Deleting Iptables -S of calico

Question

I am trying to delete all calico related Iptables using calico-script . After running this script most of the calico iptables is removed except these:

root@Ubuntu-18-VM:~# iptables -S | grep -oP '(?<!^:)cali-[^ ]+'
cali-FORWARD
cali-INPUT
cali-OUTPUT
cali-cidr-block
cali-from-hep-forward
cali-from-host-endpoint
cali-from-wl-dispatch
cali-from-wl-dispatch-5
cali-fw-cali2847b154969
cali-fw-cali4bb24809f90
cali-fw-cali531f8f2e712
cali-fw-cali5a82b3ff301
cali-pri-_CVSZITRyIpEmH8AB6H
cali-pri-_HayIXLB85hzHkIhWER
cali-pri-_PTRGc0U-L5Kz7V6ERW
cali-pri-_u2Tn2rSoAPffvE7JO6
cali-pri-kns.kube-system
cali-pro-_CVSZITRyIpEmH8AB6H
cali-pro-_HayIXLB85hzHkIhWER
cali-pro-_PTRGc0U-L5Kz7V6ERW
cali-pro-_u2Tn2rSoAPffvE7JO6
cali-pro-kns.kube-system
cali-to-hep-forward
cali-to-host-endpoint
cali-to-wl-dispatch
cali-to-wl-dispatch-5
cali-tw-cali2847b154969
cali-tw-cali4bb24809f90
cali-tw-cali531f8f2e712
cali-tw-cali5a82b3ff301
cali-wl-to-host

Total 31 are still left. I am trying to add one more grep line in the script that should grep above remaining 31 entries and remove those iptables. But when I added below line just after line14

iptables -S | grep -oP '(?<!^:)cali-[^ ]+' | while read line; do iptables -t nat -F $line; done

I am getting below error 31 times:

iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
.
.
.

How can I fix this script so that it can grep & delete remaining 31 iptables entries also.

Answer 1

Update Nov 2022: The removal script from Calico is now located at

https://github.com/projectcalico/calico/blob/master/calico/hack/remove-calico-policy/remove-calico-policy.sh

1. remove your line

2. try add below after L36

echo 'Cleaning all calico'
for i in `iptables -L |grep cali|awk '{print $2}'`; do iptables -F $i && iptables -X $i;  done

In my case, before this adjustment, script left me 40 out of 242

iptables -S | grep -oP '(?<!^:)cali-[^ ]+' | wc -l
40

after: 0

# iptables -S | grep -oP '(?<!^:)cali-[^ ]+' | wc -l
242
# ./calico-removal.sh 
Setting default FORWARD action to ACCEPT...
net.ipv4.ip_forward = 1
Starting the flush Calico policy rules...
Make sure calico-node DaemonSet is stopped before this gets executed.
Flushing all the calico iptables chains in the nat table...
Flushing all the calico iptables chains in the raw table...
Flushing all the calico iptables chains in the mangle table...
Flushing all the calico iptables chains in the filter table...
Cleaning up calico rules from the nat table...
Cleaning up calico rules from the raw table...
Cleaning up calico rules from the mangle table...
Cleaning up calico rules from the filter table...
Cleaning all calico

## iptables -S | grep -oP '(?<!^:)cali-[^ ]+' | wc -l
0