github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-08-03 01:06:27 +00:00
Code Issues Projects Releases Wiki Activity

[kube-proxy:nftables] Read map/set elements on setup.

Browse Source 
We used to flush and re-add all map/set elements on nftables
setup, but it is faster to read the existing elements and only
transact the diff.

Signed-off-by: Nadia Pinaeva <npinaeva@redhat.com>
This commit is contained in:
Nadia Pinaeva 2025-02-11 16:38:47 +01:00
parent 77d7f63800
commit 7d5f3c5723
1 changed files with 29 additions and 18 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

31
pkg/proxy/nftables/proxier.go
View File

@ -712,13 +712,13 @@ func (proxier *Proxier) setupNFTables(tx *knftables.Transaction) {
}) })
} }
// flush containers // read or flush containers
proxier.clusterIPs.reset(tx) proxier.clusterIPs.readOrReset(tx, proxier.nftables, proxier.logger)
proxier.serviceIPs.reset(tx) proxier.serviceIPs.readOrReset(tx, proxier.nftables, proxier.logger)
proxier.firewallIPs.reset(tx) proxier.firewallIPs.readOrReset(tx, proxier.nftables, proxier.logger)
proxier.noEndpointServices.reset(tx) proxier.noEndpointServices.readOrReset(tx, proxier.nftables, proxier.logger)
proxier.noEndpointNodePorts.reset(tx) proxier.noEndpointNodePorts.readOrReset(tx, proxier.nftables, proxier.logger)
proxier.serviceNodePorts.reset(tx) proxier.serviceNodePorts.readOrReset(tx, proxier.nftables, proxier.logger)
} }
// CleanupLeftovers removes all nftables rules and chains created by the Proxier // CleanupLeftovers removes all nftables rules and chains created by the Proxier
@ -1082,9 +1082,13 @@ func newNFTElementStorage(containerType, containerName string) *nftElementStorag
return c return c
} }
// reset clears the internal state and flushes the nftables map/set. // readOrReset updates the existing elements from the nftables map/set.
func (s *nftElementStorage) reset(tx *knftables.Transaction) { // If reading fails, it clears the internal state and flushes the nftables map/set.
func (s *nftElementStorage) readOrReset(tx *knftables.Transaction, nftables knftables.Interface, logger klog.Logger) {
clear(s.elements) clear(s.elements)
defer s.resetLeftoverKeys()
elems, err := nftables.ListElements(context.TODO(), s.containerType, s.containerName)
if err != nil && !knftables.IsNotFound(err) {
if s.containerType == "set" { if s.containerType == "set" {
tx.Flush(&knftables.Set{ tx.Flush(&knftables.Set{
Name: s.containerName, Name: s.containerName,
@ -1094,7 +1098,14 @@ func (s *nftElementStorage) reset(tx *knftables.Transaction) {
Name: s.containerName, Name: s.containerName,
}) })
} }
s.resetLeftoverKeys() logger.Error(err, "Failed to list nftables elements", "containerName", s.containerName, "containerType", s.containerType)
return
}
for _, elem := range elems {
newKey := joinNFTSlice(elem.Key)
newValue := joinNFTSlice(elem.Value)
s.elements[newKey] = newValue
}
} }
// resetLeftoverKeys is only called internally by nftElementStorage methods. // resetLeftoverKeys is only called internally by nftElementStorage methods.