Fix that AntreaProxy could unintentionally delete conntrack entries in zone 0 #6193
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
hongliangl
force-pushed
the
20240407-stale-udp-connection-delete
branch
from
4dbda3d
to
6fd4aec
Compare
hongliangl
added
the
area/proxy
tnqn
added
the
action/release-note
|
Some tests failed, can you check? |
hongliangl
changed the title
hongliangl
force-pushed
the
20240407-stale-udp-connection-delete
branch
from
6fd4aec
to
bb6ba90
Compare
Sure. Besides, I was wondering if we could promote the feature gate CleanupStaleUDPSvcConntrack to Beta stage? |
hongliangl
force-pushed
the
20240407-stale-udp-connection-delete
branch
2 times, most recently
from
09305f1
to
fc64dcc
Compare
How about running it for a while in CI first? I want to ensure this doesn't cause unexpected behaviors, though it doesn't seem to. Promoting a feature shouldn't be in the same PR as a bugfix, the former needs to be more careful and the latter can potentially be backported (though not this case) while the former will never. |
hongliangl
force-pushed
the
20240407-stale-udp-connection-delete
branch
from
fc64dcc
to
233faac
Compare
hongliangl
changed the title
hongliangl
force-pushed
the
20240407-stale-udp-connection-delete
branch
2 times, most recently
from
17bb6f3
to
68e1082
Compare
Got that. I have resolved the test failure of unit tests and integration tests, and I found that e2e test |
|
@tnqn I found that failure of test See L506-L516 in https://github.com/antrea-io/antrea/actions/runs/8643534991/job/23697191286?pr=6193 for more information. Got the same failure at L505-515 in attempt 2 https://github.com/antrea-io/antrea/actions/runs/8643534991/job/23700838340?pr=6193 Got the same failure at L564-574 in attempt 4 https://github.com/antrea-io/antrea/actions/runs/8643534991/job/23715419360?pr=6193 |
|
/test-e2e |
1 similar comment
|
/test-e2e |
hongliangl
force-pushed
the
20240407-stale-udp-connection-delete
branch
from
68e1082
to
3f5be8c
Compare
gran-vmv
reviewed
May 17, 2024
| @@ -33,6 +33,7 @@ import ( | |||
| utilnet "k8s.io/utils/net" | |||
|
|
|||
| "antrea.io/antrea/pkg/agent/config" | |||
| "antrea.io/antrea/pkg/agent/openflow" | |||
| "antrea.io/antrea/pkg/agent/servicecidr" | |||
| "antrea.io/antrea/pkg/agent/types" | |||
| "antrea.io/antrea/pkg/agent/util/ipset" | |||
There was a problem hiding this comment.
Also need to fix if r.Dst == nil in this file?
hongliangl
force-pushed
the
20240407-stale-udp-connection-delete
branch
2 times, most recently
from
bd253ea
to
d4928cd
Compare
|
/test-latest-conformance |
1 similar comment
|
/test-latest-conformance |
|
/skip-all |
hongliangl
added a commit
to hongliangl/antrea
that referenced
this pull request
May 28, 2024
In antrea-io#5112, due to the limitations of the Go netlink library, AntreaProxy would unconditionally delete conntrack entries added by kube-proxy in conntrack zone 0. AntreaProxy was supposed to only delete its own entries in conntrack zones 65520 or 65521. To address this, a feature was added to isolate the relevant code. After the merge of antrea-io#6193, the netlink library was updated, allowing AntreaProxy to precisely delete conntrack entries in zones 65520 or 65521. It is now safe to enable the corresponding code by default. Signed-off-by: Hongliang Liu <lhongliang@vmware.com>
hongliangl
added a commit
to hongliangl/antrea
that referenced
this pull request
May 29, 2024
In antrea-io#5112, due to the limitations of the Go netlink library, AntreaProxy would unconditionally delete conntrack entries added by kube-proxy in conntrack zone 0. AntreaProxy was supposed to only delete its own entries in conntrack zones 65520 or 65521. To address this, a feature was added to isolate the relevant code. After the merge of antrea-io#6193, the netlink library was updated, allowing AntreaProxy to precisely delete conntrack entries in zones 65520 or 65521. It is now safe to enable the corresponding code by default. Signed-off-by: Hongliang Liu <lhongliang@vmware.com>
hongliangl
added a commit
to hongliangl/antrea
that referenced
this pull request
May 29, 2024
In antrea-io#5112, due to the limitations of the Go netlink library, AntreaProxy would unconditionally delete conntrack entries added by kube-proxy in conntrack zone 0. AntreaProxy was supposed to only delete its own entries in conntrack zones 65520 or 65521. To address this, a feature was added to isolate the relevant code. After the merge of antrea-io#6193, the netlink library was updated, allowing AntreaProxy to precisely delete conntrack entries in zones 65520 or 65521. It is now safe to enable the corresponding code by default. Signed-off-by: Hongliang Liu <lhongliang@vmware.com>
hongliangl
added a commit
to hongliangl/antrea
that referenced
this pull request
May 30, 2024
In antrea-io#5112, due to the limitations of the Go netlink library, AntreaProxy would unconditionally delete conntrack entries added by kube-proxy in conntrack zone 0. AntreaProxy was supposed to only delete its own entries in conntrack zones 65520 or 65521. To address this, a feature was added to isolate the relevant code. After the merge of antrea-io#6193, the netlink library was updated, allowing AntreaProxy to precisely delete conntrack entries in zones 65520 or 65521. It is now safe to enable the corresponding code by default. Signed-off-by: Hongliang Liu <lhongliang@vmware.com>
|
@hongliangl Do we need to backport this PR? My PR #6321 rely on this and it cannot be backported without this PR. |
|
You could back them together. |
|
I meant multiple PRs could be backported together in a PR. |
hongliangl
added a commit
to hongliangl/antrea
that referenced
this pull request
Jun 5, 2024
…n zone 0 (antrea-io#6193) This is a subsequent PR for antrea-io#5112. As mentioned in antrea-io#5112: > Due to the restriction of the go library 'netlink', there is no API to specify a target zone. As a result, when deleting a stale conntrack entry with a destination port (such as NodePort), not only will the conntrack entry whose destination port is the port added by AntreaProxy be deleted, but also the conntrack entry that is not added by AntreaProxy will be deleted. This behavior is unexpected, as only the conntrack entries added by AntreaProxy should be deleted. This PR resolves the issue by integrating a CT zone filter, now available in the latest Go library `netlink`. Leveraging this feature, AntreaProxy can accurately delete stale UDP conntrack entries. Signed-off-by: Hongliang Liu <lhongliang@vmware.com>
hongliangl
added a commit
to hongliangl/antrea
that referenced
this pull request
Jun 5, 2024
…n zone 0 (antrea-io#6193) This is a subsequent PR for antrea-io#5112. As mentioned in antrea-io#5112: > Due to the restriction of the go library 'netlink', there is no API to specify a target zone. As a result, when deleting a stale conntrack entry with a destination port (such as NodePort), not only will the conntrack entry whose destination port is the port added by AntreaProxy be deleted, but also the conntrack entry that is not added by AntreaProxy will be deleted. This behavior is unexpected, as only the conntrack entries added by AntreaProxy should be deleted. This PR resolves the issue by integrating a CT zone filter, now available in the latest Go library `netlink`. Leveraging this feature, AntreaProxy can accurately delete stale UDP conntrack entries. Signed-off-by: Hongliang Liu <lhongliang@vmware.com>
hongliangl
added a commit
to hongliangl/antrea
that referenced
this pull request
Jun 5, 2024
…n zone 0 (antrea-io#6193) This is a subsequent PR for antrea-io#5112. As mentioned in antrea-io#5112: > Due to the restriction of the go library 'netlink', there is no API to specify a target zone. As a result, when deleting a stale conntrack entry with a destination port (such as NodePort), not only will the conntrack entry whose destination port is the port added by AntreaProxy be deleted, but also the conntrack entry that is not added by AntreaProxy will be deleted. This behavior is unexpected, as only the conntrack entries added by AntreaProxy should be deleted. This PR resolves the issue by integrating a CT zone filter, now available in the latest Go library `netlink`. Leveraging this feature, AntreaProxy can accurately delete stale UDP conntrack entries. Signed-off-by: Hongliang Liu <lhongliang@vmware.com>
hongliangl
added a commit
to hongliangl/antrea
that referenced
this pull request
Jun 5, 2024
…n zone 0 (antrea-io#6193) This is a subsequent PR for antrea-io#5112. As mentioned in antrea-io#5112: > Due to the restriction of the go library 'netlink', there is no API to specify a target zone. As a result, when deleting a stale conntrack entry with a destination port (such as NodePort), not only will the conntrack entry whose destination port is the port added by AntreaProxy be deleted, but also the conntrack entry that is not added by AntreaProxy will be deleted. This behavior is unexpected, as only the conntrack entries added by AntreaProxy should be deleted. This PR resolves the issue by integrating a CT zone filter, now available in the latest Go library `netlink`. Leveraging this feature, AntreaProxy can accurately delete stale UDP conntrack entries. Signed-off-by: Hongliang Liu <lhongliang@vmware.com>
hongliangl
added a commit
to hongliangl/antrea
that referenced
this pull request
Jun 5, 2024
…n zone 0 (antrea-io#6193) This is a subsequent PR for antrea-io#5112. As mentioned in antrea-io#5112: > Due to the restriction of the go library 'netlink', there is no API to specify a target zone. As a result, when deleting a stale conntrack entry with a destination port (such as NodePort), not only will the conntrack entry whose destination port is the port added by AntreaProxy be deleted, but also the conntrack entry that is not added by AntreaProxy will be deleted. This behavior is unexpected, as only the conntrack entries added by AntreaProxy should be deleted. This PR resolves the issue by integrating a CT zone filter, now available in the latest Go library `netlink`. Leveraging this feature, AntreaProxy can accurately delete stale UDP conntrack entries. Signed-off-by: Hongliang Liu <lhongliang@vmware.com>
tnqn
pushed a commit
that referenced
this pull request
Jun 6, 2024
…n zone 0 (#6193) (#6406) This is a subsequent PR for #5112. As mentioned in #5112: > Due to the restriction of the go library 'netlink', there is no API to specify a target zone. As a result, when deleting a stale conntrack entry with a destination port (such as NodePort), not only will the conntrack entry whose destination port is the port added by AntreaProxy be deleted, but also the conntrack entry that is not added by AntreaProxy will be deleted. This behavior is unexpected, as only the conntrack entries added by AntreaProxy should be deleted. This PR resolves the issue by integrating a CT zone filter, now available in the latest Go library `netlink`. Leveraging this feature, AntreaProxy can accurately delete stale UDP conntrack entries. Signed-off-by: Hongliang Liu <lhongliang@vmware.com>
tnqn
pushed a commit
that referenced
this pull request
Jun 6, 2024
…n zone 0 (#6193) (#6404) This is a subsequent PR for #5112. As mentioned in #5112: > Due to the restriction of the go library 'netlink', there is no API to specify a target zone. As a result, when deleting a stale conntrack entry with a destination port (such as NodePort), not only will the conntrack entry whose destination port is the port added by AntreaProxy be deleted, but also the conntrack entry that is not added by AntreaProxy will be deleted. This behavior is unexpected, as only the conntrack entries added by AntreaProxy should be deleted. This PR resolves the issue by integrating a CT zone filter, now available in the latest Go library `netlink`. Leveraging this feature, AntreaProxy can accurately delete stale UDP conntrack entries. Signed-off-by: Hongliang Liu <lhongliang@vmware.com>
tnqn
pushed a commit
that referenced
this pull request
Jun 6, 2024
…n zone 0 (#6193) (#6405) This is a subsequent PR for #5112. As mentioned in #5112: > Due to the restriction of the go library 'netlink', there is no API to specify a target zone. As a result, when deleting a stale conntrack entry with a destination port (such as NodePort), not only will the conntrack entry whose destination port is the port added by AntreaProxy be deleted, but also the conntrack entry that is not added by AntreaProxy will be deleted. This behavior is unexpected, as only the conntrack entries added by AntreaProxy should be deleted. This PR resolves the issue by integrating a CT zone filter, now available in the latest Go library `netlink`. Leveraging this feature, AntreaProxy can accurately delete stale UDP conntrack entries. Signed-off-by: Hongliang Liu <lhongliang@vmware.com>
hongliangl
added a commit
to hongliangl/antrea
that referenced
this pull request
Jun 6, 2024
In antrea-io#5112, due to the limitations of the Go netlink library, AntreaProxy would unconditionally delete conntrack entries added by kube-proxy in conntrack zone 0. AntreaProxy was supposed to only delete its own entries in conntrack zones 65520 or 65521. To address this, a feature was added to isolate the relevant code. After the merge of antrea-io#6193, the netlink library was updated, allowing AntreaProxy to precisely delete conntrack entries in zones 65520 or 65521. It is now safe to enable the corresponding code by default. Signed-off-by: Hongliang Liu <lhongliang@vmware.com>
hongliangl
added a commit
to hongliangl/antrea
that referenced
this pull request
Jun 7, 2024
In antrea-io#5112, due to the limitations of the Go netlink library, AntreaProxy would unconditionally delete conntrack entries added by kube-proxy in conntrack zone 0. AntreaProxy was supposed to only delete its own entries in conntrack zones 65520 or 65521. To address this, a feature was added to isolate the relevant code. After the merge of antrea-io#6193, the netlink library was updated, allowing AntreaProxy to precisely delete conntrack entries in zones 65520 or 65521. It is now safe to enable the corresponding code by default. Signed-off-by: Hongliang Liu <lhongliang@vmware.com>
hongliangl
added a commit
to hongliangl/antrea
that referenced
this pull request
Jun 12, 2024
In antrea-io#5112, due to the limitations of the Go netlink library, AntreaProxy would unconditionally delete conntrack entries added by kube-proxy in conntrack zone 0. AntreaProxy was supposed to only delete its own entries in conntrack zones 65520 or 65521. To address this, a feature was added to isolate the relevant code. After the merge of antrea-io#6193, the netlink library was updated, allowing AntreaProxy to precisely delete conntrack entries in zones 65520 or 65521. It is now safe to enable the corresponding code by default. Signed-off-by: Hongliang Liu <lhongliang@vmware.com>
tnqn
pushed a commit
that referenced
this pull request
Jun 13, 2024
In #5112, due to the limitations of the Go netlink library, AntreaProxy would unconditionally delete conntrack entries added by kube-proxy in conntrack zone 0. AntreaProxy was supposed to only delete its own entries in conntrack zones 65520 or 65521. To address this, a feature was added to isolate the relevant code. After the merge of #6193, the netlink library was updated, allowing AntreaProxy to precisely delete conntrack entries in zones 65520 or 65521. It is now safe to enable the corresponding code by default. Signed-off-by: Hongliang Liu <lhongliang@vmware.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This is a subsequent PR for #5112. As mentioned in #5112:
This PR resolves the issue by integrating a CT zone filter, now available in
the latest Go library
netlink. Leveraging this feature, AntreaProxy canaccurately delete stale UDP conntrack entries.