From 1add22bc39b75953c5d76f1bf4e4397c683d9178 Mon Sep 17 00:00:00 2001
From: vardhaman22
Date: Fri, 28 Feb 2025 19:25:26 +0530
Subject: [PATCH] added enable_br_netfilter env var
---
 cluster/defaults.go | 6 ++++++
 cluster/plan.go | 15 +++++++++++++++
 types/rke_types.go | 2 ++
 3 files changed, 23 insertions(+)
diff --git a/cluster/defaults.go b/cluster/defaults.go
index 4e1f159e..40b65806 100644
--- a/cluster/defaults.go
+++ b/cluster/defaults.go
@@ -762,6 +762,12 @@ func (c *Cluster) setClusterDNSDefaults() error {
 func (c *Cluster) setClusterNetworkDefaults() {
 setDefaultIfEmpty(&c.Network.Plugin, DefaultNetworkPlugin)
+ // set enable_br_netfilter to true by default since it is required for network plugins
+ if c.Network.EnableBrNetfilter == nil {
+ enableBrNetfilter := true
+ c.Network.EnableBrNetfilter = &enableBrNetfilter
+ }
+
 if c.Network.Options == nil {
 // don't break if the user didn't define options
 c.Network.Options = make(map[string]string)
diff --git a/cluster/plan.go b/cluster/plan.go
index 0e2941a0..02ae23c2 100644
--- a/cluster/plan.go
+++ b/cluster/plan.go
@@ -68,6 +68,7 @@ const (
 KubeletDualStackNameEnv = "RKE_KUBELET_CRIDOCKERD_DUALSTACK"
 CRIDockerdStreamServerAddressEnv = "CRIDOCKERD_STREAM_SERVER_ADDRESS"
 CRIDockerdStreamServerPortEnv = "CRIDOCKERD_STREAM_SERVER_PORT"
+ KubeProxyBrNetfilterNameEnv = "RKE_KUBE_PROXY_BR_NETFILTER"
 )
 var (
@@ -775,6 +776,10 @@ func (c *Cluster) BuildKubeProxyProcess(host *hosts.Host, serviceOptions v3.Kube
 Env = append(Env, c.getWindowsEnv(host)...)
 }
+ if c.EnableBrNetfilter() {
+ Env = append(Env, fmt.Sprintf("%s=%s", KubeProxyBrNetfilterNameEnv, "true"))
+ }
+
 for arg, value := range host.GetExtraArgs(kubeproxy.BaseService) {
 CommandArgs[arg] = value
 }
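Review bot: In cluster/defaults.go, setClusterNetworkDefaults fills in `true` only when the field is nil, so an explicit `enable_br_netfilter: false` is accepted silently even though the added comment says the module is required for network plugins. Without br_netfilter, bridged pod traffic generally does not traverse iptables, which can leave kube-proxy service rules and iptables-based network policy unapplied for that traffic. I would log a warning when the value is explicitly false, for example `logrus.Warn("network.enable_br_netfilter is false; bridged pod traffic may bypass iptables rules")`, assuming logrus is available in this file, which the hunk does not show. The function body continues past the end of the hunk.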
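Review bot: In cluster/plan.go, BuildKubeProxyProcess appends `RKE_KUBE_PROXY_BR_NETFILTER=true` when the option is on and emits nothing when it is off, so whatever reads this variable (not part of this patch) must interpret an absent variable as "disabled". If a node image in use still loads the module when the variable is missing, `enable_br_netfilter: false` would have no effect and nothing would report it. Emitting the value in both cases makes the contract explicit and removes the literal-formatting Sprintf: `Env = append(Env, fmt.Sprintf("%s=%t", KubeProxyBrNetfilterNameEnv, c.EnableBrNetfilter()))`. The function starts and ends outside the hunk.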
@@ -1324,6 +1329,16 @@ func (c *Cluster) IsCRIDockerdEnabled() bool {
 return false
 }
+func (c *Cluster) EnableBrNetfilter() bool {
+ if c == nil {
+ return false
+ }
+ if c.Network.EnableBrNetfilter != nil && *c.Network.EnableBrNetfilter {
+ return true
+ }
+ return false
+}
+
 func (c *Cluster) multipleCIDRsConfigured() bool {
 if c == nil {
 logrus.Debug("multipleCIDRsConfigured: Returning false, cluster object is nil")
diff --git a/types/rke_types.go b/types/rke_types.go
index 3b54464c..7ee6152d 100644
--- a/types/rke_types.go
+++ b/types/rke_types.go
@@ -409,6 +409,8 @@ type NetworkConfig struct {
 UpdateStrategy *DaemonSetUpdateStrategy `yaml:"update_strategy" json:"updateStrategy,omitempty"`
 // Tolerations for Deployments
 Tolerations []v1.Toleration `yaml:"tolerations" json:"tolerations,omitempty"`
+ // Enable/Disable br_netfilter on nodes
+ EnableBrNetfilter *bool `yaml:"enable_br_netfilter" json:"enableBrNetfilter" norman:"default=true"`
 }
 type AuthWebhookConfig struct {
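Review bot: EnableBrNetfilter in cluster/plan.go returns false when `c.Network.EnableBrNetfilter` is nil, while setClusterNetworkDefaults and the `norman:"default=true"` tag both treat an unset value as true. Any path that builds the kube-proxy process from a cluster object on which defaults were not applied would then leave the variable unset; whether such a path exists is not visible in this patch. Treating nil as the default keeps the accessor in agreement with the rest of the change: `return c.Network.EnableBrNetfilter == nil || *c.Network.EnableBrNetfilter` after the `c == nil` guard. The exported method also has no doc comment; I would add `// EnableBrNetfilter reports whether br_netfilter should be enabled on cluster nodes.`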
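Review bot: In types/rke_types.go the new field's JSON tag is `json:"enableBrNetfilter"` without `omitempty`, unlike the `updateStrategy` and `tolerations` fields directly above it, so a nil pointer is serialized as an explicit null. I would use `json:"enableBrNetfilter,omitempty"` unless the explicit null is intended. The field comment could also follow the Go doc convention and state the default, for example `// EnableBrNetfilter enables br_netfilter on nodes (default true); network plugins that bridge pod traffic depend on it.`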