Apply on forwarded traffic

- `false`: the host endpoint policy applies to traffic to/from local processes only.
- `true`: the host endpoint policy also applies to forwarded traffic:
  - Traffic that comes in via a host endpoint and is forwarded to a local workload (container/pod/VM).
  - Traffic from a local workload that is forwarded out via a host endpoint.
  - Traffic that comes in via a host endpoint and is forwarded out via another host endpoint.
Untracked policies and pre-DNAT policies must have `applyOnForward` set to `true` because they apply to all forwarded traffic.
Forwarded traffic is allowed by default if no policies apply to the endpoint and direction. In other words, if a host endpoint is configured, but there are no policies with `applyOnForward: true` that apply to that host endpoint and traffic direction, forwarded traffic is allowed in that direction. For example, if a forwarded flow is incoming via a host endpoint, but there are no Ingress policies with `applyOnForward: true` that apply to that host endpoint, the flow is allowed. If there are `applyOnForward: true` policies that select the host endpoint and direction, but no rules in the policies allow the traffic, the traffic is denied.
This is different from how Calico treats traffic to or from a local process: if a host endpoint is configured and there are no policies that select the host endpoint in the traffic direction, or no rules that allow the traffic, the traffic is denied.
Traffic that traverses a host endpoint and is forwarded to a workload endpoint must also pass the applicable workload endpoint policy, if any. That is to say, if an `applyOnForward: true` host endpoint policy allows the traffic, but workload endpoint policy denies it, the packet is still dropped.

Traffic that ingresses one host endpoint, is forwarded, and egresses another host endpoint must pass ingress policy on the first host endpoint and egress policy on the second host endpoint.
Note: Calico's handling of host endpoint policy changed in Calico v3.0 in two ways:

- By default, it does not apply at all to forwarded traffic. If you have an existing policy and you want it to apply to forwarded traffic, you need to add `applyOnForward: true` to the policy.
- Even with `applyOnForward: true`, the treatment is not quite the same in Calico v3.0 as in previous releases, because, once a host endpoint is configured, Calico v3.0 allows forwarded traffic through that endpoint by default, whereas previous releases denied forwarded traffic through that endpoint by default. If you want to maintain the default-deny behavior for all host-endpoint forwarded traffic, you can create an empty policy with `applyOnForward: true` that applies to all traffic on all host endpoints:

```bash
calicoctl apply -f - <<EOF
- apiVersion: projectcalico.org/v3
  kind: GlobalNetworkPolicy
  metadata:
    name: empty-default-deny
  spec:
    types:
    - Ingress
    - Egress
    selector: has(host-endpoint)
    applyOnForward: true
EOF
```
Note: This policy has no `order` field specified, which causes it to default to the highest value. Because higher order values have the lowest precedence, Calico will apply this policy after all other policies. Refer to the policy spec for more discussion.
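The verdict rules above (default-allow for forwarded traffic with no applicable `applyOnForward: true` policy, default-deny for local-process traffic, the extra workload-endpoint check, and the effect of the `empty-default-deny` policy) can be exercised with a small model. This is an added illustration, not Calico's own code; it assumes away selectors, `order` and explicit Deny rules and reduces each policy to the protocols its rules allow per direction.

```python
from dataclasses import dataclass, field

@dataclass
class Policy:
    """One host endpoint policy, reduced to what matters for applyOnForward.

    `allows` maps a direction ("Ingress"/"Egress") to the set of protocols
    its rules allow. Selectors, order and explicit Deny rules are left out
    (a simplifying assumption of this illustration)."""
    name: str
    types: tuple
    apply_on_forward: bool
    allows: dict = field(default_factory=dict)

def host_endpoint_verdict(policies, direction, proto, forwarded):
    """Verdict for traffic crossing a configured host endpoint in `direction`.

    forwarded=False (to/from a local process): no applicable policy, or no
    allowing rule, means Deny.
    forwarded=True: only applyOnForward: true policies count; none applying
    means Allow, some applying but none allowing means Deny."""
    applicable = [p for p in policies
                  if direction in p.types and (p.apply_on_forward or not forwarded)]
    if not applicable:
        return "Allow" if forwarded else "Deny"
    if any(proto in p.allows.get(direction, set()) for p in applicable):
        return "Allow"
    return "Deny"

def forwarded_to_workload_verdict(host_policies, proto, workload_allows=None):
    """Ingress via a host endpoint, forwarded to a local workload: the flow must
    pass host endpoint policy and then workload endpoint policy, if any."""
    if host_endpoint_verdict(host_policies, "Ingress", proto, forwarded=True) == "Deny":
        return "Deny"
    if workload_allows is None:  # no workload endpoint policy applies
        return "Allow"
    return "Allow" if proto in workload_allows else "Deny"

# Constructed sample policies mirroring the cases in the text.
LOCAL_ONLY = Policy("allow-tcp-local", ("Ingress",), False, {"Ingress": {"TCP"}})
EMPTY_DEFAULT_DENY = Policy("empty-default-deny", ("Ingress", "Egress"), True)
FORWARD_TCP = Policy("allow-tcp-forward", ("Ingress",), True, {"Ingress": {"TCP"}})

if __name__ == "__main__":
    for pols in ([], [LOCAL_ONLY], [LOCAL_ONLY, EMPTY_DEFAULT_DENY],
                 [LOCAL_ONLY, EMPTY_DEFAULT_DENY, FORWARD_TCP]):
        print([p.name for p in pols] or "(no policy)",
              "local TCP:", host_endpoint_verdict(pols, "Ingress", "TCP", False),
              "forwarded TCP:", host_endpoint_verdict(pols, "Ingress", "TCP", True),
              "forwarded UDP:", host_endpoint_verdict(pols, "Ingress", "UDP", True))
```

With no policy at all, local TCP is denied while forwarded TCP is allowed; adding `empty-default-deny` flips forwarded traffic to denied until an `applyOnForward: true` policy with an allowing rule is added.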