Description
Describe what you are trying to solve
As we will introduce nftables in #7297, it would be beneficial to develop a gradual migration plan to replace iptables and ipset with nftables.
This transition will modernize Antrea’s datapath rule management, improve performance, and align Antrea with the current Linux networking stack direction.
Describe the solution you have in mind
Several Antrea features currently depend on iptables and ipset. Since nftables provides its own independent table namespace, we can migrate features incrementally and safely.
Each migrated feature will use the dedicated nftables table named antrea (introduced in #7297), which ensures no conflict with the nftables rules that iptables-nft generates from translated iptables rules (iptables rules are internally represented as nftables rules).
To remove stale iptables rules after the migration:
- Keep the iptables client temporarily.
- Use it only at startup to clean up stale rules, chains, and ipsets.
- Eventually, after all features have been migrated, the iptables client will serve purely as a cleanup utility.
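As an added illustration of the startup cleanup step (example code, not Antrea's own), the functions below take `iptables-save` and `ipset list -n` output on stdin and emit the commands that remove every chain and set matching a name prefix, deleting the jump rules from built-in chains first so that the chains can be flushed and deleted. The `ANTREA-` prefix and the sample rule set are assumptions constructed for this example.

```shell
#!/bin/sh
# Derive cleanup commands for stale iptables chains from `iptables-save` text.
# $1 is the chain-name prefix (assumed ANTREA- here). Output order:
# 1) delete jumps from non-prefixed chains into prefixed chains,
# 2) flush every prefixed chain, 3) delete every prefixed chain.
antrea_stale_chain_cmds() {
  awk -v p="$1" '
    /^\*/ { table = substr($0, 2); next }          # *nat, *filter, ...
    /^:/  { name = substr($1, 2)                   # :CHAIN POLICY [pkts:bytes]
            if (index(name, p) == 1) { n++; tbl[n] = table; chn[n] = name }
            next }
    /^-A / {
      chain = $2; target = ""
      for (i = 3; i <= NF; i++) if ($i == "-j") target = $(i + 1)
      # A jump into a prefixed chain from a foreign chain must go before -X.
      if (index(target, p) == 1 && index(chain, p) != 1) {
        rule = $0; sub(/^-A /, "", rule)
        print "iptables -t " table " -D " rule
      }
      next
    }
    END {
      for (i = 1; i <= n; i++) print "iptables -t " tbl[i] " -F " chn[i]
      for (i = 1; i <= n; i++) print "iptables -t " tbl[i] " -X " chn[i]
    }'
}

# Same idea for ipsets: `ipset list -n` prints one set name per line.
# Run this only after the rules referencing the sets are gone.
antrea_stale_ipset_cmds() {
  awk -v p="$1" 'index($0, p) == 1 { print "ipset destroy " $0 }'
}

# Constructed sample of `iptables-save -t nat` output (not a real capture).
sample_iptables_save() {
  cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:ANTREA-PREROUTING - [0:0]
:ANTREA-POSTROUTING - [0:0]
:KUBE-SERVICES - [0:0]
-A PREROUTING -m comment --comment "Antrea: jump to Antrea prerouting rules" -j ANTREA-PREROUTING
-A PREROUTING -j KUBE-SERVICES
-A POSTROUTING -m comment --comment "Antrea: jump to Antrea postrouting rules" -j ANTREA-POSTROUTING
-A ANTREA-POSTROUTING -m set --match-set ANTREA-POD-IP src -j MASQUERADE
COMMIT
EOF
}
```

Piping the emitted commands into `sh` applies them; printing them first lets the cleanup be reviewed on a node before it runs.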
The features that use iptables and ipset and need to be migrated to nftables:
- AntreaProxy proxyAll (Support nftables in Node host network for AntreaProxy #7545)
- NodeNetworkPolicy
- Egress
- Wireguard
- Multicast
- Rules for not tracking tunnel encapsulation packets
- FlexibleIPAM
- Rules for EKS
- Rules for SNATing Pod-to-external
- NodePortLocal
Test plan
Pass all Kind e2e tests after each feature migration.
Feel free to leave your comments.