From cf22523b519310a6871dcd8ad985ef4ff58b34f8 Mon Sep 17 00:00:00 2001
From: Chris Selzo
Date: Thu, 26 Feb 2026 07:24:08 -0800
Subject: [PATCH] Flush old iptables rules before testing new ones

The integration test setup basically launches an actual vm, then replaces the agent and re-runs the bootstrap process to add firewall rules. Since we're transitioning from iptables to nftables, we are in a transient state where the initial firewall rules setup when the vm was launched will still be in effect, but will be different than the ones intended to be tested. ai-assisted=yes [TNZ-60576]
---
 integration/nats_firewall_test.go | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/integration/nats_firewall_test.go b/integration/nats_firewall_test.go
index 5ebdec1f5..e87394c3d 100644
--- a/integration/nats_firewall_test.go
+++ b/integration/nats_firewall_test.go
@@ -17,6 +17,13 @@ var _ = Describe("nats firewall", func() {
 // restore original settings of bosh from initial deploy of this VM.
 _, err := testEnvironment.RunCommand("sudo cp /settings-backup/*.json /var/vcap/bosh/")
 Expect(err).ToNot(HaveOccurred())
+
+ // Flush legacy iptables mangle rules left over from the initial agent deploy.
+ // The old agent used iptables cgroup-based rules in the mangle table; these
+ // conflict with the new nftables UID-based firewall and would drop traffic
+ // that doesn't match the old cgroup.
+ _, _ = testEnvironment.RunCommand("sudo iptables -t mangle -F") //nolint:errcheck
+ _, _ = testEnvironment.RunCommand("sudo ip6tables -t mangle -F") //nolint:errcheck
 })
 It("sets up the outgoing nats firewall", func() {
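Review bot: The two flush commands discard their errors, so a failed flush (iptables absent on an nftables-only image, sudo denied, or a permission error on the table) leaves the legacy mangle rules in place and the test then fails later as an opaque dropped-traffic assertion instead of at setup. Since the stated goal is a clean table, verify the post-condition rather than trusting the command: after the flushes, run `out, err := testEnvironment.RunCommand("sudo iptables -t mangle -S")` and assert that, when `err == nil`, every line of `out` starts with `-P` (chain policies only), with the same check for ip6tables. Note also that `-F` only empties rules; any user-defined chains the old agent created survive, so `-X` is needed if those chains should disappear as well, and the comment should say that the flush is table-wide, not limited to the old agent's rules. This is acceptable in a throwaway integration VM but the comment could state that explicitly, e.g. `// NOTE: flushes the entire mangle table, not just the old agent's rules; fine for a disposable test VM.` The enclosing BeforeEach body starts outside the hunk.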