Merge pull request #123162 from tnqn/flush-on-startup
kube-proxy: flush nftables base chains on startup
commit
9b3d8a9063
@ -162,6 +162,7 @@ type Proxier struct {
|
||||
initialized int32
|
||||
syncRunner *async.BoundedFrequencyRunner // governs calls to syncProxyRules
|
||||
syncPeriod time.Duration
|
||||
flushed bool
|
||||
|
||||
// These are effectively const and do not need the mutex to be held.
|
||||
nftables knftables.Interface
|
||||
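Review bot: The new `flushed` field is declared without a comment, while its neighbour `syncRunner` documents its role and the struct is explicitly split into a mutex-guarded group and an "effectively const" group, so a reader cannot tell from the declaration what it gates or which lock covers it. Suggest `flushed bool // set by setupNFTables once the one-time add+delete of nftablesBaseChains has been queued, so later syncs skip it`, which is what the setupNFTables hunk further down shows. The field sits above the "effectively const" comment, so it is presumably meant to be read and written under the proxier mutex; if setupNFTables can run without that lock held, say so in the comment or move the field into the const group. The Proxier struct begins before and ends after this hunk.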
@ -352,7 +353,7 @@ type nftablesJumpChain struct {
|
||||
var nftablesJumpChains = []nftablesJumpChain{
|
||||
// We can't jump to endpointsCheckChain from filter-prerouting like
|
||||
// firewallCheckChain because reject action is only valid in chains using the
|
||||
// input, forward or output hooks.
|
||||
// input, forward or output hooks with kernels before 5.9.
|
||||
{nodePortEndpointsCheckChain, filterInputChain, "ct state new"},
|
||||
{serviceEndpointsCheckChain, filterInputChain, "ct state new"},
|
||||
{serviceEndpointsCheckChain, filterForwardChain, "ct state new"},
|
||||
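Review bot: The amended comment now limits the reject restriction to kernels before 5.9, but the jump table directly below it still wires both endpoints-check chains to the input and forward hooks unconditionally, so the comment no longer explains why the code keeps that placement on newer kernels. Suggest extending the replaced line with something like `// input, forward or output hooks with kernels before 5.9, so these chains stay on input/forward rather than prerouting to behave the same on every supported kernel.`; the supported-kernel baseline is not visible here, so adjust the wording to the project's actual minimum. The nftablesJumpChains slice continues outside the hunk.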
@ -399,6 +400,20 @@ func (proxier *Proxier) setupNFTables(tx *knftables.Transaction) {
|
||||
Comment: ptr.To("rules for kube-proxy"),
|
||||
})
|
||||
|
||||
// Do an extra "add+delete" once to ensure all previous base chains in the table
|
||||
// will be recreated. Otherwise, altering properties (e.g. priority) of these
|
||||
// chains would fail the transaction.
|
||||
if !proxier.flushed {
|
||||
for _, bc := range nftablesBaseChains {
|
||||
chain := &knftables.Chain{
|
||||
Name: bc.name,
|
||||
}
|
||||
tx.Add(chain)
|
||||
tx.Delete(chain)
|
||||
}
|
||||
proxier.flushed = true
|
||||
}
|
||||
|
||||
// Create and flush base chains
|
||||
for _, bc := range nftablesBaseChains {
|
||||
chain := &knftables.Chain{
|
||||
|