public void addChain(final AuthenticationChain chain) {
        chains = ArrayUtils.addAll(chains, chain);
    }

    protected StreamOf<AuthenticationChain> chains() {
        return stream(chains);
    }

	// Flush and delete the istio chains from NAT table.
	chains := []string{constants.ISTIOOUTPUT, constants.ISTIOINBOUND}
	flushAndDeleteChains(ext, iptV, constants.NAT, chains)
	// Flush and delete the istio chains from MANGLE table.
	chains = []string{constants.ISTIOINBOUND, constants.ISTIODIVERT, constants.ISTIOTPROXY}
	flushAndDeleteChains(ext, iptV, constants.MANGLE, chains)

	if cfg.InboundInterceptionMode == constants.TPROXY {

		}
		// Build the actual chain
		chains := lb.inboundChainForOpts(cc, mtls, opts)

		if cc.bindToPort {
			// If this config is for bindToPort, we want to actually create a real Listener.
			listeners = append(listeners, lb.inboundCustomListener(cc, chains))
		} else {
			// Otherwise, just append the filter chain to the virtual inbound chains.

// not match. This means an empty match (`{}`) may not match if another chain
// matches one criteria but not another.
func (sim *Simulation) matchFilterChain(chains []*listener.FilterChain, defaultChain *listener.FilterChain,
	input Call, hasTLSInspector bool,
) (*listener.FilterChain, error) {
	chains = filter("DestinationPort", chains, func(fc *listener.FilterChainMatch) bool {
		return fc.GetDestinationPort() == nil

	}

	return chains, nil
}

func appendToFreshChain(chain []*Certificate, cert *Certificate) []*Certificate {
	n := make([]*Certificate, len(chain)+1)
	copy(n, chain)
	n[len(chain)] = cert
	return n
}

// alreadyInChain checks whether a candidate certificate is present in a chain.
// Rather than doing a direct byte for byte equivalency check, we check if the

	// now, and record the time that they become stale in staleChains so they can be
	// deleted later.
	existingChains, err := proxier.nftables.List(context.TODO(), "chains")
	if err == nil {
		for _, chain := range existingChains {
			if isServiceChainName(chain) {
				if !activeChains.Has(chain) {
					tx.Flush(&knftables.Chain{
						Name: chain,
					})

    # clean the previous Istio iptables chains.
    "${ISTIO_BIN_BASE}/pilot-agent" istio-clean-iptables
  fi
  exit 0
fi

# Init option will only initialize iptables. set ISTIO_CUSTOM_IP_TABLES to true if you would like to ignore this step
if [ "${ISTIO_CUSTOM_IP_TABLES}" != "true" ] ; then
    if [[ ${1-} == "init" || ${1-} == "-p" ]] ; then
      # clean the previous Istio iptables chains. This part is different from the init image mode,

apiVersion: release-notes/v2
kind: bug-fix
area: traffic-management

releaseNotes:
- |

		}
		if !fullWildcardFound {
			chain.sniHosts = append([]string{}, chain.sniHosts...)
			sort.Stable(sort.StringSlice(chain.sniHosts))
			match.ServerNames = chain.sniHosts
		}
	}
	if len(chain.destinationCIDRs) > 0 {
		chain.destinationCIDRs = append([]string{}, chain.destinationCIDRs...)
		sort.Stable(sort.StringSlice(chain.destinationCIDRs))
		for _, d := range chain.destinationCIDRs {

				chain = fc
			}
		}
		if chain == nil {
			t.Fatalf("Failed to find http_connection_manager")
		}
		if len(chain.Filters) != 1 {
			t.Fatalf("Expected 1 filter in first filter chain, got %d", len(l.FilterChains))
		}
		filter := chain.Filters[0]
		if filter.Name != wellknown.HTTPConnectionManager {
			t.Fatalf("Expected HTTP connection, found %v", chain.Filters[0].Name)
		}