From c7e48f1ebf521e4ba84db04be38c781d5cc408e2 Mon Sep 17 00:00:00 2001
From: Quan Tian
Date: Wed, 7 Feb 2024 00:06:51 +0800
Subject: [PATCH] kube-proxy: flush nftables base chains on startup

Do an extra "add+delete" once to ensure all previous base chains in the table will be recreated. Otherwise, altering properties (e.g. priority) of these chains would fail the transaction.

Signed-off-by: Quan Tian
---
 pkg/proxy/nftables/proxier.go | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/pkg/proxy/nftables/proxier.go b/pkg/proxy/nftables/proxier.go
index 998143ad258..a27591e82aa 100644
--- a/pkg/proxy/nftables/proxier.go
+++ b/pkg/proxy/nftables/proxier.go
@@ -162,6 +162,7 @@ type Proxier struct {
 	initialized int32
 	syncRunner *async.BoundedFrequencyRunner // governs calls to syncProxyRules
 	syncPeriod time.Duration
+	flushed bool
 
 	// These are effectively const and do not need the mutex to be held.
 	nftables knftables.Interface
@@ -399,6 +400,20 @@ func (proxier *Proxier) setupNFTables(tx *knftables.Transaction) {
 		Comment: ptr.To("rules for kube-proxy"),
 	})
 
+	// Do an extra "add+delete" once to ensure all previous base chains in the table
+	// will be recreated. Otherwise, altering properties (e.g. priority) of these
+	// chains would fail the transaction.
+	if !proxier.flushed {
+		for _, bc := range nftablesBaseChains {
+			chain := &knftables.Chain{
+				Name: bc.name,
+			}
+			tx.Add(chain)
+			tx.Delete(chain)
+		}
+		proxier.flushed = true
+	}
+
 	// Create and flush base chains
 	for _, bc := range nftablesBaseChains {
 		chain := &knftables.Chain{
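Review bot: `proxier.flushed = true` in setupNFTables is set while the transaction is still only being queued, so if the caller's later run of `tx` fails for any reason the one-time add+delete is never retried, and the next sync would hit exactly the property-change failure the commit message describes. Consider setting the flag only after the transaction that carried the add+delete has been applied successfully, which presumably lives in the caller outside this hunk, or at least documenting the limitation. The new struct field in the first hunk also lacks a comment, unlike its neighbours; something like `flushed bool // one-time base-chain add+delete has been queued; not reset if that transaction fails` would make the intent clear. setupNFTables begins and ends outside the second hunk.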