🤖 Created branch: z_pr2835/yboaron/packetfilter
🚀 Full E2E won't run until the "ready-to-test" label is applied. I will add it automatically once the PR has 2 approvals, or you can add it manually.

Since the packetfilter package is intended to replace iptables, we had also discussed renaming/moving directories/files to maintain git history continuity. So first rename the iptables dir to packetfilter then move iptables.go under packetfilter/iptables as a starting point.

I pushed #2871 based on my comments to serve as a starting point for the general structure. I left the packetfilter interface the same as it was. I think the logical next step would be to generalize the interface as is done in this PR. Then I think it would be useful to implement the interface using nftables and see if any changes are needed. Eg, can InsertUnique, PrependUnique, UpdateChainRules etc be implemented in the adapter interface as they are now?

I guess we need also the CNI (KindNet) switched to nftables , for full e2e testing on Kind, right ?

Yes. Kindnet programs certain IPtable rules mainly to perform MASQ for outbound traffic so that the pods can reach internet. As you are familiar, iptables-nft was created to facilitiate smooth migration to nftables and pretty much all the CNIs (along with kubeproxy) use iptables-nft under the hood today.
So, if the nftables handler in Submariner uses nft while the CNI uses iptables-nft AFAICT it should still continue to work, assuming we take care of the priority to enforce the order in which the rules have to be applied.

With the latest version I pushed, we have the history pointing to the prev files for the relevant files [1] ,
do we need something else ?

[1]
git log --pretty=oneline --follow pkg/packetfilter/adapter.go
git log --pretty=oneline --follow pkg/packetfilter/packetfilter.go
git log --pretty=oneline --follow pkg/packetfilter/fake/packetfilter.go
git log --pretty=oneline --follow pkg/routeagent_driver/handlers/kubeproxy/packetfilter_iface.go
git log --pretty=oneline --follow pkg/routeagent_driver/handlers/kubeproxy/kp_packetfilter.go

Yes. Kindnet programs certain IPtable rules mainly to perform MASQ for outbound traffic so that the pods can reach internet.

My Q was more about the nftables tables Submariner should use/create,
we know that Kube-proxy uses its own table, and a CNI that uses iptables-nft use the default tables and chains similar to iptables while other CNIs that use nftables may create their own table/s.

I guess we can't assume that default tables/chains (iptables-nft) will always be there, WDYT? meaning we should create our own table.

With the latest version I pushed, we have the history pointing to the prev files for the relevant files [1] , do we need something else ?

That looks good.

My Q was more about the nftables tables Submariner should use/create, we know that Kube-proxy uses its own table, and a CNI that uses iptables-nft use the default tables and chains similar to iptables while other CNIs that use nftables may create their own table/s.

I guess we can't assume that default tables/chains (iptables-nft) will always be there, WDYT? meaning we should create our own table.

AFAICT, if some component is using "iptables" (with iptables-nft under the hood) it will anyway use the default tables (like nat, filter, mangle etc) and it can create it own chains (like KUBE-PREROUTING etc) with a rule in the default chain (like PREROUTING) to forward packets to its custom chain (KUBE-PREROUTING). While using iptables they will not be creating any custom tables.

However, when a component has fully migrated to support nft, it can decide to create additional tables within each family and these tables can be given custom names. The components can then configure higher priority to those tables so that it gets priority over the default tables.

Personally, I feel in nftables implementation, we can create our own tables with Submariner specific chains/rules and use a higher priority.

🤖 Closed branches: [z_pr2835/yboaron/packetfilter]