
For my Kubernetes nodes, I see the following entry with a star under the interface column. I do not see this mentioned in the "route" command's documentation. The only star mentioned there is for the gateway. This entry has been created by Calico for the gateway on the current VM.

```
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.0 --- 0.0.0.0 --- 255.255.255.0 --- U --- 0 --- 0 --- 0 --- *
```

I have attached the output of route and "ip route" commands.


user6317694
  • Where did all those hyphens come from? What command did you run to generate this output? – Michael Hampton May 23 '19 at 01:25
  • I added the hyphens to the output of "route -n" – user6317694 May 23 '19 at 11:19
  • 2
    That's really confusing. It's best to just paste command output without modification, and [format](/help/formatting) it with the code format button `{}` in the editor. Also, you should run `ip route` instead of the deprecated and sometimes wrong `route`. – Michael Hampton May 23 '19 at 14:36
  • 1
    This is a side effect of `route` output. Some types of routes (`unreachable` in your case) don't require the interface specification. So, the `route` tool uses `*` as a flag for an empty interface attribute. – Anton Danilov May 24 '19 at 13:41
  • Thanks for suggesting the "ip route" command @MichaelHampton. The output of that shows the entry as "blackhole". Further looking at Calico documentation, I see that one purpose of a blackhole route is to prevent DDoS attacks, though more relevant to IPv6. I am still trying to find the exact purpose of that routing rule. – user6317694 May 24 '19 at 13:59
  • I think this is the aggregated static route from the bird (defined as `reject` inside the `protocol static` section). It is required to avoid routing loops. – Anton Danilov May 24 '19 at 14:13
  • From https://github.com/projectcalico/calico/issues/2457#issuecomment-468767265, `It's by design that a blackhole route for the Service CIDR is present. It causes BIRD to export that route to its BGP peers, so that those peers think they can reach the CIDR via this node. For local routing it's not supposed to come into play, because we expect that iptables rules programmed by kube-proxy will DNAT to an actual pod IP.` – user6317694 May 24 '19 at 17:12

1 Answer

An `*` under the interface column in the output of the `route` command denotes a blackhole destination. In this particular case of a route created by Calico, it causes BIRD to export that route to its BGP peers (on other worker VMs), so that those peers think they can reach the CIDR via this node. For local routing it's not supposed to come into play, because we expect that iptables rules programmed by kube-proxy will DNAT to an actual pod IP.

Source : https://github.com/projectcalico/calico/issues/2457#issuecomment-468767265

user6317694
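The `*` in the `route -n` Iface column is simply how that tool renders a route with no output device; `ip route` shows the route type instead. The following is an added example (not from the question, the answer, or Calico's own code) that parses `ip route` text and lists every interface-less route type iproute2 prints as the first word: `blackhole`, `unreachable`, `prohibit` and `throw`, so it is a little broader than the single `blackhole` case in the thread. The sample routing table is constructed; the `10.96.0.0/12` prefix is a placeholder standing in for a cluster's Service CIDR, and the `proto bird` tags are assumed. Such an inventory is worth keeping on a Calico node: a blackhole route silently drops packets, so if the kube-proxy DNAT rules that are supposed to take precedence are missing, this is the route that would eat Service traffic.

```shell
#!/bin/sh
# Added example: list routes that have no output interface, i.e. the ones
# `route -n` shows with `*` under Iface. Reads `ip route` text from stdin.

list_ifaceless_routes() {
    # iproute2 prints the route type as the first word only for routes
    # without a device: blackhole, unreachable, prohibit, throw.
    awk '$1 == "blackhole" || $1 == "unreachable" || $1 == "prohibit" || $1 == "throw" {
            printf "%s %s\n", $1, $2    # type and destination prefix
         }'
}

# Constructed sample of `ip route` output on a Calico-managed node.
# 192.168.0.0/24 is the entry from the question; 10.96.0.0/12 is a
# placeholder Service CIDR; "proto bird" is assumed, not taken from the page.
SAMPLE_IP_ROUTE='default via 10.0.0.1 dev eth0 proto dhcp metric 100
10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.5
blackhole 192.168.0.0/24 proto bird
blackhole 10.96.0.0/12 proto bird
unreachable 10.244.0.0/16 proto bird
192.168.1.0/24 via 10.0.0.6 dev tunl0 proto bird onlink'

# Number of interface-less routes in the sample table.
count_ifaceless_routes() {
    printf '%s\n' "$SAMPLE_IP_ROUTE" | list_ifaceless_routes | wc -l | tr -d ' '
}

# Exit 0 if the given prefix (exact match) is blackholed in the sample table.
# A "blackhole" hit means packets to that prefix are dropped unless an
# earlier hook (here: kube-proxy's DNAT rules) rewrites the destination.
is_blackholed() {
    printf '%s\n' "$SAMPLE_IP_ROUTE" | list_ifaceless_routes |
        awk -v p="$1" '$1 == "blackhole" && $2 == p { found = 1 } END { exit found ? 0 : 1 }'
}

# On a real node replace the sample with: ip route | list_ifaceless_routes
printf '%s\n' "$SAMPLE_IP_ROUTE" | list_ifaceless_routes
```

On a live node, pipe `ip route` (and `ip -6 route`) into `list_ifaceless_routes` instead of the constructed sample; the `unreachable` entry is included because, like `blackhole`, it has no interface and therefore also appears as `*` in `route -n` output, which is the ambiguity the comments above point out.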