Skip to content

[v1.17] cilium: fix socket termination for v4-in-v6 clients #40295

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Jul 1, 2025
Merged

[v1.17] cilium: fix socket termination for v4-in-v6 clients #40295

merged 1 commit into from
Jul 1, 2025

Conversation

borkmann
Copy link
Member

@borkmann borkmann commented Jul 1, 2025
edited
Loading

Manual backport of #39994 (only picked 1st commit)

Once this PR is merged, a GitHub action will update the labels of these PRs:

 39994

@borkmann
cilium, socklb: Terminate also v4-in-v6 mapped sockets
1a70144 
[ upstream commit b99a60b ]

@m0untains reported that v4-in-v6 mapped sockets connecting to a v4 UDP
backend are not properly terminated:

  - Bind a SOCK_DGRAM AF_INET socket in a server.
  - Create a corresponding kubernetes Service for this server.
  - In a client, create a SOCK_DGRAM AF_INET6 socket. Configure the address
    to use a v4-mapped-on-v6 address type. E.g. if the kubernetes service
    address is 10.2.3.4, configure the address the client will connect to
    as ::ffff:10.2.3.4.
  - Use the connect() + send() syscalls to create a long-lived udp socket,
    and send packets at some interval (e.g. every 10 seconds) from the client
    to the server. Note: using sendto(), i.e. a short-lived socket effectively
    works around the issue, and does not produce the undesired behavior.
  - Restart the server
  - Notice how the packets from the client are still sent to the old server
    IP address.

For the client v4-in-v6 case we store the revnat entry in cilium_lb4_reverse_sk
map. When the backend goes down, we iterate all clients and the current logic
derives where to iterate in netlink based on the backend's address family (in
this case v4). But given the client is a v6 socket, it will never be found from
the v4 iteration. So this means for all v4 backends, we also need to iterate
all v6 sockets in addition to try and find a match.

Closes: #39470
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
@borkmann borkmann requested a review from a team as a code owner July 1, 2025 09:33
@borkmann borkmann requested a review from pippolo84 July 1, 2025 09:33
@borkmann borkmann added the backport/1.17 This PR represents a backport for Cilium 1.17.x of a PR that was merged to main. label Jul 1, 2025
@maintainer-s-little-helper maintainer-s-little-helper bot added the kind/backports This PR provides functionality previously merged into master. label Jul 1, 2025
@borkmann
Copy link
Member Author

borkmann commented Jul 1, 2025

/test

@borkmann borkmann mentioned this pull request Jul 1, 2025
Closed
3 tasks
@tklauser tklauser enabled auto-merge July 1, 2025 13:48
@tklauser tklauser added this pull request to the merge queue Jul 1, 2025
Merged via the queue into v1.17 with commit 9946cfc Jul 1, 2025
293 of 295 checks passed
@tklauser tklauser deleted the pr/v1.17-v4-v6-sock branch July 1, 2025 14:00
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tklauser tklauser tklauser approved these changes

@pippolo84 pippolo84 Awaiting requested review from pippolo84 pippolo84 is a code owner automatically assigned from cilium/committers

Assignees
No one assigned
Labels
backport/1.17 This PR represents a backport for Cilium 1.17.x of a PR that was merged to main. kind/backports This PR provides functionality previously merged into master.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@borkmann @tklauser