NE-2716: Replace iptables with nftables in origin-egress-router

[Thealisyed]

Summary

• Replace the deprecated iptables-nft shim with the native nftables package in the egress router container image
• Rename gen_iptables_rules/setup_iptables to gen_nft_rules/setup_nft
• Translate all DNAT/SNAT rule output from iptables-restore format to nft format
• Create nat table and chains atomically via nft -f -, loading table creation, flush, and all generated rules in a single transaction
• Update all 9 Go unit test expected outputs to match the new nft rule format

Why

iptables is deprecated in RHEL 9 and the ip_tables kernel module is removed in RHEL 10. The iptables-nft userspace shim remains but is deprecated. This migrates to native nft before the shim is removed entirely.

Reference

nft rule syntax derived from the nftables wiki — Moving from iptables to nftables.

Summary by CodeRabbit

• New Features

  • NAT handling in the egress router has been switched to nftables-style rules (DNAT for prerouting and SNAT for postrouting).
  • The router container image now includes nftables tooling.

• Bug Fixes

  • Updated the forwarding and NAT rule generation and runtime setup to produce the new nftables rule format.
  • Refreshed router test expectations to match the updated rendered rules.

[openshift-ci-robot]

@Thealisyed: This pull request references NE-2716 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

Details

In response to this:

Summary

• Replace the deprecated iptables-nft shim with the native nftables package in the egress router container image
• Rename gen_iptables_rules/setup_iptables to gen_nft_rules/setup_nft
• Translate all DNAT/SNAT rule output from iptables-restore format to nft format
• Create nat table and chains atomically via nft -f - heredoc
• Update all 9 Go unit test expected outputs to match the new nft rule format

Why

iptables is deprecated in RHEL 9 and the ip_tables kernel module is removed in RHEL 10. The iptables-nft userspace shim remains but is deprecated. This migrates to native nft before the shim is removed entirely.

Test plan

• Unit tests pass (go test ./... in egress/router/)
• Build container image and verify nft binary is available
• Deploy egress router pod and confirm DNAT/SNAT rules are applied correctly

Assisted with Claude

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Walkthrough

The egress router switches from iptables to nftables. The Dockerfile installs nftables, the shell script renders and applies ip nat rules with nft syntax, and the router tests are updated to match the new output.

Changes

Egress router nftables migration

Layer / File(s)	Summary
Package and generator entrypoint egress/router/Dockerfile, egress/router/egress-router.sh	The image installs nftables, and the shell script replaces gen_iptables_rules() with gen_nft_rules().
NAT rule rendering and setup egress/router/egress-router.sh	The script emits nftables DNAT and SNAT rules for ip nat prerouting and ip nat postrouting, defines the ip nat table and chains, and loads them with nft -f -.
Mode dispatch and expectations egress/router/egress-router.sh, egress/router/egress_router_test.go	init, legacy, and unit-test now call the nftables helpers, and the test cases expect add rule ip nat output with iifname, oifname, tcp dport, dnat to, and snat to syntax.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 14 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (14 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly matches the main change: migrating the origin egress router from iptables to nftables.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	Changed tests use plain testing.T; no Ginkgo It/Describe/Context/When titles or dynamic test names are present.
Test Structure And Quality	✅ Passed	PASS: The changed tests are table-driven Go unit tests, not Ginkgo; each case isolates one behavior, uses clear fatal messages, and no cluster setup/waits/cleanup are involved.
Microshift Test Compatibility	✅ Passed	No new Ginkgo e2e tests were added; the changes are shell logic and Go unit-test expectation updates only, with no MicroShift-unsupported APIs or checks.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	No new Ginkgo e2e tests were added; the PR only changes a shell script and a standard Go unit test, with no SNO/HA assumptions found.
Topology-Aware Scheduling Compatibility	✅ Passed	Only Dockerfile, shell script, and unit tests changed; no pod specs, replicas, affinities, nodeSelectors, or topology-aware scheduling constraints were added.
Ote Binary Stdout Contract	✅ Passed	No OTE suite/main process stdout writes were introduced; the shell script’s rule echoes are piped to nft or used only in unit-test mode.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	No new Ginkgo e2e tests were added; the touched Go test is plain unit testing, so the IPv6/disconnected-network notice is not applicable.
No-Weak-Crypto	✅ Passed	No weak-crypto primitives or secret comparisons were introduced; the PR only changes nftables NAT rule generation and test output strings.
Container-Privileges	✅ Passed	Changed files only update nftables/package logic and rule generation; no privileged, hostPID/hostNetwork/hostIPC, SYS_ADMIN, or allowPrivilegeEscalation settings appear.
No-Sensitive-Data-In-Logs	✅ Passed	No new logs expose secrets/PII; shell output is limited to validated IP/port rule text and debug tracing only covers IP-based env vars.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Thealisyed

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• egress/OWNERS [Thealisyed]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@egress/router/egress-router.sh`:
- Around line 112-126: The nft reload in setup_nft is not idempotent or atomic
because it recreates table ip nat and then applies cleanup and generated rules
in separate steps, which can fail on restart or leave a partial NAT state.
Update setup_nft in egress-router.sh to load the table, cleanup actions, chain
declarations, and gen_nft_rules output together through a single nft -f -
transaction so the whole reload succeeds or fails as one unit.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 2ab70d76-28db-4323-b945-086f20c71a0c

📥 Commits

Reviewing files that changed from the base of the PR and between 34acc69 and b4c8e8e.

📒 Files selected for processing (3)

• egress/router/Dockerfile
• egress/router/egress-router.sh
• egress/router/egress_router_test.go

[coderabbitai]

♻️ Duplicate comments (1)

egress/router/egress-router.sh (1)

112-126: 🩺 Stability & Availability | 🟠 Major | ⚡ Quick win

Make the nft reload restart-safe before declaring the table.

Line 115 recreates table ip nat before Line 123 flushes it, so a container restart can fail before cleanup if the table/chains already exist. Prefer an idempotent delete/destroy before recreating the table and loading generated rules in the same nft -f - batch.

Potential direction, if supported by the target nftables version

 function setup_nft() {
     {
         cat <<-'NFT'
+	destroy table ip nat
 	table ip nat {
 	  chain prerouting {
 	    type nat hook prerouting priority dstnat; policy accept;
 	  }
@@
-	}
-	flush table ip nat
+	}
 	NFT
         gen_nft_rules
     } | nft -f -
 }

Please verify the RHEL 9 image’s nftables supports destroy table; otherwise use a guarded delete before the batch.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@egress/router/egress-router.sh` around lines 112 - 126, The nft reload in
setup_nft is not restart-safe because it declares table ip nat before cleaning
up any existing state. Update the nft -f - batch to remove or destroy the
existing nat table first, then recreate it and load gen_nft_rules, keeping the
whole flow idempotent. Use setup_nft as the locator and prefer destroy table if
supported by the target nftables version; otherwise use a guarded delete before
the new table declaration.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Duplicate comments:
In `@egress/router/egress-router.sh`:
- Around line 112-126: The nft reload in setup_nft is not restart-safe because
it declares table ip nat before cleaning up any existing state. Update the nft
-f - batch to remove or destroy the existing nat table first, then recreate it
and load gen_nft_rules, keeping the whole flow idempotent. Use setup_nft as the
locator and prefer destroy table if supported by the target nftables version;
otherwise use a guarded delete before the new table declaration.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: ee8ef3d2-ec93-4217-a948-2b996e6e1fea

📥 Commits

Reviewing files that changed from the base of the PR and between b4c8e8e and 45f2641.

📒 Files selected for processing (3)

• egress/router/Dockerfile
• egress/router/egress-router.sh
• egress/router/egress_router_test.go

✅ Files skipped from review due to trivial changes (1)

• egress/router/Dockerfile

🚧 Files skipped from review as they are similar to previous changes (1)

• egress/router/egress_router_test.go

[openshift-ci]

@Thealisyed: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-metal-ipi-ovn-ipv6	45f2641	link	true	/test e2e-metal-ipi-ovn-ipv6
ci/prow/e2e-aws-upgrade	45f2641	link	true	/test e2e-aws-upgrade
ci/prow/images	45f2641	link	true	/test images
ci/prow/e2e-aws	45f2641	link	true	/test e2e-aws

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.