Hi Jan,

On Wed, Mar 26, 2025 at 11:21:09PM +0100, Jan Engelhardt wrote:
>
> On Wednesday 2025-03-26 16:56, Phil Sutter wrote:
>
> >The suggested 'flush ruleset' stems from Fedora's nftables.service and
> >is also present in CentOS Stream and RHEL. So anyone running k8s there
> >either doesn't use nftables.service (likely, firewalld is default) or
> >doesn't restart the service. Maybe k8s should "officially" conflict with
> >nftables and iptables services?
>
> It definitely should.
>
> For example, in openSUSE we already added an extra constraint between
> firewalld <-> nftables, so k8s should likely get a similar treatment.
>
> fail2ban is also interesting, but a solved problem
> (equally added ordering constraints to the distro years ago).

I think this still needs one more iteration based on the feedback; Phil
mentioned one issue with flush ruleset that I can remember.

Thanks.