submariner-io / submariner

Networking component for interconnecting Pods and Services across Kubernetes clusters.
https://submariner.io
Apache License 2.0

Submariner (including Globalnet) should be enhanced to support nftables. #1775

Open sridhargaddam opened 2 years ago

sridhargaddam commented 2 years ago

Some of the platforms are moving away from the iptables backend to the nftables backend. One such example is RHEL9. As part of this transition, tools like iptables, ipsets, etc. are deprecated - https://access.redhat.com/solutions/6739041

Submariner pods like Globalnet and route-agent, which program iptables rules on the nodes, should now query whether the underlying host uses iptables or nftables and ensure that they are programming the necessary rules in a form supported by the underlying host.
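One way a component could perform the "query the host" step described above, as an added example that is not Submariner's own code: run `iptables -V`, which on 1.8.x prints the backend in parentheses (`(nf_tables)` or `(legacy)`), and fall back to probing for an `nft` binary when no iptables binary exists at all. Note that this inspects whichever iptables frontend is visible on the PATH (in a container, that is the image's own tooling), not the kernel's state directly; `Backend`, `ParseIptablesVersion` and `DetectHostBackend` are names chosen for this example.

```go
package main

import (
	"fmt"
	"os/exec"
	"regexp"
	"strings"
)

// Backend is the packet-filter backend the iptables tooling is driving.
type Backend string

const (
	BackendLegacy  Backend = "legacy"    // classic x_tables via iptables-legacy
	BackendNFT     Backend = "nf_tables" // iptables-nft shim on top of nftables
	BackendUnknown Backend = "unknown"
)

// `iptables -V` prints e.g. "iptables v1.8.7 (nf_tables)" or "iptables v1.8.7 (legacy)".
// Pre-1.8 builds (e.g. 1.6.2) print no suffix at all; those only know x_tables.
var versionRE = regexp.MustCompile(`^iptables v(\d+\.\d+(?:\.\d+)?)(?:\s+\((\w+)\))?`)

// ParseIptablesVersion classifies the backend from the output of `iptables -V`.
func ParseIptablesVersion(out string) (version string, backend Backend) {
	m := versionRE.FindStringSubmatch(strings.TrimSpace(out))
	if m == nil {
		return "", BackendUnknown
	}
	switch m[2] {
	case "nf_tables":
		return m[1], BackendNFT
	case "legacy", "":
		return m[1], BackendLegacy
	default:
		return m[1], BackendUnknown
	}
}

// DetectHostBackend asks the iptables binary on PATH which backend it uses and,
// when iptables is absent (the deprecation case the issue anticipates), reports
// nftables if an nft binary is present instead.
func DetectHostBackend() (Backend, error) {
	if out, err := exec.Command("iptables", "-V").Output(); err == nil {
		_, b := ParseIptablesVersion(string(out))
		return b, nil
	}
	if _, err := exec.LookPath("nft"); err == nil {
		return BackendNFT, nil
	}
	return BackendUnknown, fmt.Errorf("neither iptables nor nft found on PATH")
}

func main() {
	b, err := DetectHostBackend()
	fmt.Println(b, err)
}
```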

sridhargaddam commented 2 years ago

CC @nyechiel @skitt @yboaron

skitt commented 2 years ago

We already handle this partially – the tools we install in the container images use either the legacy or nft iptables backend.

I agree we do need to take care of this properly; anywhere we manipulate iptables and/or ipsets needs to be able to use nftables directly if appropriate.

I don’t think this is urgent for 0.13, it can wait until the release after that.

sridhargaddam commented 2 years ago

Currently, in an OCP 0.10 setup, we have seen that the underlying host is using NFTables and the iptables/ipset rules programmed by Submariner Globalnet/Route-agent seem to get automatically translated without any issues, except for the tcpd-mss-clamp rules, for which I reported a separate issue - https://github.com/submariner-io/submariner/issues/1774

As long as the iptables/ipsets binaries are present and automatic translation is working fine, we are good. But before these binaries are removed from the host/container, we have to enhance SM to program rules using nft. Anyway, I too believe that this is not urgent for 0.13 and can wait.

stale[bot] commented 2 years ago

This issue has been automatically marked as stale because it has not had activity for 60 days. It will be closed if no further activity occurs. Please make a comment if this issue/pr is still valid. Thank you for your contributions.

stale[bot] commented 1 year ago

This issue has been automatically marked as stale because it has not had activity for 60 days. It will be closed if no further activity occurs. Please make a comment if this issue/pr is still valid. Thank you for your contributions.

dfarrell07 commented 1 year ago

This would greatly simplify our shipped containers/binaries/code, but it will only really help a lot once we don't need to support hosts without nftables.

stale[bot] commented 1 year ago

This issue has been automatically marked as stale because it has not had activity for 60 days. It will be closed if no further activity occurs. Please make a comment if this issue/pr is still valid. Thank you for your contributions.

github-actions[bot] commented 10 months ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

github-actions[bot] commented 6 months ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

github-actions[bot] commented 2 months ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.