Apply on forwarded traffic
If applyOnForward
is false
, the host endpoint policy applies to traffic to/from
local processes only.
If applyOnForward
is true
, the host endpoint policy also applies to forwarded traffic:
- Traffic that comes in via a host endpoint and is forwarded to a local workload (container/pod/VM).
- Traffic from a local workload that is forwarded out via a host endpoint.
- Traffic that comes in via a host endpoint and is forwarded out via another host endpoint.
By default, applyOnForward
is false
.
Untracked policies and pre-DNAT policies must have applyOnForward
set to true
because they apply to all forwarded traffic.
Forwarded traffic is allowed by default if no policies apply to the endpoint and direction. In
other words, if a host endpoint is configured, but there are no policies with applyOnForward
set to true
that apply to that host endpoint and traffic direction, forwarded traffic is
allowed in that direction. For example if a forwarded flow is incoming via a host endpoint, but there are
no Ingress policies with applyOnForward: true
that apply to that host endpoint, the flow is
allowed. If there are applyOnForward: true
policies that select the host endpoint and direction,
but no rules in the policies allow the traffic, the traffic is denied.
This is different from how Calico treats traffic to or from a local process: if a host endpoint is configured and there are no policies that select the host endpoint in the traffic direction, or no rules that allow the traffic, the traffic is denied.
Traffic that traverses a host endpoint and is forwarded to a workload endpoint must also pass
the applicable workload endpoint policy, if any. That is to say, if an applyOnForward: true
host
endpoint policy allows the traffic, but workload endpoint policy denies it, the packet is still dropped.
Traffic that ingresses one host endpoint, is forwarded, and egresses host endpoint must pass ingress policy on the first host endpoint and egress policy on the second host endpoint.
Calico's handling of host endpoint policy has changed, since before Calico v3.0, in two ways:
- It will not apply at all to forwarded traffic, by default. If you have an existing
policy and you want it to apply to forwarded traffic, you need to add
applyOnForward: true
to the policy. - Even with
applyOnForward: true
, the treatment is not quite the same in Calico v3.0 as in previous releases, because–once a host endpoint is configured– Calico v3.0 allows forwarded traffic through that endpoint by default, whereas previous releases denied forwarded traffic through that endpoint by default. If you want to maintain the default-deny behavior for all host-endpoint forwarded traffic, you can create an empty policy withapplyOnForward
set totrue
that applies to all traffic on all host endpoints.
calicoctl apply -f - <<EOF
- apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
name: empty-default-deny
spec:
types:
- Ingress
- Egress
selector: has(host-endpoint)
applyOnForward: true
EOF
This policy has no order
field specified which causes it to default
to the highest value. Because higher order values have the lowest order of precedence,
Calico will apply this policy after all other policies. Refer to the
policy spec for
more discussion.