feat: ship nft binary with Talos rootfs

Fixes #11846 Also bump Linux to 6.16.7 via pkgs. Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
2026-05-05 20:36:18 +02:00 · 2025-09-17 18:41:52 +04:00 · 2025-09-17 18:41:52 +04:00 · 9cd2d794d0
commit 9cd2d794d0
parent b1416c9fe1
6 changed files with 26 additions and 5 deletions
--- a/6
+++ b/6
@ -48,6 +48,7 @@ ARG PKG_LINUX_FIRMWARE=scratch
 ARG PKG_LVM2=scratch
 ARG PKG_MTOOLS=scratch
 ARG PKG_MUSL=scratch
+ARG PKG_NFTABLES=scratch
 ARG PKG_OPENSSL=scratch
 ARG PKG_OPEN_VMDK=scratch
 ARG PKG_PCRE2=scratch
@ -151,6 +152,9 @@ FROM --platform=arm64 ${PKG_LVM2} AS pkg-lvm2-arm64
 FROM --platform=amd64 ${PKG_LIBAIO} AS pkg-libaio-amd64
 FROM --platform=arm64 ${PKG_LIBAIO} AS pkg-libaio-arm64

+FROM --platform=amd64 ${PKG_NFTABLES} AS pkg-nftables-amd64
+FROM --platform=arm64 ${PKG_NFTABLES} AS pkg-nftables-arm64
+
 FROM --platform=amd64 ${PKG_MUSL} AS pkg-musl-amd64
 FROM --platform=arm64 ${PKG_MUSL} AS pkg-musl-arm64

@ -694,6 +698,7 @@ COPY --link --from=pkg-openssl-amd64 / /rootfs
 COPY --link --from=pkg-lvm2-amd64 / /rootfs
 COPY --link --from=pkg-libaio-amd64 / /rootfs
 COPY --link --from=pkg-musl-amd64 / /rootfs
+COPY --link --from=pkg-nftables-amd64 / /rootfs
 COPY --link --from=pkg-runc-amd64 / /rootfs
 COPY --link --from=pkg-xfsprogs-amd64 / /rootfs
 COPY --link --from=pkg-util-linux-amd64 /usr/lib/libblkid.* /rootfs/usr/lib/
@ -775,6 +780,7 @@ COPY --link --from=pkg-openssl-arm64 / /rootfs
 COPY --link --from=pkg-lvm2-arm64 / /rootfs
 COPY --link --from=pkg-libaio-arm64 / /rootfs
 COPY --link --from=pkg-musl-arm64 / /rootfs
+COPY --link --from=pkg-nftables-arm64 / /rootfs
 COPY --link --from=pkg-runc-arm64 / /rootfs
 COPY --link --from=pkg-xfsprogs-arm64 / /rootfs
 COPY --link --from=pkg-util-linux-arm64 /usr/lib/libblkid.* /rootfs/usr/lib/
--- a/4
+++ b/4
@ -27,7 +27,7 @@ EMBED_TARGET ?= embed
 TOOLS_PREFIX ?= ghcr.io/siderolabs/tools
 TOOLS ?= v1.12.0-alpha.0-6-gc37ac80
 PKGS_PREFIX ?= ghcr.io/siderolabs
-PKGS ?= v1.12.0-alpha.0-21-g122fa66
+PKGS ?= v1.12.0-alpha.0-26-g7fe686d
 GENERATE_VEX_PREFIX ?= ghcr.io/siderolabs/generate-vex
 GENERATE_VEX ?= latest

@ -69,6 +69,7 @@ PKG_LINUX_FIRMWARE ?= $(PKGS_PREFIX)/linux-firmware:$(PKGS)
 PKG_LVM2 ?= $(PKGS_PREFIX)/lvm2:$(PKGS)
 PKG_MTOOLS ?= $(PKGS_PREFIX)/mtools:$(PKGS)
 PKG_MUSL ?= $(PKGS_PREFIX)/musl:$(PKGS)
+PKG_NFTABLES ?= $(PKGS_PREFIX)/nftables:$(PKGS)
 PKG_OPENSSL ?= $(PKGS_PREFIX)/openssl:$(PKGS)
 PKG_OPEN_VMDK ?= $(PKGS_PREFIX)/open-vmdk:$(PKGS)
 PKG_PCRE2 ?= $(PKGS_PREFIX)/pcre2:$(PKGS)
@ -219,6 +220,7 @@ COMMON_ARGS += --build-arg=PKG_LIBURCU=$(PKG_LIBURCU)
 COMMON_ARGS += --build-arg=PKG_LINUX_FIRMWARE=$(PKG_LINUX_FIRMWARE)
 COMMON_ARGS += --build-arg=PKG_LVM2=$(PKG_LVM2)
 COMMON_ARGS += --build-arg=PKG_MTOOLS=$(PKG_MTOOLS)
+COMMON_ARGS += --build-arg=PKG_NFTABLES=$(PKG_NFTABLES)
 COMMON_ARGS += --build-arg=PKG_MUSL=$(PKG_MUSL)
 COMMON_ARGS += --build-arg=PKG_OPENSSL=$(PKG_OPENSSL)
 COMMON_ARGS += --build-arg=PKG_OPEN_VMDK=$(PKG_OPEN_VMDK)
--- a/hack/release.toml
+++ b/hack/release.toml
@ -18,7 +18,7 @@ preface = """
    [notes.updates]
        title = "Component Updates"
        description = """\
-Linux: 6.16.6
+Linux: 6.16.7
 Kubernetes: 1.34.1
 CNI Plugins: 1.8.0
 cryptsetup: 2.8.1
@ -60,6 +60,12 @@ The currently used PCR's can be seen with `talosctl get volumestatus <volume> -o
        description = """\
 Talos now enables a stricter set of KSPP sysctl settings by default.
 The list of overridden settings is available with `talosctl get kernelparamstatus` command.
+"""
+
+    [notes.extra-binaries]
+        title = "Extra Binaries"
+        description = """\
+Talos Linux now ships with `nft` binary in the rootfs to support CNIs which shell out to `nft` command.
 """

 [make_deps]
--- a/internal/app/machined/pkg/controllers/network/nftables_chain_test.go
+++ b/internal/app/machined/pkg/controllers/network/nftables_chain_test.go
@ -29,6 +29,13 @@ type NfTablesChainSuite struct {

 func (s *NfTablesChainSuite) nftOutput() string {
 	out, err := exec.CommandContext(s.T().Context(), "nft", "list", "table", "inet", "talos-test").CombinedOutput()
+	if err != nil {
+		if strings.Contains(string(out), "No such file or directory") ||
+			strings.Contains(string(out), "No such table") {
+			return "table inet talos-test {\n}"
+		}
+	}
+
 	s.Require().NoError(err, "nft list table inet talos-test failed: %s", string(out))

 	return string(out)
@ -195,7 +202,7 @@ func (s *NfTablesChainSuite) TestConntrackCounter() {
 	s.checkNftOutput(`table inet talos-test {
 	chain test1 {
 		type filter hook input priority security; policy accept;
-		ct state { established, related } accept
+		ct state { 0x2000000, 0x4000000 } accept
 		ct state invalid counter packets 0 bytes 0 drop
 	}
 }`)
--- a/pkg/machinery/constants/constants.go
+++ b/pkg/machinery/constants/constants.go
@ -14,7 +14,7 @@ import (

 const (
 	// DefaultKernelVersion is the default Linux kernel version.
-	DefaultKernelVersion = "6.16.6-talos"
+	DefaultKernelVersion = "6.16.7-talos"

 	// KernelParamConfig is the kernel parameter name for specifying the URL.
 	// to the config.
--- a/pkg/machinery/gendata/data/pkgs
+++ b/pkg/machinery/gendata/data/pkgs
@ -1 +1 @@
-v1.12.0-alpha.0-21-g122fa66
+v1.12.0-alpha.0-26-g7fe686d