Skip to content

ctmap: limit NAT purging to expected CT tuple types #28871

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Nov 10, 2023
Merged

ctmap: limit NAT purging to expected CT tuple types #28871

merged 1 commit into from
Nov 10, 2023

Conversation

julianwiedmann
Copy link
Member

@julianwiedmann julianwiedmann commented Oct 30, 2023
edited
Loading

There is only a limited number of CT tuple types that potentially have NAT
entries associated with them:

  1. DSR, for CT_EGRESS entries with dsr flag set
  2. legacy DSR, for CT_INGRESS entries with dsr flag set
  3. SNAT (eg. Masquerading), for CT_EGRESS entries. We don't need to
    consider TUPLE_F_RELATED here, as the SNAT code doesn't support any of
    the ICMP types where ct_extract_ports*() would set TUPLE_F_RELATED. So
    it will also never create NAT entries for such CT entries.

When we don't match any of these types, avoid falling through to
nat.DeleteMapping*(). In particular this means we're no longer trying to
apply NAT purging when GC removes a "related" ICMP entry or a CT_SERVICE
entry.

@julianwiedmann julianwiedmann added kind/enhancement This would improve or streamline existing functionality. area/datapath Impacts bpf/ or low-level forwarding details, including map management and monitor messages. release-note/misc This PR makes changes that have no direct user impact. feature/conntrack feature/snat Relates to SNAT or Masquerading of traffic labels Oct 30, 2023
@julianwiedmann
Copy link
Member Author

For some more context, see #28857.

@julianwiedmann
Copy link
Member Author

/test

@julianwiedmann julianwiedmann marked this pull request as ready for review October 31, 2023 02:43
@julianwiedmann julianwiedmann requested a review from a team as a code owner October 31, 2023 02:43
@julianwiedmann julianwiedmann marked this pull request as draft October 31, 2023 05:57
@julianwiedmann julianwiedmann marked this pull request as ready for review October 31, 2023 06:19
dylandreimerink
dylandreimerink requested changes Oct 31, 2023
View reviewed changes
@julianwiedmann
ctmap: limit NAT purging to expected CT tuple types
dfe2c63 
There is only a limited number of CT tuple types that potentially have NAT
entries associated with them:
1. DSR, for CT_EGRESS entries with `dsr` flag set
2. legacy DSR, for CT_INGRESS entries with `dsr` flag set
3. SNAT (eg. Masquerading), for CT_EGRESS entries. We don't need to
   consider TUPLE_F_RELATED here, as the SNAT code doesn't support any of
   the ICMP types where ct_extract_ports*() would set TUPLE_F_RELATED. So
   it will also never create NAT entries for such CT entries.

When we don't match any of these types, avoid falling through to
nat.DeleteMapping*(). In particular this means we're no longer trying to
apply NAT purging when GC removes a "related" ICMP entry or a CT_SERVICE
entry.

Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
@julianwiedmann
Copy link
Member Author

/test

@julianwiedmann julianwiedmann merged commit c5f777c into cilium:main Nov 10, 2023
@julianwiedmann julianwiedmann deleted the 1.15-ct-nat-gc branch November 10, 2023 08:03
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@gentoo-root gentoo-root gentoo-root approved these changes

@dylandreimerink dylandreimerink dylandreimerink approved these changes

@brb brb Awaiting requested review from brb

Assignees
No one assigned
Labels
area/datapath Impacts bpf/ or low-level forwarding details, including map management and monitor messages. feature/conntrack feature/snat Relates to SNAT or Masquerading of traffic kind/enhancement This would improve or streamline existing functionality. release-note/misc This PR makes changes that have no direct user impact.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@julianwiedmann @gentoo-root @dylandreimerink