Port hostport code from iptables to nftables

IPTables will not be available in RHEL 10, and is deprecated / not being improved in general. This changes the code to use nftables instead. Signed-off-by: Dan Winship <danwinship@redhat.com>
cri-o · Oct 16, 2024 · fd31b5e · fd31b5e
1 parent 6e05732
commit fd31b5e
Show file tree

Hide file tree

Showing 37 changed files with 3,679 additions and 3,100 deletions.
diff --git a/.github/workflows/integration.yml b/.github/workflows/integration.yml
@@ -35,6 +35,8 @@ jobs:
       - name: Install vmmeter
         run: crane export --platform linux/${{ matrix.run.arch }} ghcr.io/openfaasltd/vmmeter:latest | sudo tar -xvf - -C /usr/local/bin
       - uses: self-actuated/vmmeter-action@c7e2162e39294a810cab647cacc215ecd68a44f6
+      - name: Install nftables # needed for the arm64 image, no-op for amd64
+        run: sudo apt-get install -y nftables
       - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
       - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
         with:

diff --git a/contrib/test/ci/system-packages.yml b/contrib/test/ci/system-packages.yml
@@ -39,6 +39,7 @@
       - make
       - mlocate
       - nfs-utils
+      - nftables
       - nmap-ncat
       - openssl
       - openssl-devel

diff --git a/go.mod b/go.mod
@@ -81,6 +81,7 @@ require (
 	k8s.io/klog/v2 v2.130.1
 	k8s.io/kubelet v0.31.0
 	k8s.io/utils v0.0.0-20240711033017-18e509b52bc8
+	sigs.k8s.io/knftables v0.0.17
 	sigs.k8s.io/release-sdk v0.12.1
 	sigs.k8s.io/release-utils v0.8.4
 	sigs.k8s.io/yaml v1.4.0

diff --git a/go.sum b/go.sum
@@ -1069,6 +1069,8 @@ github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0
 github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
 github.com/letsencrypt/boulder v0.0.0-20240418210053-89b07f4543e0 h1:aiPrFdHDCCvigNBCkOWj2lv9Bx5xDp210OANZEoiP0I=
 github.com/letsencrypt/boulder v0.0.0-20240418210053-89b07f4543e0/go.mod h1:srVwm2N3DC/tWqQ+igZXDrmKlNRN8X/dmJ1wEZrv760=
+github.com/lithammer/dedent v1.1.0 h1:VNzHMVCBNG1j0fh3OrsFRkVUwStdDArbgBWoPAffktY=
+github.com/lithammer/dedent v1.1.0/go.mod h1:jrXYCQtgg0nJiN+StA2KgR7w6CiQNv9Fd/Z9BP0jIOc=
 github.com/lyft/protoc-gen-star v0.6.0/go.mod h1:TGAoBVkt8w7MPG72TrKIu85MIdXwDuzJYeZuUPFPNwA=
 github.com/lyft/protoc-gen-star v0.6.1/go.mod h1:TGAoBVkt8w7MPG72TrKIu85MIdXwDuzJYeZuUPFPNwA=
 github.com/lyft/protoc-gen-star/v2 v2.0.1/go.mod h1:RcCdONR2ScXaYnQC5tUzxzlpA3WVYF7/opLeUgcQs/o=
@@ -2108,6 +2110,8 @@ rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
 rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=
 sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo=
 sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0=
+sigs.k8s.io/knftables v0.0.17 h1:wGchTyRF/iGTIjd+vRaR1m676HM7jB8soFtyr/148ic=
+sigs.k8s.io/knftables v0.0.17/go.mod h1:f/5ZLKYEUPUhVjUCg6l80ACdL7CIIyeL0DxfgojGRTk=
 sigs.k8s.io/release-sdk v0.12.1 h1:/Q+yWpl33EnFx1b7xh6FnbioWSRUTrVkigL4KZVTrkU=
 sigs.k8s.io/release-sdk v0.12.1/go.mod h1:nnB4tt1g0VXMUCIYzDzPVqNI896OQrWipE6WbyZ6FSk=
 sigs.k8s.io/release-utils v0.8.4 h1:4QVr3UgbyY/d9p74LBhg0njSVQofUsAZqYOzVZBhdBw=

diff --git a/install.md b/install.md
@@ -19,7 +19,7 @@ It is assumed you are running a Linux machine.
 - [Build and install CRI-O from source](#build-and-install-cri-o-from-source)
   - [Runtime dependencies](#runtime-dependencies)
   - [Build and Run Dependencies](#build-and-run-dependencies)
-    - [Fedora - RHEL 7 - CentOS](#fedora---rhel-7---centos)
+    - [Fedora - RHEL 8 - CentOS](#fedora---rhel-8---centos)
       - [Required](#required)
     - [RHEL 8](#rhel-8)
     - [Debian - Raspbian - Ubuntu](#debian---raspbian---ubuntu)
@@ -162,18 +162,18 @@ chmod +x create_crio_sysext.sh
 
 - runc, crun or any other OCI compatible runtime
 - iproute
-- iptables
+- nftables
 
 Latest version of `runc` is expected to be installed on the system. It is picked
 up as the default runtime by CRI-O.
 
 ### Build and Run Dependencies
 
-#### Fedora - RHEL 7 - CentOS
+#### Fedora - RHEL 8 - CentOS
 
 ##### Required
 
-Fedora, RHEL 7, CentOS and related distributions:
+Fedora, RHEL 8, CentOS and related distributions:
 
 ```shell
 yum install -y \