What is the net.bridge.bridge-nf-call-iptables kernel parameter?

I am following this guide on installing Kubernetes with kubeadm, and as part of the installation process I need to set the following kernel parameters in sysctl.d/99-kuvernetes-cni.conf:

net.bridge.bridge-nf-call-iptables=1
net.bridge.bridge-nf-call-ip6tables=1

I know that these belong to the br_netfilter module, since I can only see them with sysctl -a after loading this module.

But what are they all about? Are they really necessary for running Kubernetes?

Asked By: YoavKlein


These parameters determine whether packets crossing a bridge are sent to iptables for processing. Most Kubernetes CNIs rely on iptables, so this is usually necessary for Kubernetes.

The in-kernel default is to enable these settings, but many distributions disable them (see the previous link for details).

Answered By: Stephen Kitt
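A quick way to verify the prerequisite described above on a node, as an added example that is not part of the original answer: the script reads a `sysctl -a`-style dump from a file (here constructed sample data, labelled as such), so it runs offline; the file names and the function names are assumptions.

```shell
#!/bin/sh
# Added example: verify that the two bridge-netfilter sysctls a kubeadm node
# needs are present and set to 1. It reads "key = value" lines in sysctl(8)
# output format from a file, so it can be run against a live capture
# (`sysctl -a 2>/dev/null > /tmp/sysctl.txt`) or, as here, against
# constructed sample data.

# Print the value for a sysctl key from a "key = value" dump; empty if absent
# (absent is exactly what you see when br_netfilter is not loaded).
sysctl_value() {
  # $1 = dump file, $2 = key
  sed -n "s/^$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# Return 0 only if both bridge-nf-call sysctls exist and equal 1; print a
# diagnostic per key so the operator sees which one is wrong and why.
check_bridge_nf_calls() {
  dump="$1"
  rc=0
  for key in net.bridge.bridge-nf-call-iptables net.bridge.bridge-nf-call-ip6tables; do
    val=$(sysctl_value "$dump" "$key")
    if [ -z "$val" ]; then
      echo "$key: missing (is the br_netfilter module loaded?)"
      rc=1
    elif [ "$val" != "1" ]; then
      echo "$key = $val (expected 1)"
      rc=1
    else
      echo "$key = 1 (ok)"
    fi
  done
  return $rc
}

# Constructed sample dumps for demonstration; replace with real `sysctl -a` output.
good=$(mktemp); bad=$(mktemp)
printf 'net.bridge.bridge-nf-call-arptables = 1\nnet.bridge.bridge-nf-call-ip6tables = 1\nnet.bridge.bridge-nf-call-iptables = 1\n' > "$good"
printf 'net.ipv4.ip_forward = 1\nnet.bridge.bridge-nf-call-iptables = 0\n' > "$bad"
check_bridge_nf_calls "$good"   # both keys reported ok, exit status 0
check_bridge_nf_calls "$bad" || echo "node is not ready for kubeadm preflight"
```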

It seems that with nftables these parameters are not used anymore: https://netdevconf.info/1.1/proceedings/papers/Bridge-filter-with-nftables.pdf

Answered By: Osqui