Closed as not planned
Labels
- development (Standard development)
- r&d:polykey:core activity 4 (End to End Networking behind Consumer NAT Devices)
Description
Specification
Once the GitLab runner supports nftables we should migrate our iptables usage over to nftables. There are many reasons for doing this, including:
- iptables is becoming obsolete and is being replaced with nftables
- nftables is more customisable and has more options than iptables
- iptables uses a lock (xtables.lock) that is not restricted to individual namespaces (we've had problems with this in the past) - nftables doesn't use xtables.lock so this can be removed
We already have nftables equivalents of the commands we're using in our NAT utils. They can be found here in our wiki: https://github.com/MatrixAI/js-polykey/wiki/nat-traversal#nat-traversal-testing
Additional context
- Tests for NAT-Traversal and Hole-Punching #381 - NAT traversal tests
- Tests for NAT-Traversal and Hole-Punching #357 (comment) - Discussion of bypassing xtables.lock issues in CI/CD
- https://github.com/MatrixAI/js-polykey/wiki/nat-traversal#nat-traversal-testing - nftables versions of our iptables commands
- https://gitlab.com/MatrixAI/Engineering/Maintenance/gitlab-runner/-/issues/22#note_989855213 - GitLab issue for updating the runners there
Tasks
- Change GitLab runner image from iptables-legacy to nftables
- Change NAT utils to use nft commands instead of iptables commands
- Remove xtables.lock temp fixes from GitLab runner
- Update the describeIf and testIf usage in the NAT tests to check for the existence of the nft command rather than the iptables command
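One way to implement the availability check from the last task, added here as an example and not taken from the project's code. `findCommand` and `natTestsSupported` are hypothetical names; the boolean result is meant to be passed as the condition to conditional test helpers such as describeIf and testIf, whose signatures are not shown on this page.

```javascript
// Added example (not the project's code): decide whether nft-based NAT tests can run.
const fs = require('node:fs');
const path = require('node:path');

// Resolve `command` against the directories in `pathEnv` without spawning a
// shell, so the lookup cannot be influenced by shell metacharacters.
// Returns the absolute path of the first executable regular file, or null.
function findCommand(command, pathEnv = process.env.PATH ?? '') {
  // Accept a bare command name only; anything with a separator is rejected
  // so a caller cannot point the check at an arbitrary file.
  if (command === '' || command.includes('/') || command.includes(path.sep)) {
    return null;
  }
  for (const dir of pathEnv.split(path.delimiter)) {
    // An empty PATH entry means "current directory"; skip it deliberately.
    if (dir === '') continue;
    const candidate = path.join(dir, command);
    try {
      if (!fs.statSync(candidate).isFile()) continue;
      fs.accessSync(candidate, fs.constants.X_OK);
      return candidate;
    } catch {
      // Missing or not executable here: try the next directory.
    }
  }
  return null;
}

// Hypothetical gate for the NAT tests: nftables is Linux-only, and the tests
// shell out to `nft`, so both conditions must hold before the suite runs.
function natTestsSupported(
  platform = process.platform,
  pathEnv = process.env.PATH ?? '',
) {
  return platform === 'linux' && findCommand('nft', pathEnv) !== null;
}
```

Checking for `nft` rather than `iptables` matters on runners that still ship only the legacy binary: the suite is skipped instead of failing partway through rule setup.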