proxy/iptables: remove last references to KUBE-MARK-DROP

pkg/proxy/iptables/proxier.go

@@ -70,9 +70,6 @@ const (
 	// kubeMarkMasqChain is the mark-for-masquerade chain
 	kubeMarkMasqChain utiliptables.Chain = "KUBE-MARK-MASQ"
 
-	// kubeMarkDropChain is the mark-for-drop chain
-	kubeMarkDropChain utiliptables.Chain = "KUBE-MARK-DROP"
-
 	// the kubernetes forward chain
 	kubeForwardChain utiliptables.Chain = "KUBE-FORWARD"
 
@@ -397,13 +394,6 @@ var iptablesJumpChains = []iptablesJumpChain{
 	{utiliptables.TableNAT, kubePostroutingChain, utiliptables.ChainPostrouting, "kubernetes postrouting rules", nil},
 }
 
-var iptablesEnsureChains = []struct {
-	table utiliptables.Table
-	chain utiliptables.Chain
-}{
-	{utiliptables.TableNAT, kubeMarkDropChain},
-}
-
 var iptablesCleanupOnlyChains = []iptablesJumpChain{
 	// Present in kube 1.13 - 1.19. Removed by #95252 in favor of adding reject rules for incoming/forwarding packets to kubeExternalServicesChain
 	{utiliptables.TableFilter, kubeServicesChain, utiliptables.ChainInput, "kubernetes service portals", []string{"-m", "conntrack", "--ctstate", "NEW"}},
@@ -883,14 +873,6 @@ func (proxier *Proxier) syncProxyRules() {
 		}
 	}
 
-	// ensure KUBE-MARK-DROP chain exist but do not change any rules
-	for _, ch := range iptablesEnsureChains {
-		if _, err := proxier.iptables.EnsureChain(ch.table, ch.chain); err != nil {
-			klog.ErrorS(err, "Failed to ensure chain exists", "table", ch.table, "chain", ch.chain)
-			return
-		}
-	}
-
 	//
 	// Below this point we will not return until we try to write the iptables rules.
 	//

pkg/proxy/iptables/proxier_test.go

@@ -736,7 +736,6 @@ func checkIPTablesRuleJumps(ruleData string) error {
 		// Ignore jumps to chains that we expect to exist even if kube-proxy
 		// didn't create them itself.
 		jumpedChains.Delete("ACCEPT", "REJECT", "DROP", "MARK", "RETURN", "DNAT", "SNAT", "MASQUERADE")
-		jumpedChains.Delete(string(kubeMarkDropChain))
 
 		// Find cases where we have "-A FOO ... -j BAR" but no ":BAR", meaning
 		// that we are jumping to a chain that was not created.
@@ -1436,10 +1435,8 @@ type iptablesTracer struct {
 	// the return value of tracePacket.
 	outputs []string
 
-	// markMasq and markDrop track whether the packet has been marked for masquerading
+	// markMasq tracks whether the packet has been marked for masquerading
-	// or dropping.
 	markMasq bool
-	markDrop bool
 }
 
 // newIPTablesTracer creates an iptablesTracer. nodeIP is the IP to treat as the local
@@ -1525,10 +1522,6 @@ func (tracer *iptablesTracer) runChain(table utiliptables.Table, chain utiliptab
 			tracer.markMasq = true
 			continue
 
-		case "KUBE-MARK-DROP":
-			tracer.markDrop = true
-			continue
-
 		case "ACCEPT", "REJECT", "DROP":
 			// (only valid in filter)
 			tracer.outputs = append(tracer.outputs, rule.Jump.Value)
@@ -1580,11 +1573,6 @@ func tracePacket(t *testing.T, ipt *iptablestest.FakeIPTables, sourceIP, destIP,
 	// inbound, outbound, or intra-host packet, which we don't know. So we just run
 	// the interesting tables manually. (Theoretically this could cause conflicts in
 	// the future in which case we'd have to do something more complicated.)
-
-	// The DROP rule is created by kubelet, not us, so we have to simulate that manually.
-	if tracer.markDrop {
-		return tracer.matches, "DROP", false
-	}
 	tracer.runChain(utiliptables.TableFilter, kubeServicesChain, sourceIP, destIP, destPort)
 	tracer.runChain(utiliptables.TableFilter, kubeExternalServicesChain, sourceIP, destIP, destPort)
 	tracer.runChain(utiliptables.TableFilter, kubeNodePortsChain, sourceIP, destIP, destPort)