Merge pull request #27555 from l0rd/iptables-rm

openshift-merge-bot[bot] · web-flow · commit 91816d9042b1 · 2025-11-21T10:45:03.000Z
Remove iptables references from tests, docs and WSL config
diff --git a/.cirrus.yml b/.cirrus.yml
@@ -1090,7 +1090,9 @@ upgrade_test_task:
     depends_on: *build
     matrix:
         - env:
-              PODMAN_UPGRADE_FROM: v4.8.0
+              PODMAN_UPGRADE_FROM: v5.3.1
+        - env:
+              PODMAN_UPGRADE_FROM: v5.6.2
     gce_instance: *standardvm
     env:
         TEST_FLAVOR: upgrade_test
diff --git a/docs/source/locale/ja/LC_MESSAGES/markdown.po b/docs/source/locale/ja/LC_MESSAGES/markdown.po
@@ -20503,9 +20503,9 @@ msgstr ""
 
 #: ../../source/markdown/podman-network-reload.1.md:13
 msgid ""
-"Rootful Podman relies on iptables rules in order to provide network "
-"connectivity. If the iptables rules are deleted, this happens for example"
-" with `firewall-cmd --reload`, the container loses network connectivity. "
+"Rootful Podman relies on firewall rules in order to provide network "
+"connectivity. If the firewall rules are deleted, as can happen"
+" with the `firewall-cmd --reload` command, the container loses network connectivity. "
 "This command restores the network connectivity."
 msgstr ""
 
diff --git a/docs/source/markdown/podman-network-reload.1.md.in b/docs/source/markdown/podman-network-reload.1.md.in
@@ -9,7 +9,7 @@ podman\-network\-reload - Reload network configuration for containers
 ## DESCRIPTION
 Reload one or more container network configurations.
 
-Rootful Podman relies on iptables rules in order to provide network connectivity. If the iptables rules are deleted,
+Rootful Podman relies on the firewall rules in order to provide network connectivity. If the firewall rules are deleted,
 this happens for example with `firewall-cmd --reload`, the container loses network connectivity. This command restores
 the network connectivity.
 
diff --git a/pkg/machine/wsl/declares.go b/pkg/machine/wsl/declares.go
@@ -12,11 +12,6 @@ const containersConf = `[containers]
 
 [engine]
 cgroup_manager = "cgroupfs"
-
-# Using iptables until we fix nftables on WSL:
-# https://github.com/containers/podman/issues/25201
-[network]
-firewall_driver="iptables"
 `
 
 const registriesConf = `unqualified-search-registries=["docker.io"]
diff --git a/rpm/podman.spec b/rpm/podman.spec
@@ -349,12 +349,6 @@ ln -s ../virtiofsd %{buildroot}%{_libexecdir}/%{name}
 %{_tmpfilesdir}/%{name}.conf
 %{_systemdgeneratordir}/%{name}-system-generator
 %{_systemdusergeneratordir}/%{name}-user-generator
-# iptables modules are only needed with iptables-legacy,
-# as of f41 netavark will default to nftables so do not load unessary modules
-# https://fedoraproject.org/wiki/Changes/NetavarkNftablesDefault
-%if %{defined fedora} && 0%{?fedora} < 41
-%{_modulesloaddir}/%{name}-iptables.conf
-%endif
 
 %files docker
 %{_bindir}/docker
diff --git a/test/README.md b/test/README.md
@@ -41,7 +41,6 @@ The test currently depend on:
  - xz
  - htpasswd
  - iproute2
- - iptables
  - util-linux
  - tar
  - docker
diff --git a/test/system/500-networking.bats b/test/system/500-networking.bats
@@ -320,7 +320,7 @@ load helpers.network
     run_podman 1 network rm $mynetname
 }
 
-# CANNOT BE PARALLELIZED due to iptables/nft commands
+# CANNOT BE PARALLELIZED due to nft commands
 @test "podman network reload" {
     skip_if_remote "podman network reload does not have remote support"
 
@@ -356,20 +356,17 @@ load helpers.network
     # rootless cannot modify the host firewall
     if ! is_rootless; then
         # for debugging only
-        iptables -t nat -nvL || true
         nft list ruleset     || true
 
         # flush the firewall rule here to break port forwarding
-        # netavark can use either iptables or nftables, so try flushing both
-        iptables -t nat -F "NETAVARK-HOSTPORT-DNAT" || true
         nft delete table inet netavark              || true
 
         # check that we cannot curl (timeout after 1 sec)
         run curl --max-time 1 -s $SERVER/index.txt
         assert $status -eq 28 "curl did not time out"
     fi
 
-    # reload the network to recreate the iptables rules
+    # reload the network to recreate the nftables rules
     run_podman network reload $cid
     is "$output" "$cid" "Output does match container ID"
 
@@ -400,7 +397,7 @@ load helpers.network
     mac2="${lines[2]}"
 
     # make sure --all is working and that this
-    # cmd also works if the iptables still exists
+    # cmd also works if the nftables still exists
     run_podman network reload --all
     is "$output" "$cid" "Output does match container ID"
 
diff --git a/test/upgrade/README.md b/test/upgrade/README.md
@@ -21,22 +21,19 @@ container image from quay.io/podman, uses it to create and run
 a number of containers, then uses new-podman to interact with
 those containers.
 
-As of 2024-02-05 the available old-podman versions are:
+Testing updates from versions earlier than v5.3.1 fails. Testing updates from
+tags that do not respect semantic versioning fails too (e.g. v5.6.0-immutable or
+v5.6). As of 2025-11-18 the available old-podman versions to test against are:
 
 ```console
-$ bin/podman search --list-tags --limit=400 quay.io/podman/stable | awk '$2 ~ /^v/ { print $2}' | sort | column -c 75
-v1.4.2  v1.9.1  v3.2.0  v3.4.0  v4.1.0  v4.3.1  v4.5.1  v4.8
-v1.4.4  v2.0.2  v3.2.1  v3.4.1  v4.1.1  v4.4    v4.6    v4.8.0
-v1.5.0  v2.0.6  v3.2.2  v3.4.2  v4.2    v4.4.1  v4.6.1  v4.8.1
-v1.5.1  v2.1.1  v3.2.3  v3.4.4  v4.2.0  v4.4.2  v4.6.2  v4.8.2
-v1.6    v2.2.1  v3.3.0  v3.4.7  v4.2.1  v4.4.4  v4.7    v4.8.3
-v1.6.2  v3      v3.3.1  v4      v4.3    v4.5    v4.7.0  v4.9
-v1.9.0  v3.1.2  v3.4    v4.1    v4.3.0  v4.5.0  v4.7.2  v4.9.0
+$ bin/podman search --list-tags --limit=400 quay.io/podman/stable | awk '$2 ~ /^v[0-9]+\.[0-9]+\.[0-9]+$/ { print $2}' | sort | awk '/v5.3.1/,0' | column -c 75
+v5.3.1  v5.4.0  v5.4.2  v5.5.1  v5.6.0  v5.6.2
+v5.3.2  v5.4.1  v5.5.0  v5.5.2  v5.6.1
 ```
 
 Test invocation is:
 ```console
-$ sudo env PODMAN=bin/podman PODMAN_UPGRADE_FROM=v4.1.0 PODMAN_UPGRADE_TEST_DEBUG= bats test/upgrade
+$ sudo env PODMAN=bin/podman PODMAN_UPGRADE_FROM=v5.3.1 PODMAN_UPGRADE_TEST_DEBUG= bats test/upgrade
 ```
 (Path assumes you're cd'ed to top-level podman repo). `PODMAN_UPGRADE_FROM`
 can be any of the versions above. `PODMAN_UPGRADE_TEST_DEBUG` is empty
diff --git a/test/upgrade/test-upgrade.bats b/test/upgrade/test-upgrade.bats
@@ -49,9 +49,9 @@ setup() {
     # the default c/storage behavior is to make the mount propagation private.
     export _PODMAN_TEST_OPTS="--storage-opt=skip_mount_home=true --cgroup-manager=cgroupfs --root=$PODMAN_UPGRADE_WORKDIR/root --runroot=$PODMAN_UPGRADE_WORKDIR/runroot --tmpdir=$PODMAN_UPGRADE_WORKDIR/tmp"
 
-    # Old netavark used iptables but newer versions might uses nftables.
-    # Networking can only work correctly if both use the same firewall driver so force iptables.
-    printf "[network]\nfirewall_driver=\"iptables\"\n" > $PODMAN_UPGRADE_WORKDIR/containers.conf
+
+    # Starting with v6.0.0 we only test upgrade from versions that support nftables.
+    printf "[network]\nfirewall_driver=\"nftables\"\n" > $PODMAN_UPGRADE_WORKDIR/containers.conf
     export CONTAINERS_CONF_OVERRIDE=$PODMAN_UPGRADE_WORKDIR/containers.conf
 }
 
@@ -64,21 +64,6 @@ setup() {
     OLD_PODMAN=quay.io/podman/stable:$PODMAN_UPGRADE_FROM
     $PODMAN pull $OLD_PODMAN
 
-    # Can't mix-and-match iptables.
-    # This can only fail when we bring in new CI VMs. If/when it does fail,
-    # we'll need to figure out how to solve it. Until then, punt.
-    iptables_old_version=$($PODMAN run --rm $OLD_PODMAN iptables -V)
-    run -0 expr "$iptables_old_version" : ".*(\(.*\))"
-    iptables_old_which="$output"
-
-    iptables_new_version=$(iptables -V)
-    run -0 expr "$iptables_new_version" : ".*(\(.*\))"
-    iptables_new_which="$output"
-
-    if [[ "$iptables_new_which" != "$iptables_old_which" ]]; then
-        die "Cannot mix iptables; $PODMAN_UPGRADE_FROM container uses $iptables_old_which, host uses $iptables_new_which"
-    fi
-
     # Shortcut name, because we're referencing it a lot
     pmroot=$PODMAN_UPGRADE_WORKDIR
 
@@ -223,8 +208,10 @@ EOF
 
 @test "images" {
     run_podman images -a --format '{{.Names}}'
-    assert "${lines[0]}" =~ "\[localhost/podman-pause:${PODMAN_UPGRADE_FROM##v}-.*\]" "podman images, line 0"
-    assert "${lines[1]}" = "[$IMAGE]" "podman images, line 1"
+    # Filter out the podman-pause image which isn't present for
+    # versions >= 5.5.0
+    run -0 grep -v "localhost/podman-pause" <<< "$output"
+    assert "${lines[0]}" = "[$IMAGE]" "podman images, line 0"
 }
 
 @test "ps : one container running" {
