6.11.22

note to self: CNIs use the iptables-wrapper script to align their version w/ the kernel

Today Dan asked in sig-net Slack:

"I'm a little confused, I've a pod with hostNetwork: true, I can see all the network devices... but the iptables rules are different on the host to what I can see inside the pod."

It turns out that iptables is a client app that runs in containers, and the client in the container can be different from the implementation of iptables underneath it, which lives in the kernel (the client can talk to the kernel in either "legacy" (ip_tables) or nft mode, and the host's rules live in only one of them).

So, looking at how CNIs handle this, they all seem to bundle the same iptables-wrapper script into their Dockerfiles. Looking at the Antrea changelog, recently:

## 1.5.1 - 2022-03-07

### Changed

- Use iptables-wrapper in Antrea container. Now antrea-agent can work with distros that lack the iptables kernel module of "legacy" mode (ip_tables). ([#3308](https://github.com/antrea-io/antrea/pull/3308), [@antoninbas])
- Reduce permissions of Antrea ServiceAccount for updating annotations. ([#3408](https://github.com/antrea-io/antrea/pull/3408), [@tnqn])

- https://github.com/antrea-io/antrea/blob/main/build/images/base/Dockerfile 

- https://github.com/cilium/cilium/blob/master/images/runtime/Dockerfile

- https://github.com/flannel-io/flannel/blob/master/Dockerfile.amd64

All vendor in this lovely tool from Red Hat: https://github.com/kubernetes-sigs/iptables-wrappers/blob/master/README.md#background

The iptables-wrapper scripts above look at which iptables backend the host is actually using and then decide which iptables client binary to use inside the container.
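The backend selection the wrapper performs, as an added example that is not the iptables-wrappers project's own script: a simplified form of the decision (a kubelet hint chain wins, otherwise rule counts decide), fed constructed iptables-save style dumps as strings so it runs without a node. The KUBE-IPTABLES-HINT / KUBE-KUBELET-CANARY chain names and the 10-rule threshold are assumptions taken from my reading of the wrapper's heuristic, not from this page.

```shell
# Added example (not the kubernetes-sigs/iptables-wrappers script itself): a
# simplified form of its backend-selection rule, fed iptables-save style dumps
# for the legacy and nft backends as strings so it runs offline.

# Number of rule lines ("-A ...") in a dump.
rule_count() {
    printf '%s\n' "$1" | grep -c '^-A' || true
}

# True if the dump defines one of the hint chains kubelet/kube-proxy create in
# the mangle table to advertise the backend they use (assumed chain names).
has_kube_hint() {
    printf '%s\n' "$1" | grep -Eq '^:KUBE-(IPTABLES-HINT|KUBELET-CANARY) '
}

# choose_mode LEGACY_DUMP NFT_DUMP -> prints "legacy" or "nft".
choose_mode() {
    # 1. A hint chain on exactly one side is decisive: kubelet already chose.
    if has_kube_hint "$1" && ! has_kube_hint "$2"; then echo legacy; return 0; fi
    if has_kube_hint "$2" && ! has_kube_hint "$1"; then echo nft; return 0; fi
    # 2. Otherwise pick legacy only when it clearly holds the ruleset and nft
    #    is (nearly) empty; default to nft, as modern distros do (assumed threshold).
    if [ "$(rule_count "$1")" -ge 10 ] && [ "$(rule_count "$2")" -lt 10 ]; then
        echo legacy
    else
        echo nft
    fi
}

# Constructed dump with N filter rules and no hint chain (test fixture).
synthetic_dump() {
    printf '*filter\n:INPUT ACCEPT [0:0]\n'
    i=0
    while [ "$i" -lt "$1" ]; do
        printf '%s\n' "-A INPUT -s 10.0.0.$i -j DROP"; i=$((i + 1))
    done
    printf 'COMMIT\n'
}

# Constructed nft dump carrying the kubelet hint and a kube-proxy masquerade rule.
NFT_WITH_HINT='*mangle
:KUBE-IPTABLES-HINT - [0:0]
COMMIT
*nat
:KUBE-POSTROUTING - [0:0]
-A KUBE-POSTROUTING -j MASQUERADE
COMMIT'

choose_mode "$(synthetic_dump 0)" "$NFT_WITH_HINT"   # prints: nft
```

On a real node the two dumps would come from iptables-legacy-save and iptables-nft-save; a container whose client picks the other backend sees an unrelated, mostly empty ruleset, which is exactly the symptom in Dan's question.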

The reason this is important is that CNIs (which are packaged in containers) need to make calls out to iptables (e.g. Calico does this for network policies, the Antrea agent has to write masquerading rules for routing, see https://antrea.io/docs/v1.2.3/docs/design/architecture/, and so on).

I'm not sure, and I'm kinda curious: if you have a different version of the iptables "client" in your container than on the actual node you're running on, are there more serious bugs than just "seeing different rules" in the container? Probably. Otherwise the whole kubernetes-sigs/iptables-wrappers repo wouldn't exist.
