Add `iptablesMode` flag to proxy-init (#8887)

This change introduces a new value to be used at install (or upgrade)
time. The value (`proxyInit.iptablesMode=nft|legacy`) is responsible
for starting the proxy-init container in nft or legacy mode.

By default, the init container will use iptables-nft. When the mode is set to
`nft`, it will instead use iptables-nft. Most modern Linux distributions
support both, but a subset (such as RHEL based families) only support
iptables-nft and nf_tables.

Signed-off-by: Matei David <matei@buoyant.io>

charts/linkerd-control-plane/README.md

@@ -228,6 +228,7 @@ Kubernetes: `>=1.21.0-0`
 | proxyInit.image.name | string | `"cr.l5d.io/linkerd/proxy-init"` | Docker image for the proxy-init container |
 | proxyInit.image.pullPolicy | string | imagePullPolicy | Pull policy for the proxy-init container Docker image |
 | proxyInit.image.version | string | `"v1.6.2"` | Tag for the proxy-init container Docker image |
+| proxyInit.iptablesMode | string | `"nft"` | Variant of iptables that will be used to configure routing. Currently, proxy-init can be run either in 'nft' or in 'legacy' mode. The mode will control which utility binary will be called. The host must support whichever mode will be used |
 | proxyInit.logFormat | string | plain | Log format (`plain` or `json`) for the proxy-init |
 | proxyInit.logLevel | string | info | Log level for the proxy-init |
 | proxyInit.resources.cpu.limit | string | `"100m"` | Maximum amount of CPU units that the proxy-init container can use |

charts/linkerd-control-plane/values.yaml

@@ -175,6 +175,11 @@ proxy:
 
 # proxy-init configuration
 proxyInit:
+  # -- Variant of iptables that will be used to configure routing. Currently,
+  # proxy-init can be run either in 'nft' or in 'legacy' mode. The mode will
+  # control which utility binary will be called. The host must support
+  # whichever mode will be used
+  iptablesMode: "nft"
   # -- Default set of inbound ports to skip via iptables
   # - Galera (4567,4568)
   ignoreInboundPorts: "4567,4568"

charts/partials/templates/_proxy-init.tpl

@@ -1,5 +1,13 @@
 {{- define "partials.proxy-init" -}}
 args:
+{{- if (eq .Values.proxyInit.iptablesMode "nft") }}
+- --firewall-bin-path
+- "iptables-nft"
+- --firewall-save-bin-path
+- "iptables-nft-save"
+{{- else if not (eq .Values.proxyInit.iptablesMode "legacy") }}
+{{ fail (printf "Unsupported value \"%s\" for proxyInit.iptablesMode\nValid values: [\"nft\", \"legacy\"]" .Values.proxyInit.iptablesMode) }}
+{{- end }}
 - --incoming-proxy-port
 - {{.Values.proxy.ports.inbound | quote}}
 - --outgoing-proxy-port

cli/cmd/install_test.go

@@ -101,6 +101,7 @@ func TestRender(t *testing.T) {
 			OpaquePorts: "25,443,587,3306,5432,11211",
 		},
 		ProxyInit: &charts.ProxyInit{
+			IptablesMode: "nft",
 			Image: &charts.Image{
 				Name:       "ProxyInitImageName",
 				PullPolicy: "ImagePullPolicy",

cli/cmd/testdata/inject-filepath/expected/injected_nginx.yaml

@@ -149,6 +149,10 @@ spec:
           name: http
       initContainers:
       - args:
+        - --firewall-bin-path
+        - iptables-nft
+        - --firewall-save-bin-path
+        - iptables-nft-save
         - --incoming-proxy-port
         - "4143"
         - --outgoing-proxy-port

cli/cmd/testdata/inject-filepath/expected/injected_nginx_redis.yaml

@@ -149,6 +149,10 @@ spec:
           name: server
       initContainers:
       - args:
+        - --firewall-bin-path
+        - iptables-nft
+        - --firewall-save-bin-path
+        - iptables-nft-save
         - --incoming-proxy-port
         - "4143"
         - --outgoing-proxy-port
@@ -347,6 +351,10 @@ spec:
           name: http
       initContainers:
       - args:
+        - --firewall-bin-path
+        - iptables-nft
+        - --firewall-save-bin-path
+        - iptables-nft-save
         - --incoming-proxy-port
         - "4143"
         - --outgoing-proxy-port

cli/cmd/testdata/inject-filepath/expected/injected_redis.yaml

@@ -149,6 +149,10 @@ spec:
           name: server
       initContainers:
       - args:
+        - --firewall-bin-path
+        - iptables-nft
+        - --firewall-save-bin-path
+        - iptables-nft-save
         - --incoming-proxy-port
         - "4143"
         - --outgoing-proxy-port

cli/cmd/testdata/inject_contour.golden.yml

@@ -189,6 +189,10 @@ spec:
         - mountPath: /config
           name: contour-config
       - args:
+        - --firewall-bin-path
+        - iptables-nft
+        - --firewall-save-bin-path
+        - iptables-nft-save
         - --incoming-proxy-port
         - "4143"
         - --outgoing-proxy-port

cli/cmd/testdata/inject_emojivoto_already_injected.golden.yml

@@ -160,6 +160,10 @@ spec:
           name: http
       initContainers:
       - args:
+        - --firewall-bin-path
+        - iptables-nft
+        - --firewall-save-bin-path
+        - iptables-nft-save
         - --incoming-proxy-port
         - "4143"
         - --outgoing-proxy-port
@@ -369,6 +373,10 @@ spec:
           name: http
       initContainers:
       - args:
+        - --firewall-bin-path
+        - iptables-nft
+        - --firewall-save-bin-path
+        - iptables-nft-save
         - --incoming-proxy-port
         - "4143"
         - --outgoing-proxy-port
@@ -578,6 +586,10 @@ spec:
           name: http
       initContainers:
       - args:
+        - --firewall-bin-path
+        - iptables-nft
+        - --firewall-save-bin-path
+        - iptables-nft-save
         - --incoming-proxy-port
         - "4143"
         - --outgoing-proxy-port
@@ -787,6 +799,10 @@ spec:
           name: http
       initContainers:
       - args:
+        - --firewall-bin-path
+        - iptables-nft
+        - --firewall-save-bin-path
+        - iptables-nft-save
         - --incoming-proxy-port
         - "4143"
         - --outgoing-proxy-port

cli/cmd/testdata/inject_emojivoto_deployment.golden.yml

@@ -160,6 +160,10 @@ spec:
           name: http
       initContainers:
       - args:
+        - --firewall-bin-path
+        - iptables-nft
+        - --firewall-save-bin-path
+        - iptables-nft-save
         - --incoming-proxy-port
         - "4143"
         - --outgoing-proxy-port

cli/cmd/testdata/inject_emojivoto_deployment_access_log.golden.yml

@@ -163,6 +163,10 @@ spec:
           name: http
       initContainers:
       - args:
+        - --firewall-bin-path
+        - iptables-nft
+        - --firewall-save-bin-path
+        - iptables-nft-save
         - --incoming-proxy-port
         - "4143"
         - --outgoing-proxy-port

cli/cmd/testdata/inject_emojivoto_deployment_automountServiceAccountToken_false.golden.yml

@@ -152,6 +152,10 @@ spec:
           name: http
       initContainers:
       - args:
+        - --firewall-bin-path
+        - iptables-nft
+        - --firewall-save-bin-path
+        - iptables-nft-save
         - --incoming-proxy-port
         - "4143"
         - --outgoing-proxy-port

cli/cmd/testdata/inject_emojivoto_deployment_capabilities.golden.yml

@@ -173,6 +173,10 @@ spec:
           runAsUser: 33
       initContainers:
       - args:
+        - --firewall-bin-path
+        - iptables-nft
+        - --firewall-save-bin-path
+        - iptables-nft-save
         - --incoming-proxy-port
         - "4143"
         - --outgoing-proxy-port

cli/cmd/testdata/inject_emojivoto_deployment_config_overrides.golden.yml

@@ -177,6 +177,10 @@ spec:
           name: http
       initContainers:
       - args:
+        - --firewall-bin-path
+        - iptables-nft
+        - --firewall-save-bin-path
+        - iptables-nft-save
         - --incoming-proxy-port
         - "4143"
         - --outgoing-proxy-port

cli/cmd/testdata/inject_emojivoto_deployment_controller_name.golden.yml

@@ -160,6 +160,10 @@ spec:
           name: http
       initContainers:
       - args:
+        - --firewall-bin-path
+        - iptables-nft
+        - --firewall-save-bin-path
+        - iptables-nft-save
         - --incoming-proxy-port
         - "4143"
         - --outgoing-proxy-port
@@ -369,6 +373,10 @@ spec:
           name: http
       initContainers:
       - args:
+        - --firewall-bin-path
+        - iptables-nft
+        - --firewall-save-bin-path
+        - iptables-nft-save
         - --incoming-proxy-port
         - "4143"
         - --outgoing-proxy-port

cli/cmd/testdata/inject_emojivoto_deployment_debug.golden.yml

@@ -165,6 +165,10 @@ spec:
         terminationMessagePolicy: FallbackToLogsOnError
       initContainers:
       - args:
+        - --firewall-bin-path
+        - iptables-nft
+        - --firewall-save-bin-path
+        - iptables-nft-save
         - --incoming-proxy-port
         - "4143"
         - --outgoing-proxy-port

cli/cmd/testdata/inject_emojivoto_deployment_empty_resources.golden.yml

@@ -160,6 +160,10 @@ spec:
           name: http
       initContainers:
       - args:
+        - --firewall-bin-path
+        - iptables-nft
+        - --firewall-save-bin-path
+        - iptables-nft-save
         - --incoming-proxy-port
         - "4143"
         - --outgoing-proxy-port

cli/cmd/testdata/inject_emojivoto_deployment_hostNetwork_false.golden.yml

@@ -161,6 +161,10 @@ spec:
           name: http
       initContainers:
       - args:
+        - --firewall-bin-path
+        - iptables-nft
+        - --firewall-save-bin-path
+        - iptables-nft-save
         - --incoming-proxy-port
         - "4143"
         - --outgoing-proxy-port

cli/cmd/testdata/inject_emojivoto_deployment_opaque_ports.golden.yml

@@ -161,6 +161,10 @@ spec:
           name: http
       initContainers:
       - args:
+        - --firewall-bin-path
+        - iptables-nft
+        - --firewall-save-bin-path
+        - iptables-nft-save
         - --incoming-proxy-port
         - "4143"
         - --outgoing-proxy-port

cli/cmd/testdata/inject_emojivoto_deployment_overridden.golden.yml

@@ -161,6 +161,10 @@ spec:
           name: http
       initContainers:
       - args:
+        - --firewall-bin-path
+        - iptables-nft
+        - --firewall-save-bin-path
+        - iptables-nft-save
         - --incoming-proxy-port
         - "4143"
         - --outgoing-proxy-port

cli/cmd/testdata/inject_emojivoto_deployment_proxyignores.golden.yml

@@ -162,6 +162,10 @@ spec:
           name: http
       initContainers:
       - args:
+        - --firewall-bin-path
+        - iptables-nft
+        - --firewall-save-bin-path
+        - iptables-nft-save
         - --incoming-proxy-port
         - "4143"
         - --outgoing-proxy-port

cli/cmd/testdata/inject_emojivoto_deployment_udp.golden.yml

@@ -162,6 +162,10 @@ spec:
           protocol: UDP
       initContainers:
       - args:
+        - --firewall-bin-path
+        - iptables-nft
+        - --firewall-save-bin-path
+        - iptables-nft-save
         - --incoming-proxy-port
         - "4143"
         - --outgoing-proxy-port

cli/cmd/testdata/inject_emojivoto_list.golden.yml

@@ -162,6 +162,10 @@ items:
             name: http
         initContainers:
         - args:
+          - --firewall-bin-path
+          - iptables-nft
+          - --firewall-save-bin-path
+          - iptables-nft-save
           - --incoming-proxy-port
           - "4143"
           - --outgoing-proxy-port
@@ -365,6 +369,10 @@ items:
             protocol: TCP
         initContainers:
         - args:
+          - --firewall-bin-path
+          - iptables-nft
+          - --firewall-save-bin-path
+          - iptables-nft-save
           - --incoming-proxy-port
           - "4143"
           - --outgoing-proxy-port

cli/cmd/testdata/inject_emojivoto_list_empty_resources.golden.yml

@@ -162,6 +162,10 @@ items:
             name: http
         initContainers:
         - args:
+          - --firewall-bin-path
+          - iptables-nft
+          - --firewall-save-bin-path
+          - iptables-nft-save
           - --incoming-proxy-port
           - "4143"
           - --outgoing-proxy-port
@@ -365,6 +369,10 @@ items:
             protocol: TCP
         initContainers:
         - args:
+          - --firewall-bin-path
+          - iptables-nft
+          - --firewall-save-bin-path
+          - iptables-nft-save
           - --incoming-proxy-port
           - "4143"
           - --outgoing-proxy-port

cli/cmd/testdata/inject_emojivoto_pod.golden.yml

@@ -144,6 +144,10 @@ spec:
     name: vote-bot
   initContainers:
   - args:
+    - --firewall-bin-path
+    - iptables-nft
+    - --firewall-save-bin-path
+    - iptables-nft-save
     - --incoming-proxy-port
     - "4143"
     - --outgoing-proxy-port

cli/cmd/testdata/inject_emojivoto_pod_ingress.golden.yml

@@ -147,6 +147,10 @@ spec:
     name: vote-bot
   initContainers:
   - args:
+    - --firewall-bin-path
+    - iptables-nft
+    - --firewall-save-bin-path
+    - iptables-nft-save
     - --incoming-proxy-port
     - "4143"
     - --outgoing-proxy-port

cli/cmd/testdata/inject_emojivoto_pod_proxyignores.golden.yml

@@ -146,6 +146,10 @@ spec:
     name: vote-bot
   initContainers:
   - args:
+    - --firewall-bin-path
+    - iptables-nft
+    - --firewall-save-bin-path
+    - iptables-nft-save
     - --incoming-proxy-port
     - "4143"
     - --outgoing-proxy-port

cli/cmd/testdata/inject_emojivoto_pod_with_requests.golden.yml

@@ -155,6 +155,10 @@ spec:
     name: vote-bot
   initContainers:
   - args:
+    - --firewall-bin-path
+    - iptables-nft
+    - --firewall-save-bin-path
+    - iptables-nft-save
     - --incoming-proxy-port
     - "4143"
     - --outgoing-proxy-port

cli/cmd/testdata/inject_emojivoto_statefulset.golden.yml

@@ -161,6 +161,10 @@ spec:
           name: http
       initContainers:
       - args:
+        - --firewall-bin-path
+        - iptables-nft
+        - --firewall-save-bin-path
+        - iptables-nft-save
         - --incoming-proxy-port
         - "4143"
         - --outgoing-proxy-port

cli/cmd/testdata/inject_gettest_deployment.good.golden.yml

@@ -162,6 +162,10 @@ spec:
         - containerPort: 9090
       initContainers:
       - args:
+        - --firewall-bin-path
+        - iptables-nft
+        - --firewall-save-bin-path
+        - iptables-nft-save
         - --incoming-proxy-port
         - "4143"
         - --outgoing-proxy-port
@@ -373,6 +377,10 @@ spec:
         - containerPort: 9090
       initContainers:
       - args:
+        - --firewall-bin-path
+        - iptables-nft
+        - --firewall-save-bin-path
+        - iptables-nft-save
         - --incoming-proxy-port
         - "4143"
         - --outgoing-proxy-port

cli/cmd/testdata/inject_tap_deployment_debug.golden.yml

@@ -214,6 +214,10 @@ spec:
       dnsPolicy: ClusterFirst
       initContainers:
       - args:
+        - --firewall-bin-path
+        - iptables-nft
+        - --firewall-save-bin-path
+        - iptables-nft-save
         - --incoming-proxy-port
         - "4143"
         - --outgoing-proxy-port

cli/cmd/testdata/install_controlplane_tracing_output.golden

@@ -564,6 +564,7 @@ data:
         name: cr.l5d.io/linkerd/proxy-init
         pullPolicy: ""
         version: v1.6.2
+      iptablesMode: nft
       logFormat: ""
       logLevel: ""
       resources:
@@ -881,6 +882,10 @@ spec:
           name: linkerd-identity-token
       initContainers:
       - args:
+        - --firewall-bin-path
+        - "iptables-nft"
+        - --firewall-save-bin-path
+        - "iptables-nft-save"
         - --incoming-proxy-port
         - "4143"
         - --outgoing-proxy-port
@@ -1296,6 +1301,10 @@ spec:
           readOnly: true
       initContainers:
       - args:
+        - --firewall-bin-path
+        - "iptables-nft"
+        - --firewall-save-bin-path
+        - "iptables-nft-save"
         - --incoming-proxy-port
         - "4143"
         - --outgoing-proxy-port
@@ -1597,6 +1606,10 @@ spec:
           readOnly: true
       initContainers:
       - args:
+        - --firewall-bin-path
+        - "iptables-nft"
+        - --firewall-save-bin-path
+        - "iptables-nft-save"
         - --incoming-proxy-port
         - "4143"
         - --outgoing-proxy-port

cli/cmd/testdata/install_custom_domain.golden

@@ -564,6 +564,7 @@ data:
         name: cr.l5d.io/linkerd/proxy-init
         pullPolicy: ""
         version: v1.6.2
+      iptablesMode: nft
       logFormat: ""
       logLevel: ""
       resources:
@@ -880,6 +881,10 @@ spec:
           name: linkerd-identity-token
       initContainers:
       - args:
+        - --firewall-bin-path
+        - "iptables-nft"
+        - --firewall-save-bin-path
+        - "iptables-nft-save"
         - --incoming-proxy-port
         - "4143"
         - --outgoing-proxy-port
@@ -1294,6 +1299,10 @@ spec:
           readOnly: true
       initContainers:
       - args:
+        - --firewall-bin-path
+        - "iptables-nft"
+        - --firewall-save-bin-path
+        - "iptables-nft-save"
         - --incoming-proxy-port
         - "4143"
         - --outgoing-proxy-port
@@ -1595,6 +1604,10 @@ spec:
           readOnly: true
       initContainers:
       - args:
+        - --firewall-bin-path
+        - "iptables-nft"
+        - --firewall-save-bin-path
+        - "iptables-nft-save"
         - --incoming-proxy-port
         - "4143"
         - --outgoing-proxy-port

cli/cmd/testdata/install_custom_registry.golden

@@ -564,6 +564,7 @@ data:
         name: my.custom.registry/linkerd-io/proxy-init
         pullPolicy: ""
         version: v1.6.2
+      iptablesMode: nft
       logFormat: ""
       logLevel: ""
       resources:
@@ -880,6 +881,10 @@ spec:
           name: linkerd-identity-token
       initContainers:
       - args:
+        - --firewall-bin-path
+        - "iptables-nft"
+        - --firewall-save-bin-path
+        - "iptables-nft-save"
         - --incoming-proxy-port
         - "4143"
         - --outgoing-proxy-port
@@ -1294,6 +1299,10 @@ spec:
           readOnly: true
       initContainers:
       - args:
+        - --firewall-bin-path
+        - "iptables-nft"
+        - --firewall-save-bin-path
+        - "iptables-nft-save"
         - --incoming-proxy-port
         - "4143"
         - --outgoing-proxy-port
@@ -1595,6 +1604,10 @@ spec:
           readOnly: true
       initContainers:
       - args:
+        - --firewall-bin-path
+        - "iptables-nft"
+        - --firewall-save-bin-path
+        - "iptables-nft-save"
         - --incoming-proxy-port
         - "4143"
         - --outgoing-proxy-port

cli/cmd/testdata/install_default.golden

@@ -564,6 +564,7 @@ data:
         name: cr.l5d.io/linkerd/proxy-init
         pullPolicy: ""
         version: v1.6.2
+      iptablesMode: nft
       logFormat: ""
       logLevel: ""
       resources:
@@ -880,6 +881,10 @@ spec:
           name: linkerd-identity-token
       initContainers:
       - args:
+        - --firewall-bin-path
+        - "iptables-nft"
+        - --firewall-save-bin-path
+        - "iptables-nft-save"
         - --incoming-proxy-port
         - "4143"
         - --outgoing-proxy-port
@@ -1294,6 +1299,10 @@ spec:
           readOnly: true
       initContainers:
       - args:
+        - --firewall-bin-path
+        - "iptables-nft"
+        - --firewall-save-bin-path
+        - "iptables-nft-save"
         - --incoming-proxy-port
         - "4143"
         - --outgoing-proxy-port
@@ -1595,6 +1604,10 @@ spec:
           readOnly: true
       initContainers:
       - args:
+        - --firewall-bin-path
+        - "iptables-nft"
+        - --firewall-save-bin-path
+        - "iptables-nft-save"
         - --incoming-proxy-port
         - "4143"
         - --outgoing-proxy-port

cli/cmd/testdata/install_default_override_dst_get_nets.golden

@@ -564,6 +564,7 @@ data:
         name: cr.l5d.io/linkerd/proxy-init
         pullPolicy: ""
         version: v1.6.2
+      iptablesMode: nft
       logFormat: ""
       logLevel: ""
       resources:
@@ -880,6 +881,10 @@ spec:
           name: linkerd-identity-token
       initContainers:
       - args:
+        - --firewall-bin-path
+        - "iptables-nft"
+        - --firewall-save-bin-path
+        - "iptables-nft-save"
         - --incoming-proxy-port
         - "4143"
         - --outgoing-proxy-port
@@ -1294,6 +1299,10 @@ spec:
           readOnly: true
       initContainers:
       - args:
+        - --firewall-bin-path
+        - "iptables-nft"
+        - --firewall-save-bin-path
+        - "iptables-nft-save"
         - --incoming-proxy-port
         - "4143"
         - --outgoing-proxy-port
@@ -1595,6 +1604,10 @@ spec:
           readOnly: true
       initContainers:
       - args:
+        - --firewall-bin-path
+        - "iptables-nft"
+        - --firewall-save-bin-path
+        - "iptables-nft-save"
         - --incoming-proxy-port
         - "4143"
         - --outgoing-proxy-port

cli/cmd/testdata/install_default_token.golden

@@ -564,6 +564,7 @@ data:
         name: cr.l5d.io/linkerd/proxy-init
         pullPolicy: ""
         version: v1.6.2
+      iptablesMode: nft
       logFormat: ""
       logLevel: ""
       resources:
@@ -878,6 +879,10 @@ spec:
           name: linkerd-identity-end-entity
       initContainers:
       - args:
+        - --firewall-bin-path
+        - "iptables-nft"
+        - --firewall-save-bin-path
+        - "iptables-nft-save"
         - --incoming-proxy-port
         - "4143"
         - --outgoing-proxy-port
@@ -1283,6 +1288,10 @@ spec:
           readOnly: true
       initContainers:
       - args:
+        - --firewall-bin-path
+        - "iptables-nft"
+        - --firewall-save-bin-path
+        - "iptables-nft-save"
         - --incoming-proxy-port
         - "4143"
         - --outgoing-proxy-port
@@ -1575,6 +1584,10 @@ spec:
           readOnly: true
       initContainers:
       - args:
+        - --firewall-bin-path
+        - "iptables-nft"
+        - --firewall-save-bin-path
+        - "iptables-nft-save"
         - --incoming-proxy-port
         - "4143"
         - --outgoing-proxy-port

cli/cmd/testdata/install_ha_output.golden

@@ -591,6 +591,7 @@ data:
         name: cr.l5d.io/linkerd/proxy-init
         pullPolicy: ""
         version: v1.6.2
+      iptablesMode: nft
       logFormat: ""
       logLevel: ""
       resources:
@@ -962,6 +963,10 @@ spec:
           name: linkerd-identity-token
       initContainers:
       - args:
+        - --firewall-bin-path
+        - "iptables-nft"
+        - --firewall-save-bin-path
+        - "iptables-nft-save"
         - --incoming-proxy-port
         - "4143"
         - --outgoing-proxy-port
@@ -1422,6 +1427,10 @@ spec:
           readOnly: true
       initContainers:
       - args:
+        - --firewall-bin-path
+        - "iptables-nft"
+        - --firewall-save-bin-path
+        - "iptables-nft-save"
         - --incoming-proxy-port
         - "4143"
         - --outgoing-proxy-port
@@ -1759,6 +1768,10 @@ spec:
           readOnly: true
       initContainers:
       - args:
+        - --firewall-bin-path
+        - "iptables-nft"
+        - --firewall-save-bin-path
+        - "iptables-nft-save"
         - --incoming-proxy-port
         - "4143"
         - --outgoing-proxy-port

cli/cmd/testdata/install_ha_with_overrides_output.golden

@@ -591,6 +591,7 @@ data:
         name: cr.l5d.io/linkerd/proxy-init
         pullPolicy: ""
         version: v1.6.2
+      iptablesMode: nft
       logFormat: ""
       logLevel: ""
       resources:
@@ -962,6 +963,10 @@ spec:
           name: linkerd-identity-token
       initContainers:
       - args:
+        - --firewall-bin-path
+        - "iptables-nft"
+        - --firewall-save-bin-path
+        - "iptables-nft-save"
         - --incoming-proxy-port
         - "4143"
         - --outgoing-proxy-port
@@ -1422,6 +1427,10 @@ spec:
           readOnly: true
       initContainers:
       - args:
+        - --firewall-bin-path
+        - "iptables-nft"
+        - --firewall-save-bin-path
+        - "iptables-nft-save"
         - --incoming-proxy-port
         - "4143"
         - --outgoing-proxy-port
@@ -1759,6 +1768,10 @@ spec:
           readOnly: true
       initContainers:
       - args:
+        - --firewall-bin-path
+        - "iptables-nft"
+        - --firewall-save-bin-path
+        - "iptables-nft-save"
         - --incoming-proxy-port
         - "4143"
         - --outgoing-proxy-port

cli/cmd/testdata/install_heartbeat_disabled_output.golden

@@ -495,6 +495,7 @@ data:
         name: cr.l5d.io/linkerd/proxy-init
         pullPolicy: ""
         version: v1.6.2
+      iptablesMode: nft
       logFormat: ""
       logLevel: ""
       resources:
@@ -811,6 +812,10 @@ spec:
           name: linkerd-identity-token
       initContainers:
       - args:
+        - --firewall-bin-path
+        - "iptables-nft"
+        - --firewall-save-bin-path
+        - "iptables-nft-save"
         - --incoming-proxy-port
         - "4143"
         - --outgoing-proxy-port
@@ -1225,6 +1230,10 @@ spec:
           readOnly: true
       initContainers:
       - args:
+        - --firewall-bin-path
+        - "iptables-nft"
+        - --firewall-save-bin-path
+        - "iptables-nft-save"
         - --incoming-proxy-port
         - "4143"
         - --outgoing-proxy-port
@@ -1476,6 +1485,10 @@ spec:
           readOnly: true
       initContainers:
       - args:
+        - --firewall-bin-path
+        - "iptables-nft"
+        - --firewall-save-bin-path
+        - "iptables-nft-save"
         - --incoming-proxy-port
         - "4143"
         - --outgoing-proxy-port

cli/cmd/testdata/install_helm_control_plane_output.golden

@@ -540,6 +540,7 @@ data:
         name: cr.l5d.io/linkerd/proxy-init
         pullPolicy: ""
         version: test-proxy-init-version
+      iptablesMode: nft
       logFormat: ""
       logLevel: ""
       resources:
@@ -850,6 +851,10 @@ spec:
           name: linkerd-identity-token
       initContainers:
       - args:
+        - --firewall-bin-path
+        - "iptables-nft"
+        - --firewall-save-bin-path
+        - "iptables-nft-save"
         - --incoming-proxy-port
         - "4143"
         - --outgoing-proxy-port
@@ -1267,6 +1272,10 @@ spec:
           readOnly: true
       initContainers:
       - args:
+        - --firewall-bin-path
+        - "iptables-nft"
+        - --firewall-save-bin-path
+        - "iptables-nft-save"
         - --incoming-proxy-port
         - "4143"
         - --outgoing-proxy-port
@@ -1573,6 +1582,10 @@ spec:
           readOnly: true
       initContainers:
       - args:
+        - --firewall-bin-path
+        - "iptables-nft"
+        - --firewall-save-bin-path
+        - "iptables-nft-save"
         - --incoming-proxy-port
         - "4143"
         - --outgoing-proxy-port

cli/cmd/testdata/install_helm_control_plane_output_ha.golden

@@ -567,6 +567,7 @@ data:
         name: cr.l5d.io/linkerd/proxy-init
         pullPolicy: ""
         version: test-proxy-init-version
+      iptablesMode: nft
       logFormat: ""
       logLevel: ""
       resources:
@@ -932,6 +933,10 @@ spec:
           name: linkerd-identity-token
       initContainers:
       - args:
+        - --firewall-bin-path
+        - "iptables-nft"
+        - --firewall-save-bin-path
+        - "iptables-nft-save"
         - --incoming-proxy-port
         - "4143"
         - --outgoing-proxy-port
@@ -1395,6 +1400,10 @@ spec:
           readOnly: true
       initContainers:
       - args:
+        - --firewall-bin-path
+        - "iptables-nft"
+        - --firewall-save-bin-path
+        - "iptables-nft-save"
         - --incoming-proxy-port
         - "4143"
         - --outgoing-proxy-port
@@ -1737,6 +1746,10 @@ spec:
           readOnly: true
       initContainers:
       - args:
+        - --firewall-bin-path
+        - "iptables-nft"
+        - --firewall-save-bin-path
+        - "iptables-nft-save"
         - --incoming-proxy-port
         - "4143"
         - --outgoing-proxy-port

cli/cmd/testdata/install_helm_output_ha_labels.golden

@@ -571,6 +571,7 @@ data:
         name: cr.l5d.io/linkerd/proxy-init
         pullPolicy: ""
         version: test-proxy-init-version
+      iptablesMode: nft
       logFormat: ""
       logLevel: ""
       resources:
@@ -940,6 +941,10 @@ spec:
           name: linkerd-identity-token
       initContainers:
       - args:
+        - --firewall-bin-path
+        - "iptables-nft"
+        - --firewall-save-bin-path
+        - "iptables-nft-save"
         - --incoming-proxy-port
         - "4143"
         - --outgoing-proxy-port
@@ -1407,6 +1412,10 @@ spec:
           readOnly: true
       initContainers:
       - args:
+        - --firewall-bin-path
+        - "iptables-nft"
+        - --firewall-save-bin-path
+        - "iptables-nft-save"
         - --incoming-proxy-port
         - "4143"
         - --outgoing-proxy-port
@@ -1757,6 +1766,10 @@ spec:
           readOnly: true
       initContainers:
       - args:
+        - --firewall-bin-path
+        - "iptables-nft"
+        - --firewall-save-bin-path
+        - "iptables-nft-save"
         - --incoming-proxy-port
         - "4143"
         - --outgoing-proxy-port

cli/cmd/testdata/install_helm_output_ha_namespace_selector.golden

@@ -562,6 +562,7 @@ data:
         name: cr.l5d.io/linkerd/proxy-init
         pullPolicy: ""
         version: test-proxy-init-version
+      iptablesMode: nft
       logFormat: ""
       logLevel: ""
       resources:
@@ -922,6 +923,10 @@ spec:
           name: linkerd-identity-token
       initContainers:
       - args:
+        - --firewall-bin-path
+        - "iptables-nft"
+        - --firewall-save-bin-path
+        - "iptables-nft-save"
         - --incoming-proxy-port
         - "4143"
         - --outgoing-proxy-port
@@ -1385,6 +1390,10 @@ spec:
           readOnly: true
       initContainers:
       - args:
+        - --firewall-bin-path
+        - "iptables-nft"
+        - --firewall-save-bin-path
+        - "iptables-nft-save"
         - --incoming-proxy-port
         - "4143"
         - --outgoing-proxy-port
@@ -1727,6 +1736,10 @@ spec:
           readOnly: true
       initContainers:
       - args:
+        - --firewall-bin-path
+        - "iptables-nft"
+        - --firewall-save-bin-path
+        - "iptables-nft-save"
         - --incoming-proxy-port
         - "4143"
         - --outgoing-proxy-port

cli/cmd/testdata/install_no_init_container.golden

@@ -564,6 +564,7 @@ data:
         name: cr.l5d.io/linkerd/proxy-init
         pullPolicy: ""
         version: v1.6.2
+      iptablesMode: nft
       logFormat: ""
       logLevel: ""
       resources:

cli/cmd/testdata/install_output.golden

@@ -557,6 +557,7 @@ data:
         name: ProxyInitImageName
         pullPolicy: ImagePullPolicy
         version: ProxyInitVersion
+      iptablesMode: nft
       logFormat: ""
       logLevel: ""
       resources:
@@ -871,6 +872,10 @@ spec:
           name: linkerd-identity-token
       initContainers:
       - args:
+        - --firewall-bin-path
+        - "iptables-nft"
+        - --firewall-save-bin-path
+        - "iptables-nft-save"
         - --incoming-proxy-port
         - "4143"
         - --outgoing-proxy-port
@@ -1290,6 +1295,10 @@ spec:
           readOnly: true
       initContainers:
       - args:
+        - --firewall-bin-path
+        - "iptables-nft"
+        - --firewall-save-bin-path
+        - "iptables-nft-save"
         - --incoming-proxy-port
         - "4143"
         - --outgoing-proxy-port
@@ -1591,6 +1600,10 @@ spec:
           readOnly: true
       initContainers:
       - args:
+        - --firewall-bin-path
+        - "iptables-nft"
+        - --firewall-save-bin-path
+        - "iptables-nft-save"
         - --incoming-proxy-port
         - "4143"
         - --outgoing-proxy-port

cli/cmd/testdata/install_proxy_ignores.golden

@@ -564,6 +564,7 @@ data:
         name: cr.l5d.io/linkerd/proxy-init
         pullPolicy: ""
         version: v1.6.2
+      iptablesMode: nft
       logFormat: ""
       logLevel: ""
       resources:
@@ -880,6 +881,10 @@ spec:
           name: linkerd-identity-token
       initContainers:
       - args:
+        - --firewall-bin-path
+        - "iptables-nft"
+        - --firewall-save-bin-path
+        - "iptables-nft-save"
         - --incoming-proxy-port
         - "4143"
         - --outgoing-proxy-port
@@ -1294,6 +1299,10 @@ spec:
           readOnly: true
       initContainers:
       - args:
+        - --firewall-bin-path
+        - "iptables-nft"
+        - --firewall-save-bin-path
+        - "iptables-nft-save"
         - --incoming-proxy-port
         - "4143"
         - --outgoing-proxy-port
@@ -1595,6 +1604,10 @@ spec:
           readOnly: true
       initContainers:
       - args:
+        - --firewall-bin-path
+        - "iptables-nft"
+        - --firewall-save-bin-path
+        - "iptables-nft-save"
         - --incoming-proxy-port
         - "4143"
         - --outgoing-proxy-port

cli/cmd/testdata/install_values_file.golden

@@ -564,6 +564,7 @@ data:
         name: cr.l5d.io/linkerd/proxy-init
         pullPolicy: ""
         version: v1.6.2
+      iptablesMode: nft
       logFormat: ""
       logLevel: ""
       resources:
@@ -880,6 +881,10 @@ spec:
           name: linkerd-identity-token
       initContainers:
       - args:
+        - --firewall-bin-path
+        - "iptables-nft"
+        - --firewall-save-bin-path
+        - "iptables-nft-save"
         - --incoming-proxy-port
         - "4143"
         - --outgoing-proxy-port
@@ -1294,6 +1299,10 @@ spec:
           readOnly: true
       initContainers:
       - args:
+        - --firewall-bin-path
+        - "iptables-nft"
+        - --firewall-save-bin-path
+        - "iptables-nft-save"
         - --incoming-proxy-port
         - "4143"
         - --outgoing-proxy-port
@@ -1595,6 +1604,10 @@ spec:
           readOnly: true
       initContainers:
       - args:
+        - --firewall-bin-path
+        - "iptables-nft"
+        - --firewall-save-bin-path
+        - "iptables-nft-save"
         - --incoming-proxy-port
         - "4143"
         - --outgoing-proxy-port

controller/proxy-injector/fake/data/pod-with-debug.patch.json

@@ -42,6 +42,10 @@
     "path": "/spec/initContainers/-",
     "value": {
       "args": [
+        "--firewall-bin-path",
+        "iptables-nft",
+        "--firewall-save-bin-path",
+        "iptables-nft-save",
         "--incoming-proxy-port",
         "4143",
         "--outgoing-proxy-port",

controller/proxy-injector/fake/data/pod-with-ns-annotations.patch.json

@@ -52,6 +52,10 @@
     "path": "/spec/initContainers/-",
     "value": {
       "args": [
+        "--firewall-bin-path",
+        "iptables-nft",
+        "--firewall-save-bin-path",
+        "iptables-nft-save",
         "--incoming-proxy-port",
         "4143",
         "--outgoing-proxy-port",

controller/proxy-injector/fake/data/pod.patch.json

@@ -42,6 +42,10 @@
     "path": "/spec/initContainers/-",
     "value": {
       "args": [
+        "--firewall-bin-path",
+        "iptables-nft",
+        "--firewall-save-bin-path",
+        "iptables-nft-save",
         "--incoming-proxy-port",
         "4143",
         "--outgoing-proxy-port",

pkg/charts/linkerd2/values.go

@@ -129,6 +129,7 @@ type (
 		Resources            *Resources       `json:"resources"`
 		CloseWaitTimeoutSecs int64            `json:"closeWaitTimeoutSecs"`
 		RunAsRoot            bool             `json:"runAsRoot"`
+		IptablesMode         string           `json:"iptablesMode"`
 	}
 
 	// DebugContainer contains the fields to set the debugging sidecar

pkg/charts/linkerd2/values_test.go

@@ -116,6 +116,7 @@ func TestNewValues(t *testing.T) {
 			Await:                  true,
 		},
 		ProxyInit: &ProxyInit{
+			IptablesMode:        "nft",
 			IgnoreInboundPorts:  "4567,4568",
 			IgnoreOutboundPorts: "4567,4568",
 			LogLevel:            "",