-SERVICES ! -s …
  … cilium_policy_import_errors_total instead. cilium_datapath_errors_total is removed. Please use cilium_datapath_conntrack_dump_resets_total instead. Label mapName in cilium_bpf_map_ops_total is removed. Please use label … label subnet_id and availability_zone instead. New Metrics: cilium_datapath_conntrack_dump_resets_total, number of conntrack dump resets. Happens when a BPF entry gets removed while dumping the map is in …
  0 points | 1307 pages | 19.26 MB | 1 year ago

Cilium v1.7 Documentation
  Excerpt:
  … mark --mark KUBE-MARK-MASQ -j ACCEPT
  -s 10.233.64.0/18 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  -d 10.233.64.0/18 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  KUBE-SERVICES ! -s …
  … policy_l7_total instead. 1.5 Upgrade Notes. Upgrading from >=1.4.0 to 1.5.y: 1. In v1.4, the TCP conntrack table size ct-global-max-entries-tcp ConfigMap parameter was ineffective due to a bug and thus … utilization below 25%. If needed, the interval can be set to a static interval with the option --conntrack-gc-interval. If connectivity fails and cilium monitor --type drop shows xx drop (CT: Map insertion …
  0 points | 885 pages | 12.41 MB | 1 year ago

Cilium v1.8 Documentation
  Excerpt:
  … mark --mark KUBE-MARK-MASQ -j ACCEPT
  -s 10.233.64.0/18 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  -d 10.233.64.0/18 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  KUBE-SERVICES ! -s …
  … required, the following command can be used to check the currently configured maximum number of TCP conntrack entries: sudo grep -R CT_MAP_SIZE_TCP /var/run/cilium/state/templates/ If the maximum number is …
  0 points | 1124 pages | 21.33 MB | 1 year ago

Cilium v1.9 Documentation
  Excerpt:
  … mark --mark KUBE-MARK-MASQ -j ACCEPT
  -s 10.233.64.0/18 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  -d 10.233.64.0/18 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  KUBE-SERVICES ! -s …
  … required, the following command can be used to check the currently configured maximum number of TCP conntrack entries: sudo grep -R CT_MAP_SIZE_TCP /var/run/cilium/state/templates/ If the maximum number is … table size parameter bpf-nat-global-max in the daemon is derived from the default value of the conntrack table size parameter bpf-ct-global-tcp-max. Since the latter was changed (see above), the default …
  0 points | 1263 pages | 18.62 MB | 1 year ago

Cilium v1.11 Documentation
  Excerpt:
  … mark --mark KUBE-MARK-MASQ -j ACCEPT
  -s 10.233.64.0/18 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  -d 10.233.64.0/18 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  KUBE-SERVICES ! -s …
  … (metrics table: Name, Labels, Description)
  datapath_conntrack_dump_resets_total (labels: area, name, family): Number of conntrack dump resets. Happens when a BPF entry gets removed while dumping the map is in progress.
  datapath_conntrack_gc_runs_total (labels: status): Number of times that the conntrack garbage collector process was run.
  datapath_conntrack_gc_key_fallbacks_total: … The number of alive and deleted conntrack entries at the end of a garbage collector …
  0 points | 1373 pages | 19.37 MB | 1 year ago

Steering connections to sockets with BPF socket lookup hook
  Excerpt:
  … ports 7, 77, 777 are closed … check VM IP … What is socket lookup? (diagram labels: raw PREROUTING, filter INPUT, conntrack, routing decision, mangle PREROUTING, nat PREROUTING, socket lookup, socket receive buffer, Application)
  0 points | 23 pages | 441.22 KB | 1 year ago

Moxa Industrial Linux 3.0 (Debian 11) Manual for Arm-based Computers Version 1.0, January 2023
  Excerpt:
  … allowed ports and icmp (ping): chain input { …… } Allow related and established traffic by using conntrack: ct state invalid drop; ct state established,related accept. Drop all forward traffic: chain forward …
  0 points | 111 pages | 2.94 MB | 1 year ago
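The excerpts above share one practical question: does a conntrack-aware ruleset drop INVALID state before anything accepts traffic, and which services are being rejected for lack of endpoints? The following audit script is an added example, not code from any of the listed documents or projects. It parses iptables-save style rule lines (a constructed sample modelled on the KUBE-FORWARD and KUBE-SERVICES excerpt in the first result; the full `--reject-with` argument and the second, deliberately mis-ordered sample are assumptions) and reports an ACCEPT that precedes the INVALID drop in a chain, plus every "has no endpoints" REJECT rule. Negated matches (`! -s`) are recorded but not otherwise interpreted.

```python
"""Audit a kube-proxy style iptables ruleset for conntrack hygiene.

Added example; not taken from the documents above. Sample rules are
constructed from the KUBE-FORWARD excerpt and extended with one
hypothetical mis-ordered chain to exercise the check.
"""
import shlex
from dataclasses import dataclass

# Constructed sample in iptables-save format (filter table, abbreviated).
SAMPLE_RULES = """\
*filter
:KUBE-FORWARD - [0:0]
:KUBE-SERVICES - [0:0]
-A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
-A KUBE-FORWARD -s 10.217.0.0/16 -m comment --comment "kubernetes forwarding conntrack pod source rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A KUBE-FORWARD -d 10.217.0.0/16 -m comment --comment "kubernetes forwarding conntrack pod destination rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A KUBE-SERVICES -d 10.99.38.155/32 -p tcp -m comment --comment "default/nginx-59: has no endpoints" -m tcp --dport 80 -j REJECT --reject-with icmp-port-unreachable
COMMIT
"""

# Hypothetical bad ordering: a state-less ACCEPT sits before the INVALID drop,
# so INVALID packets are forwarded before conntrack gets a chance to reject them.
BAD_RULES = """\
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -j ACCEPT
-A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
"""


@dataclass
class Rule:
    chain: str
    target: str = ""
    ctstates: frozenset = frozenset()
    comment: str = ""
    src: str = ""
    dst: str = ""
    proto: str = ""
    dport: str = ""


def parse_rules(text):
    """Parse '-A CHAIN ...' lines; other iptables-save lines are ignored."""
    rules = []
    for line in text.splitlines():
        if not line.startswith("-A "):
            continue
        tok = shlex.split(line)          # honours the quoted --comment value
        rule = Rule(chain=tok[1])
        negate = False
        i = 2
        while i < len(tok):
            t = tok[i]
            nxt = tok[i + 1] if i + 1 < len(tok) else ""
            if t == "!":                 # negation applies to the next match
                negate = True
                i += 1
                continue
            if t == "-j":
                rule.target = nxt
            elif t == "--ctstate":
                rule.ctstates = frozenset(nxt.split(","))
            elif t == "--comment":
                rule.comment = nxt
            elif t == "-s":
                rule.src = ("!" if negate else "") + nxt
            elif t == "-d":
                rule.dst = ("!" if negate else "") + nxt
            elif t == "-p":
                rule.proto = nxt
            elif t == "--dport":
                rule.dport = nxt
            else:                        # -m, --mark, etc.: no value consumed
                i += 1
                continue
            negate = False
            i += 2
        rules.append(rule)
    return rules


def audit_chain(rules, chain):
    """Return findings for one chain; an empty list means the chain is clean."""
    findings = []
    chain_rules = [r for r in rules if r.chain == chain]
    drop_idx = next((i for i, r in enumerate(chain_rules)
                     if r.target == "DROP" and r.ctstates == {"INVALID"}), None)
    if drop_idx is None:
        findings.append(f"{chain}: no '--ctstate INVALID -j DROP' rule")
        drop_idx = len(chain_rules)
    for i, r in enumerate(chain_rules[:drop_idx]):
        if r.target == "ACCEPT" and not r.ctstates:
            findings.append(f"{chain}: state-less ACCEPT at position {i + 1} "
                            f"precedes INVALID drop ({r.comment or 'no comment'})")
    return findings


def services_without_endpoints(rules):
    """List (service, dst, proto, dport) for kube-proxy's 'has no endpoints' REJECTs."""
    suffix = ": has no endpoints"
    return [(r.comment[:-len(suffix)], r.dst, r.proto, r.dport)
            for r in rules
            if r.chain == "KUBE-SERVICES" and r.target == "REJECT"
            and r.comment.endswith(suffix)]


if __name__ == "__main__":
    good = parse_rules(SAMPLE_RULES)
    print("KUBE-FORWARD findings:", audit_chain(good, "KUBE-FORWARD") or "none")
    print("services without endpoints:", services_without_endpoints(good))
    print("bad sample findings:", audit_chain(parse_rules(BAD_RULES), "KUBE-FORWARD"))
```

Run it against a live node with `sudo iptables-save | python3 audit.py` after swapping `SAMPLE_RULES` for `sys.stdin.read()`; the "has no endpoints" list is the same information kube-proxy encodes in the REJECT rules shown in the first result, surfaced without reading the raw chain.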
40 results in total