NE-2692: Replace iptables with nftables in TestConnectTimeout e2e test#1443

Open
Thealisyed wants to merge 1 commit into
openshift:masterfrom
Thealisyed:NE-2692/replace-iptables-with-nftables
Conversation

@Thealisyed
Contributor

Summary

RHEL 10 removes the iptables binary entirely, and the iptables-nft compatibility shim is deprecated in RHEL 9. The TestConnectTimeout e2e test uses iptables to set up an NFQUEUE rule for delaying SYN packets to simulate a slow backend. This PR replaces the iptables command with native nft equivalents.

A spike audit of all NID codebases (NE-2691) confirmed this is the only iptables dependency across all NID-owned components. No production code is affected.

Changes

  • Replace iptables -I INPUT ... -j NFQUEUE with equivalent nft add rule commands in the init container
  • Rename getIptablesImage() → getNftImage() and init-iptables → init-nftables
  • Update documentation comments in serve-delay-connect.go to show nft syntax

The underlying NFQUEUE mechanism is unchanged — it's a netfilter kernel feature that works identically with both iptables and nftables.

Jira

  • Epic: NE-1385 — Plan for iptables deprecation
  • Spike: NE-2691 — Audit NID iptables dependencies
  • Story: NE-2692 — Update CIO TestConnectTimeout

Test plan

  • CI runs TestConnectTimeout and it passes with nft commands
  • Verify NFQUEUE-based SYN delay still works (same test behavior, different rule insertion)
  • Confirm no iptables references remain in non-vendor test code

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label May 12, 2026
@openshift-ci-robot
Contributor

openshift-ci-robot commented May 12, 2026

@Thealisyed: This pull request references NE-2692 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@coderabbitai

coderabbitai Bot commented May 12, 2026

No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between e43e50b and af19595.

📒 Files selected for processing (3)
  • test/e2e/operator_test.go
  • test/e2e/util_test.go
  • test/http/serve-delay-connect.go
✅ Files skipped from review due to trivial changes (1)
  • test/http/serve-delay-connect.go
🚧 Files skipped from review as they are similar to previous changes (2)
  • test/e2e/operator_test.go
  • test/e2e/util_test.go

Walkthrough

Packet-filtering in tests was migrated from iptables to nftables. TestConnectTimeout now uses getNftImage instead of getIptablesImage. buildDelayConnectHTTPPod replaces its init-iptables init container with init-nftables, installing an nft rule that enqueues new TCP SYN packets to destination port 8080 into queue 100. A new getNftImage helper provides the container image (sourced from the same daemonset as before). Documentation comments were updated to show equivalent nft commands.

Pre-merge checks (12 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly and specifically identifies the main change: replacing iptables with nftables in the TestConnectTimeout e2e test, matching the primary intent of the changeset.
Description check ✅ Passed The description is well-structured and directly related to the changeset, explaining the rationale for the change, listing specific modifications, and providing context about RHEL 10 deprecation.
Docstring Coverage ✅ Passed Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed Custom check not applicable. PR uses standard Go tests (not Ginkgo). All resource names are static and hardcoded with no dynamic values introduced.
Test Structure And Quality ✅ Passed Code has proper timeouts, error messages, cleanup, and patterns. Custom check references Ginkgo which code doesn't use.
Microshift Test Compatibility ✅ Passed This PR modifies existing tests only and does not add any new Ginkgo e2e tests. The custom check applies specifically to NEW Ginkgo tests (It(), Describe(), etc.), so it is not applicable here.
Single Node Openshift (Sno) Test Compatibility ✅ Passed TestConnectTimeout does not assume multi-node cluster. Single pod, no affinity constraints, no multi-node scheduling. SNO compatible.
Topology-Aware Scheduling Compatibility ✅ Passed This check does not apply. All changes are in test files only. No deployment manifests, operator code, or controllers modified. No scheduling constraints introduced.
Ote Binary Stdout Contract ✅ Passed No new process-level stdout writes detected. Changes limited to test helpers and documentation. Existing fmt.Printf and log.Printf calls unchanged and compliant with OTE contract.
Ipv6 And Disconnected Network Test Compatibility ✅ Passed Custom check applies only to new Ginkgo tests (It(), Describe(), Context(), When()). TestConnectTimeout is a standard Go test using *testing.T, not Ginkgo, so out of scope.

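As an added example (not the PR's own init container command, which this page does not show): the legacy iptables rule the test relied on, beside an idempotent nft script that installs the same NFQUEUE behaviour. Port 8080 and queue 100 come from the walkthrough above; the table name delay_syn, the chain name and the helper functions are assumptions of mine.

```shell
#!/bin/sh
# Added example, not code from the PR: the kind of rule TestConnectTimeout's
# init container installs, written as an idempotent nft script. Port 8080 and
# queue 100 are from the PR walkthrough; table/chain names are assumptions.
#
# Legacy form being retired (iptables --syn means FIN,SYN,RST,ACK masked to SYN):
#   iptables -I INPUT -p tcp --dport 8080 --syn -j NFQUEUE --queue-num 100

# Accept only non-empty, all-digit strings.
is_uint() { case "$1" in ""|*[!0-9]*) return 1 ;; esac; }

# Print an nft script that enqueues incoming TCP SYNs for port $1 to queue $2.
# Returns 1 and prints nothing on an invalid port or queue number.
build_nft_ruleset() {
    is_uint "$1" && is_uint "$2" || return 1
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ] && [ "$2" -le 65535 ] || return 1
    # "table ...; flush table ..." makes the script safe to re-run.
    cat <<EOF
table inet delay_syn
flush table inet delay_syn
table inet delay_syn {
    chain input {
        type filter hook input priority filter; policy accept;
        # Without a userspace listener bound to queue $2 the kernel DROPS
        # these packets; add "bypass" after "num $2" to accept them instead.
        tcp dport $1 tcp flags & (fin | syn | rst | ack) == syn queue num $2
    }
}
EOF
}

# Load the ruleset atomically (needs root and the nft binary). nft -c only
# syntax-checks the script, useful in CI images that lack CAP_NET_ADMIN.
apply_delay_rule() { build_nft_ruleset "$1" "$2" | nft -f -; }
check_delay_rule() { build_nft_ruleset "$1" "$2" | nft -c -f -; }

# Remove everything the script installed.
remove_delay_rule() { nft delete table inet delay_syn; }
```

The bypass caveat matters for this test: the delay program must be bound to queue 100 before the first SYN arrives, otherwise the client sees dropped packets rather than a slow connect.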

@openshift-ci openshift-ci Bot requested review from davidesalerno and gcs278 May 12, 2026 11:04
@openshift-ci
Contributor

openshift-ci Bot commented May 12, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign knobunc for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

RHEL 10 removes the iptables binary entirely. The TestConnectTimeout
test used iptables to set up an NFQUEUE rule for delaying SYN packets.
Replace the iptables command with native nft equivalents. The underlying
NFQUEUE mechanism is unchanged since it is a netfilter kernel feature
that works with both iptables and nftables.

Assisted with Claude
@Thealisyed Thealisyed force-pushed the NE-2692/replace-iptables-with-nftables branch from e43e50b to af19595 Compare May 12, 2026 15:59
@openshift-ci
Contributor

openshift-ci Bot commented May 12, 2026

@Thealisyed: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/e2e-aws-ovn-hypershift-conformance af19595 link true /test e2e-aws-ovn-hypershift-conformance
ci/prow/hypershift-e2e-aks af19595 link true /test hypershift-e2e-aks
ci/prow/e2e-hypershift af19595 link true /test e2e-hypershift
ci/prow/e2e-vsphere-static-metallb-operator-gwapi-techpreview af19595 link false /test e2e-vsphere-static-metallb-operator-gwapi-techpreview

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@rikatz
Member

rikatz commented May 13, 2026

/assign
/cc

@openshift-ci openshift-ci Bot requested a review from rikatz May 13, 2026 18:46