proxy/iptables: reorganize cluster/local chain creation

Part of reorganizing the syncProxyRules loop to do:
  1. figure out what chains are needed, mark them in activeNATChains
  2. write servicePort jump rules to KUBE-SERVICES/KUBE-NODEPORTS
  3. write servicePort-specific chains (SVC, SVL, EXT, FW, SEP)

This fixes the handling of the SVC and SVL chains. We were already
filling them in at the end of the loop; this fixes it to create them
at the bottom of the loop as well.

pkg/proxy/iptables/proxier.go

@@ -998,10 +998,19 @@ func (proxier *Proxier) syncProxyRules() {
 			}
 		}
 
-		// These chains represent the sets of endpoints to use when internal or
+		// clusterPolicyChain contains the endpoints used with "Cluster" traffic policy
-		// external traffic policy is "Cluster" vs "Local".
 		clusterPolicyChain := svcInfo.clusterPolicyChainName
+		usesClusterPolicyChain := len(clusterEndpoints) > 0 && svcInfo.UsesClusterEndpoints()
+		if usesClusterPolicyChain {
+			activeNATChains[clusterPolicyChain] = true
+		}
+
+		// localPolicyChain contains the endpoints used with "Local" traffic policy
 		localPolicyChain := svcInfo.localPolicyChainName
+		usesLocalPolicyChain := len(localEndpoints) > 0 && svcInfo.UsesLocalEndpoints()
+		if usesLocalPolicyChain {
+			activeNATChains[localPolicyChain] = true
+		}
 
 		// internalPolicyChain is the chain containing the endpoints for
 		// "internal" (ClusterIP) traffic. internalTrafficChain is the chain that
@@ -1069,19 +1078,6 @@ func (proxier *Proxier) syncProxyRules() {
 			}
 		}
 
-		// Declare the clusterPolicyChain if needed.
-		if len(clusterEndpoints) > 0 && svcInfo.UsesClusterEndpoints() {
-			// Create the Cluster traffic policy chain
-			proxier.natChains.Write(utiliptables.MakeChainLine(clusterPolicyChain))
-			activeNATChains[clusterPolicyChain] = true
-		}
-
-		// Declare the localPolicyChain if needed.
-		if len(localEndpoints) > 0 && svcInfo.UsesLocalEndpoints() {
-			proxier.natChains.Write(utiliptables.MakeChainLine(localPolicyChain))
-			activeNATChains[localPolicyChain] = true
-		}
-
 		// If any "external" destinations are enabled, set up external traffic
 		// handling.  All captured traffic for all external destinations should
 		// jump to externalTrafficChain, which will handle some special-cases
@@ -1337,13 +1333,17 @@ func (proxier *Proxier) syncProxyRules() {
 			)
 		}
 
-		if svcInfo.UsesClusterEndpoints() {
+		// If Cluster policy is in use, create the chain and create rules jumping
-			// Write rules jumping from clusterPolicyChain to clusterEndpoints
+		// from clusterPolicyChain to the clusterEndpoints
+		if usesClusterPolicyChain {
+			proxier.natChains.Write(utiliptables.MakeChainLine(clusterPolicyChain))
 			proxier.writeServiceToEndpointRules(svcPortNameString, svcInfo, clusterPolicyChain, clusterEndpoints, args)
 		}
 
-		if svcInfo.UsesLocalEndpoints() {
+		// If Local policy is in use, create the chain and create rules jumping
-			// Write rules jumping from localPolicyChain to localEndpointChains
+		// from localPolicyChain to the localEndpoints
+		if usesLocalPolicyChain {
+			proxier.natChains.Write(utiliptables.MakeChainLine(localPolicyChain))
 			proxier.writeServiceToEndpointRules(svcPortNameString, svcInfo, localPolicyChain, localEndpoints, args)
 		}