From e1837185dea61d286c72a52d4a652d8ee1392b2f Mon Sep 17 00:00:00 2001
From: Avesh Agarwal
Date: Tue, 27 Oct 2015 13:08:16 -0400
Subject: [PATCH] Improves iptables cleanup for pure iptables based proxier.

---
 pkg/proxy/iptables/proxier.go | 23 ++++++++++++++++++++++-
 1 file changed, 22 insertions(+), 1 deletion(-)

diff --git a/pkg/proxy/iptables/proxier.go b/pkg/proxy/iptables/proxier.go
index a45f2dcd441..cf870c75196 100644
--- a/pkg/proxy/iptables/proxier.go
+++ b/pkg/proxy/iptables/proxier.go
@@ -188,7 +188,7 @@ func NewProxier(ipt utiliptables.Interface, exec utilexec.Interface, syncPeriod
 // It returns true if an error was encountered. Errors are logged.
 func CleanupLeftovers(ipt utiliptables.Interface) (encounteredError bool) {
 	//TODO: actually tear down all rules and chains.
-	args := []string{"-j", "KUBE-SERVICES"}
+	args := []string{"-m", "comment", "--comment", "kubernetes service portals", "-j", string(iptablesServicesChain)}
 	if err := ipt.DeleteRule(utiliptables.TableNAT, utiliptables.ChainOutput, args...); err != nil {
 		glog.Errorf("Error removing pure-iptables proxy rule: %v", err)
 		encounteredError = true
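Review bot: The OUTPUT delete now matches on the exact comment text `"kubernetes service portals"`, so it only finds the rule if the rule-adding side uses the byte-identical literal; if that string also appears in syncProxyRules, hoist it into a shared constant next to `iptablesServicesChain` so the add and delete sides cannot drift. The removed `-j KUBE-SERVICES` form is what an earlier proxier build would have installed, so a node upgraded from such a version keeps that jump after this change, and because iptables refuses to delete a chain that is still referenced, the chain teardown added in the next hunk will then fail as well. A backward-compatible cleanup would additionally try the legacy arguments, `ipt.DeleteRule(utiliptables.TableNAT, utiliptables.ChainOutput, "-j", string(iptablesServicesChain))`, provided DeleteRule treats an absent rule as a no-op rather than an error (worth confirming against utiliptables before adding it). The body of CleanupLeftovers continues past the end of this hunk.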
@@ -197,6 +197,27 @@ func CleanupLeftovers(ipt utiliptables.Interface) (encounteredError bool) {
 		glog.Errorf("Error removing pure-iptables proxy rule: %v", err)
 		encounteredError = true
 	}
+
+	args = []string{"-m", "comment", "--comment", "kubernetes service traffic requiring SNAT", "-m", "mark", "--mark", iptablesMasqueradeMark, "-j", "MASQUERADE"}
+	if err := ipt.DeleteRule(utiliptables.TableNAT, utiliptables.ChainPostrouting, args...); err != nil {
+		glog.Errorf("Error removing pure-iptables proxy rule: %v", err)
+		encounteredError = true
+	}
+
+	// flush and delete chains.
+	chains := []utiliptables.Chain{iptablesServicesChain, iptablesNodePortsChain}
+	for _, c := range chains {
+		// flush chain, then if sucessful delete, delete will fail if flush fails.
+		if err := ipt.FlushChain(utiliptables.TableNAT, c); err != nil {
+			glog.Errorf("Error flushing pure-iptables proxy chain: %v", err)
+			encounteredError = true
+		} else {
+			if err = ipt.DeleteChain(utiliptables.TableNAT, c); err != nil {
+				glog.Errorf("Error deleting pure-iptables proxy chain: %v", err)
+				encounteredError = true
+			}
+		}
+	}
 	return encounteredError
 }
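Review bot: The `} else { if err = ipt.DeleteChain(...)` in the chain loop is a nested `if` that should be an `else if`, and the comment above it misspells "successful"; `} else if err := ipt.DeleteChain(utiliptables.TableNAT, c); err != nil {` with the comment `// Flush first: DeleteChain only succeeds on an empty, unreferenced chain.` reads cleaner and keeps the error scoped to its branch. The order of `chains` is load-bearing: KUBE-SERVICES is flushed before KUBE-NODEPORTS so that any jump from the former into the latter is gone before DeleteChain runs, which deserves a comment on the slice literal because a reorder would silently turn the delete into a logged error. DeleteChain also fails while another chain still jumps into the target, so an OUTPUT or PREROUTING jump that the earlier DeleteRule calls did not match leaves both chains in place, and since every rule-delete failure logs the same `"Error removing pure-iptables proxy rule"` text the log does not say which rule was missed. The `//TODO: actually tear down all rules and chains.` comment at the top of the function (context in the previous hunk) is now only partly true, so narrow it to whatever the proxier still leaves behind, such as per-service chains if it creates any.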