Feat: add nftable mode in calico (#12255)

tico88612 · web-flow · commit fa880b6bcc83 · 2025-06-15T18:54:58.000-07:00
Signed-off-by: ChengHao Yang &lt;17496418+tico88612@users.noreply.github.com&gt;
diff --git a/roles/network_plugin/calico/templates/calico-node.yml.j2 b/roles/network_plugin/calico/templates/calico-node.yml.j2
@@ -275,6 +275,10 @@ spec:
             # Enable or disable usage report
             - name: FELIX_USAGEREPORTINGENABLED
               value: "{{ calico_usage_reporting }}"
+{% if calico_version is version('3.29.0', '>=') %}
+            - name: FELIX_NFTABLESMODE
+              value: "{{ calico_nftable_mode }}"
+{% endif %}
             # Set MTU for tunnel device used if ipip is enabled
 {% if calico_mtu is defined %}
             # Set MTU for tunnel device used if ipip is enabled
diff --git a/roles/network_plugin/calico_defaults/defaults/main.yml b/roles/network_plugin/calico_defaults/defaults/main.yml
@@ -101,6 +101,10 @@ calico_iptables_lock_timeout_secs: 10
 # Choose Calico iptables backend: "Legacy", "Auto" or "NFT" (FELIX_IPTABLESBACKEND)
 calico_iptables_backend: "Auto"
 
+# Calico NFTable Mode Support (tech preview 3.29)
+# Valid option: Disabled (default), Enabled
+calico_nftable_mode: "Disabled"
+
 # Calico Wireguard support
 calico_wireguard_enabled: false
 calico_wireguard_packages: []
