Add a dummy nftables kube-proxy backend which is just a copy of iptables

cmd/kube-proxy/app/server_others.go

@@ -50,6 +50,7 @@ import (
 	utilipset "k8s.io/kubernetes/pkg/proxy/ipvs/ipset"
 	utilipvs "k8s.io/kubernetes/pkg/proxy/ipvs/util"
 	proxymetrics "k8s.io/kubernetes/pkg/proxy/metrics"
+	"k8s.io/kubernetes/pkg/proxy/nftables"
 	proxyutil "k8s.io/kubernetes/pkg/proxy/util"
 	proxyutiliptables "k8s.io/kubernetes/pkg/proxy/util/iptables"
 	utiliptables "k8s.io/kubernetes/pkg/util/iptables"
@@ -282,6 +283,67 @@ func (s *ProxyServer) createProxier(config *proxyconfigapi.KubeProxyConfiguratio
 				initOnly,
 			)
 		}
+		if err != nil {
+			return nil, fmt.Errorf("unable to create proxier: %v", err)
+		}
+	} else if config.Mode == proxyconfigapi.ProxyModeNFTables {
+		klog.InfoS("Using nftables Proxier")
+
+		if dualStack {
+			// Always ordered to match []ipt
+			var localDetectors [2]proxyutiliptables.LocalTrafficDetector
+			localDetectors, err = getDualStackLocalDetectorTuple(config.DetectLocalMode, config, s.podCIDRs)
+			if err != nil {
+				return nil, fmt.Errorf("unable to create proxier: %v", err)
+			}
+
+			// TODO this has side effects that should only happen when Run() is invoked.
+			proxier, err = nftables.NewDualStackProxier(
+				ipt,
+				utilsysctl.New(),
+				execer,
+				config.NFTables.SyncPeriod.Duration,
+				config.NFTables.MinSyncPeriod.Duration,
+				config.NFTables.MasqueradeAll,
+				*config.NFTables.LocalhostNodePorts,
+				int(*config.NFTables.MasqueradeBit),
+				localDetectors,
+				s.Hostname,
+				s.NodeIPs,
+				s.Recorder,
+				s.HealthzServer,
+				config.NodePortAddresses,
+				initOnly,
+			)
+		} else {
+			// Create a single-stack proxier if and only if the node does not support dual-stack (i.e, no iptables support).
+			var localDetector proxyutiliptables.LocalTrafficDetector
+			localDetector, err = getLocalDetector(s.PrimaryIPFamily, config.DetectLocalMode, config, s.podCIDRs)
+			if err != nil {
+				return nil, fmt.Errorf("unable to create proxier: %v", err)
+			}
+
+			// TODO this has side effects that should only happen when Run() is invoked.
+			proxier, err = nftables.NewProxier(
+				s.PrimaryIPFamily,
+				iptInterface,
+				utilsysctl.New(),
+				execer,
+				config.NFTables.SyncPeriod.Duration,
+				config.NFTables.MinSyncPeriod.Duration,
+				config.NFTables.MasqueradeAll,
+				*config.NFTables.LocalhostNodePorts,
+				int(*config.NFTables.MasqueradeBit),
+				localDetector,
+				s.Hostname,
+				s.NodeIPs[s.PrimaryIPFamily],
+				s.Recorder,
+				s.HealthzServer,
+				config.NodePortAddresses,
+				initOnly,
+			)
+		}
+
 		if err != nil {
 			return nil, fmt.Errorf("unable to create proxier: %v", err)
 		}
@@ -492,6 +554,7 @@ func cleanupAndExit() error {
 	for _, ipt := range ipts {
 		encounteredError = iptables.CleanupLeftovers(ipt) || encounteredError
 		encounteredError = ipvs.CleanupLeftovers(ipvsInterface, ipt, ipsetInterface) || encounteredError
+		encounteredError = nftables.CleanupLeftovers(ipt) || encounteredError
 	}
 	if encounteredError {
 		return errors.New("encountered an error while tearing down rules")

cmd/kube-proxy/app/server_test.go

@@ -74,6 +74,12 @@ ipvs:
   excludeCIDRs:
     - "10.20.30.40/16"
     - "fd00:1::0/64"
+nftables:
+  masqueradeAll: true
+  masqueradeBit: 18
+  minSyncPeriod: 10s
+  syncPeriod: 60s
+  localhostNodePorts: false
 kind: KubeProxyConfiguration
 metricsBindAddress: "%s"
 mode: "%s"
@@ -218,6 +224,13 @@ nodePortAddresses:
 				SyncPeriod:    metav1.Duration{Duration: 60 * time.Second},
 				ExcludeCIDRs:  []string{"10.20.30.40/16", "fd00:1::0/64"},
 			},
+			NFTables: kubeproxyconfig.KubeProxyNFTablesConfiguration{
+				MasqueradeAll:      true,
+				MasqueradeBit:      ptr.To[int32](18),
+				LocalhostNodePorts: ptr.To(false),
+				MinSyncPeriod:      metav1.Duration{Duration: 10 * time.Second},
+				SyncPeriod:         metav1.Duration{Duration: 60 * time.Second},
+			},
 			MetricsBindAddress: tc.metricsBindAddress,
 			Mode:               kubeproxyconfig.ProxyMode(tc.mode),
 			OOMScoreAdj:        ptr.To[int32](17),