From c7e48f1ebf521e4ba84db04be38c781d5cc408e2 Mon Sep 17 00:00:00 2001
From: Quan Tian
Date: Wed, 7 Feb 2024 00:06:51 +0800
Subject: [PATCH 1/2] kube-proxy: flush nftables base chains on startup

Do an extra "add+delete" once to ensure all previous base chains in the table will be recreated. Otherwise, altering properties (e.g. priority) of these chains would fail the transaction.

Signed-off-by: Quan Tian
---
 pkg/proxy/nftables/proxier.go | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/pkg/proxy/nftables/proxier.go b/pkg/proxy/nftables/proxier.go
index 998143ad258..a27591e82aa 100644
--- a/pkg/proxy/nftables/proxier.go
+++ b/pkg/proxy/nftables/proxier.go
@@ -162,6 +162,7 @@ type Proxier struct {
 initialized int32
 syncRunner *async.BoundedFrequencyRunner // governs calls to syncProxyRules
 syncPeriod time.Duration
+ flushed bool

 // These are effectively const and do not need the mutex to be held.
 nftables knftables.Interface
@@ -399,6 +400,20 @@ func (proxier *Proxier) setupNFTables(tx *knftables.Transaction) {
 Comment: ptr.To("rules for kube-proxy"),
 })

+ // Do an extra "add+delete" once to ensure all previous base chains in the table
+ // will be recreated. Otherwise, altering properties (e.g. priority) of these
+ // chains would fail the transaction.
+ if !proxier.flushed {
+ for _, bc := range nftablesBaseChains {
+ chain := &knftables.Chain{
+ Name: bc.name,
+ }
+ tx.Add(chain)
+ tx.Delete(chain)
+ }
+ proxier.flushed = true
+ }
+
 // Create and flush base chains
 for _, bc := range nftablesBaseChains {
 chain := &knftables.Chain{

From 42672ee2ea15ad97dfe1c4fec3414b7076380080 Mon Sep 17 00:00:00 2001
From: Quan Tian
Date: Wed, 7 Feb 2024 22:27:53 +0800
Subject: [PATCH 2/2] Make comment about reject action more accurate

Signed-off-by: Quan Tian
---
 pkg/proxy/nftables/proxier.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pkg/proxy/nftables/proxier.go b/pkg/proxy/nftables/proxier.go
index a27591e82aa..3e54e7ee4c9 100644
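Review bot: The new `flushed` field in the first hunk has no comment, and it sits just above the "These are effectively const and do not need the mutex to be held." line, i.e. in the group of fields that the comment implies do need the mutex; the second hunk writes it from setupNFTables, and whether that happens with the lock held cannot be confirmed from here. Suggested line: `flushed bool // true once setupNFTables has queued its one-time add+delete of the base chains; guarded by the proxier mutex` — drop the guard clause if the field is only ever touched from the sync goroutine. The name is also easy to confuse with the "Create and flush base chains" step that follows in the second hunk; something like `baseChainsRecreated` says what the flag actually records. The Proxier struct starts outside the hunk.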
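Review bot: `proxier.flushed = true` in the second hunk is set as soon as the add+delete pair has been queued on tx, but nothing in this function runs the transaction, so if the caller's run of tx fails for any reason the one-time recreation is never retried and the next sync can hit the very base-chain priority-change failure this commit works around. Set the flag only after the transaction has been applied successfully — for example have the caller record it once its run of tx returns nil, or reset it to false on a run error — rather than at queue time; the caller is outside the hunk, so the exact lines cannot be quoted here. Assuming knftables applies the transaction as one atomic nftables transaction, the delete and the immediately following re-add should leave no window in which the hook chains are absent, which is worth stating in the comment above the `if !proxier.flushed` block since deleting base chains otherwise reads as a fail-open moment. The body of setupNFTables continues outside the hunk.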
--- a/pkg/proxy/nftables/proxier.go
+++ b/pkg/proxy/nftables/proxier.go
@@ -353,7 +353,7 @@ type nftablesJumpChain struct {
 var nftablesJumpChains = []nftablesJumpChain{
 // We can't jump to endpointsCheckChain from filter-prerouting like
 // firewallCheckChain because reject action is only valid in chains using the
- // input, forward or output hooks.
+ // input, forward or output hooks with kernels before 5.9.
 {nodePortEndpointsCheckChain, filterInputChain, "ct state new"},
 {serviceEndpointsCheckChain, filterInputChain, "ct state new"},
 {serviceEndpointsCheckChain, filterForwardChain, "ct state new"},
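Review bot: The reworded comment now says the reject restriction applies only to kernels before 5.9 but no longer says why the jumps below still come from the input and forward hooks, so a reader could take it as an invitation to move them to prerouting. If the reason is compatibility with those older kernels, add one line after the changed one: `// We keep jumping from the input/forward hooks so that older kernels keep working.` The nftablesJumpChains slice continues outside the hunk.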