Calico CNI networking and mangle rules on the host

I am running Calico networking on the AWS EKS k8s cluster.

When I add a mangle flag on the EKS node:
iptables -t mangle -A OUTPUT -p tcp --dport 80 -s 0.0.0.0/0 -j DSCP --set-dscp 0x30

I don’t see the POD running on that cluster being able to honor the rule. What can be done so that Calico doesn’t interfere with the DSCP bit as set above?

I’m not sure, having never tried this exact thing before. Possible options:

Controls whether Felix hooks the kernel’s top-level iptables chains by inserting a rule at the top of the chain or by appending a rule at the bottom. Insert is the safe default since it prevents Calico’s rules from being bypassed. If you switch to Append mode, be sure that the other rules in the chains signal acceptance by falling through to the Calico rules, otherwise the Calico policy will be bypassed.

I am worried however that you’re talking about adding that option on the Node, and expecting it to apply to Pod traffic. Wouldn’t that apply to ALL traffic, whether pod or not, going to tcp port 80?
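To see whether an appended mangle rule even gets a chance to run before Calico's own chain, the following added check (not from this thread or from the Calico project) parses `iptables -t mangle -S <chain>` output and reports whether the DSCP rule sits before or after the first `-j cali-*` jump. The sample chain listing is constructed; the chain names and the presence of a Calico jump in the mangle OUTPUT chain are assumptions, and `check_chain` is the hypothetical wrapper you would run on a real node.

```shell
#!/bin/sh
# Added example: report where a DSCP mangle rule sits relative to
# Calico's jump into its cali-* chain for a given iptables chain listing.
# Prints "before", "after" or "missing".
dscp_position() {
    rules="$1"
    # Line number of the first jump into a Calico chain (empty if none).
    calico_line=$(printf '%s\n' "$rules" | grep -n -- '-j cali-' | head -n1 | cut -d: -f1)
    # Line number of the first DSCP target (empty if none).
    dscp_line=$(printf '%s\n' "$rules" | grep -n -- '-j DSCP' | head -n1 | cut -d: -f1)
    if [ -z "$dscp_line" ]; then
        echo missing
    elif [ -z "$calico_line" ] || [ "$dscp_line" -lt "$calico_line" ]; then
        echo before
    else
        echo after
    fi
}

# Constructed sample (not captured from a real node): what the mangle OUTPUT
# chain could look like after the rule from the question was appended with -A
# on a node where Felix inserted its jump at the top of the chain (Insert mode).
SAMPLE_OUTPUT='-P OUTPUT ACCEPT
-A OUTPUT -m comment --comment "cali:constructed" -j cali-OUTPUT
-A OUTPUT -p tcp -m tcp --dport 80 -j DSCP --set-dscp 0x30'

# Hypothetical wrapper for a live node: dumps the chain and classifies it.
check_chain() {
    chain="$1"
    rules=$(iptables -t mangle -S "$chain" 2>/dev/null) || return 1
    echo "$chain: DSCP rule is $(dscp_position "$rules") Calico's jump"
}
```

Run `check_chain OUTPUT` and `check_chain POSTROUTING` on the node as root; "after" means the DSCP rule is only reached if Calico's chain falls through rather than accepting the packet.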

Currently Calico does not support DSCP tagging of pod traffic. You may be interested in https://www.ru.nl/publish/pages/769526/guy_versteeg.pdf which concluded that DSCP tagging has no effect in a cloud-native environment today.
