Remove conntrack entries after rules

When service is deleted, we were removing the conntrack entries before removing the flows/iptable rules. It's safer to do the reverse so that in the nano second interim the conntrack entries don't get recreated before the rules/flows get deleted. Signed-off-by: Surya Seetharaman <suryaseetharaman.9@gmail.com> (cherry picked from commit 58b23ea)
tssurya · Jul 29, 2022 · 525e7f1 · 525e7f1
1 parent 8e01a85
commit 525e7f1
Showing 1 changed file with 5 additions and 5 deletions.
diff --git a/go-controller/pkg/node/gateway_shared_intf.go b/go-controller/pkg/node/gateway_shared_intf.go
@@ -587,18 +587,18 @@ func (npw *nodePortWatcher) DeleteService(service *kapi.Service) {
 
 	klog.V(5).Infof("Deleting service %s in namespace %s", service.Name, service.Namespace)
 	name := ktypes.NamespacedName{Namespace: service.Namespace, Name: service.Name}
+	if svcConfig, exists := npw.getAndDeleteServiceInfo(name); exists {
+		delServiceRules(svcConfig.service, npw)
+	} else {
+		klog.Warningf("Deletion failed No service found in cache for endpoint %s in namespace %s", service.Name, service.Namespace)
+	}
 	// Remove all conntrack entries for the serviceVIPs of this service irrespective of protocol stack
 	// since service deletion is considered as unplugging the network cable and hence graceful termination
 	// is not guaranteed. See https://github.com/kubernetes/kubernetes/issues/108523#issuecomment-1074044415.
 	err := npw.deleteConntrackForService(service)
 	if err != nil {
 		klog.Errorf("Failed to delete conntrack entry for service %v: %v", name, err)
 	}
-	if svcConfig, exists := npw.getAndDeleteServiceInfo(name); exists {
-		delServiceRules(svcConfig.service, npw)
-	} else {
-		klog.Warningf("Deletion failed No service found in cache for endpoint %s in namespace %s", service.Name, service.Namespace)
-	}
 
 }