diff --git a/pkg/provider/ipvsdr/ipvsdr.go b/pkg/provider/ipvsdr/ipvsdr.go
index b0659e036..72516e494 100644
--- a/pkg/provider/ipvsdr/ipvsdr.go
+++ b/pkg/provider/ipvsdr/ipvsdr.go
@@ -313,6 +313,7 @@ func (f *ipvsdr) generateDeployment(lb *lbapi.LoadBalancer) *appsv1.Deployment {
 	terminationGracePeriodSeconds := int64(30)
 	hostNetwork := true
 	dnsPolicy := v1.DNSClusterFirstWithHostNet
+	hostPathFileOrCreate := v1.HostPathFileOrCreate
 	replicas, _ := lbutil.CalculateReplicas(lb)
 	privileged := true
 	maxSurge := intstr.FromInt(0)
@@ -448,6 +449,11 @@ func (f *ipvsdr) generateDeployment(lb *lbapi.LoadBalancer) *appsv1.Deployment {
 									MountPath: "/lib/modules",
 									ReadOnly:  true,
 								},
+								{
+									Name:      "xtables-lock",
+									MountPath: "/run/xtables.lock",
+									ReadOnly:  false,
+								},
 							},
 						},
 					},
@@ -460,6 +466,15 @@ func (f *ipvsdr) generateDeployment(lb *lbapi.LoadBalancer) *appsv1.Deployment {
 								},
 							},
 						},
+						{
+							Name: "xtables-lock",
+							VolumeSource: v1.VolumeSource{
+								HostPath: &v1.HostPathVolumeSource{
+									Path: "/run/xtables.lock",
+									Type: &hostPathFileOrCreate,
+								},
+							},
+						},
 					},
 				},
 			},
diff --git a/pkg/proxy/nginx/config.go b/pkg/proxy/nginx/config.go
index c0907ed12..2fcbb3dad 100644
--- a/pkg/proxy/nginx/config.go
+++ b/pkg/proxy/nginx/config.go
@@ -178,7 +178,8 @@ func (f *nginx) updateIfHasUnmanagedConfig(lb *lbapi.LoadBalancer, cm *v1.Config
 
 	var unmanagedConifgs map[string]string
 	// we consider that configs may contains unmanaged config only if cm is not marked (oldExternalConfigMaps is empty).
-	if len(oldExternalConfigMaps) == 0 {
+	if len(oldExternalConfigMaps) == 0 ||
+		(len(oldExternalConfigMaps) == 1 && oldExternalConfigMaps[0] == "") {
 		unmanagedConifgs = mapDel(cm.Data, defaultConfig, managedConfig)
 	}