feat: enable Flannel nftables mode

smira · smira · commit ecb7d45883bc · 2026-05-18T19:07:23.000+04:00
Use native nftables (it uses `nft` CLI internally) instead of going via
`iptables-nft` shim.

Signed-off-by: Andrey Smirnov &lt;andrey.smirnov@siderolabs.com&gt;
diff --git a/hack/release.toml b/hack/release.toml
@@ -115,6 +115,12 @@ The DNS protocol can be configured on a per-name server basis in the `ResolverCo
         description = """\
 Talos now supports a new `ImageCacheConfig` document for configuring the Image Cache feature, replacing the old `machine.features.imageCache` field in the v1alpha1 config.
 Old configuration is still supported for backwards compatibility.
+"""
+
+    [notes.flannel]
+        title = "Flannel CNI"
+        description = """\
+Talos now configures Flannel with the `EnableNFTables` option enabled, which uses nftables native backend instead of `iptables-nft` compatibility layer.
 """
 
 [make_deps]
diff --git a/internal/app/machined/pkg/controllers/k8s/internal/k8stemplates/flannel.go b/internal/app/machined/pkg/controllers/k8s/internal/k8stemplates/flannel.go
@@ -139,16 +139,18 @@ func FlannelConfigMapTemplate(spec *k8s.BootstrapManifestsConfigSpec) runtime.Ob
 	}
 
 	var netConf struct {
-		Network     string `json:"Network,omitempty"`
-		IPv6Network string `json:"IPv6Network,omitempty"`
-		EnableIPv6  *bool  `json:"EnableIPv6,omitempty"`
-		EnableIPv4  *bool  `json:"EnableIPv4,omitempty"`
-		Backend     struct {
+		Network        string `json:"Network,omitempty"`
+		IPv6Network    string `json:"IPv6Network,omitempty"`
+		EnableIPv6     *bool  `json:"EnableIPv6,omitempty"`
+		EnableIPv4     *bool  `json:"EnableIPv4,omitempty"`
+		EnableNFTables *bool  `json:"EnableNFTables,omitempty"`
+		Backend        struct {
 			Type string `json:"Type"`
 			Port int    `json:"Port"`
 		} `json:"Backend"`
 	}
 
+	netConf.EnableNFTables = new(true)
 	netConf.Backend.Type = "vxlan"
 	netConf.Backend.Port = 4789
 
diff --git a/internal/app/machined/pkg/controllers/k8s/internal/k8stemplates/testdata/flannel-configmap-dual.yaml b/internal/app/machined/pkg/controllers/k8s/internal/k8stemplates/testdata/flannel-configmap-dual.yaml
@@ -25,6 +25,7 @@ data:
       "Network": "10.96.0.0/12",
       "IPv6Network": "fd00::/112",
       "EnableIPv6": true,
+      "EnableNFTables": true,
       "Backend": {
         "Type": "vxlan",
         "Port": 4789
diff --git a/internal/app/machined/pkg/controllers/k8s/internal/k8stemplates/testdata/flannel-configmap-v4.yaml b/internal/app/machined/pkg/controllers/k8s/internal/k8stemplates/testdata/flannel-configmap-v4.yaml
@@ -23,6 +23,7 @@ data:
   net-conf.json: |-
     {
       "Network": "10.96.0.0/12",
+      "EnableNFTables": true,
       "Backend": {
         "Type": "vxlan",
         "Port": 4789
diff --git a/internal/app/machined/pkg/controllers/k8s/internal/k8stemplates/testdata/flannel-configmap-v6.yaml b/internal/app/machined/pkg/controllers/k8s/internal/k8stemplates/testdata/flannel-configmap-v6.yaml
@@ -25,6 +25,7 @@ data:
       "IPv6Network": "fd00::/112",
       "EnableIPv6": true,
       "EnableIPv4": false,
+      "EnableNFTables": true,
       "Backend": {
         "Type": "vxlan",
         "Port": 4789

Original file line number	Diff line number	Diff line change
`@@ -23,6 +23,7 @@ data:`
`23`	`23`	`net-conf.json: \|-`
`24`	`24`	`{`
`25`	`25`	`"Network": "10.96.0.0/12",`
	`26`	`+ "EnableNFTables": true,`
`26`	`27`	`"Backend": {`
`27`	`28`	`"Type": "vxlan",`
`28`	`29`	`"Port": 4789`