Merge pull request #55606 from Lion-Wei/proxier-1

Automatic merge from submit-queue (batch tested with PRs 55606, 59185, 58763, 59072, 59251). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. make ipvs 'cleanupIptablesLeftovers' simplier Since there are only four iptables chains in ipvs mode, no need to restore all chains when cleanup iptables chain created by ipvs. **What this PR does / why we need it**: Make ipvs `cleanupIptablesLeftovers` function much simplier. **Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*: Fixes #56689 **Special notes for your reviewer**: **Release note**: ```release-note NONE ```
2025-07-27 13:37:30 +00:00 · 2018-02-02 18:26:32 -08:00 · 2018-02-02 18:26:32 -08:00 · 6c23b920b7
commit 6c23b920b7
parent 4edb82f0e8 e661a23d16
1 changed files with 21 additions and 39 deletions
--- a/pkg/proxy/ipvs/proxier.go
+++ b/pkg/proxy/ipvs/proxier.go
@ -79,6 +79,15 @@ const (
 	DefaultDummyDevice = "kube-ipvs0"
 )
 // tableChainsWithJumpService is the iptables chains ipvs proxy mode used.
 var tableChainsWithJumpService = []struct {
 	table utiliptables.Table
 	chain utiliptables.Chain
 }{
 	{utiliptables.TableNAT, utiliptables.ChainOutput},
 	{utiliptables.TableNAT, utiliptables.ChainPrerouting},
 }
 var ipvsModules = []string{
 	"ip_vs",
 	"ip_vs_rr",
@ -768,7 +777,6 @@ func CanUseIPVSProxier(handle KernelHandler, ipsetver IPSetVersioner) (bool, err
 	return true, nil
 }
 // TODO: make it simpler.
 // CleanupIptablesLeftovers removes all iptables rules and chains created by the Proxier
 // It returns true if an error was encountered. Errors are logged.
 func cleanupIptablesLeftovers(ipt utiliptables.Interface) (encounteredError bool) {
@ -777,14 +785,7 @@ func cleanupIptablesLeftovers(ipt utiliptables.Interface) (encounteredError bool
 		"-m", "comment", "--comment", "kubernetes service portals",
 		"-j", string(kubeServicesChain),
 	}
-	tableChainsWithJumpServices := []struct {
+	for _, tc := range tableChainsWithJumpService {
 		table utiliptables.Table
 		chain utiliptables.Chain
 	}{
 		{utiliptables.TableNAT, utiliptables.ChainOutput},
 		{utiliptables.TableNAT, utiliptables.ChainPrerouting},
 	}
 	for _, tc := range tableChainsWithJumpServices {
 		if err := ipt.DeleteRule(tc.table, tc.chain, args...); err != nil {
 			if !utiliptables.IsNotFoundError(err) {
 				glog.Errorf("Error removing pure-iptables proxy rule: %v", err)
@ -806,32 +807,20 @@ func cleanupIptablesLeftovers(ipt utiliptables.Interface) (encounteredError bool
 	}
 	// Flush and remove all of our chains.
-	iptablesData := bytes.NewBuffer(nil)
+	for _, chain := range []utiliptables.Chain{kubeServicesChain, kubePostroutingChain} {
-	if err := ipt.SaveInto(utiliptables.TableNAT, iptablesData); err != nil {
+		if err := ipt.FlushChain(utiliptables.TableNAT, chain); err != nil {
-		glog.Errorf("Failed to execute iptables-save for %s: %v", utiliptables.TableNAT, err)
+			if !utiliptables.IsNotFoundError(err) {
 				glog.Errorf("Error removing ipvs Proxier iptables rule: %v", err)
 				encounteredError = true
 	} else {
 		existingNATChains := utiliptables.GetChainLines(utiliptables.TableNAT, iptablesData.Bytes())
 		natChains := bytes.NewBuffer(nil)
 		natRules := bytes.NewBuffer(nil)
 		writeLine(natChains, "*nat")
 		// Start with chains we know we need to remove.
 		for _, chain := range []utiliptables.Chain{kubeServicesChain, kubePostroutingChain, KubeMarkMasqChain, KubeServiceIPSetsChain} {
 			if _, found := existingNATChains[chain]; found {
 				chainString := string(chain)
 				writeLine(natChains, existingNATChains[chain]) // flush
 				writeLine(natRules, "-X", chainString)         // delete
 			}
 		}
-		writeLine(natRules, "COMMIT")
+		if err := ipt.DeleteChain(utiliptables.TableNAT, chain); err != nil {
-		natLines := append(natChains.Bytes(), natRules.Bytes()...)
+			if !utiliptables.IsNotFoundError(err) {
-		// Write it.
+				glog.Errorf("Error removing ipvs Proxier iptables rule: %v", err)
 		err = ipt.Restore(utiliptables.TableNAT, natLines, utiliptables.NoFlushTables, utiliptables.RestoreCounters)
 		if err != nil {
 			glog.Errorf("Failed to execute iptables-restore for %s: %v", utiliptables.TableNAT, err)
 				encounteredError = true
 			}
 		}
 	}
 	return encounteredError
 }
@ -1724,16 +1713,9 @@ func (proxier *Proxier) linkKubeServiceChain(existingNATChains map[utiliptables.
 	if _, err := proxier.iptables.EnsureChain(utiliptables.TableNAT, kubeServicesChain); err != nil {
 		return fmt.Errorf("Failed to ensure that %s chain %s exists: %v", utiliptables.TableNAT, kubeServicesChain, err)
 	}
 	tableChainsNeedJumpServices := []struct {
 		table utiliptables.Table
 		chain utiliptables.Chain
 	}{
 		{utiliptables.TableNAT, utiliptables.ChainOutput},
 		{utiliptables.TableNAT, utiliptables.ChainPrerouting},
 	}
 	comment := "kubernetes service portals"
 	args := []string{"-m", "comment", "--comment", comment, "-j", string(kubeServicesChain)}
-	for _, tc := range tableChainsNeedJumpServices {
+	for _, tc := range tableChainsWithJumpService {
 		if _, err := proxier.iptables.EnsureRule(utiliptables.Prepend, tc.table, tc.chain, args...); err != nil {
 			return fmt.Errorf("Failed to ensure that %s chain %s jumps to %s: %v", tc.table, tc.chain, kubeServicesChain, err)
 		}