Merge pull request #123162 from tnqn/flush-on-startup

kube-proxy: flush nftables base chains on startup
2025-07-31 23:37:01 +00:00 · 2024-02-07 14:25:37 -08:00 · 2024-02-07 14:25:37 -08:00 · 9b3d8a9063
commit 9b3d8a9063
parent e7d84c9f08 42672ee2ea
1 changed files with 16 additions and 1 deletions
--- a/pkg/proxy/nftables/proxier.go
+++ b/pkg/proxy/nftables/proxier.go
@ -162,6 +162,7 @@ type Proxier struct {
 	initialized          int32
 	syncRunner           *async.BoundedFrequencyRunner // governs calls to syncProxyRules
 	syncPeriod           time.Duration
+	flushed              bool

 	// These are effectively const and do not need the mutex to be held.
 	nftables       knftables.Interface
@ -352,7 +353,7 @@ type nftablesJumpChain struct {
 var nftablesJumpChains = []nftablesJumpChain{
 	// We can't jump to endpointsCheckChain from filter-prerouting like
 	// firewallCheckChain because reject action is only valid in chains using the
-	// input, forward or output hooks.
+	// input, forward or output hooks with kernels before 5.9.
 	{nodePortEndpointsCheckChain, filterInputChain, "ct state new"},
 	{serviceEndpointsCheckChain, filterInputChain, "ct state new"},
 	{serviceEndpointsCheckChain, filterForwardChain, "ct state new"},
@ -399,6 +400,20 @@ func (proxier *Proxier) setupNFTables(tx *knftables.Transaction) {
 		Comment: ptr.To("rules for kube-proxy"),
 	})

+	// Do an extra "add+delete" once to ensure all previous base chains in the table
+	// will be recreated. Otherwise, altering properties (e.g. priority) of these
+	// chains would fail the transaction.
+	if !proxier.flushed {
+		for _, bc := range nftablesBaseChains {
+			chain := &knftables.Chain{
+				Name: bc.name,
+			}
+			tx.Add(chain)
+			tx.Delete(chain)
+		}
+		proxier.flushed = true
+	}
+
 	// Create and flush base chains
 	for _, bc := range nftablesBaseChains {
 		chain := &knftables.Chain{