Skip to main content
Calico Enterprise 3.19 (latest) documentation

iptables logs

About iptables logs

iptables logs are produced by policy audit mode or by using the Log action in either Network Policy or Global Network Policy. These logs are written to syslog (specifically the /dev/log socket) on the nodes where the events are generated. Collection, rotation and other management of these logs is provided by your syslog agent, for example, journald or rsyslogd.

Policy audit mode

Calico Enterprise adds a Felix option DropActionOverride that configures how the deny action in a Rule is interpreted. It can add logs for denied packets, or even allow the traffic through.

See the Felix configuration reference for information on how to configure this option.

DropActionOverride controls what happens to each packet that is denied by the current Calico Enterprise policy, i.e., by the ordered combination of all the configured policies and profiles that apply to that packet. It may be set to one of the following values:

  • Drop
  • Accept
  • LogAndDrop
  • LogAndAccept

Normally the Drop or LogAndDrop value should be used, as dropping a packet is the obvious implication of that packet being denied. However when experimenting, or debugging a scenario that is not behaving as you expect, the "Accept" and "LogAndAccept" values can be useful: then the packet will be still be allowed through.

When one of the LogAnd* values is set, each denied packet is logged in syslog, with an entry like this:

May 18 18:42:44 ubuntu kernel: [ 1156.246182] calico-drop: IN=tunl0 OUT=cali76be879f658 MAC= SRC=192.168.128.30 DST=192.168.157.26 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=56743 DF PROTO=TCP SPT=56248 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0 MARK=0xa000000

Note that Denied Packet Metrics are independent of the DropActionOverride setting. Specifically, if packets that would normally be denied are being allowed through by a setting of Accept or LogAndAccept, those packets still contribute to the denied packet metrics as normal.

For example, to set a DropActionOverride for myhost to log then drop denied packets:

Edit the FelixConfiguration object for the myhost Node.

kubectl patch felixconfiguration.p node.myhost --type='merge' -p \
'{"spec":{"dropActionOverride":"LogAndDrop"}}'

For a global setting, modify the default FelixConfiguration resource.