Submariner (including Globalnet) should be enhanced to support nftables. #1775
Comments
We already handle this partially – the tools we install in the container images use either the legacy or nft iptables backend. I agree we do need to take care of this properly; anywhere we manipulate iptables and/or ipsets needs to be able to use nftables directly if appropriate. I don’t think this is urgent for 0.13, it can wait until the release after that.
Currently, in an OCP 0.10 setup, we have seen that the underlying host is using nftables and the iptables/ipset rules programmed by Submariner Globalnet/Route-agent seem to get automatically translated without any issues, except for the tcpd-mss-clamp rules, for which I reported a separate issue, #1774. As long as the iptables/ipset binaries are present and automatic translation is working fine, we are good. But before these binaries are removed from the host/container, we have to enhance SM to program rules using nft. Anyways, I too believe that this is not urgent for 0.13 and can wait.
This issue has been automatically marked as stale because it has not had activity for 60 days. It will be closed if no further activity occurs. Please make a comment if this issue/pr is still valid. Thank you for your contributions.
This would greatly simplify our shipped containers/binaries/code, but it will only really help a lot once we don't need to support hosts without nftables.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further
Some of the platforms are moving away from the iptables backend to the nftables backend. One such example is RHEL9.
As part of this transition, tools like iptables, ipset, etc. are deprecated: https://access.redhat.com/solutions/6739041
Submariner pods like Globalnet and route-agent, which program iptables rules on the nodes, should now query whether the underlying host uses iptables or nftables and ensure that they program the rules that the underlying host supports.
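The issue text asks that the agents first query which backend the host actually uses, and the earlier comment notes that rules keep working as long as the iptables binary is present and translates onto nf_tables. The following is an added example, not Submariner's own code, of the detection step that both passages describe: it classifies the first line of `iptables -V` output (iptables 1.8 and later print `(nf_tables)` or `(legacy)`; older releases print only the version) and treats a missing binary as the signal to drive nft directly. The `Backend` type, `DetectBackend` and `HostBackend` names are this example's own, and the sample version strings in `main` are constructed, not captured from a real host.

```go
package main

import (
	"fmt"
	"os/exec"
	"strings"
)

// Backend identifies which kernel packet-filter backend the host's
// iptables user-space tool is wired to.
type Backend int

const (
	BackendUnknown  Backend = iota // binary missing or output unrecognised
	BackendLegacy                  // classic x_tables via the legacy binary
	BackendNFTables                // iptables-nft translating onto nf_tables
)

func (b Backend) String() string {
	switch b {
	case BackendLegacy:
		return "legacy"
	case BackendNFTables:
		return "nf_tables"
	default:
		return "unknown"
	}
}

// DetectBackend classifies the first line of `iptables -V` output.
// iptables >= 1.8 appends "(nf_tables)" or "(legacy)" to the version;
// pre-1.8 releases print only "iptables vX.Y.Z", which can only be the
// legacy x_tables backend because iptables-nft did not exist yet.
func DetectBackend(versionOutput string) Backend {
	line := strings.TrimSpace(strings.SplitN(versionOutput, "\n", 2)[0])
	if !strings.HasPrefix(line, "iptables v") {
		return BackendUnknown
	}
	switch {
	case strings.Contains(line, "(nf_tables)"):
		return BackendNFTables
	case strings.Contains(line, "(legacy)"):
		return BackendLegacy
	default:
		return BackendLegacy
	}
}

// HostBackend runs the real binary. A host without iptables at all (the
// RHEL9-style host from the issue) surfaces as an error so the caller can
// decide to program nft directly instead of assuming translation exists.
func HostBackend() (Backend, error) {
	out, err := exec.Command("iptables", "-V").Output()
	if err != nil {
		return BackendUnknown, fmt.Errorf("iptables not usable on this host, nft must be driven directly: %w", err)
	}
	return DetectBackend(string(out)), nil
}

func main() {
	// Constructed sample outputs covering the three shapes the parser handles.
	samples := []string{
		"iptables v1.8.7 (nf_tables)\n",
		"iptables v1.8.4 (legacy)",
		"iptables v1.4.21",
		"",
	}
	for _, s := range samples {
		fmt.Printf("%-32q -> %s\n", s, DetectBackend(s))
	}
	if b, err := HostBackend(); err != nil {
		fmt.Println("host:", err)
	} else {
		fmt.Println("host:", b)
	}
}
```

Checking the version banner rather than probing for the `nft` binary is deliberate: a host can ship both `nft` and a legacy `iptables`, and it is the iptables binary inside the agent container and the one on the host that must agree on a backend, otherwise rules written through one are invisible to the other.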