
Commit 7d5f3c5

committed
[kube-proxy:nftables] Read map/set elements on setup.
We used to flush and re-add all map/set elements on nftables setup, but it is faster to read the existing elements and only transact the diff. Signed-off-by: Nadia Pinaeva <[email protected]>
1 parent 77d7f63 commit 7d5f3c5

1 file changed

+29
-18
lines changed


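--- a/pkg/proxy/nftables/proxier.go
+++ b/pkg/proxy/nftables/proxier.go
@@ -712,13 +712,13 @@ func (proxier *Proxier) setupNFTables(tx *knftables.Transaction) {
 		})
 	}
 
-	// flush containers
-	proxier.clusterIPs.reset(tx)
-	proxier.serviceIPs.reset(tx)
-	proxier.firewallIPs.reset(tx)
-	proxier.noEndpointServices.reset(tx)
-	proxier.noEndpointNodePorts.reset(tx)
-	proxier.serviceNodePorts.reset(tx)
+	// read or flush containers
+	proxier.clusterIPs.readOrReset(tx, proxier.nftables, proxier.logger)
+	proxier.serviceIPs.readOrReset(tx, proxier.nftables, proxier.logger)
+	proxier.firewallIPs.readOrReset(tx, proxier.nftables, proxier.logger)
+	proxier.noEndpointServices.readOrReset(tx, proxier.nftables, proxier.logger)
+	proxier.noEndpointNodePorts.readOrReset(tx, proxier.nftables, proxier.logger)
+	proxier.serviceNodePorts.readOrReset(tx, proxier.nftables, proxier.logger)
 }
 
 // CleanupLeftovers removes all nftables rules and chains created by the Proxier
@@ -1082,19 +1082,30 @@ func newNFTElementStorage(containerType, containerName string) *nftElementStorag
 	return c
 }
 
-// reset clears the internal state and flushes the nftables map/set.
-func (s *nftElementStorage) reset(tx *knftables.Transaction) {
+// readOrReset updates the existing elements from the nftables map/set.
+// If reading fails, it clears the internal state and flushes the nftables map/set.
+func (s *nftElementStorage) readOrReset(tx *knftables.Transaction, nftables knftables.Interface, logger klog.Logger) {
 	clear(s.elements)
-	if s.containerType == "set" {
-		tx.Flush(&knftables.Set{
-			Name: s.containerName,
-		})
-	} else {
-		tx.Flush(&knftables.Map{
-			Name: s.containerName,
-		})
+	defer s.resetLeftoverKeys()
+	elems, err := nftables.ListElements(context.TODO(), s.containerType, s.containerName)
+	if err != nil && !knftables.IsNotFound(err) {
+		if s.containerType == "set" {
+			tx.Flush(&knftables.Set{
+				Name: s.containerName,
+			})
+		} else {
+			tx.Flush(&knftables.Map{
+				Name: s.containerName,
+			})
+		}
+		logger.Error(err, "Failed to list nftables elements", "containerName", s.containerName, "containerType", s.containerType)
+		return
+	}
+	for _, elem := range elems {
+		newKey := joinNFTSlice(elem.Key)
+		newValue := joinNFTSlice(elem.Value)
+		s.elements[newKey] = newValue
 	}
-	s.resetLeftoverKeys()
 }
 
 // resetLeftoverKeys is only called internally by nftElementStorage methods.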
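Review bot: The diff-based sync in readOrReset now depends on `joinNFTSlice(elem.Key)` / `joinNFTSlice(elem.Value)` producing byte-for-byte the same strings the proxier generates when it adds elements; nft reports elements in its own canonical spelling (addresses, concatenation separators, verdict text), and if those ever differ from the proxier's encoding every existing element will look like a leftover and be deleted and re-added each sync, silently losing the speed-up without any error being logged — a test that adds elements, lists them back through ListElements and asserts the keys round-trip would guard this. The doc comment is also slightly inaccurate, since `clear(s.elements)` runs on both paths, not only "if reading fails"; I would write it as `// readOrReset rebuilds s.elements from the map/set's current kernel contents. If listing fails (other than not-found), it instead flushes the map/set in tx so the next sync re-adds everything.` Note that the listing happens outside tx, so any element change between ListElements and the transaction being applied is not seen; that is presumably fine because kube-proxy is the only writer of these containers, but a one-line comment saying so would help. The nftElementStorage type and resetLeftoverKeys are defined outside this hunk.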
