From fa880b6bcc836a315a7bd442eae9635e513c07a7 Mon Sep 17 00:00:00 2001
From: ChengHao Yang <17496418+tico88612@users.noreply.github.com>
Date: Mon, 16 Jun 2025 09:54:58 +0800
Subject: [PATCH] Feat: add nftable mode in calico (#12255)

Signed-off-by: ChengHao Yang <17496418+tico88612@users.noreply.github.com>
---
 roles/network_plugin/calico/templates/calico-node.yml.j2 | 4 ++++
 roles/network_plugin/calico_defaults/defaults/main.yml | 4 ++++
 2 files changed, 8 insertions(+)

diff --git a/roles/network_plugin/calico/templates/calico-node.yml.j2 b/roles/network_plugin/calico/templates/calico-node.yml.j2
index d5b509bba..ad3eefc40 100644
--- a/roles/network_plugin/calico/templates/calico-node.yml.j2
+++ b/roles/network_plugin/calico/templates/calico-node.yml.j2
@@ -275,6 +275,10 @@ spec:
 # Enable or disable usage report
 - name: FELIX_USAGEREPORTINGENABLED
 value: "{{ calico_usage_reporting }}"
+{% if calico_version is version('3.29.0', '>=') %}
+ - name: FELIX_NFTABLESMODE
+ value: "{{ calico_nftable_mode }}"
+{% endif %}
 # Set MTU for tunnel device used if ipip is enabled
 {% if calico_mtu is defined %}
 # Set MTU for tunnel device used if ipip is enabled
diff --git a/roles/network_plugin/calico_defaults/defaults/main.yml b/roles/network_plugin/calico_defaults/defaults/main.yml
index da899546b..cf5550faa 100644
--- a/roles/network_plugin/calico_defaults/defaults/main.yml
+++ b/roles/network_plugin/calico_defaults/defaults/main.yml
@@ -101,6 +101,10 @@ calico_iptables_lock_timeout_secs: 10
 # Choose Calico iptables backend: "Legacy", "Auto" or "NFT" (FELIX_IPTABLESBACKEND)
 calico_iptables_backend: "Auto"
 
+# Calico NFTable Mode Support (tech preview 3.29)
+# Valid option: Disabled (default), Enabled
+calico_nftable_mode: "Disabled"
+
 # Calico Wireguard support
 calico_wireguard_enabled: false
 calico_wireguard_packages: []
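Review bot: When `calico_version` is below 3.29.0 the `{% if %}` guard in calico-node.yml.j2 drops FELIX_NFTABLESMODE without any signal, so an operator who set `calico_nftable_mode: "Enabled"` stays on the previous dataplane while believing network policy is programmed through nftables. The value is also rendered as-is, so a typo such as lowercase `enabled` only surfaces inside Felix at runtime; how Felix treats an unknown value is not visible here. I would add a pre-deployment assertion in the role that fails on unknown values and on "Enabled" combined with an older version, for example `that: calico_nftable_mode in ['Disabled', 'Enabled']`. The container env list this hunk extends starts and ends outside the hunk.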
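Review bot: The new comment in defaults/main.yml does not name the Felix setting or say how it differs from `calico_iptables_backend: "NFT"` two lines above, and the two are easy to confuse. As far as I know the backend option only selects the nft-backed iptables binaries, while this variable switches Felix to its native nftables dataplane. I would follow the neighbouring comment's convention and write `# Calico native nftables dataplane (FELIX_NFTABLESMODE), tech preview in 3.29; ignored when calico_version < 3.29.0` followed by `# Valid options: "Disabled" (default), "Enabled"`. Because the selected dataplane is what enforces network policy, the comment is the place to state that the template omits the setting for older versions.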