Switch to iptables-wrappers

aznfs-mount.yaml

@@ -1,7 +1,7 @@
 package:
   name: aznfs-mount
   version: "2.0.12"
-  epoch: 4
+  epoch: 5
   description: AZNFS Mount Helper
   copyright:
     - license: Apache-2.0
@@ -12,7 +12,7 @@ package:
       - coreutils
       - findmnt
       - flock
-      - iptables
+      - iptables-wrappers
       - procps
       - util-linux
 

blob-csi-1.27.yaml

@@ -1,7 +1,7 @@
 package:
   name: blob-csi-1.27
   version: "1.27.0"
-  epoch: 2 # GHSA-j5w8-q4qc-rx2x
+  epoch: 3
   description: Azure Blob Storage CSI driver
   copyright:
     - license: Apache-2.0
@@ -23,7 +23,7 @@ environment:
       - curl
       - fuse3
       - iproute2
-      - iptables
+      - iptables-wrappers
       - kmod
       - procps
       - util-linux
@@ -96,7 +96,7 @@ subpackages:
         - dash-binsh
         - e2fsprogs
         - iproute2
-        - iptables
+        - iptables-wrappers
         - kmod
         - mount
         - netcat-openbsd

calico-3.31.yaml

@@ -1,7 +1,7 @@
 package:
   name: calico-3.31
   version: "3.31.2"
-  epoch: 1 # GHSA-j5w8-q4qc-rx2x
+  epoch: 2
   description: "Cloud native networking and network security"
   copyright:
     - license: Apache-2.0
@@ -157,10 +157,9 @@ subpackages:
         - bash # required for logging functionality to work since `start_runit` logging script uses #!/bin/bash
         - conntrack-tools
         - glibc
-        - ip6tables
         - iproute2
         - ipset
-        - iptables
+        - iptables-wrappers
         - libbpf
         # listed in Dockerfile, but not sure if they're build dependencies (for iptables) or runtime
         - libelf

docker.yaml

@@ -1,7 +1,7 @@
 package:
   name: docker
   version: "28.5.2"
-  epoch: 5 # GHSA-j5w8-q4qc-rx2x
+  epoch: 6
   description: A meta package for Docker Engine and Docker CLI
   copyright:
     - license: Apache-2.0
@@ -110,9 +110,8 @@ subpackages:
         - e2fsprogs-extra
         - fuse-overlayfs
         - git
-        - ip6tables
         - iproute2
-        - iptables
+        - iptables-wrappers
         - openssl
         - pigz
         - procps

flannel.yaml

@@ -1,17 +1,16 @@
 package:
   name: flannel
   version: "0.27.4"
-  epoch: 3 # GHSA-j5w8-q4qc-rx2x
+  epoch: 4
   description: flannel is a network fabric for containers, designed for Kubernetes
   copyright:
     - license: Apache-2.0
   dependencies:
     runtime:
       - ca-certificates
       - coreutils
-      - ip6tables
       - iproute2
-      - iptables
+      - iptables-wrappers
       - nftables
       - strongswan
       - wireguard-tools
@@ -36,8 +35,7 @@ pipeline:
       deps: |-
         golang.org/x/[email protected]
 
-  - if: ${{build.arch}} == 'aarch64'
-    uses: patch
+  - uses: patch
     with:
       patches: disableBrNetfilterCheck.patch
 
@@ -74,6 +72,7 @@ test:
         - etcd
         - jq
         - iproute2
+        - iptables-wrappers
   pipeline:
     - name: "Check flanneld version"
       runs: |
@@ -122,13 +121,8 @@ test:
         sleep 3
 
         # Run flanneld in background
-        if [ "${{build.arch}}" = "aarch64" ]; then
-          flanneld --etcd-endpoints=$ETCD_ENDPOINTS --iface=$IFACE --iptables-forward-rules=false --disable-br-netfilter-check > /tmp/flannel.log 2>&1 &
-          FLANNEL_PID=$!
-        else
-          flanneld --etcd-endpoints=$ETCD_ENDPOINTS --iface=$IFACE --iptables-forward-rules=false > /tmp/flannel.log 2>&1 &
-          FLANNEL_PID=$!
-        fi
+        flanneld --etcd-endpoints=$ETCD_ENDPOINTS --iface=$IFACE --iptables-forward-rules=false --disable-br-netfilter-check > /tmp/flannel.log 2>&1 &
+        FLANNEL_PID=$!
 
         # Save PID to environment file
         echo "export FLANNEL_PID=$FLANNEL_PID" >> /tmp/env.sh

jupyterhub-k8s-hub.yaml

@@ -1,14 +1,14 @@
 package:
   name: jupyterhub-k8s-hub
   version: "4.3.1"
-  epoch: 0
+  epoch: 1
   description: Zero to JupyterHub with Kubernetes
   copyright:
     - license: BSD-3-Clause
   dependencies:
     runtime:
       - configurable-http-proxy
-      - iptables
+      - iptables-wrappers
       - py3-jupyterhub
       - py3-jupyterhub-firstuseauthenticator
       - py3-jupyterhub-hmacauthenticator

jupyterhub-k8s-network-tools.yaml

@@ -2,13 +2,13 @@
 package:
   name: jupyterhub-k8s-network-tools
   version: "4.3.1"
-  epoch: 0
+  epoch: 1
   description: Network diagnostic tools for use within a JupyterHub Kubernetes cluster
   copyright:
     - license: BSD-3-Clause
   dependencies:
     runtime:
-      - iptables
+      - iptables-wrappers
 
 environment:
   contents:

k3s-1.32.yaml

@@ -1,7 +1,7 @@
 package:
   name: k3s-1.32
   version: "1.32.10.1"
-  epoch: 0
+  epoch: 1
   description:
   copyright:
     - license: Apache-2.0
@@ -10,8 +10,8 @@ package:
       - busybox
       - conntrack-tools
       - containerd-shim-runc-v2
-      - ip6tables # this pulls in iptables as well
       - ipset # required for network policy controller
+      - iptables-wrappers
       - kmod
       - libseccomp
       - merged-bin
@@ -120,8 +120,8 @@ subpackages:
         - busybox
         - conntrack-tools
         - containerd-shim-runc-v2
-        - ip6tables
         - ipset
+        - iptables-wrappers
         - kmod
         - libseccomp
         - merged-bin
@@ -165,8 +165,8 @@ subpackages:
       runtime:
         - busybox
         - conntrack-tools
-        - ip6tables
         - ipset
+        - iptables-wrappers
         - kmod
         - merged-bin
         - mount

k3s-1.33.yaml

@@ -1,7 +1,7 @@
 package:
   name: k3s-1.33
   version: "1.33.6.1"
-  epoch: 0
+  epoch: 1
   description:
   copyright:
     - license: Apache-2.0
@@ -10,8 +10,8 @@ package:
       - busybox
       - conntrack-tools
       - containerd-shim-runc-v2
-      - ip6tables # this pulls in iptables as well
       - ipset # required for network policy controller
+      - iptables-wrappers
       - kmod
       - libseccomp
       - merged-bin
@@ -116,8 +116,8 @@ subpackages:
         - busybox
         - conntrack-tools
         - containerd-shim-runc-v2
-        - ip6tables
         - ipset
+        - iptables-wrappers
         - kmod
         - libseccomp
         - merged-bin
@@ -161,8 +161,8 @@ subpackages:
       runtime:
         - busybox
         - conntrack-tools
-        - ip6tables
         - ipset
+        - iptables-wrappers
         - kmod
         - merged-bin
         - mount

k3s.yaml

@@ -1,7 +1,7 @@
 package:
   name: k3s
   version: "1.34.2.1"
-  epoch: 0 # GHSA-j5w8-q4qc-rx2x
+  epoch: 1
   description:
   copyright:
     - license: Apache-2.0
@@ -10,8 +10,8 @@ package:
       - busybox
       - conntrack-tools
       - containerd-shim-runc-v2
-      - ip6tables # this pulls in iptables as well
       - ipset # required for network policy controller
+      - iptables-wrappers
       - kmod
       - libseccomp
       - merged-bin
@@ -116,8 +116,8 @@ subpackages:
         - busybox
         - conntrack-tools
         - containerd-shim-runc-v2
-        - ip6tables
         - ipset
+        - iptables-wrappers
         - kmod
         - libseccomp
         - merged-bin
@@ -161,8 +161,8 @@ subpackages:
       runtime:
         - busybox
         - conntrack-tools
-        - ip6tables
         - ipset
+        - iptables-wrappers
         - kmod
         - merged-bin
         - mount

kubernetes-1.34.yaml

@@ -1,7 +1,7 @@
 package:
   name: kubernetes-1.34
   version: "1.34.2"
-  epoch: 1 # GHSA-j5w8-q4qc-rx2x
+  epoch: 2
   description: Production-Grade Container Scheduling and Management
   copyright:
     - license: Apache-2.0
@@ -162,7 +162,7 @@ subpackages:
     description: An agent that runs on each node in a Kubernetes cluster making sure that containers are running in a Pod
     dependencies:
       runtime:
-        - ip6tables
+        - iptables-wrappers
     pipeline:
       - runs: |
           mkdir -p ${{targets.subpkgdir}}/usr/bin
@@ -201,8 +201,7 @@ subpackages:
     description: Kubernetes network proxy that runs on each node
     dependencies:
       runtime:
-        - iptables
-        - ip6tables
+        - iptables-wrappers
         - nftables
         - kmod
         - conntrack-tools
@@ -386,7 +385,7 @@ test:
         - iproute2
         - socat
         - conntrack-tools
-        - iptables
+        - iptables-wrappers
         - crictl
   pipeline:
     - uses: test/kwok/cluster

linkerd2-proxy-init.yaml

@@ -1,14 +1,15 @@
 package:
   name: linkerd2-proxy-init
   version: "2.4.3"
-  epoch: 4 # CVE-2025-47906
+  epoch: 5
   description: "Init container that sets up the iptables rules to forward traffic into the Linkerd2 sidecar proxy"
   copyright:
     - license: Apache-2.0
   dependencies:
     runtime:
-      - ip6tables
-      - iptables-xtables-privileged
+      # Is something needed to handle the iptables-xtables-privileged dep
+      # removed in the switch to iptables-wrappers?
+      - iptables-wrappers
       - libcap
       - libcap-utils
   # Required because the -compat subpackage creates a file in /run

linkerd2.yaml

@@ -1,7 +1,7 @@
 package:
   name: linkerd2
   version: "25.11.3"
-  epoch: 0 # GHSA-xwfj-jgwm-7wp5
+  epoch: 1
   description: "meta linkerd package"
   copyright:
     - license: Apache-2.0
@@ -218,7 +218,7 @@ subpackages:
         - grep
         - iproute2
         - iptables
-        - iptables-xtables-privileged
+        - iptables-xtables-privileged # WHAT TO DO about iptables-wrappers change?
         - jq
         - libcap
         - libcap-utils

nerdctl.yaml

@@ -1,7 +1,7 @@
 package:
   name: nerdctl
   version: "2.2.0"
-  epoch: 2 # GHSA-j5w8-q4qc-rx2x
+  epoch: 3
   description: Docker-compatible CLI for containerd, with support for Compose, Rootless, eStargz, OCIcrypt, IPFS, ...
   copyright:
     - license: Apache-2.0
@@ -44,7 +44,7 @@ test:
     contents:
       packages:
         - containerd
-        - iptables
+        - iptables-wrappers
         - curl
         - coreutils
   pipeline: