From: Patrick Donnelly <pdonnell@ibm.com>
Date: Mon, 17 Nov 2025 18:14:47 +0000 (-0500)
Subject: qa: use nft instead iptables
X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=60b31e50217ea05a818ff16eb83e02cae2548bf3;p=ceph.git

qa: use nft instead iptables

rocky.10 does not support iptables with MASQUERADE targets. (Or maybe it
does with more prodding but it's easier to just switch to nft.)

Signed-off-by: Patrick Donnelly <pdonnell@ibm.com>
---

diff --git a/qa/tasks/cephfs/mount.py b/qa/tasks/cephfs/mount.py
index 566d8988214a..dbef8e7d4b34 100644
--- a/qa/tasks/cephfs/mount.py
+++ b/qa/tasks/cephfs/mount.py
@@ -308,9 +308,29 @@ class CephFSMountBase(object):
 
         self.run_shell_payload(f"""
             set -e
-            sudo iptables -A FORWARD -o {gw} -i ceph-brx -j ACCEPT
-            sudo iptables -A FORWARD -i {gw} -o ceph-brx -j ACCEPT
-            sudo iptables -t nat -A POSTROUTING -s {ip}/{mask} -o {gw} -j MASQUERADE
+
+            # Try iptables first. If it's missing or lacks MASQUERADE support (Rocky 10), it falls back to nft.
+            if command -v iptables >/dev/null 2>&1 && sudo iptables -t nat -A POSTROUTING -s {self.ceph_brx_net} -o {gw} -j MASQUERADE 2>/dev/null; then
+                sudo iptables -A FORWARD -o {gw} -i ceph-brx -j ACCEPT
+                sudo iptables -A FORWARD -i {gw} -o ceph-brx -j ACCEPT
+            else
+                # Ensure filter table exists. Ignore error if it already does.
+                sudo nft add table ip filter > /dev/null 2>&1 || true
+                sudo nft add chain ip filter forward {{ type filter hook forward priority 0 \; }} > /dev/null 2>&1 || true
+
+                # Ensure nat table exists. Ignore error if it already does.
+                sudo nft add table ip nat > /dev/null 2>&1 || true
+
+                # Ensure postrouting chain exists. Ignore error if it already does.
+                sudo nft add chain ip nat postrouting {{ type nat hook postrouting priority 100 \; }} > /dev/null 2>&1 || true
+
+                # Add the forwarding rules (to filter table, forward chain)
+                sudo nft add rule ip filter forward iifname ceph-brx oifname {gw} accept
+                sudo nft add rule ip filter forward iifname {gw} oifname ceph-brx accept
+
+                # Add the NAT rule (Using the true network CIDR to prevent masking bugs)
+                sudo nft add rule ip nat postrouting ip saddr {self.ceph_brx_net} oifname {gw} masquerade
+            fi
         """, timeout=(5*60), omit_sudo=False, cwd='/')
 
     def _setup_netns(self):
@@ -450,9 +470,15 @@ class CephFSMountBase(object):
 
         self.run_shell_payload(f"""
             set -e
-            sudo iptables -D FORWARD -o {gw} -i ceph-brx -j ACCEPT
-            sudo iptables -D FORWARD -i {gw} -o ceph-brx -j ACCEPT
-            sudo iptables -t nat -D POSTROUTING -s {ip}/{mask} -o {gw} -j MASQUERADE
+            # Attempt to delete via iptables; if that fails, clean up via nftables
+            if command -v iptables >/dev/null 2>&1 && sudo iptables -t nat -D POSTROUTING -s {self.ceph_brx_net} -o {gw} -j MASQUERADE 2>/dev/null; then
+                sudo iptables -D FORWARD -o {gw} -i ceph-brx -j ACCEPT || true
+                sudo iptables -D FORWARD -i {gw} -o ceph-brx -j ACCEPT || true
+            else
+                sudo nft delete rule ip filter forward iifname ceph-brx oifname {gw} accept > /dev/null 2>&1 || true
+                sudo nft delete rule ip filter forward iifname {gw} oifname ceph-brx accept > /dev/null 2>&1 || true
+                sudo nft delete rule ip nat postrouting ip saddr {self.ceph_brx_net} oifname {gw} masquerade > /dev/null 2>&1 || true
+            fi
         """, timeout=(5*60), omit_sudo=False, cwd='/')
 
     def setup_netns(self):