From 5e100c5994792cc71129078b70a189ae603f2b18 Mon Sep 17 00:00:00 2001
From: Patrick Donnelly
Date: Mon, 17 Nov 2025 13:14:47 -0500
Subject: [PATCH] qa: use nft instead iptables
rocky.10 does not support iptables with MASQUERADE targets. (Or maybe it does with more prodding but it's easier to just switch to nft.)
Signed-off-by: Patrick Donnelly
---
 qa/tasks/cephfs/mount.py | 26 ++++++++++++++++++++------
 1 file changed, 20 insertions(+), 6 deletions(-)
diff --git a/qa/tasks/cephfs/mount.py b/qa/tasks/cephfs/mount.py
index 566d8988214..3b634f0fe92 100644
--- a/qa/tasks/cephfs/mount.py
+++ b/qa/tasks/cephfs/mount.py
@@ -308,9 +308,23 @@ class CephFSMountBase(object):
 self.run_shell_payload(f"""
 set -e
- sudo iptables -A FORWARD -o {gw} -i ceph-brx -j ACCEPT
- sudo iptables -A FORWARD -i {gw} -o ceph-brx -j ACCEPT
- sudo iptables -t nat -A POSTROUTING -s {ip}/{mask} -o {gw} -j MASQUERADE
+
+ # Ensure filter table exists. Ignore error if it already does.
+ sudo nft add table ip filter > /dev/null 2>&1 || true
+ sudo nft add chain ip filter forward {{ type filter hook forward priority 0 \; }} > /dev/null 2>&1 || true
+
+ # Ensure nat table exists. Ignore error if it already does.
+ sudo nft add table ip nat > /dev/null 2>&1 || true
+
+ # Ensure postrouting chain exists. Ignore error if it already does.
+ sudo nft add chain ip nat postrouting {{ type nat hook postrouting priority 100 \; }} > /dev/null 2>&1 || true
+
+ # Add the forwarding rules (to filter table, forward chain)
+ sudo nft add rule ip filter forward iifname ceph-brx oifname {gw} accept
+ sudo nft add rule ip filter forward iifname {gw} oifname ceph-brx accept
+
+ # Add the NAT rule
+ sudo nft add rule ip nat postrouting ip saddr {ip}/{mask} oifname {gw} masquerade
 """, timeout=(5*60), omit_sudo=False, cwd='/')
 def _setup_netns(self):
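Review bot: The `\;` in the two `nft add chain` lines is an invalid escape sequence inside a non-raw f-string — Python keeps the backslash (which is what the shell needs) but emits a DeprecationWarning, promoted to SyntaxWarning in 3.12 — so the chain spec is better quoted at the shell level instead: `sudo nft add chain ip filter forward '{{ type filter hook forward priority 0; }}' > /dev/null 2>&1 || true`, and likewise `'{{ type nat hook postrouting priority 100; }}'` for the postrouting chain. The "Ignore error if it already does" comments are misleading, because `nft add table` and `nft add chain` are already no-ops when the object exists (only `create` errors), so the `> /dev/null 2>&1 || true` mainly hides real failures such as a missing `nft` binary until the later `add rule` aborts with less context. Note also that `accept` in this new base chain only ends evaluation in this chain: if the host has another forward base chain that drops (firewalld, Docker, or an iptables-nft `FORWARD` chain with DROP policy), forwarded traffic can still be dropped there, unlike the old `iptables -A FORWARD` rule which lived in that chain — worth a comment on the chain definition. Putting both base chains in a dedicated table (for example `ip ceph-qa`, name illustrative) would also let teardown be one atomic `nft delete table` instead of per-rule deletes. The enclosing method's signature is above the hunk.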
@@ -450,9 +464,9 @@ class CephFSMountBase(object):
 self.run_shell_payload(f"""
 set -e
- sudo iptables -D FORWARD -o {gw} -i ceph-brx -j ACCEPT
- sudo iptables -D FORWARD -i {gw} -o ceph-brx -j ACCEPT
- sudo iptables -t nat -D POSTROUTING -s {ip}/{mask} -o {gw} -j MASQUERADE
+ sudo nft delete rule ip filter forward iifname ceph-brx oifname {gw} accept > /dev/null 2>&1 || true
+ sudo nft delete rule ip filter forward iifname {gw} oifname ceph-brx accept > /dev/null 2>&1 || true
+ sudo nft delete rule ip nat postrouting ip saddr {ip}/{mask} oifname {gw} masquerade > /dev/null 2>&1 || true
 """, timeout=(5*60), omit_sudo=False, cwd='/')
 def setup_netns(self):
--
2.47.3
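Review bot: `nft delete rule` only accepts a rule handle (`... handle N`), not a rule specification, so all three `delete` lines fail with a syntax error that `> /dev/null 2>&1 || true` then hides; the forward and masquerade rules survive teardown and accumulate on every subsequent setup, unlike the old `iptables -D`, which matched by spec. The handles have to be looked up from `nft -a list chain ...` first, as in the rewrite below, which matches on the rule text as nft prints it (interface names quoted; confirm the `ip saddr` prefix rendering against real `nft -a list chain ip nat postrouting` output before relying on it). If setup instead created these chains in a dedicated table, this whole payload would reduce to a single `nft delete table`. The enclosing method's signature is above the hunk; the `set -e` at the top of the payload is kept.
```python
            self.run_shell_payload(f"""
            set -e
            # nft deletes rules by handle only: find each rule's handle from
            # `nft -a list` (the handle is the last field of the listed line).
            delete_rule() {{
                table=$1; chain=$2; rule=$3
                for h in $(sudo nft -a list chain ip "$table" "$chain" | awk -v rule="$rule" 'index($0, rule) {{ print $NF }}'); do
                    sudo nft delete rule ip "$table" "$chain" handle "$h"
                done
            }}
            delete_rule filter forward 'iifname "ceph-brx" oifname "{gw}" accept'
            delete_rule filter forward 'iifname "{gw}" oifname "ceph-brx" accept'
            delete_rule nat postrouting 'ip saddr {ip}/{mask} oifname "{gw}" masquerade'
            """, timeout=(5*60), omit_sudo=False, cwd='/')
```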