I have a network policy
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: default
  namespace: test
spec:
  selector: app == 'nginx'
  ingress:
  - action: Log
    destination: {}
    protocol: TCP
    source: {}
  egress:
  - action: Allow
    destination:
      services:
        name: kube-dns
        namespace: kube-system
  - action: Allow
    destination:
      services:
        name: default-nginx-ingress-controller
        namespace: nginx-ingress
This particular policy is tailored to fail (no ingress allowed, as you might see), and I'm trying to open my application using the Ingress.
I see logs in journalctl:
Mar 27 22:54:35 HOSTNAME kernel: calico-packet: IN=cali2946daffa48 OUT=cali4b2091ec068 MAC=ee:ee:ee:ee:ee:ee:a6:8e:ee:53:38:b7:08:00 SRC=10.254.157.25 DST=10.254.157.20 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=10079 DF PROTO=TCP SPT=35236 DPT=80 WINDOW=32640 RES=0x00 SYN URGP=0
Mar 27 22:54:52 HOSTNAME kernel: calico-packet: IN=cali2946daffa48 OUT=cali4b2091ec068 MAC=ee:ee:ee:ee:ee:ee:a6:8e:ee:53:38:b7:08:00 SRC=10.254.157.25 DST=10.254.157.20 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=10080 DF PROTO=TCP SPT=35236 DPT=80 WINDOW=32640 RES=0x00 SYN URGP=0
And I can see that packets are dropped by iptables due to a policy mismatch, because the counter is increasing:
iptables-save -c | grep DROP
...
[76:4560] -A cali-tw-cali4b2091ec068 -m comment --comment "cali:dmC976zbMPTWTc-S" -m comment --comment "Drop if no policies passed packet" -m mark --mark 0x0/0x20000 -j DROP
...
My main goal here is to somehow identify the traffic that is being dropped by the "Drop if no policies passed packet" rule. Maybe there is something I'm missing in the journalctl calico-packet output that I cannot see; I don't know.
Could anyone point me to some identifier that explicitly denotes that the packets logged in journalctl were dropped?
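As an added example (not part of the question and not Calico's own tooling): a Calico Log action logs the packet and continues to the next rule, so a "calico-packet:" line carries no verdict of its own. What the line does carry is the interface pair, and in Calico's iptables dataplane that pair names the per-workload chains the packet goes through next: cali-fw-<iface> for traffic leaving a workload (IN=cali...) and cali-tw-<iface> for traffic entering one (OUT=cali...), which is exactly the cali-tw-cali4b2091ec068 chain in the iptables output above. The script below parses the logged lines, derives those chain names, and compares the DROP counters of two iptables-save -c snapshots to show which chain dropped the logged packets. The journal lines and the first cali-tw counter line are copied from the question; the cali-fw line, its rule id and the second snapshot are constructed for the example.

```python
import re
from typing import Dict, List, Optional

# Constructed sample input: the two "calico-packet:" kernel log lines quoted in
# the question, exactly as journalctl prints them.
SAMPLE_JOURNAL = """\
Mar 27 22:54:35 HOSTNAME kernel: calico-packet: IN=cali2946daffa48 OUT=cali4b2091ec068 MAC=ee:ee:ee:ee:ee:ee:a6:8e:ee:53:38:b7:08:00 SRC=10.254.157.25 DST=10.254.157.20 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=10079 DF PROTO=TCP SPT=35236 DPT=80 WINDOW=32640 RES=0x00 SYN URGP=0
Mar 27 22:54:52 HOSTNAME kernel: calico-packet: IN=cali2946daffa48 OUT=cali4b2091ec068 MAC=ee:ee:ee:ee:ee:ee:a6:8e:ee:53:38:b7:08:00 SRC=10.254.157.25 DST=10.254.157.20 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=10080 DF PROTO=TCP SPT=35236 DPT=80 WINDOW=32640 RES=0x00 SYN URGP=0
"""

# Constructed sample input: two snapshots of `iptables-save -c | grep DROP`, taken
# before and after the two packets above. The cali-tw line is the one from the
# question; the cali-fw line (and its rule id) and the second snapshot are made up.
DROPS_BEFORE = """\
[76:4560] -A cali-tw-cali4b2091ec068 -m comment --comment "cali:dmC976zbMPTWTc-S" -m comment --comment "Drop if no policies passed packet" -m mark --mark 0x0/0x20000 -j DROP
[0:0] -A cali-fw-cali2946daffa48 -m comment --comment "cali:exampleRuleId00" -m comment --comment "Drop if no policies passed packet" -m mark --mark 0x0/0x20000 -j DROP
"""
DROPS_AFTER = """\
[78:4680] -A cali-tw-cali4b2091ec068 -m comment --comment "cali:dmC976zbMPTWTc-S" -m comment --comment "Drop if no policies passed packet" -m mark --mark 0x0/0x20000 -j DROP
[0:0] -A cali-fw-cali2946daffa48 -m comment --comment "cali:exampleRuleId00" -m comment --comment "Drop if no policies passed packet" -m mark --mark 0x0/0x20000 -j DROP
"""

LOG_RE = re.compile(r"calico-packet:\s*(?P<fields>.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")
DROP_RE = re.compile(r"^\[(?P<pkts>\d+):(?P<bytes>\d+)\]\s+-A\s+(?P<chain>\S+)\s+.*-j\s+DROP\s*$")


def parse_log_line(line: str) -> Optional[Dict[str, object]]:
    """Split one calico-packet line into KEY=VALUE fields plus bare flags (DF, SYN, ...).
    The line only records that a Log rule matched; it carries no verdict."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    body = m.group("fields")
    fields = dict(KV_RE.findall(body))
    flags = [tok for tok in body.split() if "=" not in tok]
    return {"fields": fields, "flags": flags}


def candidate_drop_chains(fields: Dict[str, str]) -> List[str]:
    """Per-workload chains the packet traverses, assuming Calico's iptables naming:
    cali-fw-<iface> when it leaves a workload (IN=cali...), cali-tw-<iface> when it
    enters one (OUT=cali...)."""
    chains = []
    if fields.get("IN", "").startswith("cali"):
        chains.append("cali-fw-" + fields["IN"])
    if fields.get("OUT", "").startswith("cali"):
        chains.append("cali-tw-" + fields["OUT"])
    return chains


def parse_drop_counters(text: str) -> Dict[str, int]:
    """Map chain name -> packet counter for every '-j DROP' line of iptables-save -c."""
    counters: Dict[str, int] = {}
    for line in text.splitlines():
        m = DROP_RE.match(line.strip())
        if m:
            counters[m.group("chain")] = int(m.group("pkts"))
    return counters


def correlate(journal: str, before: str, after: str) -> List[Dict[str, object]]:
    """For each logged packet, list the chains it went through and how their
    DROP counters moved between the two snapshots."""
    b = parse_drop_counters(before)
    a = parse_drop_counters(after)
    results = []
    for line in journal.splitlines():
        pkt = parse_log_line(line)
        if pkt is None:
            continue
        f = pkt["fields"]
        entry = {"src": f.get("SRC"), "dst": f.get("DST"), "proto": f.get("PROTO"),
                 "dport": f.get("DPT"), "flags": pkt["flags"], "chains": {}}
        for chain in candidate_drop_chains(f):
            entry["chains"][chain] = {"before": b.get(chain, 0), "after": a.get(chain, 0),
                                      "delta": a.get(chain, 0) - b.get(chain, 0)}
        results.append(entry)
    return results


def dropping_chains(results: List[Dict[str, object]]) -> set:
    """Chains whose DROP counter grew while the logged packets arrived."""
    return {c for r in results for c, v in r["chains"].items() if v["delta"] > 0}


if __name__ == "__main__":
    res = correlate(SAMPLE_JOURNAL, DROPS_BEFORE, DROPS_AFTER)
    for r in res:
        print(f"{r['src']} -> {r['dst']}:{r['dport']}/{r['proto']} {' '.join(r['flags'])}")
        for chain, v in r["chains"].items():
            print(f"  {chain}: DROP {v['before']} -> {v['after']} (+{v['delta']})")
    print("dropping:", sorted(dropping_chains(res)))
```

On a live node the two snapshots would come from running iptables-save -c before and after reproducing the request; the counter delta on cali-tw-cali4b2091ec068 is then the only evidence that the logged SYNs were dropped, because the Log rule itself never says so.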