Install iptables-nft explicitly

docker/base/Dockerfile.j2

@@ -160,7 +160,6 @@ RUN rm -f /etc/rpm/macros.image-language-conf \
     {% set base_centos_yum_repos_to_disable = [
         'centos-ceph-squid',
         'centos-nfv-openvswitch',
-        'epel',
         'influxdb',
         'opensearch-2.x',
         'opensearch-dashboards-2.x',
@@ -170,7 +169,6 @@ RUN rm -f /etc/rpm/macros.image-language-conf \
         'centos-ceph-reef',
         'centos-nfv-openvswitch',
         'centos-opstools',
-        'epel',
         'influxdb',
         'opensearch-2.x',
         'opensearch-dashboards-2.x',
@@ -194,8 +192,8 @@ RUN {{ macros.install_packages(base_centos_yum_repo_packages | customizable("cen
 
 {% block base_redhat_binary_versionlock %}{% endblock %}
 
-{# NOTE(mnasiadka): In EL10 we install dumb-init from epel #}
-{% if base_distro_tag.startswith('10') or base_distro_tag.startswith('stream10') %}
+{# NOTE(mnasiadka): In EL10 we install dumb-init from epel. In EL9 we install iptables-legacy. #}
+{% if base_package_type == 'rpm' %}
 RUN dnf config-manager --enable epel
 {% endif %}
 

docker/neutron/neutron-base/Dockerfile.j2

@@ -12,6 +12,9 @@ LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build
 
 {% if base_package_type == 'rpm' %}
 
+    # FIXME(wszumski): iptables-nft is deprecated. We need to advise users
+    # to migrate to some other firewall driver as we cannot rely on this
+    # package forever, see: https://access.redhat.com/solutions/6739041
     {% set neutron_base_packages = [
         'conntrack-tools',
         'dnsmasq',
@@ -21,6 +24,7 @@ LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build
         'iproute-tc',
         'ipset',
         'iptables',
+        'iptables-nft',
         'iputils',
         'keepalived',
         'net-tools',
@@ -33,9 +37,12 @@ LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build
             'python3-openvswitch3.5'
         ] %}
     {% else %}
+	# NOTE(wszumski): iptables-legacy lets us check and clear out legacy
+	# iptables rules due to LP#2144562
         {% set neutron_base_packages = neutron_base_packages + [
             'openvswitch',
-            'python3-openvswitch'
+            'python3-openvswitch',
+            'iptables-legacy',
         ] %}
     {% endif %}
 
@@ -64,6 +71,18 @@ LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build
 
 {{ macros.install_packages(neutron_base_packages | customizable("packages")) }}
 
+{% if base_distro_tag.startswith('9') or base_distro_tag.startswith('stream9') %}
+# NOTE(wszumski): Without this iptables-legacy is selected as default. This
+# increases the priority from 10 to 200.
+RUN update-alternatives --install /usr/sbin/iptables iptables /usr/sbin/iptables-nft 200 \
+  --slave /usr/sbin/ip6tables ip6tables /usr/sbin/ip6tables-nft \
+  --slave /usr/sbin/iptables-restore iptables-restore /usr/sbin/iptables-nft-restore \
+  --slave /usr/sbin/iptables-save iptables-save /usr/sbin/iptables-nft-save \
+  --slave /usr/sbin/ip6tables-restore ip6tables-restore /usr/sbin/ip6tables-nft-restore \
+  --slave /usr/sbin/ip6tables-save ip6tables-save /usr/sbin/ip6tables-nft-save \
+  && update-alternatives --auto iptables
+{% endif %}
+
 ADD neutron-base-archive /neutron-base-source
 ADD plugins-archive /
 

releasenotes/notes/fixes-missing-iptables-nft-fd71eeee04c9345e.yaml

@@ -0,0 +1,37 @@
+upgrade:
+  - |
+    On Rocky9 on CentOS Stream 9 based installations, VMs may be using legacy
+    iptables rules if you installed or upgraded before this release. You can
+    check by running ``iptables-legacy-save`` inside of the
+    ``neutron_openvswitch_agent`` container and looking for neutron rules.
+
+    After upgrading you will need to clear out the old iptables rules to
+    prevent conflicts::
+
+      iptables-legacy -P INPUT ACCEPT
+      iptables-legacy -P FORWARD ACCEPT
+      iptables-legacy -P OUTPUT ACCEPT
+      iptables-legacy -t nat -F
+      iptables-legacy -t nat -X
+      iptables-legacy -t mangle -F
+      iptables-legacy -t mangle -X
+      iptables-legacy -t raw -F
+      iptables-legacy -t raw -X
+      iptables-legacy -t filter -F
+      iptables-legacy -t filter -X
+      iptables-legacy -F
+      iptables-legacy -X
+
+    If you are updating to this release or newer, no action is required.
+
+    For more information, please see
+    `LP#2144562 <https://bugs.launchpad.net/kolla/+bug/2144562>`__.
+
+fixes:
+  - |
+    Fixes an issue where firewall rules were being implemented via legacy
+    iptables rules. This differed from the behaviour in previous releases,
+    where iptables-nft was used to create these as nftables rules. On upgrade,
+    this could lead to mixture of iptables and nftables rules based on whether
+    the VM was booted before or after the upgrade. For more information, please
+    see `LP#2144562 <https://bugs.launchpad.net/kolla/+bug/2144562>`__.