Description
What happened:
When detecting which iptables rules to use, legacy or nft, we use the iptables command, and rely on the symlink for what the operating system has set. However, in the iptables-nft case, we explicitly use the iptables-nft command. If iptables-legacy is detected, and configured instead of iptables-nft, we should use the iptables-legacy command. Example output here:
I0708 16:14:16.001585 1 chain-management_linux.go:253] first attempt detecting iptables version. looking for hint/canary chain in iptables-nft
I0708 16:14:16.001722 1 chain-management_linux.go:523] executing iptables command [iptables-nft] with args [-w 60 -L KUBE-IPTABLES-HINT -t mangle -n]
2025/07/08 16:14:16 [1] error: There was an error running command: [iptables-nft -w 60 -L KUBE-IPTABLES-HINT -t mangle -n] Stderr: [exit status 1, # Warning: iptables-legacy tables present, use iptables-legacy to see them
iptables: No chain/target/match by that name.]
2025/07/08 16:14:16 [1] error: There was an error running command: [iptables-nft -w 60 -L KUBE-KUBELET-CANARY -t mangle -n] Stderr: [exit status 1, # Warning: iptables-legacy tables present, use iptables-legacy to see them
iptables: No chain/target/match by that name.]
I0708 16:14:16.005457 1 chain-management_linux.go:523] executing iptables command [iptables-nft] with args [-w 60 -L KUBE-KUBELET-CANARY -t mangle -n]
I0708 16:14:16.007212 1 chain-management_linux.go:259] second attempt detecting iptables version. looking for hint/canary chain in iptables-legacy
I0708 16:14:16.007218 1 chain-management_linux.go:523] executing iptables command [iptables] with args [-w 60 -L KUBE-IPTABLES-HINT -t mangle -n]
I0708 16:14:16.008471 1 const.go:276] setting iptables to legacy
I0708 16:14:16.008483 1 chain-management_linux.go:304] detected legacy iptables. cleaning up nft iptables
I0708 16:14:16.008487 1 const.go:269] setting iptables to nft
I0708 16:14:16.008492 1 chain-management_linux.go:523] executing iptables command [iptables-nft] with args [-w 60 -D FORWARD -j AZURE-NPM]
I0708 16:14:16.010705 1 chain-management_linux.go:535] in nft tables, didn't delete deprecated jump rule from FORWARD chain to AZURE-NPM chain likely because AZURE-NPM chain doesn't exist. not able to run iptables command [iptables-nft -w 60 -D FORWARD -j AZURE-NPM]. exit code: 2, output: iptables v1.8.4 (nf_tables): Chain 'AZURE-NPM' does not exist
Try `iptables -h' or 'iptables --help' for more information.
I0708 16:14:16.010716 1 chain-management_linux.go:523] executing iptables command [iptables-nft] with args [-w 60 -D FORWARD -j AZURE-NPM -m conntrack --ctstate NEW]
2025/07/08 16:14:16 [1] Acquiring process lock
2025/07/08 16:14:16 [1] Acquired process lock with timeout value of 10s
2025/07/08 16:14:16 [1] Released process lock
I0708 16:14:16.013573 1 chain-management_linux.go:535] in nft tables, didn't delete deprecated jump rule from FORWARD chain to AZURE-NPM chain likely because AZURE-NPM chain doesn't exist. not able to run iptables command [iptables-nft -w 60 -D FORWARD -j AZURE-NPM -m conntrack --ctstate NEW]. exit code: 2, output: iptables v1.8.4 (nf_tables): Chain 'AZURE-NPM' does not exist
Try `iptables -h' or 'iptables --help' for more information.
I0708 16:14:16.017080 1 chain-management_linux.go:349] no chains to cleanup
I0708 16:14:16.017092 1 chain-management_linux.go:313] cleaned up nft tables
I0708 16:14:16.017097 1 const.go:276] setting iptables to legacy
What you expected to happen:
How to reproduce it:
Kubernetes Version:
Kernel (e.g. uname -a):
Anything else we need to know?:
[Miscellaneous information that will assist in solving the issue.]
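The detection sequence the report describes, written out as an added example (this is not azure-container-networking's own code). It probes the hint/canary chains with the backend-specific binaries only: `iptables-nft` first, then `iptables-legacy`, never the plain `iptables` wrapper whose target depends on the distro's alternatives symlink. The chain names, table and `-w 60` arguments are taken from the log above; `FakeNode`, `Mode`, `Runner` and `DetectMode` are names invented here, and `FakeNode` is a constructed stand-in for a node so the example runs offline (it also rejects any call through the wrapper, which is exactly the path the report says is wrong). `ExecRunner` is the real runner for use on an actual node.

```go
package main

import (
	"fmt"
	"os/exec"
	"strings"
)

// Mode names the iptables backend that owns the kube-proxy/kubelet hint chains.
type Mode string

const (
	ModeNFT    Mode = "nft"
	ModeLegacy Mode = "legacy"
)

// Binary returns the backend-specific command for this mode. It never returns
// the plain "iptables" wrapper: that resolves to whatever the distro symlink
// points at, which is not necessarily the backend that was detected.
func (m Mode) Binary() string {
	if m == ModeLegacy {
		return "iptables-legacy"
	}
	return "iptables-nft"
}

// Runner executes one iptables invocation and returns its combined output.
type Runner func(bin string, args ...string) (string, error)

// ExecRunner is the real runner: it shells out to the named binary.
func ExecRunner(bin string, args ...string) (string, error) {
	out, err := exec.Command(bin, args...).CombinedOutput()
	return string(out), err
}

// hintChains are the mangle-table chains kube-proxy/kubelet create to signal
// which backend they use (names taken from the log in the report).
var hintChains = []string{"KUBE-IPTABLES-HINT", "KUBE-KUBELET-CANARY"}

// hasHintChain reports whether bin can list any hint chain in the mangle table.
func hasHintChain(run Runner, bin string) bool {
	for _, chain := range hintChains {
		if _, err := run(bin, "-w", "60", "-L", chain, "-t", "mangle", "-n"); err == nil {
			return true
		}
	}
	return false
}

// DetectMode probes iptables-nft first and iptables-legacy second, each with
// its own explicit binary, and returns the backend that owns the hint chains.
func DetectMode(run Runner) (Mode, error) {
	if hasHintChain(run, ModeNFT.Binary()) {
		return ModeNFT, nil
	}
	if hasHintChain(run, ModeLegacy.Binary()) {
		return ModeLegacy, nil
	}
	return "", fmt.Errorf("no hint/canary chain found in either backend")
}

// FakeNode is a constructed stand-in for a node so the example runs offline.
// It answers like iptables-nft / iptables-legacy on a node whose hint chains
// live in the backend flagged by NFTHint / LegacyHint, and records every call.
type FakeNode struct {
	NFTHint    bool
	LegacyHint bool
	Calls      []string
}

func (f *FakeNode) Run(bin string, args ...string) (string, error) {
	f.Calls = append(f.Calls, bin+" "+strings.Join(args, " "))
	listing := false // true when args ask to list one of the hint chains
	for i, a := range args {
		if a == "-L" && i+1 < len(args) && (args[i+1] == hintChains[0] || args[i+1] == hintChains[1]) {
			listing = true
		}
	}
	switch {
	case bin == "iptables-nft" && listing && f.NFTHint,
		bin == "iptables-legacy" && listing && f.LegacyHint:
		return "", nil
	case bin == "iptables-nft" && f.LegacyHint:
		// iptables-nft warns when the other backend has tables loaded (see the log).
		return "# Warning: iptables-legacy tables present, use iptables-legacy to see them\n" +
			"iptables: No chain/target/match by that name.", fmt.Errorf("exit status 1")
	case bin == "iptables-nft" || bin == "iptables-legacy":
		return "iptables: No chain/target/match by that name.", fmt.Errorf("exit status 1")
	}
	// The bug in the report: falling back to the wrapper symlink. Reject it here.
	return "", fmt.Errorf("refusing to run %q: use the backend-specific binary", bin)
}

func main() {
	node := &FakeNode{LegacyHint: true}
	mode, err := DetectMode(node.Run)
	if err != nil {
		fmt.Println("detection failed:", err)
		return
	}
	fmt.Printf("detected %s backend; later commands use %s\n", mode, mode.Binary())
}
```

On a real node replace `node.Run` with `ExecRunner`; the returned `mode.Binary()` is then the command to use for every later call, including the cleanup of the other backend's deprecated jump rules.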