
WIP: Migrate iptables to nftables in networking test suite#3935

Open
weliang1 wants to merge 1 commit into
openshift:mainfrom
weliang1:replace-iptable-with-nftable

Conversation

@weliang1

Contributor

Summary

Replace all iptables command references with nftables equivalents across the networking test suite.

Changes

  • pod.feature: Migrate u32 module matching to nftables raw payload matching
  • egress-ip.feature: Update EgressIP rule verification to use nft
  • ovn.feature: Convert OVN port blocking with IPv4/IPv6 support
  • service.feature: Update service DNAT/REDIRECT verification
  • sdn.feature: Rule repair, version checks, and conntrack rules

Migration Statistics

  • ✅ 5 files updated, 108 lines changed (55+, 53-)
  • ✅ 8 test scenarios updated
  • ✅ 100% iptables references removed

Technical Changes

  • iptables --version → nft --version
  • iptables-save → nft list ruleset
  • iptables -S -t <table> → nft list table ip <table>
  • ip6tables support → nft family ip6
  • Rule deletion now uses handle-based approach

Documentation

  • Added MIGRATION_SUMMARY.md with complete migration guide
  • Includes command mappings and syntax differences
  • Documents next steps for step definition updates

Status: WIP

Pending work:

  • Update Ruby step definitions for nftables commands
    • the node nftables config is checked
    • the node standard nftables rules are removed
    • the node standard nftables rules are completely flushed
  • Test scenarios against OpenShift 4.x cluster
  • Verify nftables availability on test nodes (RHEL 8+)

Testing

Requires RHEL 8+ nodes with nftables support.

See MIGRATION_SUMMARY.md for complete technical details.

@openshift-ci openshift-ci Bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jun 25, 2026
@openshift-ci openshift-ci Bot requested review from asood-rh and rbbratta June 25, 2026 14:37
@openshift-ci

openshift-ci Bot commented Jun 25, 2026


[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign anuragthehatter for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

Replace all iptables command references with nftables equivalents
across 5 test feature files in the networking test suite.

Changes:
- pod.feature: Migrate u32 module matching to nftables raw payload
- egress-ip.feature: Update EgressIP rule verification to use nft
- ovn.feature: Convert OVN port blocking with IPv4/IPv6 support
- service.feature: Update service DNAT/REDIRECT verification
- sdn.feature: Rule repair, version checks, and conntrack rules

Migration statistics:
- 5 files updated, 108 lines changed (55+, 53-)
- 8 test scenarios updated
- 100% iptables references removed

Technical changes:
- iptables --version → nft --version
- iptables-save → nft list ruleset
- iptables -S -t <table> → nft list table ip <table>
- ip6tables support → nft family ip6
- Rule deletion now uses handle-based approach

Note: Ruby step definitions still need updates for:
- node nftables config checks
- nftables rule removal/flush operations

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
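The command mappings in the PR description's "Technical Changes" list and in the commit message above (iptables --version, iptables-save, iptables -S -t, ip6tables, handle-based deletion) can be exercised in the language the step definitions are written in. The following is an added example, not code from this PR or from the openshift test suite: it maps the listed iptables invocations to their nft equivalents and parses constructed `nft -a list ruleset` output to find rule handles, so a step can build the `nft delete rule <family> <table> <chain> handle <N>` command the "handle-based approach" refers to. The assumption is the standard `nft -a` layout, where each rule line ends in `# handle N`; the ruleset text is constructed, not captured from a node.

```ruby
# Added example (not part of the PR): iptables -> nft command mapping and
# handle-based rule deletion against `nft -a list ruleset` output.

# Map the iptables invocations listed in the PR to their nft equivalents.
# ip6tables variants select the ip6 family, as the PR describes.
def nft_equivalent(iptables_cmd)
  case iptables_cmd.strip
  when 'iptables --version', 'ip6tables --version'
    'nft --version'
  when 'iptables-save', 'ip6tables-save'
    'nft list ruleset'
  when /\A(iptables|ip6tables) -S -t (\S+)\z/
    family = Regexp.last_match(1) == 'ip6tables' ? 'ip6' : 'ip'
    "nft list table #{family} #{Regexp.last_match(2)}"
  else
    raise ArgumentError, "no mapping for: #{iptables_cmd}"
  end
end

# Parse `nft -a list ruleset` output into rule entries with their handles.
# Assumed format: `table <family> <name> {`, `chain <name> {`, one rule per
# line ending in `# handle N`, closing braces on their own lines.
# Returns an array of hashes: { family:, table:, chain:, rule:, handle: }.
def parse_ruleset_handles(text)
  entries = []
  family = table = chain = nil
  text.each_line do |raw|
    line = raw.strip
    if (m = line.match(/\Atable (\S+) (\S+) \{/))
      family, table = m[1], m[2]
    elsif (m = line.match(/\Achain (\S+) \{/))
      chain = m[1]
    elsif line == '}'
      if chain
        chain = nil
      else
        family = table = nil
      end
    elsif chain && (m = line.match(/\A(.*?)\s*# handle (\d+)\z/))
      body = m[1]
      next if body.start_with?('type ') # chain header, not a rule
      entries << { family: family, table: table, chain: chain,
                   rule: body, handle: m[2].to_i }
    end
  end
  entries
end

# Build the `nft delete rule ... handle N` command for every rule whose text
# matches `pattern` (a Regexp). Raises when nothing matches so that a test
# step fails loudly instead of silently deleting nothing.
def delete_commands_for(ruleset_text, pattern)
  matches = parse_ruleset_handles(ruleset_text).select { |e| e[:rule] =~ pattern }
  raise "no rule matches #{pattern.inspect}" if matches.empty?
  matches.map do |e|
    "nft delete rule #{e[:family]} #{e[:table]} #{e[:chain]} handle #{e[:handle]}"
  end
end

# Constructed sample of `nft -a list ruleset` output (not from a real node).
SAMPLE_RULESET = <<~NFT
  table ip filter { # handle 1
    chain INPUT { # handle 2
      type filter hook input priority filter; policy accept;
      tcp dport 22 counter packets 0 bytes 0 accept # handle 5
      ct state invalid counter packets 0 bytes 0 drop # handle 6
    }
  }
  table ip6 filter { # handle 3
    chain INPUT { # handle 4
      type filter hook input priority filter; policy accept;
      tcp dport 22 counter packets 0 bytes 0 drop # handle 7
    }
  }
NFT

if __FILE__ == $PROGRAM_NAME
  puts nft_equivalent('iptables -S -t nat')
  puts delete_commands_for(SAMPLE_RULESET, /tcp dport 22/)
end
```

Deleting by handle rather than by re-specifying the rule text avoids the mismatch problems that `iptables -D` has when the listed form of a rule differs from the form it was added in; the handle is the only stable identifier nft prints, and it is only printed with `-a`.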
@weliang1 weliang1 force-pushed the replace-iptable-with-nftable branch from 2d6dbf9 to b6fc3cd Compare June 25, 2026 14:39
@asood-rh

Contributor

@weliang1 Does it make sense to migrate all to go so that when they are OTE enabled we do not need to think of ruby tests all?

@openshift-ci

openshift-ci Bot commented Jun 25, 2026


@weliang1: all tests passed!

Full PR test history. Your PR dashboard.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@weliang1

Contributor Author

> @weliang1 Does it make sense to migrate all to go so that when they are OTE enabled we do not need to think of ruby tests all?

@asood-rh That's a good idea. This PR is WIP. We can migrate them to go after all the testing pass.
