diff --git a/utils/cni-plugins-nft/patches/010-fw4-force-inet-family.patch b/utils/cni-plugins-nft/patches/010-fw4-force-inet-family.patch
new file mode 100644
index 0000000000..8c383ec5dc
--- /dev/null
+++ b/utils/cni-plugins-nft/patches/010-fw4-force-inet-family.patch
@@ -0,0 +1,330 @@ +--- a/pkg/utils/broadcast_rule.go ++++ b/pkg/utils/broadcast_rule.go +@@ -25,7 +25,7 @@ func addPostRoutingBroadcastRule(opts ma + + tb := &nftables.Table{ + Name: tableName, +- Family: nftables.TableFamilyIPv4, ++ Family: nftables.TableFamilyINet, + } + + ch := &nftables.Chain{ +--- a/pkg/utils/chain_jump_rule.go ++++ b/pkg/utils/chain_jump_rule.go +@@ -26,11 +26,8 @@ func DeleteJumpRule(v, tableName, srcCha + tb := &nftables.Table{ + Name: tableName, + } +- if v == "4" { +- tb.Family = nftables.TableFamilyIPv4 +- } else { +- tb.Family = nftables.TableFamilyIPv6 +- } ++ ++ tb.Family = nftables.TableFamilyINet + + ch := &nftables.Chain{ + Name: srcChainName, +@@ -159,11 +156,8 @@ func createJumpRule(v, tableName, srcCha + tb := &nftables.Table{ + Name: tableName, + } +- if v == "4" { +- tb.Family = nftables.TableFamilyIPv4 +- } else { +- tb.Family = nftables.TableFamilyIPv6 +- } ++ ++ tb.Family = nftables.TableFamilyINet + + ch := &nftables.Chain{ + Name: srcChainName, +--- a/pkg/utils/chains.go ++++ b/pkg/utils/chains.go +@@ -33,14 +33,8 @@ func IsChainExists(v, tableName, chainNa + if chain.Table.Name != tableName { + continue + } +- if v == "4" { +- if chain.Table.Family != nftables.TableFamilyIPv4 { +- continue +- } +- } else { +- if chain.Table.Family != nftables.TableFamilyIPv6 { +- continue +- } ++ if chain.Table.Family != nftables.TableFamilyINet { ++ continue + } + return true, nil + } +@@ -100,11 +94,8 @@ func CreateChain(v, tableName, chainName + Name: tableName, + } + +- if v == "4" { +- tb.Family = nftables.TableFamilyIPv4 +- } else { +- tb.Family = nftables.TableFamilyIPv6 +- } ++ tb.Family = nftables.TableFamilyINet ++ + ch := &nftables.Chain{ + Name: chainName, + Table: tb, +@@ -178,11 +169,9 @@ func CreateFilterForwardChain(v, tableNa + tb := &nftables.Table{ + Name: tableName, + } +- if v == "4" { +- tb.Family = nftables.TableFamilyIPv4 +- } else { +- tb.Family = nftables.TableFamilyIPv6 +- } ++ ++ tb.Family = 
nftables.TableFamilyINet ++ + ch := &nftables.Chain{ + Name: chainName, + Table: tb, +@@ -217,11 +206,8 @@ func DeleteChain(v, tableName, chainName + tb := &nftables.Table{ + Name: tableName, + } +- if v == "4" { +- tb.Family = nftables.TableFamilyIPv4 +- } else { +- tb.Family = nftables.TableFamilyIPv6 +- } ++ ++ tb.Family = nftables.TableFamilyINet + + ch := &nftables.Chain{ + Name: chainName, +--- a/pkg/utils/dest_nat.go ++++ b/pkg/utils/dest_nat.go +@@ -34,11 +34,8 @@ func AddDestinationNatRules(opts map[str + tb := &nftables.Table{ + Name: tableName, + } +- if v == "4" { +- tb.Family = nftables.TableFamilyIPv4 +- } else { +- tb.Family = nftables.TableFamilyIPv6 +- } ++ ++ tb.Family = nftables.TableFamilyINet + + ch := &nftables.Chain{ + Name: chainName, +--- a/pkg/utils/dest_nat_rewrite.go ++++ b/pkg/utils/dest_nat_rewrite.go +@@ -28,11 +28,8 @@ func AddDestinationNatRewriteRules(opts + tb := &nftables.Table{ + Name: tableName, + } +- if v == "4" { +- tb.Family = nftables.TableFamilyIPv4 +- } else { +- tb.Family = nftables.TableFamilyIPv6 +- } ++ ++ tb.Family = nftables.TableFamilyINet + + ch := &nftables.Chain{ + Name: chainName, +--- a/pkg/utils/filter_forward_inbound_traffic_rule.go ++++ b/pkg/utils/filter_forward_inbound_traffic_rule.go +@@ -16,11 +16,8 @@ func addFilterForwardInboundTrafficRule( + tb := &nftables.Table{ + Name: tableName, + } +- if v == "4" { +- tb.Family = nftables.TableFamilyIPv4 +- } else { +- tb.Family = nftables.TableFamilyIPv6 +- } ++ ++ tb.Family = nftables.TableFamilyINet + + ch := &nftables.Chain{ + Name: chainName, +--- a/pkg/utils/filter_forward_intra_interface_rule.go ++++ b/pkg/utils/filter_forward_intra_interface_rule.go +@@ -16,11 +16,8 @@ func addFilterForwardIntraInterfaceRule( + tb := &nftables.Table{ + Name: tableName, + } +- if v == "4" { +- tb.Family = nftables.TableFamilyIPv4 +- } else { +- tb.Family = nftables.TableFamilyIPv6 +- } ++ ++ tb.Family = nftables.TableFamilyINet + + ch := &nftables.Chain{ + Name: 
chainName, +--- a/pkg/utils/filter_forward_mapped_port_rules.go ++++ b/pkg/utils/filter_forward_mapped_port_rules.go +@@ -32,11 +32,8 @@ func AddFilterForwardMappedPortRules(opt + tb := &nftables.Table{ + Name: tableName, + } +- if v == "4" { +- tb.Family = nftables.TableFamilyIPv4 +- } else { +- tb.Family = nftables.TableFamilyIPv6 +- } ++ ++ tb.Family = nftables.TableFamilyINet + + ch := &nftables.Chain{ + Name: chainName, +@@ -247,11 +244,8 @@ func RemoveFilterForwardMappedPortRules( + tb := &nftables.Table{ + Name: tableName, + } +- if v == "4" { +- tb.Family = nftables.TableFamilyIPv4 +- } else { +- tb.Family = nftables.TableFamilyIPv6 +- } ++ ++ tb.Family = nftables.TableFamilyINet + + ch := &nftables.Chain{ + Name: chainName, +--- a/pkg/utils/filter_forward_outbound_traffic_rule.go ++++ b/pkg/utils/filter_forward_outbound_traffic_rule.go +@@ -16,11 +16,8 @@ func addFilterForwardOutboundTrafficRule + tb := &nftables.Table{ + Name: tableName, + } +- if v == "4" { +- tb.Family = nftables.TableFamilyIPv4 +- } else { +- tb.Family = nftables.TableFamilyIPv6 +- } ++ ++ tb.Family = nftables.TableFamilyINet + + ch := &nftables.Chain{ + Name: chainName, +--- a/pkg/utils/get_chain_props.go ++++ b/pkg/utils/get_chain_props.go +@@ -33,14 +33,8 @@ func GetChainProps(v, tableName, chainNa + var chain *nftables.Chain + + for _, c := range chains { +- if v == "4" { +- if c.Table.Family != nftables.TableFamilyIPv4 { +- continue +- } +- } else { +- if c.Table.Family != nftables.TableFamilyIPv6 { +- continue +- } ++ if c.Table.Family != nftables.TableFamilyINet { ++ continue + } + if chainName != c.Name { + continue +@@ -66,11 +60,8 @@ func GetChainProps(v, tableName, chainNa + tb := &nftables.Table{ + Name: tableName, + } +- if v == "4" { +- tb.Family = nftables.TableFamilyIPv4 +- } else { +- tb.Family = nftables.TableFamilyIPv6 +- } ++ ++ tb.Family = nftables.TableFamilyINet + + ch := &nftables.Chain{ + Name: chainName, +--- a/pkg/utils/local_multicast_rule.go ++++ 
b/pkg/utils/local_multicast_rule.go +@@ -23,11 +23,8 @@ func addPostRoutingLocalMulticastRule(op + tb := &nftables.Table{ + Name: tableName, + } +- if v == "4" { +- tb.Family = nftables.TableFamilyIPv4 +- } else { +- tb.Family = nftables.TableFamilyIPv6 +- } ++ ++ tb.Family = nftables.TableFamilyINet + + ch := &nftables.Chain{ + Name: chainName, +--- a/pkg/utils/log_deny_rule.go ++++ b/pkg/utils/log_deny_rule.go +@@ -16,11 +16,8 @@ func addLogDenyRule(v, tableName, chainN + tb := &nftables.Table{ + Name: tableName, + } +- if v == "4" { +- tb.Family = nftables.TableFamilyIPv4 +- } else { +- tb.Family = nftables.TableFamilyIPv6 +- } ++ ++ tb.Family = nftables.TableFamilyINet + + ch := &nftables.Chain{ + Name: chainName, +--- a/pkg/utils/source_nat.go ++++ b/pkg/utils/source_nat.go +@@ -29,7 +29,7 @@ func addPostRoutingSourceNatRule(opts ma + + tb := &nftables.Table{ + Name: tableName, +- Family: nftables.TableFamilyIPv4, ++ Family: nftables.TableFamilyINet, + } + + ch := &nftables.Chain{ +@@ -97,7 +97,7 @@ func AddPostRoutingDestNatRule(opts map[ + + tb := &nftables.Table{ + Name: tableName, +- Family: nftables.TableFamilyIPv4, ++ Family: nftables.TableFamilyINet, + } + + ch := &nftables.Chain{ +--- a/pkg/utils/tables.go ++++ b/pkg/utils/tables.go +@@ -34,14 +34,8 @@ func IsTableExist(v, tableName string) ( + if table.Name != tableName { + continue + } +- if v == "4" { +- if table.Family != nftables.TableFamilyIPv4 { +- continue +- } +- } else { +- if table.Family != nftables.TableFamilyIPv6 { +- continue +- } ++ if table.Family != nftables.TableFamilyINet { ++ continue + } + return true, nil + } +@@ -62,11 +56,7 @@ func CreateTable(v, tableName string) er + t := &nftables.Table{ + Name: tableName, + } +- if v == "4" { +- t.Family = nftables.TableFamilyIPv4 +- } else { +- t.Family = nftables.TableFamilyIPv6 +- } ++ t.Family = nftables.TableFamilyINet + conn.AddTable(t) + if err := conn.Flush(); err != nil { + return err 
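Review bot: Switching every table to `nftables.TableFamilyINet` without adding a protocol match means any rule these files build from raw network-header payload offsets (the IPv4 address matches the NAT and forward rules presumably use; the rule bodies are not in this hunk) now also evaluates against IPv6 packets, where the same offsets are address bytes — the nft CLI inserts `meta nfproto ipv4` for inet tables automatically, the Go library does not. Each rule-building function should prepend an `expr.Meta{Key: expr.MetaKeyNFPROTO, Register: 1}` / `expr.Cmp` pair derived from `v`, or the patch should state that only the IPv4 path is supported. The `v` parameter no longer selects anything in any of these hunks yet stays in every signature, so `IsTableExist`, `IsChainExists` and `GetChainProps` now answer identically for "4" and "6"; a comment such as `// v is ignored: fw4 keeps one inet table for both protocols` at each site would keep the next reader from assuming dual-stack tables still exist. Also worth confirming: when the table is absent `CreateTable` creates `inet fw4` itself, and if a later fw4 start or reload flushes that table the container chains go with it. All of the enclosing functions start and end outside the hunk.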
diff --git a/utils/cni-plugins-nft/patches/020-fw4-fix-default-table-and-chain-names.patch b/utils/cni-plugins-nft/patches/020-fw4-fix-default-table-and-chain-names.patch
new file mode 100644
index 0000000000..d9a8448b26
--- /dev/null
+++ b/utils/cni-plugins-nft/patches/020-fw4-fix-default-table-and-chain-names.patch
@@ -0,0 +1,67 @@ +--- a/pkg/firewall/config.go ++++ b/pkg/firewall/config.go +@@ -31,7 +31,7 @@ func parseConfigFromBytes(data []byte) ( + + // Default the filter table name to filter + if conf.FilterTableName == "" { +- conf.FilterTableName = "filter" ++ conf.FilterTableName = "fw4" + } + + // Default the forwarding chain name to forward +@@ -41,12 +41,12 @@ func parseConfigFromBytes(data []byte) ( + + // Default the nat table name to nat + if conf.NatTableName == "" { +- conf.NatTableName = "nat" ++ conf.NatTableName = "fw4" + } + + // Default the postrouting chain name to postrouting + if conf.PostRoutingNatChainName == "" { +- conf.PostRoutingNatChainName = "postrouting" ++ conf.PostRoutingNatChainName = "srcnat" + } + + // Parse previous result. +--- a/pkg/portmap/config.go ++++ b/pkg/portmap/config.go +@@ -56,16 +56,16 @@ func parseConfigFromBytes(data []byte, i + + // Set default values + if conf.NatTableName == "" { +- conf.NatTableName = "nat" ++ conf.NatTableName = "fw4" + } + if conf.RawTableName == "" { +- conf.RawTableName = "raw" ++ conf.RawTableName = "fw4" + } + if conf.PostRoutingNatChainName == "" { +- conf.PostRoutingNatChainName = "postrouting" ++ conf.PostRoutingNatChainName = "srcnat" + } + if conf.PreRoutingNatChainName == "" { +- conf.PreRoutingNatChainName = "prerouting" ++ conf.PreRoutingNatChainName = "dstnat" + } + if conf.OutputNatChainName == "" { + conf.OutputNatChainName = "output" +@@ -76,14 +76,14 @@ func parseConfigFromBytes(data []byte, i + } + + if conf.RawTableName == "" { +- conf.RawTableName = "raw" ++ conf.RawTableName = "fw4" + } + if conf.PreRoutingRawChainName == "" { +- conf.PreRoutingRawChainName = "prerouting" ++ conf.PreRoutingRawChainName = "dstnat" + } + + if conf.FilterTableName == "" { +- conf.FilterTableName = "filter" ++ conf.FilterTableName = "fw4" + } + if conf.ForwardFilterChainName == "" { + conf.ForwardFilterChainName = "forward"
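Review bot: The comments above the changed defaults in `pkg/firewall/config.go` still describe the old values — `// Default the filter table name to filter`, `// Default the nat table name to nat`, `// Default the postrouting chain name to postrouting` — while the code now assigns `"fw4"` and `"srcnat"`; change them to `// Default the filter table name to the fw4 inet table`, `// Default the nat table name to the fw4 inet table` and `// Default the postrouting chain name to fw4's srcnat chain`. In `pkg/portmap/config.go` the raw-table defaults now point at `fw4`/`dstnat` too; `dstnat` in fw4 is a nat-hook chain rather than a raw-hook one, so whatever the raw prerouting rule does should be checked against a chain that is only traversed for the first packet of a connection (fw4 also carries a `raw_prerouting` chain that may be the closer match — confirm against the generated ruleset). `OutputNatChainName` keeps the default `"output"`, which in fw4 names a filter chain, so that default deserves the same check. `parseConfigFromBytes` starts and ends outside the hunk in both files.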