logger.Info("Using nftables Proxier")

		if dualStack {
			// TODO this has side effects that should only happen when Run() is invoked.
			proxier, err = nftables.NewDualStackProxier(
				ctx,
				config.NFTables.SyncPeriod.Duration,
				config.NFTables.MinSyncPeriod.Duration,
				config.NFTables.MasqueradeAll,
				int(*config.NFTables.MasqueradeBit),
				localDetectors,
				s.Hostname,

		obj.OOMScoreAdj = &temp
	}
	if obj.IPTables.SyncPeriod.Duration == 0 {
		obj.IPTables.SyncPeriod = metav1.Duration{Duration: 30 * time.Second}
	}
	if obj.IPTables.MinSyncPeriod.Duration == 0 {
		obj.IPTables.MinSyncPeriod = metav1.Duration{Duration: 1 * time.Second}
	}
	if obj.IPTables.LocalhostNodePorts == nil {
		obj.IPTables.LocalhostNodePorts = ptr.To(true)
	}
	if obj.IPVS.SyncPeriod.Duration == 0 {

	{filterOutputChain, knftables.FilterType, knftables.OutputHook, knftables.DNATPriority + "-10"},
	{filterOutputPostDNATChain, knftables.FilterType, knftables.OutputHook, knftables.DNATPriority + "+10"},
	{natPreroutingChain, knftables.NATType, knftables.PreroutingHook, knftables.DNATPriority},
	{natOutputChain, knftables.NATType, knftables.OutputHook, knftables.DNATPriority},

	// IfNotLocal returns iptables arguments that will match traffic that is not from
	// a local pod.
	IfNotLocal() []string

	// IfLocalNFT returns nftables arguments that will match traffic from a local pod.
	IfLocalNFT() []string

	// IfNotLocalNFT returns nftables arguments that will match traffic that is not
	// from a local pod.
	IfNotLocalNFT() []string
}

type detectLocal struct {
	ifLocal       []string

# NFTables kube-proxy

This is an implementation of service proxying via the nftables API of
the kernel netfilter subsystem.

## General theory of netfilter

Packet flow through netfilter looks something like:

```text
             +================+      +=====================+
             | hostNetwork IP |      | hostNetwork process |
             +================+      +=====================+
                         ^                |

	Mode ProxyMode
	// iptables contains iptables-related configuration options.
	IPTables KubeProxyIPTablesConfiguration
	// ipvs contains ipvs-related configuration options.
	IPVS KubeProxyIPVSConfiguration
	// winkernel contains winkernel-related configuration options.
	Winkernel KubeProxyWinkernelConfiguration
	// nftables contains nftables-related configuration options.
	NFTables KubeProxyNFTablesConfiguration

logging:
  flushFrequency: 5s
  format: text
  options:
    json:
      infoBufferSize: "0"
    text:
      infoBufferSize: "0"
  verbosity: 0
metricsBindAddress: 127.0.0.1:10249
mode: ""
nftables:
  masqueradeAll: false
  masqueradeBit: 14
  minSyncPeriod: 1s
  syncPeriod: 30s
nodePortAddresses: null
oomScoreAdj: -999
portRange: ""
showHiddenMetricsForVersion: ""
winkernel:
  enableDSR: false

// limitations under the License.

package plugin

// InterceptRuleMgr configures networking tables (e.g. iptables or nftables) for
// redirecting traffic to an Istio proxy.
type InterceptRuleMgr interface {
	Program(podName, netns string, redirect *Redirect) error
}

// Constructor for iptables InterceptRuleMgr
func IptablesInterceptRuleMgr() InterceptRuleMgr {
	return newIPTables()

					MinSyncPeriod:      metav1.Duration{Duration: 1 * time.Second},
				},
				IPVS: kubeproxyconfigv1alpha1.KubeProxyIPVSConfiguration{
					SyncPeriod: metav1.Duration{Duration: 30 * time.Second},
				},
				NFTables: kubeproxyconfigv1alpha1.KubeProxyNFTablesConfiguration{
					MasqueradeBit: ptr.To[int32](14),
					MasqueradeAll: false,
					SyncPeriod:    metav1.Duration{Duration: 30 * time.Second},

	// proxy has seen.
	NFTablesSyncFailuresTotal = metrics.NewCounter(
		&metrics.CounterOpts{
			Subsystem:      kubeProxySubsystem,
			Name:           "sync_proxy_rules_nftables_sync_failures_total",
			Help:           "Cumulative proxy nftables sync failures",
			StabilityLevel: metrics.ALPHA,
		},
	)

	// NFTablesCleanupFailuresTotal is the number of nftables stale chain cleanup