From aded3faa5336c9f8633d716c925172255ff031d2 Mon Sep 17 00:00:00 2001
From: Daman Arora
Date: Mon, 23 Jun 2025 16:21:26 +0530
Subject: [PATCH] nftables: remove filter-output-post-dnat chain

With filter-output chain already operating with priority post DNAT, we can merge both the chains together.

Signed-off-by: Daman Arora
---
 pkg/proxy/nftables/proxier.go | 6 +-----
 pkg/proxy/nftables/proxier_test.go | 3 +--
 2 files changed, 2 insertions(+), 7 deletions(-)
diff --git a/pkg/proxy/nftables/proxier.go b/pkg/proxy/nftables/proxier.go
index d6f3f438f68..16f14cac20d 100644
--- a/pkg/proxy/nftables/proxier.go
+++ b/pkg/proxy/nftables/proxier.go
@@ -68,7 +68,6 @@ const (
 filterInputChain = "filter-input"
 filterForwardChain = "filter-forward"
 filterOutputChain = "filter-output"
-filterOutputPostDNATChain = "filter-output-post-dnat"
 natPreroutingChain = "nat-prerouting"
 natOutputChain = "nat-output"
 natPostroutingChain = "nat-postrouting"
@@ -401,9 +400,6 @@ var nftablesBaseChains = []nftablesBaseChain{
 {filterForwardChain, knftables.FilterType, knftables.ForwardHook, knftables.FilterPriority},
 {filterOutputChain, knftables.FilterType, knftables.OutputHook, knftables.FilterPriority},
 
-// filter base chain (post-dnat priority)
-{filterOutputPostDNATChain, knftables.FilterType, knftables.OutputHook, knftables.DNATPriority + "+10"},
-
 // nat base chains (dnat priority)
 {natPreroutingChain, knftables.NATType, knftables.PreroutingHook, knftables.DNATPriority},
 {natOutputChain, knftables.NATType, knftables.OutputHook, knftables.DNATPriority},
@@ -436,7 +432,7 @@ var nftablesJumpChains = []nftablesJumpChain{
 {masqueradingChain, natPostroutingChain, ""},
 {clusterIPsCheckChain, filterForwardChain, "ct state new"},
-{clusterIPsCheckChain, filterOutputPostDNATChain, "ct state new"},
+{clusterIPsCheckChain, filterOutputChain, "ct state new"},
 }
 
 // ensureChain adds commands to tx to ensure that chain exists and doesn't contain
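Review bot: The ordering requirement that the old chain name made explicit is now only implicit in the new `{clusterIPsCheckChain, filterOutputChain, "ct state new"}` entry: the cluster-ips-check jump is correct only because filterOutputChain is registered at knftables.FilterPriority (rendered as priority 0 in the test dump) while nat-output sits at knftables.DNATPriority (the removed chain's DNATPriority + "+10" rendered as -90, so dstnat is -100), and in nftables a lower priority runs first, so filter-output does see the post-DNAT destination. Nothing in the code records that filter-output must stay at a priority above dstnat, so a later change to its priority — for example to mirror the pre-dnat chain — would silently run the cluster-IP check against the pre-DNAT destination, which is presumably exactly what that check must not see. Suggest pinning the invariant with a comment on the entry, `// must run after DNAT: filter-output is at filter priority (0), which follows nat-output's dstnat priority (-100)`. The second hunk drops the "(post-dnat priority)" comment that used to carry this information, and the nftablesJumpChains declaration begins outside the hunk.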
diff --git a/pkg/proxy/nftables/proxier_test.go b/pkg/proxy/nftables/proxier_test.go
index 3d5bd99de12..ec2f3c29827 100644
--- a/pkg/proxy/nftables/proxier_test.go
+++ b/pkg/proxy/nftables/proxier_test.go
@@ -165,7 +165,6 @@ var baseRules = dedent.Dedent(`
 add chain ip kube-proxy filter-forward { type filter hook forward priority 0 ; }
 add chain ip kube-proxy filter-input { type filter hook input priority 0 ; }
 add chain ip kube-proxy filter-output { type filter hook output priority 0 ; }
-add chain ip kube-proxy filter-output-post-dnat { type filter hook output priority -90 ; }
 add chain ip kube-proxy firewall-check
 add chain ip kube-proxy mark-for-masquerade
 add chain ip kube-proxy masquerading
@@ -186,7 +185,7 @@ var baseRules = dedent.Dedent(`
 add rule ip kube-proxy filter-input ct state new jump service-endpoints-check
 add rule ip kube-proxy filter-output ct state new jump service-endpoints-check
 add rule ip kube-proxy filter-output-pre-dnat ct state new jump firewall-check
-add rule ip kube-proxy filter-output-post-dnat ct state new jump cluster-ips-check
+add rule ip kube-proxy filter-output ct state new jump cluster-ips-check
 add rule ip kube-proxy firewall-check ip daddr . meta l4proto . th dport vmap @firewall-ips
 add rule ip kube-proxy mark-for-masquerade mark set mark or 0x4000
 add rule ip kube-proxy masquerading mark and 0x4000 == 0 return