Fix rendering of NatPortRange in nftables mode #11736

Merged: marvin-tigera merged 3 commits into projectcalico:master from nelljerram:nftables-nat-port-range on Jan 29, 2026

nelljerram (Member) commented Jan 28, 2026

Fixes #11738

Release Note

Bugfix: fix rendering of NatPortRange option when using nftables.

Copilot AI review requested due to automatic review settings January 28, 2026 18:10
@nelljerram nelljerram requested a review from a team as a code owner January 28, 2026 18:10
@marvin-tigera marvin-tigera added this to the Calico v3.32.0 milestone Jan 28, 2026
@marvin-tigera marvin-tigera added release-note-required Change has user-facing impact (no matter how small) docs-pr-required Change is not yet documented labels Jan 28, 2026
Copilot AI (Contributor) left a comment

Pull request overview

This PR fixes a bug in the nftables implementation where the MasqAction was generating incorrect syntax when a port range was specified. The missing colon before the port range has been corrected and corresponding test cases have been added.

Changes:

  • Fixed nftables MasqAction to include colon before port range (changed "masquerade to %s" to "masquerade to :%s")
  • Added test cases for MasqAction with ToPorts in both nftables and iptables test suites

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 4 comments.

File | Description
felix/nftables/actions.go | Fixed format string to include missing colon before port range in MasqAction.ToFragment()
felix/nftables/actions_test.go | Added test case to verify MasqAction renders correctly with ToPorts parameter
felix/iptables/actions_test.go | Added test case to verify MasqAction renders correctly with ToPorts parameter (for consistency)

Entry("SNATAction", environment.Features{}, SNATAction{ToAddr: "10.0.0.1"}, "snat to 10.0.0.1"),
Entry("SNATAction fully random", environment.Features{SNATFullyRandom: true}, SNATAction{ToAddr: "10.0.0.1"}, "snat to 10.0.0.1 fully-random"),
Entry("MasqAction", environment.Features{}, MasqAction{}, "masquerade"),
Entry("MasqAction", environment.Features{}, MasqAction{ToPorts: "32768-65535"}, "masquerade to :32768-65535"),
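
Review bot: the new MasqAction{ToPorts: "32768-65535"} entry only compares the rendered fragment with a hand-written literal, so it pins the colon but cannot show that nftables accepts the rule; a wrong literal would pass the same way. Pair it with an FV test that applies a natPortRange in nftables mode, and give the entry a distinct name such as "MasqAction with ToPorts" so a failure identifies the case.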

Copilot AI Jan 28, 2026


The test entry name "MasqAction" is duplicated on lines 39, 40, and 41. While this follows an existing pattern in this file, Ginkgo test entries should have unique names for better test identification and reporting. Consider using more descriptive names like "MasqAction with ToPorts", "MasqAction fully random", etc.

Entry("SNATAction", environment.Features{}, SNATAction{ToAddr: "10.0.0.1"}, "--jump SNAT --to-source 10.0.0.1"),
Entry("SNATAction fully random", environment.Features{SNATFullyRandom: true}, SNATAction{ToAddr: "10.0.0.1"}, "--jump SNAT --to-source 10.0.0.1 --random-fully"),
Entry("MasqAction", environment.Features{}, MasqAction{}, "--jump MASQUERADE"),
Entry("MasqAction", environment.Features{}, MasqAction{ToPorts: "32768-65535"}, "--jump MASQUERADE --to-ports 32768-65535"),

Copilot AI Jan 28, 2026


The test entry name "MasqAction" is duplicated on lines 39, 40, and 41. While this follows an existing pattern in this file, Ginkgo test entries should have unique names for better test identification and reporting. Consider using more descriptive names like "MasqAction with ToPorts", "MasqAction fully random", etc.

Comment on lines +40 to 41
Entry("MasqAction", environment.Features{}, MasqAction{ToPorts: "32768-65535"}, "masquerade to :32768-65535"),
Entry("MasqAction", environment.Features{MASQFullyRandom: true}, MasqAction{}, "masquerade fully-random"),

Copilot AI Jan 28, 2026


The MasqAction implementation supports both ToPorts and MASQFullyRandom features simultaneously (line 332 in actions.go appends fullyRand even when ToPorts is set), but there is no test case covering this combination. Consider adding a test case like: Entry("MasqAction with ToPorts and fully random", environment.Features{MASQFullyRandom: true}, MasqAction{ToPorts: "32768-65535"}, "masquerade to :32768-65535 fully-random")

Comment on lines +40 to 41
Entry("MasqAction", environment.Features{}, MasqAction{ToPorts: "32768-65535"}, "--jump MASQUERADE --to-ports 32768-65535"),
Entry("MasqAction", environment.Features{MASQFullyRandom: true}, MasqAction{}, "--jump MASQUERADE --random-fully"),

Copilot AI Jan 28, 2026


The MasqAction implementation supports both ToPorts and MASQFullyRandom features simultaneously (line 313 in actions.go appends fullyRand even when ToPorts is set), but there is no test case covering this combination. Consider adding a test case like: Entry("MasqAction with ToPorts and fully random", environment.Features{MASQFullyRandom: true}, MasqAction{ToPorts: "32768-65535"}, "--jump MASQUERADE --to-ports 32768-65535 --random-fully")

@nelljerram nelljerram added docs-not-required Docs not required for this change and removed docs-pr-required Change is not yet documented labels Jan 28, 2026
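
The formatting bug summarised in the review overview above, as an added Go sketch that is not Felix's code: `masqFragment` and `validatePortRange` are hypothetical names, and the accepted port-range grammar is an assumption. It renders the fragment with the pre-fix and post-fix separator and rejects malformed ranges before they reach rule text.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// validatePortRange accepts "N" or "LO-HI" with 1 <= LO <= HI <= 65535.
// The accepted grammar is an assumption made for this example.
func validatePortRange(s string) error {
	lo, hi, isRange := strings.Cut(s, "-")
	if !isRange {
		hi = lo
	}
	l, errLo := strconv.ParseUint(lo, 10, 16)
	h, errHi := strconv.ParseUint(hi, 10, 16)
	if errLo != nil || errHi != nil || l == 0 || l > h {
		return fmt.Errorf("invalid port range %q", s)
	}
	return nil
}

// masqFragment is a hypothetical renderer, not Felix's MasqAction.ToFragment.
// colon=false reproduces the pre-fix output; colon=true is the corrected one.
func masqFragment(toPorts string, fullyRandom, colon bool) (string, error) {
	frag := "masquerade"
	if toPorts != "" {
		if err := validatePortRange(toPorts); err != nil {
			return "", err
		}
		sep := " to " // pre-fix: colon missing before the port range
		if colon {
			sep = " to :" // post-fix
		}
		frag += sep + toPorts
	}
	if fullyRandom {
		frag += " fully-random"
	}
	return frag, nil
}

func main() {
	for _, colon := range []bool{false, true} {
		fmt.Println(masqFragment("32768-65535", false, colon))
	}
}
```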
fasaxc (Member) left a comment

Looks like we missed an FV test for this, otherwise it would have been failing, but I suppose we've got a UT now.

@nelljerram nelljerram force-pushed the nftables-nat-port-range branch from 1ed3d91 to 344b8b1 Compare January 29, 2026 10:45
@marvin-tigera marvin-tigera merged commit 3856883 into projectcalico:master Jan 29, 2026
5 checks passed
marvin-tigera (Contributor) commented

I'm sorry but I failed to delete the branch after merging the pull request.

@nelljerram nelljerram deleted the nftables-nat-port-range branch January 29, 2026 11:35
nelljerram pushed a commit to nelljerram/calico that referenced this pull request Jan 29, 2026
…ort-range

Fix rendering of NatPortRange in nftables mode

(cherry picked from commit 3856883)
nelljerram pushed a commit to nelljerram/calico that referenced this pull request Jan 29, 2026
…ort-range

Fix rendering of NatPortRange in nftables mode

(cherry picked from commit 3856883)
nelljerram added a commit to nelljerram/calico that referenced this pull request Jan 30, 2026
Labels

delete-branch docs-not-required Docs not required for this change merge-when-ready release-note-required Change has user-facing impact (no matter how small)

Development

Successfully merging this pull request may close these issues.

Providing a natPortRange when using Nftables leads to a parsing issue when applied
