nftables: remove filter-output-post-dnat chain

With the filter-output chain already operating at a post-DNAT priority,
we can merge the two chains.

Signed-off-by: Daman Arora <aroradaman@gmail.com>
Daman Arora
2025-06-23 16:21:26 +05:30
parent 7109ea0fd6
commit aded3faa53
2 changed files with 2 additions and 7 deletions


@@ -68,7 +68,6 @@ const (
filterInputChain = "filter-input"
filterForwardChain = "filter-forward"
filterOutputChain = "filter-output"
filterOutputPostDNATChain = "filter-output-post-dnat"
natPreroutingChain = "nat-prerouting"
natOutputChain = "nat-output"
natPostroutingChain = "nat-postrouting"
@@ -401,9 +400,6 @@ var nftablesBaseChains = []nftablesBaseChain{
{filterForwardChain, knftables.FilterType, knftables.ForwardHook, knftables.FilterPriority},
{filterOutputChain, knftables.FilterType, knftables.OutputHook, knftables.FilterPriority},
// filter base chain (post-dnat priority)
{filterOutputPostDNATChain, knftables.FilterType, knftables.OutputHook, knftables.DNATPriority + "+10"},
// nat base chains (dnat priority)
{natPreroutingChain, knftables.NATType, knftables.PreroutingHook, knftables.DNATPriority},
{natOutputChain, knftables.NATType, knftables.OutputHook, knftables.DNATPriority},
@@ -436,7 +432,7 @@ var nftablesJumpChains = []nftablesJumpChain{
{masqueradingChain, natPostroutingChain, ""},
{clusterIPsCheckChain, filterForwardChain, "ct state new"},
{clusterIPsCheckChain, filterOutputPostDNATChain, "ct state new"},
{clusterIPsCheckChain, filterOutputChain, "ct state new"},
}
// ensureChain adds commands to tx to ensure that chain exists and doesn't contain
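Review bot: The invariant this change relies on — that `filterOutputChain` at `knftables.FilterPriority` runs after `natOutputChain` at `knftables.DNATPriority`, so `clusterIPsCheckChain` sees the post-DNAT destination — is now only implicit in the hunk at -401, where the removed `knftables.DNATPriority + "+10"` entry used to spell it out. If cluster-ips-check rejects traffic to ClusterIPs whose port was not DNATed (its rules are outside this diff, so that is inferred from the chain name), moving filter-output to a pre-DNAT priority later would reject all locally originated ClusterIP traffic, so the constraint deserves a comment on the `{filterOutputChain, ...}` entry: `// must stay at a priority after DNATPriority: cluster-ips-check expects the post-DNAT destination`. The same dependence reappears at -436, where the position of the `clusterIPsCheckChain` jump relative to the other filter-output jump is now fixed by array order rather than by hook priority. Both `nftablesBaseChains` and `nftablesJumpChains` extend outside the hunks shown.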


@@ -165,7 +165,6 @@ var baseRules = dedent.Dedent(`
add chain ip kube-proxy filter-forward { type filter hook forward priority 0 ; }
add chain ip kube-proxy filter-input { type filter hook input priority 0 ; }
add chain ip kube-proxy filter-output { type filter hook output priority 0 ; }
add chain ip kube-proxy filter-output-post-dnat { type filter hook output priority -90 ; }
add chain ip kube-proxy firewall-check
add chain ip kube-proxy mark-for-masquerade
add chain ip kube-proxy masquerading
@@ -186,7 +185,7 @@ var baseRules = dedent.Dedent(`
add rule ip kube-proxy filter-input ct state new jump service-endpoints-check
add rule ip kube-proxy filter-output ct state new jump service-endpoints-check
add rule ip kube-proxy filter-output-pre-dnat ct state new jump firewall-check
add rule ip kube-proxy filter-output-post-dnat ct state new jump cluster-ips-check
add rule ip kube-proxy filter-output ct state new jump cluster-ips-check
add rule ip kube-proxy firewall-check ip daddr . meta l4proto . th dport vmap @firewall-ips
add rule ip kube-proxy mark-for-masquerade mark set mark or 0x4000
add rule ip kube-proxy masquerading mark and 0x4000 == 0 return
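Review bot: The fixture at -186 now pins `cluster-ips-check` as a jump out of `filter-output`, but it only asserts the ruleset's shape; nothing in this hunk checks that the jump, now reached at priority 0 instead of -90, still evaluates after DNAT. If this file's packet-flow tests do not already cover a locally originated packet to a ClusterIP port with no matching service, a case asserting that it is rejected while a packet to a served port is DNATed would guard the merged chain against a later priority change. The `baseRules` string continues outside both hunks.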