From 478813bb63de8796ce2c560dddc162b06d21a6af Mon Sep 17 00:00:00 2001
From: Isaiah Raya
Date: Wed, 18 Jun 2025 13:46:09 -0700
Subject: [PATCH 1/8] fix: [NPM] [Backport] Update Ubuntu Base Image to 24.04 (#3743) fix: [NPM] Update Ubuntu Base Image to 24.04 (#3741) bump ubuntu to 24.04
---
 npm/linux.Dockerfile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/npm/linux.Dockerfile b/npm/linux.Dockerfile
index 3c278d2467..0dcfbfc693 100644
--- a/npm/linux.Dockerfile
+++ b/npm/linux.Dockerfile
@@ -6,8 +6,8 @@ WORKDIR /usr/local/src
 COPY . .
 RUN CGO_ENABLED=0 go build -v -o /usr/local/bin/azure-npm -ldflags "-X main.version="$VERSION" -X "$NPM_AI_PATH"="$NPM_AI_ID"" -gcflags="-dwarflocationlists=true" npm/cmd/*.go
-FROM mcr.microsoft.com/mirror/docker/library/ubuntu:20.04 as linux
+FROM mcr.microsoft.com/mirror/docker/library/ubuntu:24.04 as linux
 COPY --from=builder /usr/local/bin/azure-npm /usr/bin/azure-npm
-RUN apt-get update && apt-get install -y iptables ipset ca-certificates && apt-get autoremove -y && apt-get clean
+RUN apt-get update && apt-get install -y libsystemd0=255.4-1ubuntu8.8 libudev1=255.4-1ubuntu8.8 iptables ipset ca-certificates && apt-get autoremove -y && apt-get clean
 RUN chmod +x /usr/bin/azure-npm
 ENTRYPOINT ["/usr/bin/azure-npm", "start"]
From 273a2fea8e7b37736bb6dd35a1edb5ff3db880ce Mon Sep 17 00:00:00 2001
From: Keerthana Routhu <111544828+k-routhu@users.noreply.github.com>
Date: Wed, 25 Jun 2025 02:06:38 -0700
Subject: [PATCH 2/8] [Service Tags] ci: Backport service/virtual tag updates to release/v1.6 (#3754) [Service Tags] ci: Update ACN to use Virtual Tags (#3745) update to virtual tag
---
 hack/aks/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hack/aks/Makefile b/hack/aks/Makefile
index 1ec0b19f4f..0e9fd740ee 100644
--- a/hack/aks/Makefile
+++ b/hack/aks/Makefile
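Review bot: The exact pins `libsystemd0=255.4-1ubuntu8.8 libudev1=255.4-1ubuntu8.8` on the final-stage `RUN apt-get install` line are fragile, because apt can only install a version that is still in the archive index, so the build is likely to fail once Ubuntu publishes a newer revision of either package. A later base image that already ships a newer revision would also turn this line into a downgrade request, and the pin holds both libraries at this revision when later security updates arrive. Upgrading without a fixed version in a separate step, e.g. `apt-get install -y --only-upgrade libsystemd0 libudev1`, avoids all three. The same pattern is extended with four `libpam*` pins in PATCH 3/8. Separately, `ubuntu:24.04` is a mutable tag, so pinning the base image by digest would make the image contents reproducible.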
@@ -19,7 +19,7 @@ OS_SKU_WIN ?= Windows2022
 REGION ?= westus2
 VM_SIZE ?= Standard_B2s
 VM_SIZE_WIN ?= Standard_B2s
-IP_TAG ?= FirstPartyUsage=/DelegatedNetworkControllerTest
+IP_TAG ?= FirstPartyUsage=/NonProd
 IP_PREFIX ?= serviceTaggedIp
 PUBLIC_IP_ID ?= /subscriptions/$(SUB)/resourceGroups/$(GROUP)/providers/Microsoft.Network/publicIPAddresses
 PUBLIC_IPv4 ?= $(PUBLIC_IP_ID)/$(IP_PREFIX)-$(CLUSTER)-v4
From dda6b0c5002d416d29e4c5e53d8bd214321b354e Mon Sep 17 00:00:00 2001
From: Isaiah Raya
Date: Fri, 27 Jun 2025 14:08:31 -0700
Subject: [PATCH 3/8] [NPM] [CVE] Resolve CVE-2025-6020 (#3763) fixed cve CVE-2025-6020
---
 npm/linux.Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/npm/linux.Dockerfile b/npm/linux.Dockerfile
index 0dcfbfc693..d3165dd4db 100644
--- a/npm/linux.Dockerfile
+++ b/npm/linux.Dockerfile
@@ -8,6 +8,6 @@ RUN CGO_ENABLED=0 go build -v -o /usr/local/bin/azure-npm -ldflags "-X main.vers
 FROM mcr.microsoft.com/mirror/docker/library/ubuntu:24.04 as linux
 COPY --from=builder /usr/local/bin/azure-npm /usr/bin/azure-npm
-RUN apt-get update && apt-get install -y libsystemd0=255.4-1ubuntu8.8 libudev1=255.4-1ubuntu8.8 iptables ipset ca-certificates && apt-get autoremove -y && apt-get clean
+RUN apt-get update && apt-get install -y libsystemd0=255.4-1ubuntu8.8 libudev1=255.4-1ubuntu8.8 libpam-modules=1.5.3-5ubuntu5.4 libpam-modules-bin=1.5.3-5ubuntu5.4 libpam-runtime=1.5.3-5ubuntu5.4 libpam0g=1.5.3-5ubuntu5.4 iptables ipset ca-certificates && apt-get autoremove -y && apt-get clean
 RUN chmod +x /usr/bin/azure-npm
 ENTRYPOINT ["/usr/bin/azure-npm", "start"]
From 1ba39f7389eef1c6052a936cf5bbe634a0e38629 Mon Sep 17 00:00:00 2001
From: Isaiah Raya
Date: Mon, 30 Jun 2025 09:50:16 -0700
Subject: [PATCH 4/8] [NPM] [Vulnerability] Resolve ghsa-fv92-fjc5-jj9h Vulnerability (#3767) bump github.com/go-viper/mapstructure/v2
---
 go.mod | 2 +-
 go.sum | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
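Review bot: Nothing in the Dockerfile records why the four `libpam*` packages were added to the `RUN apt-get install` line in the PATCH 3/8 hunk, so a later maintainer cannot tell when they are safe to drop. A comment above that line such as `# libpam* listed explicitly to pick up the CVE-2025-6020 fix; remove once the base image includes it` would keep the reason next to the package list. It would also help to state in the commit description how the fix was confirmed in the built image, since the hunk only shows the requested versions.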
diff --git a/go.mod b/go.mod
index afd4ef27c8..85d009e2fc 100644
--- a/go.mod
+++ b/go.mod
@@ -150,7 +150,7 @@ require (
 github.com/go-openapi/spec v0.20.11 // indirect
 github.com/go-openapi/strfmt v0.21.9 // indirect
 github.com/go-openapi/validate v0.22.3 // indirect
- github.com/go-viper/mapstructure/v2 v2.2.1 // indirect
+ github.com/go-viper/mapstructure/v2 v2.3.0 // indirect
 github.com/google/gopacket v1.1.19 // indirect
 github.com/gorilla/websocket v1.5.1 // indirect
 github.com/hashicorp/golang-lru/v2 v2.0.7 // indirect
diff --git a/go.sum b/go.sum
index 76d1ad29c2..b722773cf0 100644
--- a/go.sum
+++ b/go.sum
@@ -161,8 +161,8 @@ github.com/go-openapi/validate v0.22.3/go.mod h1:kVxh31KbfsxU8ZyoHaDbLBWU5CnMdqB
 github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI=
 github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI=
 github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8=
-github.com/go-viper/mapstructure/v2 v2.2.1 h1:ZAaOCxANMuZx5RCeg0mBdEZk7DZasvvZIxtHqx8aGss=
-github.com/go-viper/mapstructure/v2 v2.2.1/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM=
+github.com/go-viper/mapstructure/v2 v2.3.0 h1:27XbWsHIqhbdR5TIC911OfYvgSaW93HM+dX7970Q7jk=
+github.com/go-viper/mapstructure/v2 v2.3.0/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM=
 github.com/gofrs/uuid v3.3.0+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM=
 github.com/gofrs/uuid v4.2.0+incompatible h1:yyYWMnhkhrKwwr8gAOcOCYxOOscHgDS9yZgBrnJfGa0=
 github.com/gofrs/uuid v4.2.0+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM=
From 58277d4e2609be5d24fb7910425c1f98361dcb86 Mon Sep 17 00:00:00 2001
From: Isaiah Raya
Date: Thu, 10 Jul 2025 02:47:32 +0000
Subject: [PATCH 5/8] added legacy
---
 npm/util/const.go | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/npm/util/const.go b/npm/util/const.go index 59ffa2ef05..b072beda64 100644 --- a/npm/util/const.go +++ b/npm/util/const.go @@ -36,9 +36,9 @@ const ( IptablesNft string = "iptables-nft" Ip6tablesLegacy string = "ip6tables" //nolint (avoid warning to capitalize this p) IptablesSaveNft string = "iptables-nft-save" - IptablesRestoreNft string = "iptables-nft-restore" - IptablesLegacy string = "iptables" - IptablesSaveLegacy string = "iptables-save" + IptablesRestoreNft string = "iptables-legacy-nft-restore" + IptablesLegacy string = "iptables-legacy" + IptablesSaveLegacy string = "iptables-legacy-save" IptablesRestoreLegacy string = "iptables-restore" IptablesRestoreNoFlushFlag string = "--noflush" IptablesRestoreTableFlag string = "-T" From 14b0315f92528f6020aff8bb7ff1fd74052804ad Mon Sep 17 00:00:00 2001 From: Isaiah Raya Date: Thu, 10 Jul 2025 02:50:45 +0000 Subject: [PATCH 6/8] typo --- npm/util/const.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/npm/util/const.go b/npm/util/const.go index b072beda64..e323d618b0 100644 --- a/npm/util/const.go +++ b/npm/util/const.go @@ -36,10 +36,10 @@ const ( IptablesNft string = "iptables-nft" Ip6tablesLegacy string = "ip6tables" //nolint (avoid warning to capitalize this p) IptablesSaveNft string = "iptables-nft-save" - IptablesRestoreNft string = "iptables-legacy-nft-restore" + IptablesRestoreNft string = "iptables-nft-restore" IptablesLegacy string = "iptables-legacy" IptablesSaveLegacy string = "iptables-legacy-save" - IptablesRestoreLegacy string = "iptables-restore" + IptablesRestoreLegacy string = "iptables-legacy-restore" IptablesRestoreNoFlushFlag string = "--noflush" IptablesRestoreTableFlag string = "-T" IptablesRestoreCommit string = "COMMIT" From 38ff048401e3b6d6cc1483ee468067e8f421500c Mon Sep 17 00:00:00 2001 
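Review bot: `Ip6tablesLegacy` is left as `"ip6tables"` in both const.go hunks (PATCH 5/8 and 6/8), while the IPv4 legacy constants next to it now name the `-legacy` binaries explicitly, ending up as `"iptables-legacy"`, `"iptables-legacy-save"` and `"iptables-legacy-restore"`. If the reason for the rename is that the unsuffixed commands resolve to the nft backend on the new base image, the IPv6 constant presumably has the same problem and should become `Ip6tablesLegacy string = "ip6tables-legacy" //nolint (avoid warning to capitalize this p)`. If the constant is unused, a comment saying so would prevent the mismatch from being copied. The `const (` block starts and ends outside both hunks, so other users of these names are not visible here.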
From: Isaiah Raya
Date: Thu, 10 Jul 2025 02:59:29 +0000
Subject: [PATCH 7/8] updated tests
---
 .../policies/chain-management_linux_test.go | 132 +++++++++---------
 1 file changed, 66 insertions(+), 66 deletions(-)
diff --git a/npm/pkg/dataplane/policies/chain-management_linux_test.go b/npm/pkg/dataplane/policies/chain-management_linux_test.go
index 1f92837f4b..d78576950f 100644
--- a/npm/pkg/dataplane/policies/chain-management_linux_test.go
+++ b/npm/pkg/dataplane/policies/chain-management_linux_test.go
@@ -936,7 +936,7 @@ func TestDetectIptablesVersion(t *testing.T) {
 ExitCode: 1,
 },
 {
- Cmd: []string{"iptables", "-w", "60", "-L", "KUBE-IPTABLES-HINT", "-t", "mangle", "-n"},
+ Cmd: []string{"iptables-legacy", "-w", "60", "-L", "KUBE-IPTABLES-HINT", "-t", "mangle", "-n"},
 ExitCode: 0,
 },
 },
@@ -954,11 +954,11 @@ func TestDetectIptablesVersion(t *testing.T) {
 ExitCode: 1,
 },
 {
- Cmd: []string{"iptables", "-w", "60", "-L", "KUBE-IPTABLES-HINT", "-t", "mangle", "-n"},
+ Cmd: []string{"iptables-legacy", "-w", "60", "-L", "KUBE-IPTABLES-HINT", "-t", "mangle", "-n"},
 ExitCode: 1,
 },
 {
- Cmd: []string{"iptables", "-w", "60", "-L", "KUBE-KUBELET-CANARY", "-t", "mangle", "-n"},
+ Cmd: []string{"iptables-legacy", "-w", "60", "-L", "KUBE-KUBELET-CANARY", "-t", "mangle", "-n"},
 ExitCode: 1,
 },
 },
@@ -976,11 +976,11 @@ func TestDetectIptablesVersion(t *testing.T) {
 ExitCode: 2,
 },
 {
- Cmd: []string{"iptables", "-w", "60", "-L", "KUBE-IPTABLES-HINT", "-t", "mangle", "-n"},
+ Cmd: []string{"iptables-legacy", "-w", "60", "-L", "KUBE-IPTABLES-HINT", "-t", "mangle", "-n"},
 ExitCode: 2,
 },
 {
- Cmd: []string{"iptables", "-w", "60", "-L", "KUBE-KUBELET-CANARY", "-t", "mangle", "-n"},
+ Cmd: []string{"iptables-legacy", "-w", "60", "-L", "KUBE-KUBELET-CANARY", "-t", "mangle", "-n"},
 ExitCode: 2,
 },
 },
@@ -1027,12 +1027,12 @@ func TestCleanupOtherChains(t *testing.T) {
 name: "cleanup legacy jump no chains",
 startWithNft: true,
 calls: []testutils.TestCmd{
- {Cmd: []string{"iptables", "-w", "60", "-D", "FORWARD", "-j", "AZURE-NPM"}}, // deprecated rule existed
+ {Cmd: []string{"iptables-legacy", "-w", "60", "-D", "FORWARD", "-j", "AZURE-NPM"}}, // deprecated rule existed
 {
- Cmd: []string{"iptables", "-w", "60", "-D", "FORWARD", "-j", "AZURE-NPM", "-m", "conntrack", "--ctstate", "NEW"},
+ Cmd: []string{"iptables-legacy", "-w", "60", "-D", "FORWARD", "-j", "AZURE-NPM", "-m", "conntrack", "--ctstate", "NEW"},
 ExitCode: 1,
 },
- {Cmd: []string{"iptables", "-w", "60", "-t", "filter", "-n", "-L"}, PipedToCommand: true},
+ {Cmd: []string{"iptables-legacy", "-w", "60", "-t", "filter", "-n", "-L"}, PipedToCommand: true},
 {
 Cmd: []string{"grep", "Chain AZURE-NPM"},
 ExitCode: 1,
@@ -1044,19 +1044,19 @@ func TestCleanupOtherChains(t *testing.T) {
 name: "cleanup legacy jump and chains",
 startWithNft: true,
 calls: []testutils.TestCmd{
- {Cmd: []string{"iptables", "-w", "60", "-D", "FORWARD", "-j", "AZURE-NPM"}}, // deprecated rule existed
+ {Cmd: []string{"iptables-legacy", "-w", "60", "-D", "FORWARD", "-j", "AZURE-NPM"}}, // deprecated rule existed
 {
- Cmd: []string{"iptables", "-w", "60", "-D", "FORWARD", "-j", "AZURE-NPM", "-m", "conntrack", "--ctstate", "NEW"},
+ Cmd: []string{"iptables-legacy", "-w", "60", "-D", "FORWARD", "-j", "AZURE-NPM", "-m", "conntrack", "--ctstate", "NEW"},
 ExitCode: 1,
 },
- {Cmd: []string{"iptables", "-w", "60", "-t", "filter", "-n", "-L"}, PipedToCommand: true},
+ {Cmd: []string{"iptables-legacy", "-w", "60", "-t", "filter", "-n", "-L"}, PipedToCommand: true},
 {
 Cmd: []string{"grep", "Chain AZURE-NPM"},
 Stdout: grepOutputTwoAzureChains,
 },
- {Cmd: []string{"iptables-restore", "-w", "60", "-T", "filter", "--noflush"}},
- {Cmd: []string{"iptables", "-w", "60", "-X", "AZURE-NPM"}},
- {Cmd: []string{"iptables", "-w", "60", "-X", "AZURE-NPM-INGRESS"}},
+ {Cmd: []string{"iptables-legacy-restore", "-w", "60", "-T", "filter", "--noflush"}},
+ {Cmd: []string{"iptables-legacy", "-w", "60", "-X", "AZURE-NPM"}},
+ {Cmd: []string{"iptables-legacy", "-w", "60", "-X", "AZURE-NPM-INGRESS"}},
 },
 expectedErr: false,
 },
@@ -1065,30 +1065,30 @@ func TestCleanupOtherChains(t *testing.T) {
 startWithNft: true,
 calls: []testutils.TestCmd{
 {
- Cmd: []string{"iptables", "-w", "60", "-D", "FORWARD", "-j", "AZURE-NPM"},
+ Cmd: []string{"iptables-legacy", "-w", "60", "-D", "FORWARD", "-j", "AZURE-NPM"},
 ExitCode: 1,
 },
 {
- Cmd: []string{"iptables", "-w", "60", "-D", "FORWARD", "-j", "AZURE-NPM", "-m", "conntrack", "--ctstate", "NEW"},
+ Cmd: []string{"iptables-legacy", "-w", "60", "-D", "FORWARD", "-j", "AZURE-NPM", "-m", "conntrack", "--ctstate", "NEW"},
 ExitCode: 1,
 },
- {Cmd: []string{"iptables", "-w", "60", "-t", "filter", "-n", "-L"}, PipedToCommand: true},
+ {Cmd: []string{"iptables-legacy", "-w", "60", "-t", "filter", "-n", "-L"}, PipedToCommand: true},
 {
 Cmd: []string{"grep", "Chain AZURE-NPM"},
 Stdout: grepOutputTwoAzureChains,
 },
 {
- Cmd: []string{"iptables-restore", "-w", "60", "-T", "filter", "--noflush"},
+ Cmd: []string{"iptables-legacy-restore", "-w", "60", "-T", "filter", "--noflush"},
 ExitCode: 1,
 },
 {
- Cmd: []string{"iptables-restore", "-w", "60", "-T", "filter", "--noflush"},
+ Cmd: []string{"iptables-legacy-restore", "-w", "60", "-T", "filter", "--noflush"},
 ExitCode: 1,
 },
- {Cmd: []string{"iptables", "-w", "60", "-F", "AZURE-NPM"}},
- {Cmd: []string{"iptables", "-w", "60", "-F", "AZURE-NPM-INGRESS"}},
- {Cmd: []string{"iptables", "-w", "60", "-X", "AZURE-NPM"}},
- {Cmd: []string{"iptables", "-w", "60", "-X", "AZURE-NPM-INGRESS"}},
+ {Cmd: []string{"iptables-legacy", "-w", "60", "-F", "AZURE-NPM"}},
+ {Cmd: []string{"iptables-legacy", "-w", "60", "-F", "AZURE-NPM-INGRESS"}},
+ {Cmd: []string{"iptables-legacy", "-w", "60", "-X", "AZURE-NPM"}},
+ {Cmd: []string{"iptables-legacy", "-w", "60", "-X", "AZURE-NPM-INGRESS"}},
 },
 expectedErr: false,
 },
@@ -1097,28 +1097,28 @@ func TestCleanupOtherChains(t *testing.T) {
 startWithNft: true,
 calls: []testutils.TestCmd{
 {
- Cmd: []string{"iptables", "-w", "60", "-D", "FORWARD", "-j", "AZURE-NPM"},
+ Cmd: []string{"iptables-legacy", "-w", "60", "-D", "FORWARD", "-j", "AZURE-NPM"},
 ExitCode: 1,
 },
 {
- Cmd: []string{"iptables", "-w", "60", "-D", "FORWARD", "-j", "AZURE-NPM", "-m", "conntrack", "--ctstate", "NEW"},
+ Cmd: []string{"iptables-legacy", "-w", "60", "-D", "FORWARD", "-j", "AZURE-NPM", "-m", "conntrack", "--ctstate", "NEW"},
 ExitCode: 1,
 },
- {Cmd: []string{"iptables", "-w", "60", "-t", "filter", "-n", "-L"}, PipedToCommand: true},
+ {Cmd: []string{"iptables-legacy", "-w", "60", "-t", "filter", "-n", "-L"}, PipedToCommand: true},
 {
 Cmd: []string{"grep", "Chain AZURE-NPM"},
 Stdout: grepOutputTwoAzureChains,
 },
 {
- Cmd: []string{"iptables-restore", "-w", "60", "-T", "filter", "--noflush"},
+ Cmd: []string{"iptables-legacy-restore", "-w", "60", "-T", "filter", "--noflush"},
 ExitCode: 1,
 },
 {
- Cmd: []string{"iptables-restore", "-w", "60", "-T", "filter", "--noflush"},
+ Cmd: []string{"iptables-legacy-restore", "-w", "60", "-T", "filter", "--noflush"},
 ExitCode: 1,
 },
 {
- Cmd: []string{"iptables", "-w", "60", "-F", "AZURE-NPM"},
+ Cmd: []string{"iptables-legacy", "-w", "60", "-F", "AZURE-NPM"},
 ExitCode: 1,
 },
 },
@@ -1129,28 +1129,28 @@ func TestCleanupOtherChains(t *testing.T) {
 startWithNft: true,
 calls: []testutils.TestCmd{
 {
- Cmd: []string{"iptables", "-w", "60", "-D", "FORWARD", "-j", "AZURE-NPM"},
+ Cmd: []string{"iptables-legacy", "-w", "60", "-D", "FORWARD", "-j", "AZURE-NPM"},
 ExitCode: 1,
 },
 {
- Cmd: []string{"iptables", "-w", "60", "-D", "FORWARD", "-j", "AZURE-NPM", "-m", "conntrack", "--ctstate", "NEW"},
+ Cmd: []string{"iptables-legacy", "-w", "60", "-D", "FORWARD", "-j", "AZURE-NPM", "-m", "conntrack", "--ctstate", "NEW"},
 ExitCode: 1,
 },
- {Cmd: []string{"iptables", "-w", "60", "-t", "filter", "-n", "-L"}, PipedToCommand: true},
+ {Cmd: []string{"iptables-legacy", "-w", "60", "-t", "filter", "-n", "-L"}, PipedToCommand: true},
 {
 Cmd: []string{"grep", "Chain AZURE-NPM"},
 Stdout: "Chain AZURE-NPM-INGRESS (1 references)\n",
 },
 {
- Cmd: []string{"iptables-restore", "-w", "60", "-T", "filter", "--noflush"},
+ Cmd: []string{"iptables-legacy-restore", "-w", "60", "-T", "filter", "--noflush"},
 ExitCode: 1,
 },
 {
- Cmd: []string{"iptables-restore", "-w", "60", "-T", "filter", "--noflush"},
+ Cmd: []string{"iptables-legacy-restore", "-w", "60", "-T", "filter", "--noflush"},
 ExitCode: 1,
 },
- {Cmd: []string{"iptables", "-w", "60", "-F", "AZURE-NPM-INGRESS"}},
- {Cmd: []string{"iptables", "-w", "60", "-X", "AZURE-NPM-INGRESS"}},
+ {Cmd: []string{"iptables-legacy", "-w", "60", "-F", "AZURE-NPM-INGRESS"}},
+ {Cmd: []string{"iptables-legacy", "-w", "60", "-X", "AZURE-NPM-INGRESS"}},
 },
 expectedErr: false,
 },
@@ -1159,37 +1159,37 @@ func TestCleanupOtherChains(t *testing.T) {
 startWithNft: true,
 calls: []testutils.TestCmd{
 {
- Cmd: []string{"iptables", "-w", "60", "-D", "FORWARD", "-j", "AZURE-NPM"},
+ Cmd: []string{"iptables-legacy", "-w", "60", "-D", "FORWARD", "-j", "AZURE-NPM"},
 ExitCode: 1,
 },
- {Cmd: []string{"iptables", "-w", "60", "-D", "FORWARD", "-j", "AZURE-NPM", "-m", "conntrack", "--ctstate", "NEW"}},
- {Cmd: []string{"iptables", "-w", "60", "-t", "filter", "-n", "-L"}, PipedToCommand: true},
+ {Cmd: []string{"iptables-legacy", "-w", "60", "-D", "FORWARD", "-j", "AZURE-NPM", "-m", "conntrack", "--ctstate", "NEW"}},
+ {Cmd: []string{"iptables-legacy", "-w", "60", "-t", "filter", "-n", "-L"}, PipedToCommand: true},
 {
 Cmd: []string{"grep", "Chain AZURE-NPM"},
 Stdout: grepOutputTwoAzureChains,
 },
 {
- Cmd: []string{"iptables-restore", "-w", "60", "-T", "filter", "--noflush"},
+ Cmd: []string{"iptables-legacy-restore", "-w", "60", "-T", "filter", "--noflush"},
 ExitCode: 1,
 },
 {
- Cmd: []string{"iptables-restore", "-w", "60", "-T", "filter", "--noflush"},
+ Cmd: []string{"iptables-legacy-restore", "-w", "60", "-T", "filter", "--noflush"},
 ExitCode: 1,
 },
 {
- Cmd: []string{"iptables", "-w", "60", "-F", "AZURE-NPM"},
+ Cmd: []string{"iptables-legacy", "-w", "60", "-F", "AZURE-NPM"},
 ExitCode: 1,
 },
 {
- Cmd: []string{"iptables", "-w", "60", "-F", "AZURE-NPM-INGRESS"},
+ Cmd: []string{"iptables-legacy", "-w", "60", "-F", "AZURE-NPM-INGRESS"},
 ExitCode: 1,
 },
 {
- Cmd: []string{"iptables", "-w", "60", "-X", "AZURE-NPM"},
+ Cmd: []string{"iptables-legacy", "-w", "60", "-X", "AZURE-NPM"},
 ExitCode: 1,
 },
 {
- Cmd: []string{"iptables", "-w", "60", "-X", "AZURE-NPM-INGRESS"},
+ Cmd: []string{"iptables-legacy", "-w", "60", "-X", "AZURE-NPM-INGRESS"},
 ExitCode: 1,
 },
 },
@@ -1199,38 +1199,38 @@ func TestCleanupOtherChains(t *testing.T) {
 name: "cleanup legacy errors ok if deleted jump (deprecated)",
 startWithNft: true,
 calls: []testutils.TestCmd{
- {Cmd: []string{"iptables", "-w", "60", "-D", "FORWARD", "-j", "AZURE-NPM"}},
+ {Cmd: []string{"iptables-legacy", "-w", "60", "-D", "FORWARD", "-j", "AZURE-NPM"}},
 {
- Cmd: []string{"iptables", "-w", "60", "-D", "FORWARD", "-j", "AZURE-NPM", "-m", "conntrack", "--ctstate", "NEW"},
+ Cmd: []string{"iptables-legacy", "-w", "60", "-D", "FORWARD", "-j", "AZURE-NPM", "-m", "conntrack", "--ctstate", "NEW"},
 ExitCode: 1,
 },
- {Cmd: []string{"iptables", "-w", "60", "-t", "filter", "-n", "-L"}, PipedToCommand: true},
+ {Cmd: []string{"iptables-legacy", "-w", "60", "-t", "filter", "-n", "-L"}, PipedToCommand: true},
 {
 Cmd: []string{"grep", "Chain AZURE-NPM"},
 Stdout: grepOutputTwoAzureChains,
 },
 {
- Cmd: []string{"iptables-restore", "-w", "60", "-T", "filter", "--noflush"},
+ Cmd: []string{"iptables-legacy-restore", "-w", "60", "-T", "filter", "--noflush"},
 ExitCode: 1,
 },
 {
- Cmd: []string{"iptables-restore", "-w", "60", "-T", "filter", "--noflush"},
+ Cmd: []string{"iptables-legacy-restore", "-w", "60", "-T", "filter", "--noflush"},
 ExitCode: 1,
 },
 {
- Cmd: []string{"iptables", "-w", "60", "-F", "AZURE-NPM"},
+ Cmd: []string{"iptables-legacy", "-w", "60", "-F", "AZURE-NPM"},
 ExitCode: 2,
 },
 {
- Cmd: []string{"iptables", "-w", "60", "-F", "AZURE-NPM-INGRESS"},
+ Cmd: []string{"iptables-legacy", "-w", "60", "-F", "AZURE-NPM-INGRESS"},
 ExitCode: 2,
 },
 {
- Cmd: []string{"iptables", "-w", "60", "-X", "AZURE-NPM"},
+ Cmd: []string{"iptables-legacy", "-w", "60", "-X", "AZURE-NPM"},
 ExitCode: 2,
 },
 {
- Cmd: []string{"iptables", "-w", "60", "-X", "AZURE-NPM-INGRESS"},
+ Cmd: []string{"iptables-legacy", "-w", "60", "-X", "AZURE-NPM-INGRESS"},
 ExitCode: 2,
 },
 },
@@ -1240,13 +1240,13 @@ func TestCleanupOtherChains(t *testing.T) {
 name: "cleanup legacy other flush errors ok",
 startWithNft: true,
 calls: []testutils.TestCmd{
- {Cmd: []string{"iptables", "-w", "60", "-D", "FORWARD", "-j", "AZURE-NPM"}},
+ {Cmd: []string{"iptables-legacy", "-w", "60", "-D", "FORWARD", "-j", "AZURE-NPM"}},
 {
- Cmd: []string{"iptables", "-w", "60", "-D", "FORWARD", "-j", "AZURE-NPM", "-m", "conntrack", "--ctstate", "NEW"},
+ Cmd: []string{"iptables-legacy", "-w", "60", "-D", "FORWARD", "-j", "AZURE-NPM", "-m", "conntrack", "--ctstate", "NEW"},
 ExitCode: 1,
 },
 {
- Cmd: []string{"iptables", "-w", "60", "-t", "filter", "-n", "-L"}, PipedToCommand: true,
+ Cmd: []string{"iptables-legacy", "-w", "60", "-t", "filter", "-n", "-L"}, PipedToCommand: true,
 ExitCode: 1,
 },
 {
@@ -1254,21 +1254,21 @@ func TestCleanupOtherChains(t *testing.T) {
 Stdout: grepOutputTwoAzureChains,
 },
 {
- Cmd: []string{"iptables-restore", "-w", "60", "-T", "filter", "--noflush"},
+ Cmd: []string{"iptables-legacy-restore", "-w", "60", "-T", "filter", "--noflush"},
 ExitCode: 1,
 },
 {
- Cmd: []string{"iptables-restore", "-w", "60", "-T", "filter", "--noflush"},
+ Cmd: []string{"iptables-legacy-restore", "-w", "60", "-T", "filter", "--noflush"},
 ExitCode: 1,
 },
- {Cmd: []string{"iptables", "-w", "60", "-F", "AZURE-NPM"}},
+ {Cmd: []string{"iptables-legacy", "-w", "60", "-F", "AZURE-NPM"}},
 {
- Cmd: []string{"iptables", "-w", "60", "-F", "AZURE-NPM-INGRESS"},
+ Cmd: []string{"iptables-legacy", "-w", "60", "-F", "AZURE-NPM-INGRESS"},
 ExitCode: 1,
 },
- {Cmd: []string{"iptables", "-w", "60", "-X", "AZURE-NPM"}},
+ {Cmd: []string{"iptables-legacy", "-w", "60", "-X", "AZURE-NPM"}},
 {
- Cmd: []string{"iptables", "-w", "60", "-X", "AZURE-NPM-INGRESS"},
+ Cmd: []string{"iptables-legacy", "-w", "60", "-X", "AZURE-NPM-INGRESS"},
 ExitCode: 1,
 },
 },
@@ -1279,15 +1279,15 @@ func TestCleanupOtherChains(t *testing.T) {
 startWithNft: true,
 calls: []testutils.TestCmd{
 {
- Cmd: []string{"iptables", "-w", "60", "-D", "FORWARD", "-j", "AZURE-NPM"},
+ Cmd: []string{"iptables-legacy", "-w", "60", "-D", "FORWARD", "-j", "AZURE-NPM"},
 ExitCode: 1,
 },
 {
- Cmd: []string{"iptables", "-w", "60", "-D", "FORWARD", "-j", "AZURE-NPM", "-m", "conntrack", "--ctstate", "NEW"},
+ Cmd: []string{"iptables-legacy", "-w", "60", "-D", "FORWARD", "-j", "AZURE-NPM", "-m", "conntrack", "--ctstate", "NEW"},
 ExitCode: 1,
 },
 {
- Cmd: []string{"iptables", "-w", "60", "-t", "filter", "-n", "-L"}, PipedToCommand: true, HasStartError: true,
+ Cmd: []string{"iptables-legacy", "-w", "60", "-t", "filter", "-n", "-L"}, PipedToCommand: true, HasStartError: true,
 ExitCode: 1,
 },
 {Cmd: []string{"grep", "Chain AZURE-NPM"}},
From 59f1f4db167c9ae58144a4380c6e8bbbfc9de4fc Mon Sep 17 00:00:00 2001
From: Isaiah Raya
Date: Thu, 10 Jul 2025 03:37:24 +0000
Subject: [PATCH 8/8] updated for all tests
---
 npm/pkg/dataplane/policies/testutils_linux.go | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/npm/pkg/dataplane/policies/testutils_linux.go b/npm/pkg/dataplane/policies/testutils_linux.go
index 112d020e47..01d0a22620 100644
--- a/npm/pkg/dataplane/policies/testutils_linux.go
+++ b/npm/pkg/dataplane/policies/testutils_linux.go
@@ -57,17 +57,17 @@ func GetBootupTestCalls() []testutils.TestCmd {
 ExitCode: 0,
 },
 // legacy clean up
- {Cmd: []string{"iptables", "-w", "60", "-D", "FORWARD", "-j", "AZURE-NPM"}, ExitCode: 2}, //nolint // AZURE-NPM chain didn't exist
- {Cmd: []string{"iptables", "-w", "60", "-D", "FORWARD", "-j", "AZURE-NPM", "-m", "conntrack", "--ctstate", "NEW"}, ExitCode: 2}, //nolint // AZURE-NPM chain didn't exist
- {Cmd: []string{"iptables", "-w", "60", "-t", "filter", "-n", "-L"}, PipedToCommand: true},
+ {Cmd: []string{"iptables-legacy", "-w", "60", "-D", "FORWARD", "-j", "AZURE-NPM"}, ExitCode: 2}, //nolint // AZURE-NPM chain didn't exist
+ {Cmd: []string{"iptables-legacy", "-w", "60", "-D", "FORWARD", "-j", "AZURE-NPM", "-m", "conntrack", "--ctstate", "NEW"}, ExitCode: 2}, //nolint // AZURE-NPM chain didn't exist
+ {Cmd: []string{"iptables-legacy", "-w", "60", "-t", "filter", "-n", "-L"}, PipedToCommand: true},
 {
 // 1 AZURE-NPM chain
 Cmd: []string{"grep", "Chain AZURE-NPM"},
 Stdout: `Chain AZURE-NPM (0 references)
 `,
 },
- {Cmd: []string{"iptables-restore", "-w", "60", "-T", "filter", "--noflush"}},
- {Cmd: []string{"iptables", "-w", "60", "-X", "AZURE-NPM"}},
+ {Cmd: []string{"iptables-legacy-restore", "-w", "60", "-T", "filter", "--noflush"}},
+ {Cmd: []string{"iptables-legacy", "-w", "60", "-X", "AZURE-NPM"}},
 // nft bootup
 {Cmd: []string{"iptables-nft", "-w", "60", "-D", "FORWARD", "-j", "AZURE-NPM"}, ExitCode: 2}, //nolint // AZURE-NPM chain didn't exist
 {Cmd: []string{"iptables-nft", "-w", "60", "-t", "filter", "-n", "-L"}, PipedToCommand: true},