From: Patrick Donnelly
Date: Mon, 17 Nov 2025 18:14:47 +0000 (-0500)
Subject: qa: use nft instead iptables
X-Git-Tag: testing/wip-pdonnell-testing-20260207.214551~4^2~4
X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=ecf7f74be71ccec4ed687786668a85d1c1195e58;p=ceph-ci.git
qa: use nft instead iptables
rocky.10 does not support iptables with MASQUERADE targets. (Or maybe it does with more prodding but it's easier to just switch to nft.)
Signed-off-by: Patrick Donnelly
---
diff --git a/qa/tasks/cephfs/mount.py b/qa/tasks/cephfs/mount.py
index 566d8988214..3b634f0fe92 100644
--- a/qa/tasks/cephfs/mount.py
+++ b/qa/tasks/cephfs/mount.py
@@ -308,9 +308,23 @@ class CephFSMountBase(object):
 self.run_shell_payload(f"""
 set -e
- sudo iptables -A FORWARD -o {gw} -i ceph-brx -j ACCEPT
- sudo iptables -A FORWARD -i {gw} -o ceph-brx -j ACCEPT
- sudo iptables -t nat -A POSTROUTING -s {ip}/{mask} -o {gw} -j MASQUERADE
+
+ # Ensure filter table exists. Ignore error if it already does.
+ sudo nft add table ip filter > /dev/null 2>&1 || true
+ sudo nft add chain ip filter forward {{ type filter hook forward priority 0 \; }} > /dev/null 2>&1 || true
+
+ # Ensure nat table exists. Ignore error if it already does.
+ sudo nft add table ip nat > /dev/null 2>&1 || true
+
+ # Ensure postrouting chain exists. Ignore error if it already does.
+ sudo nft add chain ip nat postrouting {{ type nat hook postrouting priority 100 \; }} > /dev/null 2>&1 || true
+
+ # Add the forwarding rules (to filter table, forward chain)
+ sudo nft add rule ip filter forward iifname ceph-brx oifname {gw} accept
+ sudo nft add rule ip filter forward iifname {gw} oifname ceph-brx accept
+
+ # Add the NAT rule
+ sudo nft add rule ip nat postrouting ip saddr {ip}/{mask} oifname {gw} masquerade
 """, timeout=(5*60), omit_sudo=False, cwd='/')
 def _setup_netns(self):
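Review bot: The `\;` on the two `sudo nft add chain` lines is an invalid escape sequence inside a non-raw f-string (a SyntaxWarning from Python 3.12 on, a DeprecationWarning before that); Python passes the backslash through so the shell still sees `\;`, but it is cleaner to quote the chain spec, e.g. `sudo nft add chain ip filter forward '{{ type filter hook forward priority 0; }}'` (the doubled braces are the f-string escape). The `> /dev/null 2>&1 || true` guards on the table and chain lines look unnecessary, since `nft add` already succeeds on an existing table or chain (it is `create` that errors on an existing object), and as written they hide real failures such as nft not being installed or a hook spec that conflicts with an existing chain. Note also that `nft add rule` appends on every run, so a repeated setup accumulates duplicate forward and masquerade rules, and the new `ip filter` forward chain gets the default accept policy, so its accept rules do not override a drop verdict from a forward base chain in another table (for example one managed by firewalld) — worth confirming on the target hosts if the old iptables rules were relied on for that. The enclosing method starts before this hunk.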
@@ -450,9 +464,9 @@ class CephFSMountBase(object):
 self.run_shell_payload(f"""
 set -e
- sudo iptables -D FORWARD -o {gw} -i ceph-brx -j ACCEPT
- sudo iptables -D FORWARD -i {gw} -o ceph-brx -j ACCEPT
- sudo iptables -t nat -D POSTROUTING -s {ip}/{mask} -o {gw} -j MASQUERADE
+ sudo nft delete rule ip filter forward iifname ceph-brx oifname {gw} accept > /dev/null 2>&1 || true
+ sudo nft delete rule ip filter forward iifname {gw} oifname ceph-brx accept > /dev/null 2>&1 || true
+ sudo nft delete rule ip nat postrouting ip saddr {ip}/{mask} oifname {gw} masquerade > /dev/null 2>&1 || true
 """, timeout=(5*60), omit_sudo=False, cwd='/')
 def setup_netns(self):
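Review bot: `nft delete rule` takes a rule handle (`delete rule ip filter forward handle N`), not a rule expression, so each of the three new delete lines should fail with a syntax error that the `> /dev/null 2>&1 || true` then swallows; the practical effect is that teardown never removes the forward or masquerade rules, which persist on the host after the test and accumulate across mounts because setup appends them. The fix is to resolve the handle from `sudo nft -a list chain …` and delete by handle, as sketched below; the pattern for the nat rule matches only the `oifname`/`masquerade` tail because nft may print the `ip saddr` prefix in normalized form, so the match should be confirmed against the listing on a target host. An alternative that avoids handle lookup altogether is to have setup place the rules in a dedicated table and replace these three lines with a single `sudo nft delete table ip <dedicated table name>`. The enclosing method starts before this hunk.
```python
        self.run_shell_payload(f"""
        set -e

        # nft deletes rules only by handle, so look the handle up from the
        # listing first; a rule that is already gone is not an error here.
        del_rule() {{
            local chain="$1" pattern="$2" handle
            handle=$(sudo nft -a list chain $chain | grep -F -- "$pattern" | sed -n 's/.*# handle \\([0-9]*\\)$/\\1/p' | head -n1)
            if [ -n "$handle" ]; then
                sudo nft delete rule $chain handle "$handle"
            fi
        }}
        del_rule "ip filter forward" 'iifname "ceph-brx" oifname "{gw}" accept'
        del_rule "ip filter forward" 'iifname "{gw}" oifname "ceph-brx" accept'
        del_rule "ip nat postrouting" 'oifname "{gw}" masquerade'
        """, timeout=(5*60), omit_sudo=False, cwd='/')
```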