downstream: Transition to nftables backend

.github/dependabot.yml

@@ -0,0 +1,15 @@
+---
+version: 2
+updates:
+  - package-ecosystem: gomod
+    directory: /
+    schedule:
+      interval: daily
+  - package-ecosystem: docker
+    directory: /
+    schedule:
+      interval: daily
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: daily

.github/workflows/ci.yml

@@ -0,0 +1,103 @@
+name: CI
+
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+    branches: [ main ]
+
+jobs:
+  lint:
+    name: Lint
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v6
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: go.mod
+
+      - uses: golangci/golangci-lint-action@v7
+        with:
+          version: v2.0.2
+          args: -v
+
+  build:
+    needs: lint
+    strategy:
+      matrix:
+        os: [ ubuntu-latest ]
+        goos: [ linux ]
+        goarch: [amd64, arm64, ppc64le]
+    runs-on: ${{ matrix.os }}
+    env:
+      GO111MODULE: on
+
+    steps:
+      - uses: actions/checkout@v6
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: go.mod
+
+      - name: Build test for ${{ matrix.goarch }}
+        env:
+          GOARCH: ${{ matrix.goarch }}
+          GOOS: ${{ matrix.goos }}
+        run: GOARCH="${TARGET}" go build ./cmd/main.go
+
+  test-unit:
+    name: Run tests on Linux amd64
+    needs: build
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: go.mod
+
+      - name: Run tests
+        run: sudo make test
+
+  test-e2e:
+    name: Run e2e tests
+    needs: build
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: go.mod
+
+      - name: Install bats
+        run: sudo apt install bats
+      - name: Setup registry
+        run: docker run -d --restart=always -p "5000:5000" --name "kind-registry" registry:2
+
+      - name: Get tools
+        working-directory: ./e2e
+        run: ./get_tools.sh
+
+      - name: Setup cluster
+        working-directory: ./e2e
+        run: ./setup_cluster.sh
+
+      - name: "Test: simple"
+        working-directory: ./e2e
+        run: |
+          export TERM=dumb
+          # enable ip6_tables
+          sudo modprobe ip6_tables
+
+          ./run_all_tests.sh
+
+      - name: Upload logs
+        uses: actions/upload-artifact@v6
+        if: ${{ failure() }}
+        with:
+          name: kind-logs-e2e
+          path: ./e2e/artifacts/

.gitignore

@@ -1,18 +1,28 @@
-# Binary output dir
-bin/
-e2e/bin/
+# Binaries for programs and plugins
+*.exe
+*.exe~
+*.dll
+*.so
+*.dylib
+bin/*
+Dockerfile.cross
 
-# binary at the top
-/multi-networkpolicy-iptables
+# Test binary, built with `go test -c`
+*.test
 
-# GOPATH created by the build script
-gopath/
+# Output of the go coverage tool, specifically when used with LiteIDE
+*.out
+coverage.html
 
-# Editor paths
-.swp*
-.swo*
-.idea*
+# Go workspace file
+go.work
 
-# Test outputs
-*.out
-*.test
+# Kubernetes Generated files - skip generated files, except for vendored files
+!vendor/**/zz_generated.*
+
+# editor and IDE paraphernalia
+.idea
+.vscode
+*.swp
+*.swo
+*~

.golangci.yml

@@ -0,0 +1,63 @@
+
+version: "2"
+linters:
+  enable:
+    - contextcheck
+    - durationcheck
+    - forbidigo
+    - ginkgolinter
+    - gocritic
+    - misspell
+    - nonamedreturns
+    - predeclared
+    - revive
+    - unconvert
+    - unparam
+    - wastedassign
+  disable:
+    - errcheck
+  settings:
+    staticcheck:
+      checks:
+        - all
+        - '-QF1008'  # nested struct reference
+        - '-ST1005'  # capitalized error strings
+  exclusions:
+    generated: lax
+    presets:
+      - comments
+      - common-false-positives
+      - legacy
+      - std-error-handling
+    rules:
+      - linters:
+          - revive
+          - staticcheck
+        text: use ALL_CAPS in Go names; use CamelCase
+      - linters:
+          - revive
+        text: ' and that stutters;'
+      - path: (.+)_test\.go
+        text: 'dot-imports: should not use dot imports'
+      - path: (.+)_test\.go
+        text: "ginkgo-linter: wrong comparison assertion. Consider using (.+)BeZero(.+)"
+    paths:
+      - third_party$
+      - builtin$
+      - examples$
+formatters:
+  enable:
+    - gci
+    - gofumpt
+  settings:
+    gci:
+      sections:
+        - standard
+        - default
+        - prefix(github.com/k8snetworkplumbingwg/multi-network-policy-nftables)
+  exclusions:
+    generated: lax
+    paths:
+      - third_party$
+      - builtin$
+      - examples$

.snyk

@@ -4,10 +4,4 @@
 exclude:
   global:
     - "**/*_test.go"
-    - vendor/github.com/google/uuid
-    - vendor/github.com/Microsoft/go-winio/pkg/guid
-    - vendor/golang.org/x/tools/cmd/stringer
-    - vendor/golang.org/x/tools/internal/pkgbits
-    - vendor/k8s.io/client-go/util/cert
-    - vendor/k8s.io/klog
-    - vendor/k8s.io/klog/v2
+    - vendor/**

Dockerfile

@@ -1,17 +1,21 @@
-# This Dockerfile is used to build the image available on DockerHub
-FROM golang:1.24 as build
+FROM golang:1.24 as builder
+ARG TARGETOS
+ARG TARGETARCH
 
-# Add everything
-ADD . /usr/src/multi-networkpolicy-iptables
+WORKDIR /workspace
 
-RUN cd /usr/src/multi-networkpolicy-iptables && \
-    CGO_ENABLED=0 go build ./cmd/multi-networkpolicy-iptables/
+COPY go.mod go.mod
+COPY go.sum go.sum
+RUN go mod download
 
-FROM fedora:38
-LABEL org.opencontainers.image.source https://github.com/k8snetworkplumbingwg/multi-networkpolicy-iptables
-RUN dnf install -y iptables-utils iptables-legacy iptables-nft
-RUN alternatives --set iptables /usr/sbin/iptables-nft
-COPY --from=build /usr/src/multi-networkpolicy-iptables/multi-networkpolicy-iptables /usr/bin
-WORKDIR /usr/bin
+COPY cmd/main.go cmd/main.go
+COPY pkg/ pkg/
 
-ENTRYPOINT ["multi-networkpolicy-iptables"]
+RUN CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} go build -a -o multi-networkpolicy-nftables cmd/main.go
+
+FROM fedora:42
+WORKDIR /
+
+RUN dnf install -y nftables
+COPY --from=builder /workspace/multi-networkpolicy-nftables .
+ENTRYPOINT ["/multi-networkpolicy-nftables"]

Dockerfile.openshift

@@ -2,19 +2,22 @@
 FROM registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.24-openshift-4.22 AS build
 
 # Add everything
-ADD . /usr/src/multi-networkpolicy-iptables
-WORKDIR /usr/src/multi-networkpolicy-iptables
-RUN CGO_ENABLED=0 go build ./cmd/multi-networkpolicy-iptables/
+ADD . /usr/src/multus-networkpolicy
+WORKDIR /usr/src/multus-networkpolicy
+RUN CGO_ENABLED=0 go build -a -o multi-networkpolicy-nftables ./cmd/
 
 FROM registry.ci.openshift.org/ocp/4.22:base-rhel9
-LABEL org.opencontainers.image.source https://github.com/k8snetworkplumbingwg/multi-networkpolicy-iptables
-RUN dnf install -y iptables
-COPY --from=build /usr/src/multi-networkpolicy-iptables/multi-networkpolicy-iptables /usr/bin
+LABEL org.opencontainers.image.source https://github.com/openshift/multus-networkpolicy
+RUN dnf install -y nftables && dnf clean all
+COPY --from=build /usr/src/multus-networkpolicy/multi-networkpolicy-nftables /usr/bin
 WORKDIR /usr/bin
 
 LABEL io.k8s.display-name="Multus NetworkPolicy" \
       io.k8s.description="This is a component of OpenShift Container Platform and provides NetworkPolicy objects for secondary interfaces created with Multus CNI" \
       io.openshift.tags="openshift" \
       maintainer="Doug Smith <[email protected]>"
 
-ENTRYPOINT ["multi-networkpolicy-iptables"]
+# TODO: compatibility layer with the original multus-networkpolicy-iptables image. Remove this once the ClsuterNetworkOperator is updated to use the nftables implementation. 
+RUN ln -s /usr/bin/multi-networkpolicy-nftables /usr/bin/multi-networkpolicy-iptables
+
+ENTRYPOINT ["multi-networkpolicy-nftables"]