Added Nftables config option in runsc

This change adds a `nftables` flag, defaulting to false.
This option will be used to enable support for nftables instead of
iptables in the sandbox network setup.

PiperOrigin-RevId: 766487742

Author: kerumeto

runsc/config/config.go

@@ -394,6 +394,9 @@ type Config struct {
 
 	// SaveRestoreNetstack indicates whether netstack should be saved and restored.
 	SaveRestoreNetstack bool `flag:"save-restore-netstack"`
+
+	// Nftables enables support for nftables to be used instead of iptables.
+	Nftables bool `flag:"TESTONLY-nftables"`
 }
 
 func (c *Config) validate() error {

runsc/config/flags.go

@@ -134,6 +134,7 @@ func RegisterFlags(flagSet *flag.FlagSet) {
 	flagSet.Int("dcache", -1, "Set the global dentry cache size. This acts as a coarse-grained control on the number of host FDs simultaneously open by the sentry. If negative, per-mount caches are used.")
 	flagSet.Bool("iouring", false, "TEST ONLY; Enables io_uring syscalls in the sentry. Support is experimental and very limited.")
 	flagSet.Bool("directfs", true, "directly access the container filesystems from the sentry. Sentry runs with higher privileges.")
+	flagSet.Bool("TESTONLY-nftables", false, "TEST ONLY; Enables nftables support in the sentry.")
 
 	// Flags that control sandbox runtime behavior: network related.
 	flagSet.Var(networkTypePtr(NetworkSandbox), "network", "specifies which network to use: sandbox (default), host, none. Using network inside the sandbox is more secure because it's isolated from the host network.")