Skip to content

Feat nftables #346

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 19 commits into from
Oct 17, 2025
Merged

Feat nftables #346

merged 19 commits into from
Oct 17, 2025

Conversation

@chez-shanpu
Copy link
Contributor

@chez-shanpu chez-shanpu commented Sep 1, 2025
edited
Loading

Follow up #345

@chez-shanpu chez-shanpu force-pushed the feat-nftables branch 2 times, most recently from b09cab5 to 1d39829 Compare September 8, 2025 05:49
Till0196 and others added 16 commits September 8, 2025 15:50
@Till0196 @chez-shanpu
Add nftables support for egress NAT functionality
139fc3b 
Add nftables support for egress NAT functionality

temp: enable CI for this branch

Add nftables usage logging to coil-egress initialization

Improve enable-nft flag description to clarify NAT backend choice

Add nftables manifest

Add coil nftables test

Add nftables to Dockerfile

Remove iptables CHECKSUM rules from FoU tunnel initialization

add mac support

Add Mac support to setup-echotest

Add support multi platform

Add EnableNFT field to Egress CRD

Add nftables E2E test support

Remove unnecessary kube-proxy double NAT workaround

Add counter expressions to nftables rules in egress

add cross-platform support for yq binary download

Fix crd manifest generation in Makefile

Update generated CRDs to controller-gen v0.18.0

Run garbage collection immediately without waiting for first tick

refactor: use timer instead of ticker in garbage collector

ci: remove support-nftables branch trigger
@Till0196 @chez-shanpu
refactor: consolidate egress NAT rule setup and extract magic numbers
120e8fc
@Till0196 @chez-shanpu
fix: remove unused useNFT field from natSetup struct
d197da7
@Till0196 @chez-shanpu
refactor: move addEgressRule calls outside NAT backend conditional
8525c01
@Till0196 @chez-shanpu
refactor: consolidate nftables tests and fix configuration issues
7195261
@Till0196 @chez-shanpu
refactor: remove unused useNFT parameter and improve test cleanup
9d20788
@Till0196 @chez-shanpu
refactor: remove unused UseNFT field from EgressWatcher
12a7efb
@Till0196 @chez-shanpu
refactor: streamline nftables e2e testing and remove duplicate configs
c532c0f
@Till0196 @chez-shanpu
refactor: unify IPv4/IPv6 nftables masquerade rule creation
92d3b4e
@Till0196 @chez-shanpu
test: improve network state cleanup in e2e tests
839c9fb
@Till0196 @chez-shanpu
feat: migrate enableNFT to backend enum and integrate nftables testin…
8a080da 
…g in CI
@Till0196 @chez-shanpu
Add backend validation for egress NAT configuration
f20d3bb
@Till0196 @chez-shanpu
refactor: use patchesStrategicMerge for nftables backend configuration
87ae3bb
@Till0196 @chez-shanpu
add nftables command examples to egress.go
6ce684c
@Till0196 @chez-shanpu
refactor: remove unused DefaultEnableNFT constant
ff2fe5a
@chez-shanpu
Small fix to egress-backend
67f9594 
Signed-off-by: Tomoki Sugiura <tomoki-sugiura@cybozu.co.jp>
@chez-shanpu
Move nftables-related files to e2e
11e0cfc 
Signed-off-by: Tomoki Sugiura <tomoki-sugiura@cybozu.co.jp>
@chez-shanpu chez-shanpu marked this pull request as ready for review September 17, 2025 08:27
@chez-shanpu chez-shanpu changed the title WIP Feat nftables Feat nftables Sep 18, 2025
terassyi
terassyi reviewed Sep 22, 2025
View reviewed changes
@terassyi
Copy link
Contributor

@chez-shanpu

I think we need add following contents about this changes.

  • added flags (egress-controller and coild)
  • in the future, this flag value will be set nftables as default, and removed

@chez-shanpu
Reflect comments from terassyi
557a7d4 
Signed-off-by: Tomoki Sugiura <tomoki-sugiura@cybozu.co.jp>
@chez-shanpu
Copy link
Contributor Author

@terassyi

  • added flags (egress-controller and coild)

It seems egress-controller already has a backend flag.
About coild I don't think we have to to as the comment #346 (comment)

@terassyi
Copy link
Contributor

@chez-shanpu
Finally, please update some documents for this.

@chez-shanpu
Update docs
6033512 
Signed-off-by: Tomoki Sugiura <tomoki-sugiura@cybozu.co.jp>
terassyi
terassyi approved these changes Oct 17, 2025
View reviewed changes
Copy link
Contributor

@terassyi terassyi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@chez-shanpu chez-shanpu merged commit 9808a2a into main Oct 17, 2025
157 of 164 checks passed
@chez-shanpu chez-shanpu deleted the feat-nftables branch October 17, 2025 07:56
@chez-shanpu
Copy link
Contributor Author

@Till0196 Finally, nftables feature is merged! Thank you for your contribution!!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@terassyi terassyi terassyi approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@chez-shanpu @terassyi @Till0196