From bc638acab491f6f4e0c46a958ccc43fa8982ff4d Mon Sep 17 00:00:00 2001
From: Will Szumski
Date: Mon, 16 Mar 2026 13:39:16 +0000
Subject: [PATCH] Install iptables-nft in Rocky 9 containers

There was a regression in 2025.1 where we switched back to using iptables-legacy. Explicitly installing iptables-nft restores the old behaviour.

Closes-Bug: #2144562
Change-Id: I2bba43407a10edb283d8605d579667cb8d8e3126
Signed-off-by: Will Szumski
---
 docker/neutron/neutron-base/Dockerfile.j2 | 25 ++++++++++++-
 ...missing-iptables-nft-fd71eeee04c9345e.yaml | 37 +++++++++++++++++++
 2 files changed, 60 insertions(+), 2 deletions(-)
 create mode 100644 releasenotes/notes/fixes-missing-iptables-nft-fd71eeee04c9345e.yaml

diff --git a/docker/neutron/neutron-base/Dockerfile.j2 b/docker/neutron/neutron-base/Dockerfile.j2
index 1224a2b495..04547a5c6b 100644
--- a/docker/neutron/neutron-base/Dockerfile.j2
+++ b/docker/neutron/neutron-base/Dockerfile.j2
@@ -7,11 +7,15 @@ LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build
 {% import "macros.j2" as macros with context %}
-{{ macros.enable_extra_repos(['docker-ce', 'openvswitch']) }}
+{{ macros.enable_extra_repos(['docker-ce', 'openvswitch', 'epel']) }}
 {{ macros.configure_user(name='neutron') }}
 {% if base_package_type == 'rpm' %}
+ # FIXME(wszumski): iptables-nft is deprecated. We need to advise users
+ # to migrate to some other firewall driver as we cannot rely on this
+ # package forever, see: https://access.redhat.com/solutions/6739041.
+ # iptables-legacy is not available from EPEL 10.
 {% set neutron_base_packages = [
 'conntrack-tools',
 'dnsmasq',
@@ -21,6 +25,7 @@ LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build
 'iproute-tc',
 'ipset',
 'iptables',
+ 'iptables-nft',
 'iputils',
 'keepalived',
 'net-tools',
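Review bot: `'epel'` is now enabled for every rpm-based build of this image on the `enable_extra_repos` line, yet the only package the patch takes from it, `iptables-legacy`, is added only in the `{% else %}` branch later in the file, and the new FIXME itself records that the package is not available from EPEL 10. With EPEL enabled image-wide, every name in `neutron_base_packages` (and anything passed through `customizable("packages")`) can now resolve from EPEL as well as the base repositories, so a same-named build in EPEL could shadow a base-OS package in images that never needed the repo. Whether `enable_extra_repos` in macros.j2 already restricts EPEL by distro is outside this patch; if it does not, consider scoping the enable to the branch that installs `iptables-legacy`, or at least record the reason next to it, e.g. `{# EPEL is only needed for iptables-legacy on EL9 #}`.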
@@ -33,9 +38,13 @@ LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build
 'python3-openvswitch3.5'
 ] %}
 {% else %}
+ # NOTE(wszumski): iptables-legacy lets us check and clear out legacy
+ # iptables rules due to LP#2144562. This package is installed from the
+ # EPEL repository.
 {% set neutron_base_packages = neutron_base_packages + [
 'openvswitch',
- 'python3-openvswitch'
+ 'python3-openvswitch',
+ 'iptables-legacy',
 ] %}
 {% endif %}
@@ -64,6 +73,18 @@ LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build
 {{ macros.install_packages(neutron_base_packages | customizable("packages")) }}
+{% if base_distro_tag.startswith('9') or base_distro_tag.startswith('stream9') %}
+# NOTE(wszumski): Without this iptables-legacy is selected as default. This
+# increases the priority from 10 to 200.
+RUN update-alternatives --install /usr/sbin/iptables iptables /usr/sbin/iptables-nft 200 \
+ --slave /usr/sbin/ip6tables ip6tables /usr/sbin/ip6tables-nft \
+ --slave /usr/sbin/iptables-restore iptables-restore /usr/sbin/iptables-nft-restore \
+ --slave /usr/sbin/iptables-save iptables-save /usr/sbin/iptables-nft-save \
+ --slave /usr/sbin/ip6tables-restore ip6tables-restore /usr/sbin/ip6tables-nft-restore \
+ --slave /usr/sbin/ip6tables-save ip6tables-save /usr/sbin/ip6tables-nft-save \
+ && update-alternatives --auto iptables
+{% endif %}
+
 ADD neutron-base-archive /neutron-base-source
 ADD plugins-archive /
diff --git a/releasenotes/notes/fixes-missing-iptables-nft-fd71eeee04c9345e.yaml b/releasenotes/notes/fixes-missing-iptables-nft-fd71eeee04c9345e.yaml
new file mode 100644
index 0000000000..b4c5bc88a3
--- /dev/null
+++ b/releasenotes/notes/fixes-missing-iptables-nft-fd71eeee04c9345e.yaml
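Review bot: The `{% else %}` branch that now installs `iptables-legacy` belongs to a condition that starts outside this hunk, and the new NOTE only says the package comes from EPEL; together with the FIXME in the first hunk that `iptables-legacy` is not available from EPEL 10, the branch is only correct while that condition selects the EL9 bases, which the comment does not state. Since the package is kept solely so operators can audit and flush stale legacy rules (the release note in this patch documents that procedure), and shipping both backends in the image is what makes the `update-alternatives` step further down necessary, I would make both facts explicit so neither piece is removed without the other, e.g. `# NOTE(wszumski): iptables-legacy (EPEL, EL9 only) is kept so operators can inspect and flush legacy rules left behind by LP#2144562; having both backends installed is why the update-alternatives step below is required.`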
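Review bot: Nothing in the new `RUN` confirms that the nft backend is actually the active one after `update-alternatives --auto iptables`, and the regression this patch fixes was precisely a silent fall-back to `iptables-legacy`. Appending `&& iptables -V | grep -q nf_tables` to the chain makes the image build fail instead of shipping a legacy-backed `iptables` again, since iptables 1.8 reports the selected backend (`nf_tables` or `legacy`) in its version string. The `/usr/sbin/*-nft` paths, the alternative names and the 200 priority are taken on trust from the EL9 package layout; if any of them changes, the block as written still exits 0 and the regression would return unnoticed, which is a second reason for the build-time check.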
@@ -0,0 +1,37 @@
+upgrade:
+ - |
+ On Rocky9 or CentOS Stream 9 based installations, VMs may be using legacy
+ iptables rules if you installed or upgraded before this release. You can
+ check by running ``iptables-legacy-save`` inside of the
+ ``neutron_openvswitch_agent`` container and looking for neutron rules.
+
+ After upgrading you will need to clear out the old iptables rules to
+ prevent conflicts::
+
+ iptables-legacy -P INPUT ACCEPT
+ iptables-legacy -P FORWARD ACCEPT
+ iptables-legacy -P OUTPUT ACCEPT
+ iptables-legacy -t nat -F
+ iptables-legacy -t nat -X
+ iptables-legacy -t mangle -F
+ iptables-legacy -t mangle -X
+ iptables-legacy -t raw -F
+ iptables-legacy -t raw -X
+ iptables-legacy -t filter -F
+ iptables-legacy -t filter -X
+ iptables-legacy -F
+ iptables-legacy -X
+
+ If you are updating to this release or newer, no action is required.
+
+ For more information, please see
+ `LP#2144562 `__.
+
+fixes:
+ - |
+ Fixes an issue where firewall rules were being implemented via legacy
+ iptables rules. This differed from the behaviour in previous releases,
+ where iptables-nft was used to create these as nftables rules. On upgrade,
+ this could lead to mixture of iptables and nftables rules based on whether
+ the VM was booted before or after the upgrade. For more information, please
+ see `LP#2144562 `__.