= Supporting multi-network policies in IPv6 networks
8
8
9
9
[role="_abstract"]
10
-
The ICMPv6 Neighbor Discovery Protocol (NDP) is a set of messages and processes that enable devices to discover and maintain information about neighboring nodes. NDP plays a crucial role in IPv6 networks, facilitating the interaction between devices on the same link.
10
+
The ICMPv6 Neighbor Discovery Protocol (NDP) is a set of messages and processes that enable devices to discover and maintain information about neighboring nodes. NDP is essential in IPv6 networks, facilitating the interaction between devices on the same link.
11
11
12
-
The Cluster Network Operator (CNO) deploys the iptables implementation of multi-network policy when the `useMultiNetworkPolicy` parameter is set to `true`.
12
+
The Cluster Network Operator (CNO) deploys the `nftables` implementation of multi-network policy when the `useMultiNetworkPolicy` parameter is set to `true`.
13
13
14
-
To support multi-network policies in IPv6 networks the Cluster Network Operator deploys the following set of custom rules in every pod affected by a multi-network policy:
14
+
To support multi-network policies in IPv6 networks, the Cluster Network Operator deploys the following predefined `nftables`rules in every pod affected by a multi-network policy. The CNO automatically creates and manages the following `ConfigMap`. You do not need to create this resource.
`icmpv6-type neighbor-solicitation`:: This rule allows incoming ICMPv6 neighbor solicitation messages, which are part of the neighbor discovery protocol (NDP). These messages help determine the link-layer addresses of neighboring nodes.
37
-
`icmpv6-type neighbor-advertisement`:: This rule allows incoming ICMPv6 neighbor advertisement messages, which are part of NDP and provide information about the link-layer address of the sender.
38
-
`icmpv6-type router-solicitation`:: This rule permits incoming ICMPv6 router solicitation messages. Hosts use these messages to request router configuration information.
39
-
`icmpv6-type router-advertisement`:: This rule allows incoming ICMPv6 router advertisement messages, which give configuration information to hosts.
35
+
`icmpv6type nd-neighbor-solicit`:: This rule allows incoming ICMPv6 neighbor solicitation messages, which are part of the Neighbor Discovery Protocol (NDP). These messages help determine the link-layer addresses of neighboring nodes. In a multi-network setup, this allows other pods or the secondary interface gateway to resolve the pod's MAC address. Without this, the pod becomes 'invisible' to its neighbors on the secondary network.
36
+
`icmpv6type nd-neighbor-advert`:: This rule allows incoming ICMPv6 neighbor advertisement messages, which are part of NDP and provide information about the link-layer address of the sender. This ensures the pod can receive MAC address updates from other nodes.
37
+
`icmpv6type nd-router-advert`:: This rule allows incoming ICMPv6 router advertisement messages, which provide configuration information to hosts. This allows the pod to receive its default gateway and routing prefix dynamically from the network infrastructure.
38
+
`icmpv6type nd-router-solicit`:: This rule allows incoming ICMPv6 router solicitation messages. Hosts use these messages to request router configuration information. This ensures that when a pod's interface comes online, it can immediately request network parameters rather than waiting for the next scheduled broadcast, reducing container startup latency.
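Review bot: the rewritten line 14 has `nftables`rules with no space after the closing backtick, and its two sentences both say "the following" although only the rule list, not the `ConfigMap`, follows in this file; suggest "deploys the following predefined `nftables` rules in every pod affected by a multi-network policy. The CNO creates and manages the `ConfigMap` that holds these rules; you do not need to create it." The four new definition terms also spell the match as `icmpv6type` (one word), whereas the nftables keyword is `icmpv6 type` (two words); spell the terms the way the shipped rules spell them so a reader can find them in the rendered rule set. Finally, the router-advert and router-solicit entries swapped order relative to the removed text; either order works, but it is an unrelated reorder in an otherwise wording-only change.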
networking/multiple_networks/secondary_networks/configuring-multi-network-policy.adoc
Lines changed: 8 additions & 1 deletion
@@ -9,7 +9,7 @@ toc::[]
9
9
[role="_abstract"]
10
10
As an administrator, you can use the `MultiNetworkPolicy` API to create multiple network policies that manage traffic for pods that are attached to secondary networks. For example, you can create policies that allow or deny traffic based on specific ports, IPs and ranges, or labels.
11
11
12
-
Multi-network policies can be used to manage traffic on secondary networks in the cluster. These policies cannot manage the default cluster network or primary network of user-defined networks.
12
+
Multi-network policies can be used to manage traffic on secondary networks in the cluster. These policies cannot manage the default cluster network or primary network of user-defined networks.
13
13
14
14
As a cluster administrator, you can configure a multi-network policy for any of the following network types:
15
15
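Review bot: the removed and added versions of line 12 read identically in this hunk, so the change appears to be trailing whitespace or a line-ending fix; if that is the intent it is harmless noise, but if a wording change was meant, it did not make it into the commit.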
@@ -24,6 +24,13 @@ As a cluster administrator, you can configure a multi-network policy for any of
24
24
Support for configuring multi-network policies for SR-IOV secondary networks is only supported with kernel network interface controllers (NICs). SR-IOV is not supported for Data Plane Development Kit (DPDK) applications.
25
25
====
26
26
27
+
[IMPORTANT]
28
+
====
29
+
In {product-title} 4.22 and later, the multi-network policy backend uses `nftables`.
30
+
The `iptables` backend has been removed and there is no option to revert to it.
31
+
The `MultiNetworkPolicy` API and user-facing configuration are unchanged.
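Review bot: the `[IMPORTANT]` admonition opened with `====` at new line 28 has no closing `====` among the lines shown; the hunk header declares 7 additions but only 5 added lines are visible, so confirm the closing delimiter (and the blank line before the next paragraph) is present, otherwise everything that follows renders inside the admonition. Consider also joining the three one-sentence paragraphs at lines 29 to 31 into a single paragraph, since separate one-line paragraphs inside an admonition render with awkward spacing, e.g. "In {product-title} 4.22 and later, the multi-network policy backend uses `nftables`. The `iptables` backend has been removed and there is no option to revert to it; the `MultiNetworkPolicy` API and user-facing configuration are unchanged."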