Include nftables information in Agent supportbundle

Signed-off-by: molegit9 <[email protected]>

Author: molegit9

pkg/support/dump_others.go

@@ -18,15 +18,38 @@
 package support
 
 import (
+	"bytes"
 	"fmt"
 	"path"
 	"path/filepath"
 	"strings"
+	"sync"
+
+	"k8s.io/klog/v2"
 
 	"antrea.io/antrea/pkg/agent/util/iptables"
+	nftclient "antrea.io/antrea/pkg/agent/util/nftables"
 	"antrea.io/antrea/pkg/util/logdir"
 )
 
+// nftablesIPv4Supported and nftablesIPv6Supported check if the kernel supports nftables.
+// They initialize the client once to verify support, but the returned clients are not used.
+var nftablesIPv4Supported = sync.OnceValue(func() bool {
+	if _, err := nftclient.New(true, false); err != nil {
+		klog.ErrorS(err, "nftables IPv4 not supported on this Node")
+		return false
+	}
+	return true
+})
+
+var nftablesIPv6Supported = sync.OnceValue(func() bool {
+	if _, err := nftclient.New(false, true); err != nil {
+		klog.ErrorS(err, "nftables IPv6 not supported on this Node")
+		return false
+	}
+	return true
+})
+
 func (d *agentDumper) DumpLog(basedir string) error {
 	logDir := logdir.GetLogDir()
 	timeFilter := timestampFilter(d.since)
@@ -41,6 +64,9 @@ func (d *agentDumper) DumpHostNetworkInfo(basedir string) error {
 	if err := d.dumpIPTables(basedir); err != nil {
 		return err
 	}
+	if err := d.dumpNFTables(basedir); err != nil {
+		return err
+	}
 	if err := d.dumpIPToolInfo(basedir); err != nil {
 		return err
 	}
@@ -59,6 +85,46 @@ func (d *agentDumper) dumpIPTables(basedir string) error {
 	return writeFile(d.fs, filepath.Join(basedir, "iptables"), "iptables", data)
 }
 
+func (d *agentDumper) dumpNFTables(basedir string) error {
+	isV4Supported := d.v4Enabled && nftablesIPv4Supported()
+	isV6Supported := d.v6Enabled && nftablesIPv6Supported()
+
+	var data bytes.Buffer
+
+	if isV4Supported {
+		output, err := d.executor.Command("nft", "list", "table", "ip", "antrea").CombinedOutput()
+		if err != nil {
+			return fmt.Errorf("failed to dump nftables table 'ip antrea': %w", err)
+		}
+		if len(output) > 0 {
+			data.Write(output)
+			data.WriteString("\n")
+		}
+	}
+
+	if isV6Supported {
+		output, err := d.executor.Command("nft", "list", "table", "ip6", "antrea").CombinedOutput()
+		if err != nil {
+			return fmt.Errorf("failed to dump nftables table 'ip6 antrea': %w", err)
+		}
+		if len(output) > 0 {
+			data.Write(output)
+			data.WriteString("\n")
+		}
+	}
+
+	if data.Len() == 0 {
+		return nil
+	}
+
+	fileName := "nftables"
+	if err := writeFile(d.fs, filepath.Join(basedir, fileName), fileName, data.Bytes()); err != nil {
+		return fmt.Errorf("failed to write nftables file: %w", err)
+	}
+
+	return nil
+}
+
 func (d *agentDumper) dumpIPToolInfo(basedir string) error {
 	dump := func(name string) error {
 		output, err := d.executor.Command("ip", name).CombinedOutput()

pkg/support/dump_others_test.go

@@ -18,6 +18,7 @@
 package support
 
 import (
+	"fmt"
 	"os"
 	"path/filepath"
 	"testing"
@@ -27,6 +28,8 @@ import (
 	"github.com/spf13/afero"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+	"k8s.io/utils/exec"
+	testingexec "k8s.io/utils/exec/testing"
 )
 
 func TestDumpLog(t *testing.T) {
@@ -49,3 +52,156 @@ func TestDumpLog(t *testing.T) {
 	require.NoError(t, err)
 	assert.True(t, ok)
 }
+
+func TestDumpNFTables(t *testing.T) {
+	const nftV4Output = "table ip antrea { chain antrea-chain { type filter hook input priority 0; } }"
+	const nftV6Output = "table ip6 antrea { chain antrea-chain6 { type filter hook input priority 0; } }"
+
+	v4ErrorAction := func() ([]byte, []byte, error) {
+		return nil, nil, fmt.Errorf("v4 error")
+	}
+	v4SuccessAction := func() ([]byte, []byte, error) {
+		return []byte(nftV4Output), nil, nil
+	}
+	v6SuccessAction := func() ([]byte, []byte, error) {
+		return []byte(nftV6Output), nil, nil
+	}
+	emptySuccessAction := func() ([]byte, []byte, error) {
+		return []byte(""), nil, nil
+	}
+
+	originalV4Check := nftablesIPv4Supported
+	originalV6Check := nftablesIPv6Supported
+	defer func() {
+		nftablesIPv4Supported = originalV4Check
+		nftablesIPv6Supported = originalV6Check
+	}()
+
+	nftablesIPv4Supported = func() bool { return true }
+	nftablesIPv6Supported = func() bool { return true }
+
+	tests := []struct {
+		name            string
+		v4Enabled       bool
+		v6Enabled       bool
+		commandActions  []testingexec.FakeCommandAction
+		expectedContent string
+		expectFile      bool
+		expectErr       bool
+	}{
+		{
+			name:      "v4 enabled only",
+			v4Enabled: true,
+			v6Enabled: false,
+			commandActions: []testingexec.FakeCommandAction{
+				func(cmd string, args ...string) exec.Cmd {
+					return &testingexec.FakeCmd{
+						CombinedOutputScript: []testingexec.FakeAction{v4SuccessAction},
+					}
+				},
+			},
+			expectedContent: nftV4Output + "\n",
+			expectFile:      true,
+		},
+		{
+			name:      "v6 enabled only",
+			v4Enabled: false,
+			v6Enabled: true,
+			commandActions: []testingexec.FakeCommandAction{
+				func(cmd string, args ...string) exec.Cmd {
+					return &testingexec.FakeCmd{
+						CombinedOutputScript: []testingexec.FakeAction{v6SuccessAction},
+					}
+				},
+			},
+			expectedContent: nftV6Output + "\n",
+			expectFile:      true,
+		},
+		{
+			name:      "v4 and v6 enabled",
+			v4Enabled: true,
+			v6Enabled: true,
+			commandActions: []testingexec.FakeCommandAction{
+				func(cmd string, args ...string) exec.Cmd {
+					return &testingexec.FakeCmd{
+						CombinedOutputScript: []testingexec.FakeAction{v4SuccessAction},
+					}
+				},
+				func(cmd string, args ...string) exec.Cmd {
+					return &testingexec.FakeCmd{
+						CombinedOutputScript: []testingexec.FakeAction{v6SuccessAction},
+					}
+				},
+			},
+			expectedContent: nftV4Output + "\n" + nftV6Output + "\n",
+			expectFile:      true,
+		},
+		{
+			name:      "v4 command error",
+			v4Enabled: true,
+			v6Enabled: true,
+			commandActions: []testingexec.FakeCommandAction{
+				func(cmd string, args ...string) exec.Cmd {
+					return &testingexec.FakeCmd{
+						CombinedOutputScript: []testingexec.FakeAction{v4ErrorAction},
+					}
+				},
+			},
+			expectFile: false,
+			expectErr:  true,
+		},
+		{
+			name:      "no rules found (empty output)",
+			v4Enabled: true,
+			v6Enabled: true,
+			commandActions: []testingexec.FakeCommandAction{
+				func(cmd string, args ...string) exec.Cmd {
+					return &testingexec.FakeCmd{CombinedOutputScript: []testingexec.FakeAction{emptySuccessAction}}
+				},
+				func(cmd string, args ...string) exec.Cmd {
+					return &testingexec.FakeCmd{CombinedOutputScript: []testingexec.FakeAction{emptySuccessAction}}
+				},
+			},
+			expectFile: false,
+			expectErr:  false,
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			fs := afero.NewMemMapFs()
+			fs.MkdirAll(baseDir, os.ModePerm)
+
+			fakeExecutor := &testingexec.FakeExec{}
+			fakeExecutor.CommandScript = tc.commandActions
+
+			dumper := &agentDumper{
+				fs:        fs,
+				executor:  fakeExecutor,
+				v4Enabled: tc.v4Enabled,
+				v6Enabled: tc.v6Enabled,
+			}
+
+			err := dumper.dumpNFTables(baseDir)
+
+			if tc.expectErr {
+				require.Error(t, err)
+				return
+			}
+
+			require.NoError(t, err)
+
+			filePath := filepath.Join(baseDir, "nftables")
+
+			ok, err := afero.Exists(fs, filePath)
+			require.NoError(t, err)
+			assert.Equal(t, tc.expectFile, ok, "Expected nftables file existence to be %t", tc.expectFile)
+
+			if tc.expectFile {
+				content, err := afero.ReadFile(fs, filePath)
+				require.NoError(t, err)
+				assert.Equal(t, tc.expectedContent, string(content), "File content does not match")
+			}
+		})
+	}
+}