NE-2692: Replace iptables with nftables in TestConnectTimeout e2e test

test/e2e/operator_test.go

@@ -3367,13 +3367,13 @@ func TestConnectTimeout(t *testing.T) {
 		t.Fatal("failed to determine ingress operator deployment's image: ", err)
 	}
 
-	iptablesImage, err := getIptablesImage(t, kclient, 1*time.Minute)
+	nftImage, err := getNftImage(t, kclient, 1*time.Minute)
 	if err != nil {
-		t.Fatal("failed to determine image with iptables tool: ", err)
+		t.Fatal("failed to determine image with nft tool: ", err)
 	}
 
 	// Create a pod with an HTTP application that delays the connection and sends echo responses.
-	httpdPod := buildDelayConnectHTTPPod("connect-timeout-http", operatorcontroller.DefaultOperandNamespace, iptablesImage, operatorImage)
+	httpdPod := buildDelayConnectHTTPPod("connect-timeout-http", operatorcontroller.DefaultOperandNamespace, nftImage, operatorImage)
 	if err := kclient.Create(context.Background(), httpdPod); err != nil {
 		t.Fatalf("failed to create pod %s/%s: %v", httpdPod.Namespace, httpdPod.Name, err)
 	}

test/e2e/util_test.go

@@ -276,13 +276,13 @@ func buildDelayConnectHTTPPod(name, namespace, initImage, image string) *corev1.
 			InitContainers: []corev1.Container{
 				{
 					Image: initImage,
-					Name:  "init-iptables",
-					// Integrate with the iptables rules to handle incoming traffic for the echo container.
+					Name:  "init-nftables",
+					// Set up nftables rules to redirect incoming SYN packets to a netfilter queue.
 					// The echo container opens the netfilter queue with the same number to delay incoming SYN packets.
 					Command: []string{
 						"/bin/sh",
 						"-c",
-						"iptables -I INPUT -p tcp --dport 8080 -m conntrack --ctstate NEW -j NFQUEUE --queue-num 100",
+						"nft add table inet cio_test && nft add chain inet cio_test input '{ type filter hook input priority 0; policy accept; }' && nft add rule inet cio_test input tcp dport 8080 ct state new queue num 100",
 					},
 					SecurityContext: &corev1.SecurityContext{
 						Privileged: &t,
@@ -442,8 +442,8 @@ func getIngressOperatorDeploymentImage(t *testing.T, client client.Client, timeo
 	return "", fmt.Errorf("image not found")
 }
 
-// getIptablesImage returns the image with the iptables tool installed in it.
-func getIptablesImage(t *testing.T, client client.Client, timeout time.Duration) (string, error) {
+// getNftImage returns an image with the nft tool installed in it.
+func getNftImage(t *testing.T, client client.Client, timeout time.Duration) (string, error) {
 	t.Helper()
 	daemonset, err := getDaemonSet(t, client, types.NamespacedName{Namespace: "openshift-ovn-kubernetes", Name: "ovnkube-node"}, timeout)
 	if err != nil {

test/http/serve-delay-connect.go

@@ -52,10 +52,10 @@ func NewServeDelayConnectCommand() *cobra.Command {
 
 // serveDelayConnect registers a handler on the specified netfilter queue and
 // starts an HTTP server on the given port. The handler delays SYN packet
-// acceptance by the specified delay. Use the following iptables command to configure the handler:
-// iptables -I INPUT -p tcp --dport 8080 -m conntrack --ctstate NEW -j NFQUEUE --queue-num 100
-// or this one for ipv6 stack:
-// ip6tables -I INPUT -p tcp --dport 8080 -m conntrack --ctstate NEW -j NFQUEUE --queue-num 100
+// acceptance by the specified delay. Use the following nft commands to configure the handler:
+// nft add table inet cio_test
+// nft add chain inet cio_test input '{ type filter hook input priority 0; policy accept; }'
+// nft add rule inet cio_test input tcp dport 8080 ct state new queue num 100
 func serveDelayConnect(queueNum uint16, delay time.Duration, port string) error {
 	ctx, cancel := context.WithCancel(context.Background())
 	defer cancel()