diff --git a/hack/release.toml b/hack/release.toml
index dfa5cabda7..f806f34a7c 100644
--- a/hack/release.toml
+++ b/hack/release.toml
@@ -212,6 +212,16 @@ machine:
     title = "Platforms"
     description = """\
 Talos Linux now supports [Akamai Connected Cloud](https://www.linode.com/) provider (platform `akamai`).
+"""
+
+    [notes.iptables]
+    title = "IPTables"
+    description = """\
+Talos Linux now forces `kubelet` and `kube-proxy` to use `iptables-nft` instead of `iptables-legacy` (`xtables`) which was the default
+before Talos 1.7.0.
+
+Container images based on `iptables-wrapper` should work without changes, but if there was a direct call to `legacy` mode of `iptables`, make sure
+to update to use `iptables-nft`.
 """
 
 [make_deps]
diff --git a/internal/app/machined/pkg/controllers/network/nftables_chain.go b/internal/app/machined/pkg/controllers/network/nftables_chain.go
index 26aa0f3b08..9fbbc70a10 100644
--- a/internal/app/machined/pkg/controllers/network/nftables_chain.go
+++ b/internal/app/machined/pkg/controllers/network/nftables_chain.go
@@ -65,6 +65,10 @@ func (ctrl *NfTablesChainController) Run(ctx context.Context, r controller.Runti
 	var conn nftables.Conn
 
+	if err := ctrl.preCreateIptablesNFTable(logger, &conn); err != nil {
+		return fmt.Errorf("error pre-creating iptables-nft table: %w", err)
+	}
+
 	list, err := safe.ReaderListAll[*network.NfTablesChain](ctx, r)
 	if err != nil {
 		return fmt.Errorf("error listing nftables chains: %w", err)
@@ -176,3 +180,34 @@ func (ctrl *NfTablesChainController) Run(ctx context.Context, r controller.Runti
 		r.ResetRestartBackoff()
 	}
 }
+
+func (ctrl *NfTablesChainController) preCreateIptablesNFTable(logger *zap.Logger, conn *nftables.Conn) error {
+	// Pre-create the iptables-nft table, if it doesn't exist.
+	// This is required to ensure that the iptables universal binary prefers iptables-nft over
+	// iptables-legacy can be used to manage the nftables rules.
+	tables, err := conn.ListTablesOfFamily(nftables.TableFamilyIPv4)
+	if err != nil {
+		return fmt.Errorf("error listing existing nftables tables: %w", err)
+	}
+
+	if slices.IndexFunc(tables, func(t *nftables.Table) bool { return t.Name == "mangle" }) != -1 {
+		return nil
+	}
+
+	table := &nftables.Table{
+		Family: nftables.TableFamilyIPv4,
+		Name:   "mangle",
+	}
+	conn.AddTable(table)
+
+	chain := &nftables.Chain{
+		Name:  "KUBE-IPTABLES-HINT",
+		Table: table,
+		Type:  nftables.ChainTypeNAT,
+	}
+	conn.AddChain(chain)
+
+	logger.Info("pre-created iptables-nft table 'mangle'/'KUBE-IPTABLES-HINT'")
+
+	return nil
+}
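Review bot: The early return at `if slices.IndexFunc(tables, func(t *nftables.Table) bool { return t.Name == "mangle" }) != -1` keys on the `mangle` table existing rather than on the `KUBE-IPTABLES-HINT` chain, so an ip/mangle table that already exists without the hint (left by an earlier nft-mode iptables run, or created by user nftables config) is skipped and the iptables wrapper falls back to its rule-count heuristic, which is the legacy/nft split this change is meant to rule out. Because `nft add table`/`add chain` are idempotent and the library's `AddTable`/`AddChain` appear to send NLM_F_CREATE without NLM_F_EXCL (worth confirming), the check can look for the chain itself via `conn.ListChainsOfTableFamily` and otherwise always queue both adds. Separately, kubelet creates this hint as a plain chain (`iptables -t mangle -N KUBE-IPTABLES-HINT`), so `Type: nftables.ChainTypeNAT` on a hook-less chain looks unnecessary, and the header comment reads "prefers iptables-nft over iptables-legacy can be used" — presumably "so that iptables-nft rather than iptables-legacy is used". The adds are only queued on `conn` here; this relies on `Run` flushing later, which is outside the hunk.
```go
	// Look for the hint chain itself: a `mangle` table may already exist without it.
	chains, err := conn.ListChainsOfTableFamily(nftables.TableFamilyIPv4)
	if err != nil {
		return fmt.Errorf("error listing existing nftables chains: %w", err)
	}

	if slices.ContainsFunc(chains, func(c *nftables.Chain) bool {
		return c.Table != nil && c.Table.Name == "mangle" && c.Name == "KUBE-IPTABLES-HINT"
	}) {
		return nil
	}

	// … unchanged: AddTable/AddChain of mangle/KUBE-IPTABLES-HINT, log line, return nil …
```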