projectcalico · caseydavenport · Mar 18, 2024 · May 2, 2024 · May 20, 2024 · May 21, 2024
@@ -52,6 +52,13 @@ const (
 	IptablesBackendAuto        = "Auto"
 )
 
+type NFTablesMode string
+
+const (
+	NFTablesModeEnabled  = "Enabled"
+	NFTablesModeDisabled = "Disabled"
+)
+
 // +kubebuilder:validation:Enum=DoNothing;Enable;Disable
 type AWSSrcDstCheckOption string
 
@@ -439,8 +446,8 @@ type FelixConfigurationSpec struct {
 	// iptables. [Default: false]
 	GenericXDPEnabled *bool `json:"genericXDPEnabled,omitempty" confignamev1:"GenericXDPEnabled"`
 
-	// NFTablesEnabled enables nftables in Felix. When false, iptables is used. [Default: false]
-	NFTablesEnabled *bool `json:"nftablesEnabled,omitempty"`
+	// NFTablesMode configures nftables support in Felix. [Default: Disabled]
+	NFTablesMode *NFTablesMode `json:"nftablesMode,omitempty"`
 
 	// BPFEnabled, if enabled Felix will use the BPF dataplane. [Default: false]
 	BPFEnabled *bool `json:"bpfEnabled,omitempty" validate:"omitempty"`

@@ -287,7 +287,7 @@ func NewCalculationGraph(callbacks PipelineCallbacks, conf *config.Config, liveC
 	//                   |
 	//               <dataplane>
 	//
-	ipsetMemberIndex := labelindex.NewSelectorAndNamedPortIndex()
+	ipsetMemberIndex := labelindex.NewSelectorAndNamedPortIndex(conf.NFTablesMode == "Enabled")
 	ipsetMemberIndex.OnAlive = liveCallback
 	// Wire up the inputs to the IP set member index.
 	ipsetMemberIndex.RegisterWith(allUpdDispatcher)

@@ -175,7 +175,7 @@ type Config struct {
 	WireguardPersistentKeepAlive   time.Duration `config:"seconds;0"`
 
 	// nftables configuration.
-	NFTablesEnabled bool `config:"bool;false"`
+	NFTablesMode string `config:"oneof(Enabled,Disabled);Disabled"`
 
 	// BPF configuration.
 	BPFEnabled                         bool              `config:"bool;false"`

@@ -207,7 +207,7 @@ func StartDataplaneDriver(configParams *config.Config,
 				NetlinkTimeout:    configParams.NetlinkTimeoutSecs,
 			},
 			RulesConfig: rules.Config{
-				NFTables:              configParams.NFTablesEnabled,
+				NFTables:              configParams.NFTablesMode == "Enabled",
 				WorkloadIfacePrefixes: configParams.InterfacePrefixes(),
 
 				IPSetConfigV4: ipsets.NewIPVersionConfig(

@@ -136,7 +136,7 @@ type endpointManager struct {
 	osStat       func(path string) (os.FileInfo, error)
 	epMarkMapper rules.EndpointMarkMapper
 	newMatch     func() generictables.MatchCriteria
-	actions      generictables.ActionSet
+	actions      generictables.ActionFactory
 
 	// Pending updates, cleared in CompleteDeferredWork as the data is copied to the activeXYZ
 	// fields.
@@ -277,10 +277,10 @@ func newEndpointManagerWithShims(
 	wlIfacesRegexp := regexp.MustCompile(wlIfacesPattern)
 
 	newMatchFn := iptables.Match
-	actions := iptables.ActionSet()
+	actions := iptables.Actions()
 	if nft {
 		newMatchFn = nftables.Match
-		actions = nftables.ActionSet()
+		actions = nftables.Actions()
 	}
 
 	return &endpointManager{
@@ -911,7 +911,7 @@ func (m *endpointManager) updateRPFSkipChain() {
 		for _, addr := range addresses {
 			chain.Rules = append(chain.Rules, generictables.Rule{
 				Match:  m.newMatch().InInterface(interfaceName).SourceNet(addr),
-				Action: m.actions.AllowAction(),
+				Action: m.actions.Allow(),
 			})
 		}
 	}

@@ -357,7 +357,7 @@ type InternalDataplane struct {
 	linkUpdateBatchSize  int
 	addrsUpdateBatchSize int
 
-	actionSet generictables.ActionSet
+	actionSet generictables.ActionFactory
 	newMatch  func() generictables.MatchCriteria
 }
 
@@ -401,10 +401,10 @@ func NewIntDataplaneDriver(config Config) *InternalDataplane {
 	)
 
 	// Determine the action set and new match function based on the underlying generictables implementation.
-	actionSet := iptables.ActionSet()
+	actionSet := iptables.Actions()
 	newMatchFn := iptables.Match
 	if config.RulesConfig.NFTables {
-		actionSet = nftables.ActionSet()
+		actionSet = nftables.Actions()
 		newMatchFn = nftables.Match
 	}
 
@@ -1509,7 +1509,7 @@ func (d *InternalDataplane) bpfMarkPreestablishedFlowsRules() []generictables.Ru
 	return []generictables.Rule{{
 		Match:   d.newMatch().ConntrackState("ESTABLISHED,RELATED"),
 		Comment: []string{"Mark pre-established flows."},
-		Action: d.actionSet.SetMaskedMarkAction(
+		Action: d.actionSet.SetMaskedMark(
 			tcdefs.MarkLinuxConntrackEstablished,
 			tcdefs.MarkLinuxConntrackEstablishedMask,
 		),
@@ -1531,7 +1531,7 @@ func (d *InternalDataplane) setUpIptablesBPF() {
 				// by the program at both ingress and egress.
 				Comment: []string{"Pre-approved by BPF programs."},
 				Match:   d.newMatch().MarkMatchesWithMask(tcdefs.MarkSeenBypass, tcdefs.MarkSeenBypassMask),
-				Action:  d.actionSet.AllowAction(),
+				Action:  d.actionSet.Allow(),
 			},
 		}
 
@@ -1545,7 +1545,7 @@ func (d *InternalDataplane) setUpIptablesBPF() {
 					MarkMatchesWithMask(tcdefs.MarkSeenFallThrough, tcdefs.MarkSeenFallThroughMask).
 					ConntrackState("ESTABLISHED,RELATED"),
 				Comment: []string{"Accept packets from flows that pre-date BPF."},
-				Action:  d.actionSet.AllowAction(),
+				Action:  d.actionSet.Allow(),
 			},
 			generictables.Rule{
 				Match:   d.newMatch().MarkMatchesWithMask(tcdefs.MarkSeenFallThrough, tcdefs.MarkSeenFallThroughMask),
@@ -1572,7 +1572,7 @@ func (d *InternalDataplane) setUpIptablesBPF() {
 				// RETURN would be a no-op since there's nothing to RETURN from.
 				inputRules = append(inputRules, generictables.Rule{
 					Match:  d.newMatch().InInterface(prefix+wildcard).MarkMatchesWithMask(tcdefs.MarkSeen, tcdefs.MarkSeenMask),
-					Action: d.actionSet.AllowAction(),
+					Action: d.actionSet.Allow(),
 				})
 			}
 
@@ -1588,7 +1588,7 @@ func (d *InternalDataplane) setUpIptablesBPF() {
 			// SEEN traffic, so it was policed and accepted at a HEP. If the default INPUT
 			// chain policy was DROP, it would get dropped now, therefore an explicit accept
 			// is needed.
-			inputRules = append(inputRules, d.ruleRenderer.FilterInputChainAllowWG(t.IPVersion(), rulesConfig, d.actionSet.AllowAction())...)
+			inputRules = append(inputRules, d.ruleRenderer.FilterInputChainAllowWG(t.IPVersion(), rulesConfig, d.actionSet.Allow())...)
 		}
 
 		if t.IPVersion() == 6 {
@@ -1618,7 +1618,7 @@ func (d *InternalDataplane) setUpIptablesBPF() {
 				fwdRules = append(fwdRules,
 					generictables.Rule{
 						Match:   d.newMatch().OutInterface(prefix + wildcard),
-						Action:  d.actionSet.JumpAction(rules.ChainToWorkloadDispatch),
+						Action:  d.actionSet.Jump(rules.ChainToWorkloadDispatch),
 						Comment: []string{"To workload, check workload is known."},
 					},
 				)
@@ -1632,15 +1632,15 @@ func (d *InternalDataplane) setUpIptablesBPF() {
 				fwdRules = append(fwdRules,
 					generictables.Rule{
 						Match:   d.newMatch().InInterface(prefix + wildcard),
-						Action:  d.actionSet.AllowAction(),
+						Action:  d.actionSet.Allow(),
 						Comment: []string{"To workload, mark has already been verified."},
 					},
 				)
 			}
 			fwdRules = append(fwdRules,
 				generictables.Rule{
 					Match:   d.newMatch().InInterface(bpfOutDev),
-					Action:  d.actionSet.AllowAction(),
+					Action:  d.actionSet.Allow(),
 					Comment: []string{"From ", bpfOutDev, " device, mark verified, accept."},
 				},
 			)
@@ -1655,7 +1655,7 @@ func (d *InternalDataplane) setUpIptablesBPF() {
 		t.UpdateChains(d.ruleRenderer.StaticNATPostroutingChains(t.IPVersion()))
 		t.InsertOrAppendRules("POSTROUTING", []generictables.Rule{{
 			Match:  d.newMatch(),
-			Action: d.actionSet.JumpAction(rules.ChainNATPostrouting),
+			Action: d.actionSet.Jump(rules.ChainNATPostrouting),
 		}})
 	}
 
@@ -1665,11 +1665,11 @@ func (d *InternalDataplane) setUpIptablesBPF() {
 		))
 		t.InsertOrAppendRules("PREROUTING", []generictables.Rule{{
 			Match:  d.newMatch(),
-			Action: d.actionSet.JumpAction(rules.ChainRawPrerouting),
+			Action: d.actionSet.Jump(rules.ChainRawPrerouting),
 		}})
 		t.InsertOrAppendRules("OUTPUT", []generictables.Rule{{
 			Match:  d.newMatch(),
-			Action: d.actionSet.JumpAction(rules.ChainRawOutput),
+			Action: d.actionSet.Jump(rules.ChainRawOutput),
 		}})
 	}
 
@@ -1682,7 +1682,7 @@ func (d *InternalDataplane) setUpIptablesBPF() {
 					tcdefs.MarkSeenMask|mark,
 				),
 				Comment: []string{"Mark connections with ExtToServiceConnmark"},
-				Action:  d.actionSet.SetConnmarkAction(mark, mark),
+				Action:  d.actionSet.SetConnmark(mark, mark),
 			}})
 		}
 	}
@@ -1730,27 +1730,27 @@ func (d *InternalDataplane) setUpIptablesNormal() {
 		t.UpdateChains(rawChains)
 		t.InsertOrAppendRules("PREROUTING", []generictables.Rule{{
 			Match:  d.newMatch(),
-			Action: d.actionSet.JumpAction(rules.ChainRawPrerouting),
+			Action: d.actionSet.Jump(rules.ChainRawPrerouting),
 		}})
 		t.InsertOrAppendRules("OUTPUT", []generictables.Rule{{
 			Match:  d.newMatch(),
-			Action: d.actionSet.JumpAction(rules.ChainRawOutput),
+			Action: d.actionSet.Jump(rules.ChainRawOutput),
 		}})
 	}
 	for _, t := range d.filterTables {
 		filterChains := d.ruleRenderer.StaticFilterTableChains(t.IPVersion())
 		t.UpdateChains(filterChains)
 		t.InsertOrAppendRules("FORWARD", []generictables.Rule{{
 			Match:  d.newMatch(),
-			Action: d.actionSet.JumpAction(rules.ChainFilterForward),
+			Action: d.actionSet.Jump(rules.ChainFilterForward),
 		}})
 		t.InsertOrAppendRules("INPUT", []generictables.Rule{{
 			Match:  d.newMatch(),
-			Action: d.actionSet.JumpAction(rules.ChainFilterInput),
+			Action: d.actionSet.Jump(rules.ChainFilterInput),
 		}})
 		t.InsertOrAppendRules("OUTPUT", []generictables.Rule{{
 			Match:  d.newMatch(),
-			Action: d.actionSet.JumpAction(rules.ChainFilterOutput),
+			Action: d.actionSet.Jump(rules.ChainFilterOutput),
 		}})
 
 		// Include rules which should be appended to the filter table forward chain.
@@ -1760,26 +1760,26 @@ func (d *InternalDataplane) setUpIptablesNormal() {
 		t.UpdateChains(d.ruleRenderer.StaticNATTableChains(t.IPVersion()))
 		t.InsertOrAppendRules("PREROUTING", []generictables.Rule{{
 			Match:  d.newMatch(),
-			Action: d.actionSet.JumpAction(rules.ChainNATPrerouting),
+			Action: d.actionSet.Jump(rules.ChainNATPrerouting),
 		}})
 		t.InsertOrAppendRules("POSTROUTING", []generictables.Rule{{
 			Match:  d.newMatch(),
-			Action: d.actionSet.JumpAction(rules.ChainNATPostrouting),
+			Action: d.actionSet.Jump(rules.ChainNATPostrouting),
 		}})
 		t.InsertOrAppendRules("OUTPUT", []generictables.Rule{{
 			Match:  d.newMatch(),
-			Action: d.actionSet.JumpAction(rules.ChainNATOutput),
+			Action: d.actionSet.Jump(rules.ChainNATOutput),
 		}})
 	}
 	for _, t := range d.mangleTables {
 		t.UpdateChains(d.ruleRenderer.StaticMangleTableChains(t.IPVersion()))
 		t.InsertOrAppendRules("PREROUTING", []generictables.Rule{{
 			Match:  d.newMatch(),
-			Action: d.actionSet.JumpAction(rules.ChainManglePrerouting),
+			Action: d.actionSet.Jump(rules.ChainManglePrerouting),
 		}})
 		t.InsertOrAppendRules("POSTROUTING", []generictables.Rule{{
 			Match:  d.newMatch(),
-			Action: d.actionSet.JumpAction(rules.ChainManglePostrouting),
+			Action: d.actionSet.Jump(rules.ChainManglePostrouting),
 		}})
 	}
 	if d.xdpState != nil {

@@ -228,7 +228,7 @@ func RunFelix(infra DatastoreInfra, id int, options TopologyOptions) *Felix {
 			c.Exec("iptables", "-F", "-t", table)
 		}
 
-		// nftables mode requires that ipatbles be configured to allow by default. Otherwise, a default
+		// nftables mode requires that iptables be configured to allow by default. Otherwise, a default
 		// drop action will override any accept verdict made by nftables.
 		c.Exec("iptables",
 			"-w", "10", // Retry this for 10 seconds, e.g. if something else is holding the lock

@@ -16,24 +16,29 @@ package generictables
 
 import "github.com/projectcalico/calico/felix/environment"
 
-type ActionSet interface {
-	AllowAction() Action
-	DropAction() Action
-	GoToAction(target string) Action
-	ReturnAction() Action
-	SetMarkAction(mark uint32) Action
-	SetMaskedMarkAction(mark, mask uint32) Action
-	ClearMarkAction(mark uint32) Action
-	JumpAction(target string) Action
-	NoTrackAction() Action
-	LogAction(prefix string) Action
-	SNATAction(ip string) Action
-	DNATAction(ip string, port uint16) Action
-	MasqAction(toPorts string) Action
-	SetConnmarkAction(mark, mask uint32) Action
+type ActionFactory interface {
+	Allow() Action
+	Drop() Action
+	GoTo(target string) Action
+	Return() Action
+	SetMark(mark uint32) Action
+	SetMaskedMark(mark, mask uint32) Action
+	ClearMark(mark uint32) Action
+	Jump(target string) Action
+	NoTrack() Action
+	Log(prefix string) Action
+	SNAT(ip string) Action
+	DNAT(ip string, port uint16) Action
+	Masq(toPorts string) Action
+	SetConnmark(mark, mask uint32) Action
 }
 
 type Action interface {
 	ToFragment(features *environment.Features) string
 	String() string
 }
+
+// ReturnActionMarker is a marker interface for actions that return from a chain.
+type ReturnActionMarker interface {
+	IsReturnAction()
+}
@@ -71,17 +71,6 @@ type MatchCriteria interface {
 	NotICMPV6Type(t uint8) MatchCriteria
 	ICMPV6TypeAndCode(t, c uint8) MatchCriteria
 	NotICMPV6TypeAndCode(t, c uint8) MatchCriteria
-	VXLANVNI(vni uint32) MatchCriteria
-}
-
-// NFTMatchCriteria extends the generictables.MatchCriteria interface with nftables-specific methods.
-type NFTMatchCriteria interface {
-	MatchCriteria
-
-	IPVersion(version uint8) MatchCriteria
-
-	ConntrackStatus(statusNames string) MatchCriteria
-	NotConntrackStatus(statusNames string) MatchCriteria
 }
 
 type AddrType string