Skip to content

feat: remove jump to swift-postrouting in iptables legacy as rules already exist in iptables nftables #3958

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 6 commits into from
Aug 28, 2025
Merged

feat: remove jump to swift-postrouting in iptables legacy as rules already exist in iptables nftables #3958

merged 6 commits into from
Aug 28, 2025

Conversation

QxBytes
Copy link
Contributor

@QxBytes QxBytes commented Aug 21, 2025
edited
Loading

Reason for Change:

Contains same changes as #3930 but without the behavioral change of snat to node ip

Deletes iptables legacy jump to swift postrouting rule before adding nftables rules because:
If we delete before:
If iptables maps to iptables nftables, we should already have nftables rules programmed on the node because cns 1.7.1 has fully rolled out, so deleting first should not cause any connectivity blip.
If iptables somehow maps to iptables legacy, we have a blip and then write the rule immediately after

If we delete afterwards:
If iptables maps to iptables nftables, we write the rules and delete the legacy jump after as expected
If iptables somehow maps to iptables legacy, we would add the rules and then delete the jump we just added, breaking the node until the cns restarts

Issue Fixed:

Requirements:

Notes:
Tested upgrade from 1.7.0 --> 1.7.1 --> 1.7.2 (this PR) for cns

@QxBytes QxBytes self-assigned this Aug 21, 2025
@Copilot Copilot AI review requested due to automatic review settings August 21, 2025 19:46
@QxBytes QxBytes added the cns Related to CNS. label Aug 21, 2025
@QxBytes QxBytes requested a review from a team as a code owner August 21, 2025 19:46
@QxBytes QxBytes requested a review from thatmattlong August 21, 2025 19:46
Copilot
Copilot AI reviewed Aug 21, 2025
View reviewed changes
Copy link
Contributor

@Copilot Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR removes the jump to swift-postrouting in iptables legacy since the same rules already exist in iptables nftables. It introduces an iptables legacy client interface to clean up legacy rules during SNAT rule programming.

  • Adds a new iptablesLegacyClient interface for deleting legacy iptables rules
  • Implements legacy iptables cleanup in SNAT rule programming
  • Updates logging to be more descriptive about SWIFT-POSTROUTING chain operations

Reviewed Changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 2 comments.

Show a summary per file
File Description
cns/restserver/restserver.go Adds iptablesLegacyClient interface and getter method
cns/restserver/internalapi_windows.go Implements unsupported legacy client for Windows
cns/restserver/internalapi_linux.go Implements legacy iptables deletion and integrates cleanup into SNAT programming
cns/restserver/internalapi_linux_test.go Adds test coverage for legacy iptables deletion
cns/fakes/iptablesfake.go Adds mock implementation for legacy iptables client

Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.

tamilmani1989
tamilmani1989 reviewed Aug 26, 2025
View reviewed changes
tamilmani1989
tamilmani1989 previously approved these changes Aug 27, 2025
View reviewed changes
@QxBytes QxBytes dismissed stale reviews from tamilmani1989 and santhoshmprabhu via e68f37b August 27, 2025 22:14
tamilmani1989
tamilmani1989 reviewed Aug 27, 2025
View reviewed changes
@QxBytes QxBytes force-pushed the alew/remove-iptables-legacy branch from e68f37b to 99e339d Compare August 27, 2025 23:03
@QxBytes QxBytes enabled auto-merge August 28, 2025 00:17
@QxBytes
Copy link
Contributor Author

QxBytes commented Aug 28, 2025

/azp run Azure Container Networking PR

@azure-pipelines Azure Pipelines
Copy link

Azure Pipelines successfully started running 1 pipeline(s).

@QxBytes QxBytes added this pull request to the merge queue Aug 28, 2025
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to failed status checks Aug 28, 2025
@QxBytes QxBytes added this pull request to the merge queue Aug 28, 2025
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to failed status checks Aug 28, 2025
@QxBytes QxBytes added this pull request to the merge queue Aug 28, 2025
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to failed status checks Aug 28, 2025
@QxBytes QxBytes added this pull request to the merge queue Aug 28, 2025
Merged via the queue into master with commit d12d99b Aug 28, 2025
16 checks passed
@QxBytes QxBytes deleted the alew/remove-iptables-legacy branch August 28, 2025 18:01
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@MikeZappa87 MikeZappa87 MikeZappa87 left review comments

Copilot code review Copilot Copilot left review comments

@tamilmani1989 tamilmani1989 tamilmani1989 approved these changes

@santhoshmprabhu santhoshmprabhu santhoshmprabhu approved these changes

@thatmattlong thatmattlong Awaiting requested review from thatmattlong thatmattlong is a code owner automatically assigned from Azure/acn-cns-reviewers

Assignees

@QxBytes QxBytes

Labels
cns Related to CNS.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@QxBytes @tamilmani1989 @santhoshmprabhu @MikeZappa87