Include nftables information in Agent supportbundle

molegit9 · molegit9 · commit 7cd8f1dc9675 · 2025-11-25T12:25:48.000+09:00
Signed-off-by: molegit9 &lt;jangfish0925@naver.com&gt;
diff --git a/pkg/support/dump_others.go b/pkg/support/dump_others.go
@@ -18,12 +18,16 @@
 package support
 
 import (
+	"bytes"
 	"fmt"
 	"path"
 	"path/filepath"
 	"strings"
 
+	"k8s.io/klog/v2"
+
 	"antrea.io/antrea/pkg/agent/util/iptables"
+	nftclient "antrea.io/antrea/pkg/agent/util/nftables"
 	"antrea.io/antrea/pkg/util/logdir"
 )
 
@@ -41,6 +45,9 @@ func (d *agentDumper) DumpHostNetworkInfo(basedir string) error {
 	if err := d.dumpIPTables(basedir); err != nil {
 		return err
 	}
+	if err := d.dumpNFTables(basedir); err != nil {
+		return err
+	}
 	if err := d.dumpIPToolInfo(basedir); err != nil {
 		return err
 	}
@@ -59,6 +66,48 @@ func (d *agentDumper) dumpIPTables(basedir string) error {
 	return writeFile(d.fs, filepath.Join(basedir, "iptables"), "iptables", data)
 }
 
+func (d *agentDumper) dumpNFTables(basedir string) error {
+	if _, err := nftclient.New(d.v4Enabled, d.v6Enabled); err != nil {
+		klog.ErrorS(err, "Skipping nftables dump because it is not supported on this Node")
+		return nil
+	}
+
+	var data bytes.Buffer
+
+	if d.v4Enabled {
+		output, err := d.executor.Command("nft", "list", "table", "ip", "antrea").CombinedOutput()
+		if err != nil {
+			return fmt.Errorf("failed to dump nftables table 'ip antrea': %w", err)
+		}
+		if len(output) > 0 {
+			data.Write(output)
+			data.WriteString("\n")
+		}
+	}
+
+	if d.v6Enabled {
+		output, err := d.executor.Command("nft", "list", "table", "ip6", "antrea").CombinedOutput()
+		if err != nil {
+			return fmt.Errorf("failed to dump nftables table 'ip6 antrea': %w", err)
+		}
+		if len(output) > 0 {
+			data.Write(output)
+			data.WriteString("\n")
+		}
+	}
+
+	if data.Len() == 0 {
+		return nil
+	}
+
+	fileName := "nftables"
+	if err := writeFile(d.fs, filepath.Join(basedir, fileName), fileName, data.Bytes()); err != nil {
+		return fmt.Errorf("failed to write nftables file: %w", err)
+	}
+
+	return nil
+}
+
 func (d *agentDumper) dumpIPToolInfo(basedir string) error {
 	dump := func(name string) error {
 		output, err := d.executor.Command("ip", name).CombinedOutput()
diff --git a/pkg/support/dump_others_test.go b/pkg/support/dump_others_test.go
@@ -18,6 +18,7 @@
 package support
 
 import (
+	"fmt"
 	"os"
 	"path/filepath"
 	"testing"
@@ -27,6 +28,8 @@ import (
 	"github.com/spf13/afero"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+	"k8s.io/utils/exec"
+	testingexec "k8s.io/utils/exec/testing"
 )
 
 func TestDumpLog(t *testing.T) {
@@ -49,3 +52,162 @@ func TestDumpLog(t *testing.T) {
 	require.NoError(t, err)
 	assert.True(t, ok)
 }
+
+func TestDumpNFTables(t *testing.T) {
+	const nftV4Output = "table ip antrea { chain antrea-chain { type filter hook input priority 0; } }"
+	const nftV6Output = "table ip6 antrea { chain antrea-chain6 { type filter hook input priority 0; } }"
+
+	v4ErrorAction := func() ([]byte, []byte, error) {
+		return nil, nil, fmt.Errorf("v4 error")
+	}
+	v4SuccessAction := func() ([]byte, []byte, error) {
+		return []byte(nftV4Output), nil, nil
+	}
+	v6SuccessAction := func() ([]byte, []byte, error) {
+		return []byte(nftV6Output), nil, nil
+	}
+	emptySuccessAction := func() ([]byte, []byte, error) {
+		return []byte(""), nil, nil
+	}
+
+	tests := []struct {
+		name            string
+		v4Enabled       bool
+		v6Enabled       bool
+		lookPathErr     error
+		commandActions  []testingexec.FakeCommandAction
+		expectedContent string
+		expectFile      bool
+		expectErr       bool
+	}{
+		{
+			name:        "nft command not found",
+			v4Enabled:   true,
+			v6Enabled:   true,
+			lookPathErr: fmt.Errorf("command 'nft' not found in PATH"),
+			expectFile:  false,
+			expectErr:   false,
+		},
+		{
+			name:      "v4 enabled only",
+			v4Enabled: true,
+			v6Enabled: false,
+			commandActions: []testingexec.FakeCommandAction{
+				func(cmd string, args ...string) exec.Cmd {
+					return &testingexec.FakeCmd{
+						CombinedOutputScript: []testingexec.FakeAction{v4SuccessAction},
+					}
+				},
+			},
+			expectedContent: nftV4Output + "\n",
+			expectFile:      true,
+		},
+		{
+			name:      "v6 enabled only",
+			v4Enabled: false,
+			v6Enabled: true,
+			commandActions: []testingexec.FakeCommandAction{
+				func(cmd string, args ...string) exec.Cmd {
+					return &testingexec.FakeCmd{
+						CombinedOutputScript: []testingexec.FakeAction{v6SuccessAction},
+					}
+				},
+			},
+			expectedContent: nftV6Output + "\n",
+			expectFile:      true,
+		},
+		{
+			name:      "v4 and v6 enabled",
+			v4Enabled: true,
+			v6Enabled: true,
+			commandActions: []testingexec.FakeCommandAction{
+				func(cmd string, args ...string) exec.Cmd {
+					return &testingexec.FakeCmd{
+						CombinedOutputScript: []testingexec.FakeAction{v4SuccessAction},
+					}
+				},
+				func(cmd string, args ...string) exec.Cmd {
+					return &testingexec.FakeCmd{
+						CombinedOutputScript: []testingexec.FakeAction{v6SuccessAction},
+					}
+				},
+			},
+			expectedContent: nftV4Output + "\n" + nftV6Output + "\n",
+			expectFile:      true,
+		},
+		{
+			name:      "v4 command error",
+			v4Enabled: true,
+			v6Enabled: true,
+			commandActions: []testingexec.FakeCommandAction{
+				func(cmd string, args ...string) exec.Cmd {
+					return &testingexec.FakeCmd{
+						CombinedOutputScript: []testingexec.FakeAction{v4ErrorAction},
+					}
+				},
+			},
+			expectFile: false,
+			expectErr:  true,
+		},
+		{
+			name:      "no rules found (empty output)",
+			v4Enabled: true,
+			v6Enabled: true,
+			commandActions: []testingexec.FakeCommandAction{
+				func(cmd string, args ...string) exec.Cmd {
+					return &testingexec.FakeCmd{CombinedOutputScript: []testingexec.FakeAction{emptySuccessAction}}
+				},
+				func(cmd string, args ...string) exec.Cmd {
+					return &testingexec.FakeCmd{CombinedOutputScript: []testingexec.FakeAction{emptySuccessAction}}
+				},
+			},
+			expectFile: false,
+			expectErr:  false,
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			fs := afero.NewMemMapFs()
+			fs.MkdirAll(baseDir, os.ModePerm)
+
+			fakeExecutor := &testingexec.FakeExec{}
+
+			fakeExecutor.LookPathFunc = func(cmd string) (string, error) {
+				if cmd == "nft" {
+					return "/usr/bin/nft", tc.lookPathErr
+				}
+				return "", fmt.Errorf("command %s not expected", cmd)
+			}
+			fakeExecutor.CommandScript = tc.commandActions
+
+			dumper := &agentDumper{
+				fs:        fs,
+				executor:  fakeExecutor,
+				v4Enabled: tc.v4Enabled,
+				v6Enabled: tc.v6Enabled,
+			}
+
+			err := dumper.dumpNFTables(baseDir)
+
+			if tc.expectErr {
+				require.Error(t, err)
+				return
+			}
+
+			require.NoError(t, err)
+
+			filePath := filepath.Join(baseDir, "nftables")
+
+			ok, err := afero.Exists(fs, filePath)
+			require.NoError(t, err)
+			assert.Equal(t, tc.expectFile, ok, "Expected nftables file existence to be %t", tc.expectFile)
+
+			if tc.expectFile {
+				content, err := afero.ReadFile(fs, filePath)
+				require.NoError(t, err)
+				assert.Equal(t, tc.expectedContent, string(content), "File content does not match")
+			}
+		})
+	}
+}
