github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-08-03 01:06:27 +00:00
Code Issues Projects Releases Wiki Activity

kube-proxy: flush nftables base chains on startup

Browse Source 
Do an extra "add+delete" once to ensure all previous base chains in the
table will be recreated. Otherwise, altering properties (e.g. priority)
of these chains would fail the transaction.

Signed-off-by: Quan Tian <qtian@vmware.com>
This commit is contained in:
Quan Tian 2024-02-07 00:06:51 +08:00
parent e566bd7769
commit c7e48f1ebf
1 changed files with 15 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
pkg/proxy/nftables/proxier.go
View File

@ -162,6 +162,7 @@ type Proxier struct {
initialized int32 initialized int32
syncRunner *async.BoundedFrequencyRunner // governs calls to syncProxyRules syncRunner *async.BoundedFrequencyRunner // governs calls to syncProxyRules
syncPeriod time.Duration syncPeriod time.Duration
flushed bool
// These are effectively const and do not need the mutex to be held. // These are effectively const and do not need the mutex to be held.
nftables knftables.Interface nftables knftables.Interface
@ -399,6 +400,20 @@ func (proxier *Proxier) setupNFTables(tx *knftables.Transaction) {
Comment: ptr.To("rules for kube-proxy"), Comment: ptr.To("rules for kube-proxy"),
}) })
// Do an extra "add+delete" once to ensure all previous base chains in the table
// will be recreated. Otherwise, altering properties (e.g. priority) of these
// chains would fail the transaction.
if !proxier.flushed {
for _, bc := range nftablesBaseChains {
chain := &knftables.Chain{
Name: bc.name,
}
tx.Add(chain)
tx.Delete(chain)
}
proxier.flushed = true
}
// Create and flush base chains // Create and flush base chains
for _, bc := range nftablesBaseChains { for _, bc := range nftablesBaseChains {
chain := &knftables.Chain{ chain := &knftables.Chain{