
Fix nats firewall test to check nftables instead of iptables #412

Merged
selzoc merged 2 commits into main from update-ipv6-nats-firewall-tests-nftables on Feb 26, 2026

Conversation

@selzoc (Member) commented Feb 26, 2026

Summary

The ipv6 nats firewall integration test was still querying ip6tables for
cgroup-based rules, but the firewall now uses nftables with UID-based matching.
This has been failing consistently since b791d6c changed the Mbus URL from
mbus:// to nats://, which activated the nftables code path for ipv6.

  • Query nft list chain inet bosh_agent nats_access instead of ip6tables -t mangle -L
  • Update regex expectations to match nftables UID-based output
  • Fix AfterEach cleanup (was using ip6tables -D with wrong port 8080 and nonexistent cgroup rules)

CI Failure

build 1092 — 47 Passed, 1 Failed

[FAILED] Expected
<string>: Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
to match regular expression
<string>: ACCEPT tcp anywhere 2001:db8::1 tcp dpt:http-alt cgroup 2958295042
In [It] at: /tmp/build/22f0b5c7/bosh-agent/integration/nats_firewall_test.go:99

The AfterEach also failed trying to delete the nonexistent iptables rules:

FAILED TO EXECUTE: sudo ip6tables -t mangle -D POSTROUTING -d 2001:db8::1
-p tcp --dport 8080 -m cgroup --cgroup 2958295042 -j ACCEPT --wait
Process exited with status 1

The ipv6 test was still querying ip6tables for cgroup-based rules,
but the firewall now uses nftables with UID-based matching. Updates
the assertions and AfterEach cleanup accordingly.

ai-assisted=yes
[TNZ-60576]

Signed-off-by: Chris Selzo <chris.selzo@broadcom.com>
We no longer use the iptables helper on the stemcell

ai-assisted=yes
[TNZ-60576]

Signed-off-by: Aram Price <aram.price@broadcom.com>
selzoc merged commit ee3d23b into main on Feb 26, 2026
16 checks passed
selzoc deleted the update-ipv6-nats-firewall-tests-nftables branch on February 26, 2026 00:37
selzoc changed the title from "Fix ipv6 firewall test to check nftables instead of iptables" to "Fix nats firewall test to check nftables instead of iptables" on Feb 26, 2026
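The failure above is what happens when a test matches a regex against the wrong firewall backend: the ip6tables mangle table is empty, so the cgroup regex can never match, and the cleanup then tries to delete a rule that was never there. As an added example, not code from the bosh-agent repository or from this PR, the Go program below shows a less fragile way to assert on the new code path: it parses the text that `nft list chain inet bosh_agent nats_access` prints into structured rules and then checks two properties, that a rule accepts the NATS destination for the agent's UID, and that no rule accepts that destination without a `meta skuid` match (which would let any local user reach NATS). The listings inside the block are constructed sample output; the rule shape, UID 1000 and port 4222 are assumptions for the example, since the PR shows neither the agent's actual rules nor the regex the updated test expects. nft may print the skuid as a user name rather than a number depending on how it is invoked, so the parser strips quotes and compares the field as a string.

```go
package main

import (
	"fmt"
	"strings"
)

// SampleListing is constructed sample output in the shape produced by
// `nft list chain inet bosh_agent nats_access`. The rule layout, UID 1000
// and port 4222 are assumptions for this example, not the agent's real rules.
const SampleListing = `table inet bosh_agent {
	chain nats_access {
		type filter hook output priority filter; policy accept;
		ip daddr 192.0.2.10 tcp dport 4222 meta skuid 1000 accept
		ip6 daddr 2001:db8::1 tcp dport 4222 meta skuid 1000 accept
		ip6 daddr 2001:db8::1 tcp dport 4222 drop
	}
}`

// PermissiveListing is a constructed listing with a rule that accepts the
// NATS destination for every UID; the UnscopedAccepts check should flag it.
const PermissiveListing = `table inet bosh_agent {
	chain nats_access {
		ip6 daddr 2001:db8::1 tcp dport 4222 accept
	}
}`

// Rule is one nft rule reduced to the fields a NATS firewall test cares about.
type Rule struct {
	DstAddr string // value after "ip daddr" or "ip6 daddr"
	DstPort string // value after "tcp dport"
	UID     string // value after "meta skuid"; "" when the rule is not UID-scoped
	Accept  bool   // rule carries the accept verdict
	Drop    bool   // rule carries the drop verdict
}

// ParseChain extracts rules from an nft chain listing. Table/chain braces and
// the chain header line are skipped; every other non-empty line is a rule.
func ParseChain(listing string) []Rule {
	var rules []Rule
	for _, raw := range strings.Split(listing, "\n") {
		line := strings.TrimSpace(raw)
		switch {
		case line == "", line == "}":
			continue
		case strings.HasPrefix(line, "table "), strings.HasPrefix(line, "chain "), strings.HasPrefix(line, "type "):
			continue
		}
		fields := strings.Fields(line)
		var r Rule
		for i, f := range fields {
			next := ""
			if i+1 < len(fields) {
				// nft may print a quoted user name instead of a number for skuid
				next = strings.Trim(fields[i+1], `"`)
			}
			switch f {
			case "daddr":
				r.DstAddr = next
			case "dport":
				r.DstPort = next
			case "skuid":
				r.UID = next
			case "accept":
				r.Accept = true
			case "drop":
				r.Drop = true
			}
		}
		rules = append(rules, r)
	}
	return rules
}

// HasUIDAccept reports whether some rule accepts traffic to addr:port for uid.
func HasUIDAccept(rules []Rule, addr, port, uid string) bool {
	for _, r := range rules {
		if r.Accept && r.DstAddr == addr && r.DstPort == port && r.UID == uid {
			return true
		}
	}
	return false
}

// UnscopedAccepts returns accept rules for addr:port that carry no skuid match,
// i.e. rules that would let any local user reach the NATS endpoint.
func UnscopedAccepts(rules []Rule, addr, port string) []Rule {
	var bad []Rule
	for _, r := range rules {
		if r.Accept && r.DstAddr == addr && r.DstPort == port && r.UID == "" {
			bad = append(bad, r)
		}
	}
	return bad
}

func main() {
	rules := ParseChain(SampleListing)
	fmt.Printf("parsed %d rules\n", len(rules))
	fmt.Println("uid 1000 may reach [2001:db8::1]:4222:", HasUIDAccept(rules, "2001:db8::1", "4222", "1000"))
	fmt.Println("uid 1001 may reach [2001:db8::1]:4222:", HasUIDAccept(rules, "2001:db8::1", "4222", "1001"))
	fmt.Println("unscoped accepts in permissive listing:", len(UnscopedAccepts(ParseChain(PermissiveListing), "2001:db8::1", "4222")))
}
```

In an integration test the listing would come from running `sudo nft list chain inet bosh_agent nats_access` on the stemcell, and the same parsed rules tell the AfterEach exactly which `nft delete rule` calls are needed, so the cleanup cannot drift from the assertion the way the old `ip6tables -D` with port 8080 did.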