Merge pull request #123162 from tnqn/flush-on-startup

kube-proxy: flush nftables base chains on startup

pkg/proxy/nftables/proxier.go

@@ -162,6 +162,7 @@ type Proxier struct {
 	initialized          int32
 	syncRunner           *async.BoundedFrequencyRunner // governs calls to syncProxyRules
 	syncPeriod           time.Duration
+	flushed              bool
 
 	// These are effectively const and do not need the mutex to be held.
 	nftables       knftables.Interface
@@ -352,7 +353,7 @@ type nftablesJumpChain struct {
 var nftablesJumpChains = []nftablesJumpChain{
 	// We can't jump to endpointsCheckChain from filter-prerouting like
 	// firewallCheckChain because reject action is only valid in chains using the
-	// input, forward or output hooks.
+	// input, forward or output hooks with kernels before 5.9.
 	{nodePortEndpointsCheckChain, filterInputChain, "ct state new"},
 	{serviceEndpointsCheckChain, filterInputChain, "ct state new"},
 	{serviceEndpointsCheckChain, filterForwardChain, "ct state new"},
@@ -399,6 +400,20 @@ func (proxier *Proxier) setupNFTables(tx *knftables.Transaction) {
 		Comment: ptr.To("rules for kube-proxy"),
 	})
 
+	// Do an extra "add+delete" once to ensure all previous base chains in the table
+	// will be recreated. Otherwise, altering properties (e.g. priority) of these
+	// chains would fail the transaction.
+	if !proxier.flushed {
+		for _, bc := range nftablesBaseChains {
+			chain := &knftables.Chain{
+				Name: bc.name,
+			}
+			tx.Add(chain)
+			tx.Delete(chain)
+		}
+		proxier.flushed = true
+	}
+
 	// Create and flush base chains
 	for _, bc := range nftablesBaseChains {
 		chain := &knftables.Chain{