nft table is not removed from the gateway #3142

@riccardotornesello

Description

Is there an existing issue for this?

  • I have searched the existing issues

Version

v1.0.1

What happened?

Using liqo, I noticed that when FirewallConfigurations are deleted from the gateway, the associated nft tables are not removed.

By experimenting and checking the code, I noticed that the behavior is different between FirewallConfigurations applied on the gateway and those applied on the fabric, as those inserted on the fabric are deleted without any problems.

The difference in the code is in the initialization of the FirewallConfiguration reconciler, which can be created with NewFirewallConfigurationReconcilerWithFinalizer or with NewFirewallConfigurationReconcilerWithoutFinalizer.
On the gateway controller, it is created without a finalizer, so when the resource is removed, the code to remove the table is not executed.

Is this behavior intentional or is it a bug? Only the gateway does not use the finalizer for this type of resource.

UPDATE
I would like to add a possible unpredictable behavior due to this configuration: the gateway is generated with a deployment, so if the pod were to be deleted for some reason, it would be recreated from scratch. This means that only the nft rules derived from the FirewallConfigurations present at that moment would be added, which are different from those present in the old pod that still had remnants of deleted FirewallConfigurations.

How can we reproduce the issue?

  1. Create two k3d clusters
  2. Install liqo on both clusters with the command liqoctl install k3s --cluster-id $cluster_name --pod-cidr 10.200.0.0/16 --service-cidr 10.201.0.0/16 --api-server-url https://$api_server_address:6443
  3. Peer the clusters with the command liqoctl peer --kubeconfig $kubeconfig --remote-kubeconfig $remote_kubeconfig --gw-server-service-type LoadBalancer
  4. Create any firewallconfiguration with firewall-category: gateway and (optionally) firewall-subcategory: fabric (example code below) with the command kubectl apply -f example.yaml
  5. Check the nftables ruleset in the gateway with kubectl -n liqo-tenant-<...> exec --tty --stdin gw-<...> -- nft list ruleset and note that the table is set
  6. Delete the firewallconfiguration with kubectl delete -f example.yaml
  7. Check again the nft ruleset in the gateway and note that the table is still there

table ip test-table {
        chain test-chain {
                type filter hook forward priority filter; policy accept;
        }
}

Example resource:

apiVersion: networking.liqo.io/v1beta1
kind: FirewallConfiguration
metadata:
  labels:
    liqo.io/managed: "true"
    networking.liqo.io/firewall-category: gateway
    networking.liqo.io/firewall-subcategory: fabric
  name: test
  namespace: liqo
spec:
  table:
    family: IPV4
    name: test-table
    chains:
    - hook: forward
      name: test-chain
      policy: accept
      priority: 0
      type: filter

Provider or distribution

k3d

CNI version

flannel

Kernel Version

No response

Kubernetes Version

1.30

Code of Conduct

  • I agree to follow this project's Code of Conduct
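The mechanism behind the report, as an added illustration that is not liqo code and uses no Kubernetes libraries: a small model of the API server's deletion flow and a one-pass reconciler, where the finalizer name and the resource/table shapes are assumptions. Without a finalizer the object is already gone when the reconciler runs, so the table name cannot be recovered and the cleanup path never executes.

```go
package main

// Constructed model of the finalizer mechanics the issue describes; not liqo
// code. The finalizer name below is assumed, not liqo's.
const nftFinalizer = "example.io/nft-table"
type FirewallConfiguration struct {
	Table      string
	Finalizers []string
	Deleting   bool // stands in for metadata.deletionTimestamp being set
}

// apiServer mimics the deletion flow: an object with no finalizers vanishes at
// once; one with finalizers is only marked Deleting and stays readable.
type apiServer map[string]*FirewallConfiguration

func (a apiServer) delete(name string) {
	if obj, ok := a[name]; ok && len(obj.Finalizers) > 0 {
		obj.Deleting = true
		return
	}
	delete(a, name)
}

// reconcile is one reconciler pass; rules stands for the gateway's nft tables.
// withFinalizer mirrors NewFirewallConfigurationReconcilerWith/WithoutFinalizer.
func reconcile(api apiServer, rules map[string]bool, name string, withFinalizer bool) {
	obj, ok := api[name]
	if !ok {
		return // object already gone: nothing tells us which table to drop
	}
	if obj.Deleting {
		delete(rules, obj.Table) // cleanup only ever runs on this path
		obj.Finalizers = nil     // apiserver completes deletion once cleared
		delete(api, name)
		return
	}
	if withFinalizer && len(obj.Finalizers) == 0 {
		obj.Finalizers = append(obj.Finalizers, nftFinalizer)
	}
	rules[obj.Table] = true // ensure the table exists
}

// tableLeftAfterDelete runs create, reconcile, delete, reconcile and reports
// whether "test-table" survives, as in steps 5 to 7 of the issue.
func tableLeftAfterDelete(withFinalizer bool) bool {
	api := apiServer{"test": {Table: "test-table"}}
	rules := map[string]bool{}
	reconcile(api, rules, "test", withFinalizer)
	api.delete("test")
	reconcile(api, rules, "test", withFinalizer)
	return rules["test-table"]
}
```

tableLeftAfterDelete(false) reports the table left behind, tableLeftAfterDelete(true) reports it removed; the fix on the gateway side is the same as what the fabric already does, registering the reconciler with the finalizer.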

Metadata

Assignees

No one assigned

Labels

bug: Report a bug encountered while operating Liqo

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests