diff --git a/test/e2e/operator_test.go b/test/e2e/operator_test.go
index fc75cde03c..bf7ce06954 100644
--- a/test/e2e/operator_test.go
+++ b/test/e2e/operator_test.go
@@ -3367,13 +3367,13 @@ func TestConnectTimeout(t *testing.T) {
 t.Fatal("failed to determine ingress operator deployment's image: ", err)
 }
- iptablesImage, err := getIptablesImage(t, kclient, 1*time.Minute)
+ nftImage, err := getNftImage(t, kclient, 1*time.Minute)
 if err != nil {
- t.Fatal("failed to determine image with iptables tool: ", err)
+ t.Fatal("failed to determine image with nft tool: ", err)
 }
 // Create a pod with an HTTP application that delays the connection and sends echo responses.
- httpdPod := buildDelayConnectHTTPPod("connect-timeout-http", operatorcontroller.DefaultOperandNamespace, iptablesImage, operatorImage)
+ httpdPod := buildDelayConnectHTTPPod("connect-timeout-http", operatorcontroller.DefaultOperandNamespace, nftImage, operatorImage)
 if err := kclient.Create(context.Background(), httpdPod); err != nil {
 t.Fatalf("failed to create pod %s/%s: %v", httpdPod.Namespace, httpdPod.Name, err)
 }
diff --git a/test/e2e/util_test.go b/test/e2e/util_test.go
index b5f63d20c7..f39f15f492 100644
--- a/test/e2e/util_test.go
+++ b/test/e2e/util_test.go
@@ -276,13 +276,13 @@ func buildDelayConnectHTTPPod(name, namespace, initImage, image string) *corev1.
 InitContainers: []corev1.Container{
 {
 Image: initImage,
- Name: "init-iptables",
- // Integrate with the iptables rules to handle incoming traffic for the echo container.
+ Name: "init-nftables",
+ // Set up nftables rules to redirect incoming SYN packets to a netfilter queue.
 // The echo container opens the netfilter queue with the same number to delay incoming SYN packets.
 Command: []string{
 "/bin/sh",
 "-c",
- "iptables -I INPUT -p tcp --dport 8080 -m conntrack --ctstate NEW -j NFQUEUE --queue-num 100",
+ "nft add table inet cio_test && nft add chain inet cio_test input '{ type filter hook input priority 0; policy accept; }' && nft add rule inet cio_test input tcp dport 8080 ct state new queue num 100",
 },
 SecurityContext: &corev1.SecurityContext{
 Privileged: &t,
@@ -442,8 +442,8 @@ func getIngressOperatorDeploymentImage(t *testing.T, client client.Client, timeo
 return "", fmt.Errorf("image not found")
 }
-// getIptablesImage returns the image with the iptables tool installed in it.
-func getIptablesImage(t *testing.T, client client.Client, timeout time.Duration) (string, error) {
+// getNftImage returns an image with the nft tool installed in it.
+func getNftImage(t *testing.T, client client.Client, timeout time.Duration) (string, error) {
 t.Helper()
 daemonset, err := getDaemonSet(t, client, types.NamespacedName{Namespace: "openshift-ovn-kubernetes", Name: "ovnkube-node"}, timeout)
 if err != nil {
diff --git a/test/http/serve-delay-connect.go b/test/http/serve-delay-connect.go
index c4754f1683..6e8adb987b 100644
--- a/test/http/serve-delay-connect.go
+++ b/test/http/serve-delay-connect.go
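Review bot: The new rule queues SYNs with `queue num 100` and no `bypass` flag, so a SYN that reaches the queue while no userspace program is bound to it is dropped by the kernel rather than let through; because this runs in an init container, which by definition completes before the echo container starts, there is a window where connections rely on client retransmits, and the new `init-nftables` comment should say so. I would extend it to: `// Set up nftables rules (inet family, so IPv4 and IPv6) to queue incoming SYN packets to netfilter queue 100; without a bypass flag, packets queued while nothing listens on the queue are dropped.` The unchanged `Privileged: &t` also grants far more than the rule needs — `nft` only requires CAP_NET_ADMIN in the pod's network namespace, so `Capabilities: &corev1.Capabilities{Add: []corev1.Capability{"NET_ADMIN"}}` would be the least-privilege form, though that is pre-existing and may be constrained by what the namespace's SCC allows. buildDelayConnectHTTPPod starts and ends outside the hunk.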
@@ -52,10 +52,10 @@ func NewServeDelayConnectCommand() *cobra.Command {
 // serveDelayConnect registers a handler on the specified netfilter queue and
 // starts an HTTP server on the given port. The handler delays SYN packet
-// acceptance by the specified delay. Use the following iptables command to configure the handler:
-// iptables -I INPUT -p tcp --dport 8080 -m conntrack --ctstate NEW -j NFQUEUE --queue-num 100
-// or this one for ipv6 stack:
-// ip6tables -I INPUT -p tcp --dport 8080 -m conntrack --ctstate NEW -j NFQUEUE --queue-num 100
+// acceptance by the specified delay. Use the following nft commands to configure the handler:
+// nft add table inet cio_test
+// nft add chain inet cio_test input '{ type filter hook input priority 0; policy accept; }'
+// nft add rule inet cio_test input tcp dport 8080 ct state new queue num 100
 func serveDelayConnect(queueNum uint16, delay time.Duration, port string) error {
 ctx, cancel := context.WithCancel(context.Background())
 defer cancel()
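Review bot: The new doc comment hardcodes `dport 8080` and `queue num 100` while `serveDelayConnect` takes `queueNum` and `port` as parameters, and it drops the old comment's explicit IPv6 note without saying that the `inet` family table now covers both stacks. I would add after the three nft lines: `// The inet family matches both IPv4 and IPv6; substitute the queueNum and port passed to this function.` The body of serveDelayConnect continues past the end of the hunk.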