bpf:nat: restore a NAT entry if its REV NAT is not found #35304
Merged
+251
−2
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
6314beb to
ac97018
Compare
sypakine
reviewed
Oct 9, 2024
|
/test |
|
Commit 50ad1eb does not match "(?m)^Signed-off-by:". Please follow instructions provided in https://docs.cilium.io/en/stable/contributing/development/contributing_guide/#developer-s-certificate-of-origin |
50ad1eb to
08c7723
Compare
08c7723 to
980365f
Compare
|
Hi @joestringer, let me know if I need to add anything else to this PR. |
sypakine
approved these changes
Oct 21, 2024
|
/test |
cc029f0 to
d9934ce
Compare
|
@gentoo-root Do you have intentions to review this PR or can you find someone else from @cilium/sig-datapath ? |
julianwiedmann
requested changes
Oct 24, 2024
There was a problem hiding this comment.
Could you please also add the IPv6 part of the fix?
Agree with Tom that this needs tests. I could see a bpf_host test under bpf/tests/ that walks through the desired packet flow, and reproduces the whole scenario you're fixing:
- transmit a packet, have it SNATed
- receive a reply for that connection, check that it gets revSNATed
- manually delete the revSNAT entry
- receive a second reply, check that it no longer gets revSNATed
- transmit a second packet, validate that it re-creates the missing state
- receive a third reply, check that it gets revSNATed again
d9934ce to
2ceeeae
Compare
gyutaeb
added a commit
to gyutaeb/cilium
that referenced
this pull request
Feb 20, 2025
ORG NAT entry could be removed by LRU eviction. This commit restore the ORG NAT entry from REV NAT entry and tuple in snat_v4_rev_nat_handle_mapping(). Thus, it can mitigate network failures caused by LRU eviction. Relates: cilium#35304 Signed-off-by: Gyutae Bae <gyu.8ae@gmail.com>
gyutaeb
added a commit
to gyutaeb/cilium
that referenced
this pull request
Mar 10, 2025
ORG NAT entry could be removed by LRU eviction. This commit restore the ORG NAT entry from REV NAT entry and tuple in snat_v4_rev_nat_handle_mapping(). Thus, it can mitigate network failures caused by LRU eviction. Relates: cilium#35304 Signed-off-by: Gyutae Bae <gyu.8ae@gmail.com>
gyutaeb
added a commit
to gyutaeb/cilium
that referenced
this pull request
Mar 10, 2025
ORG NAT entry could be removed by LRU eviction. This commit restore the ORG NAT entry from REV NAT entry and tuple in snat_v4_rev_nat_handle_mapping(). Thus, it can mitigate network failures caused by LRU eviction. Relates: cilium#35304 Signed-off-by: Gyutae Bae <gyu.8ae@gmail.com>
gyutaeb
added a commit
to gyutaeb/cilium
that referenced
this pull request
Mar 10, 2025
ORG NAT entry could be removed by LRU eviction. This commit restore the ORG NAT entry from REV NAT entry and tuple in snat_v4_rev_nat_handle_mapping(). Thus, it can mitigate network failures caused by LRU eviction. Relates: cilium#35304 Signed-off-by: Gyutae Bae <gyu.8ae@gmail.com>
gyutaeb
added a commit
to gyutaeb/cilium
that referenced
this pull request
Mar 11, 2025
ORG NAT entry could be removed by LRU eviction. This commit restore the ORG NAT entry from REV NAT entry and tuple in snat_v4_rev_nat_handle_mapping(). Thus, it can mitigate network failures caused by LRU eviction. Relates: cilium#35304 Signed-off-by: Gyutae Bae <gyu.8ae@gmail.com>
gyutaeb
added a commit
to gyutaeb/cilium
that referenced
this pull request
Mar 19, 2025
ORG NAT entry could be removed by LRU eviction. This commit restore the ORG NAT entry from REV NAT entry and tuple in snat_v4_rev_nat_handle_mapping(). Thus, it can mitigate network failures caused by LRU eviction. Relates: cilium#35304 Signed-off-by: Gyutae Bae <gyu.8ae@gmail.com>
gyutaeb
added a commit
to gyutaeb/cilium
that referenced
this pull request
Mar 19, 2025
ORG NAT entry could be removed by LRU eviction. This commit restore the ORG NAT entry from REV NAT entry and tuple in snat_v4_rev_nat_handle_mapping(). Thus, it can mitigate network failures caused by LRU eviction. Relates: cilium#35304 Signed-off-by: Gyutae Bae <gyu.8ae@gmail.com>
gyutaeb
added a commit
to gyutaeb/cilium
that referenced
this pull request
Mar 19, 2025
ORG NAT entry could be removed by LRU eviction. This commit restore the ORG NAT entry from REV NAT entry and tuple in snat_v4_rev_nat_handle_mapping(). Thus, it can mitigate network failures caused by LRU eviction. Relates: cilium#35304 Signed-off-by: Gyutae Bae <gyu.8ae@gmail.com>
gyutaeb
added a commit
to gyutaeb/cilium
that referenced
this pull request
Mar 20, 2025
ORG NAT entry could be removed by LRU eviction. This commit restore the ORG NAT entry from REV NAT entry and tuple in snat_v4_rev_nat_handle_mapping(). Thus, it can mitigate network failures caused by LRU eviction. Relates: cilium#35304 Signed-off-by: Gyutae Bae <gyu.8ae@gmail.com>
gyutaeb
added a commit
to gyutaeb/cilium
that referenced
this pull request
Mar 21, 2025
ORG NAT entry could be removed by LRU eviction. This commit restore the ORG NAT entry from REV NAT entry and tuple in snat_v4_rev_nat_handle_mapping(). Thus, it can mitigate network failures caused by LRU eviction. Relates: cilium#35304 Signed-off-by: Gyutae Bae <gyu.8ae@gmail.com>
gyutaeb
added a commit
to gyutaeb/cilium
that referenced
this pull request
Mar 21, 2025
ORG NAT entry could be removed by LRU eviction. This commit restore the ORG NAT entry from REV NAT entry and tuple in snat_v4_rev_nat_handle_mapping(). Thus, it can mitigate network failures caused by LRU eviction. Relates: cilium#35304 Signed-off-by: Gyutae Bae <gyu.8ae@gmail.com>
gyutaeb
added a commit
to gyutaeb/cilium
that referenced
this pull request
Mar 21, 2025
ORG NAT entry could be removed by LRU eviction. This commit restore the ORG NAT entry from REV NAT entry and tuple in snat_v4_rev_nat_handle_mapping(). Thus, it can mitigate network failures caused by LRU eviction. Relates: cilium#35304 Signed-off-by: Gyutae Bae <gyu.8ae@gmail.com>
gyutaeb
added a commit
to gyutaeb/cilium
that referenced
this pull request
Mar 21, 2025
ORG NAT entry could be removed by LRU eviction. This commit restore the ORG NAT entry from REV NAT entry and tuple in snat_v4_rev_nat_handle_mapping(). Thus, it can mitigate network failures caused by LRU eviction. Relates: cilium#35304 Signed-off-by: Gyutae Bae <gyu.8ae@gmail.com>
github-merge-queue bot
pushed a commit
that referenced
this pull request
Mar 21, 2025
ORG NAT entry could be removed by LRU eviction. This commit restore the ORG NAT entry from REV NAT entry and tuple in snat_v4_rev_nat_handle_mapping(). Thus, it can mitigate network failures caused by LRU eviction. Relates: #35304 Signed-off-by: Gyutae Bae <gyu.8ae@gmail.com>
gentoo-root
added a commit
that referenced
this pull request
Aug 6, 2025
snat_v4_new_mapping creates a RevSNAT entry, then a SNAT entry for new connections. However, we also have a fallback mechanism in snat_v4_rev_nat_handle_mapping, which restores the SNAT entry if it was evicted by LRU, but the original RevSNAT entry still exists. There is a hypothesis that the above two functions may race with each other, and the following is possible: 1. snat_v4_new_mapping creates a RevSNAT entry. 2. snat_v4_rev_nat_handle_mapping finds the RevSNAT entry and "restores" the SNAT entry (which has never existed yet). 3. snat_v4_new_mapping goes on to create the SNAT entry, corresponding to the RevSNAT entry, created previously. 4. snat_v4_new_mapping fails because the SNAT entry already exists, created by snat_v4_rev_nat_handle_mapping. 5. snat_v4_new_mapping then removes the RevSNAT entry, trying to revert everything. The right outcome in this case would be to keep the SNAT entry, whoever created it first, so it makes sense not to fail on -EEXIST. It also makes the fallback mechanism more robust, because there is a time gap between __snat_lookup and __snat_create. Ref: #35304 Ref: #37747 Fixes: #38466 Signed-off-by: Maxim Mikityanskiy <maxim@isovalent.com>
gentoo-root
added a commit
that referenced
this pull request
Aug 7, 2025
snat_v4_new_mapping creates a RevSNAT entry, then a SNAT entry for new connections. However, we also have a fallback mechanism in snat_v4_rev_nat_handle_mapping, which restores the SNAT entry if it was evicted by LRU, but the original RevSNAT entry still exists. There is a hypothesis that the above two functions may race with each other, and the following is possible: 1. snat_v4_new_mapping creates a RevSNAT entry. 2. snat_v4_rev_nat_handle_mapping finds the RevSNAT entry and "restores" the SNAT entry (which has never existed yet). 3. snat_v4_new_mapping goes on to create the SNAT entry, corresponding to the RevSNAT entry, created previously. 4. snat_v4_new_mapping fails because the SNAT entry already exists, created by snat_v4_rev_nat_handle_mapping. 5. snat_v4_new_mapping then removes the RevSNAT entry, trying to revert everything. The right outcome in this case would be to keep the SNAT entry, whoever created it first, so it makes sense not to fail on -EEXIST. It also makes the fallback mechanism more robust, because there is a time gap between __snat_lookup and __snat_create. Ref: #35304 Ref: #37747 Fixes: #38466 Signed-off-by: Maxim Mikityanskiy <maxim@isovalent.com>
gentoo-root
added a commit
that referenced
this pull request
Aug 7, 2025
snat_v4_new_mapping creates a RevSNAT entry, then a SNAT entry for new connections. However, we also have a fallback mechanism in snat_v4_rev_nat_handle_mapping, which restores the SNAT entry if it was evicted by LRU, but the original RevSNAT entry still exists. There is a hypothesis that the above two functions may race with each other, and the following is possible: 1. snat_v4_new_mapping creates a RevSNAT entry. 2. snat_v4_rev_nat_handle_mapping finds the RevSNAT entry and "restores" the SNAT entry (which has never existed yet). 3. snat_v4_new_mapping goes on to create the SNAT entry, corresponding to the RevSNAT entry, created previously. 4. snat_v4_new_mapping fails because the SNAT entry already exists, created by snat_v4_rev_nat_handle_mapping. 5. snat_v4_new_mapping then removes the RevSNAT entry, trying to revert everything. The right outcome in this case would be to keep the SNAT entry, whoever created it first, so it makes sense not to fail on -EEXIST. It also makes the fallback mechanism more robust, because there is a time gap between __snat_lookup and __snat_create. Ref: #35304 Ref: #37747 Fixes: #38466 Signed-off-by: Maxim Mikityanskiy <maxim@isovalent.com>
github-merge-queue bot
pushed a commit
that referenced
this pull request
Aug 14, 2025
snat_v4_new_mapping creates a RevSNAT entry, then a SNAT entry for new connections. However, we also have a fallback mechanism in snat_v4_rev_nat_handle_mapping, which restores the SNAT entry if it was evicted by LRU, but the original RevSNAT entry still exists. There is a hypothesis that the above two functions may race with each other, and the following is possible: 1. snat_v4_new_mapping creates a RevSNAT entry. 2. snat_v4_rev_nat_handle_mapping finds the RevSNAT entry and "restores" the SNAT entry (which has never existed yet). 3. snat_v4_new_mapping goes on to create the SNAT entry, corresponding to the RevSNAT entry, created previously. 4. snat_v4_new_mapping fails because the SNAT entry already exists, created by snat_v4_rev_nat_handle_mapping. 5. snat_v4_new_mapping then removes the RevSNAT entry, trying to revert everything. The right outcome in this case would be to keep the SNAT entry, whoever created it first, so it makes sense not to fail on -EEXIST. It also makes the fallback mechanism more robust, because there is a time gap between __snat_lookup and __snat_create. Ref: #35304 Ref: #37747 Fixes: #38466 Signed-off-by: Maxim Mikityanskiy <maxim@isovalent.com>
rabelmervin
pushed a commit
to rabelmervin/cilium
that referenced
this pull request
Aug 18, 2025
snat_v4_new_mapping creates a RevSNAT entry, then a SNAT entry for new connections. However, we also have a fallback mechanism in snat_v4_rev_nat_handle_mapping, which restores the SNAT entry if it was evicted by LRU, but the original RevSNAT entry still exists. There is a hypothesis that the above two functions may race with each other, and the following is possible: 1. snat_v4_new_mapping creates a RevSNAT entry. 2. snat_v4_rev_nat_handle_mapping finds the RevSNAT entry and "restores" the SNAT entry (which has never existed yet). 3. snat_v4_new_mapping goes on to create the SNAT entry, corresponding to the RevSNAT entry, created previously. 4. snat_v4_new_mapping fails because the SNAT entry already exists, created by snat_v4_rev_nat_handle_mapping. 5. snat_v4_new_mapping then removes the RevSNAT entry, trying to revert everything. The right outcome in this case would be to keep the SNAT entry, whoever created it first, so it makes sense not to fail on -EEXIST. It also makes the fallback mechanism more robust, because there is a time gap between __snat_lookup and __snat_create. Ref: cilium#35304 Ref: cilium#37747 Fixes: cilium#38466 Signed-off-by: Maxim Mikityanskiy <maxim@isovalent.com>
pippolo84
pushed a commit
that referenced
this pull request
Aug 25, 2025
[ upstream commit b1bdfdd ] snat_v4_new_mapping creates a RevSNAT entry, then a SNAT entry for new connections. However, we also have a fallback mechanism in snat_v4_rev_nat_handle_mapping, which restores the SNAT entry if it was evicted by LRU, but the original RevSNAT entry still exists. There is a hypothesis that the above two functions may race with each other, and the following is possible: 1. snat_v4_new_mapping creates a RevSNAT entry. 2. snat_v4_rev_nat_handle_mapping finds the RevSNAT entry and "restores" the SNAT entry (which has never existed yet). 3. snat_v4_new_mapping goes on to create the SNAT entry, corresponding to the RevSNAT entry, created previously. 4. snat_v4_new_mapping fails because the SNAT entry already exists, created by snat_v4_rev_nat_handle_mapping. 5. snat_v4_new_mapping then removes the RevSNAT entry, trying to revert everything. The right outcome in this case would be to keep the SNAT entry, whoever created it first, so it makes sense not to fail on -EEXIST. It also makes the fallback mechanism more robust, because there is a time gap between __snat_lookup and __snat_create. Ref: #35304 Ref: #37747 Fixes: #38466 Signed-off-by: Maxim Mikityanskiy <maxim@isovalent.com> Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
pippolo84
pushed a commit
that referenced
this pull request
Aug 25, 2025
[ upstream commit b1bdfdd ] snat_v4_new_mapping creates a RevSNAT entry, then a SNAT entry for new connections. However, we also have a fallback mechanism in snat_v4_rev_nat_handle_mapping, which restores the SNAT entry if it was evicted by LRU, but the original RevSNAT entry still exists. There is a hypothesis that the above two functions may race with each other, and the following is possible: 1. snat_v4_new_mapping creates a RevSNAT entry. 2. snat_v4_rev_nat_handle_mapping finds the RevSNAT entry and "restores" the SNAT entry (which has never existed yet). 3. snat_v4_new_mapping goes on to create the SNAT entry, corresponding to the RevSNAT entry, created previously. 4. snat_v4_new_mapping fails because the SNAT entry already exists, created by snat_v4_rev_nat_handle_mapping. 5. snat_v4_new_mapping then removes the RevSNAT entry, trying to revert everything. The right outcome in this case would be to keep the SNAT entry, whoever created it first, so it makes sense not to fail on -EEXIST. It also makes the fallback mechanism more robust, because there is a time gap between __snat_lookup and __snat_create. Ref: #35304 Ref: #37747 Fixes: #38466 Signed-off-by: Maxim Mikityanskiy <maxim@isovalent.com> Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
pippolo84
pushed a commit
that referenced
this pull request
Aug 25, 2025
[ upstream commit b1bdfdd ] [ backporter's notes: minor conflicts due to different map name and some missing tests in stable branch. ] snat_v4_new_mapping creates a RevSNAT entry, then a SNAT entry for new connections. However, we also have a fallback mechanism in snat_v4_rev_nat_handle_mapping, which restores the SNAT entry if it was evicted by LRU, but the original RevSNAT entry still exists. There is a hypothesis that the above two functions may race with each other, and the following is possible: 1. snat_v4_new_mapping creates a RevSNAT entry. 2. snat_v4_rev_nat_handle_mapping finds the RevSNAT entry and "restores" the SNAT entry (which has never existed yet). 3. snat_v4_new_mapping goes on to create the SNAT entry, corresponding to the RevSNAT entry, created previously. 4. snat_v4_new_mapping fails because the SNAT entry already exists, created by snat_v4_rev_nat_handle_mapping. 5. snat_v4_new_mapping then removes the RevSNAT entry, trying to revert everything. The right outcome in this case would be to keep the SNAT entry, whoever created it first, so it makes sense not to fail on -EEXIST. It also makes the fallback mechanism more robust, because there is a time gap between __snat_lookup and __snat_create. Ref: #35304 Ref: #37747 Fixes: #38466 Signed-off-by: Maxim Mikityanskiy <maxim@isovalent.com> Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
pippolo84
pushed a commit
that referenced
this pull request
Aug 25, 2025
[ upstream commit b1bdfdd ] [ backporter's notes: minor conflicts due to different map name and some missing tests in stable branch. ] snat_v4_new_mapping creates a RevSNAT entry, then a SNAT entry for new connections. However, we also have a fallback mechanism in snat_v4_rev_nat_handle_mapping, which restores the SNAT entry if it was evicted by LRU, but the original RevSNAT entry still exists. There is a hypothesis that the above two functions may race with each other, and the following is possible: 1. snat_v4_new_mapping creates a RevSNAT entry. 2. snat_v4_rev_nat_handle_mapping finds the RevSNAT entry and "restores" the SNAT entry (which has never existed yet). 3. snat_v4_new_mapping goes on to create the SNAT entry, corresponding to the RevSNAT entry, created previously. 4. snat_v4_new_mapping fails because the SNAT entry already exists, created by snat_v4_rev_nat_handle_mapping. 5. snat_v4_new_mapping then removes the RevSNAT entry, trying to revert everything. The right outcome in this case would be to keep the SNAT entry, whoever created it first, so it makes sense not to fail on -EEXIST. It also makes the fallback mechanism more robust, because there is a time gap between __snat_lookup and __snat_create. Ref: #35304 Ref: #37747 Fixes: #38466 Signed-off-by: Maxim Mikityanskiy <maxim@isovalent.com> Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
pippolo84
pushed a commit
that referenced
this pull request
Aug 25, 2025
[ upstream commit b1bdfdd ] [ backporter's notes: minor conflicts due to different map name and some missing tests in stable branch. ] snat_v4_new_mapping creates a RevSNAT entry, then a SNAT entry for new connections. However, we also have a fallback mechanism in snat_v4_rev_nat_handle_mapping, which restores the SNAT entry if it was evicted by LRU, but the original RevSNAT entry still exists. There is a hypothesis that the above two functions may race with each other, and the following is possible: 1. snat_v4_new_mapping creates a RevSNAT entry. 2. snat_v4_rev_nat_handle_mapping finds the RevSNAT entry and "restores" the SNAT entry (which has never existed yet). 3. snat_v4_new_mapping goes on to create the SNAT entry, corresponding to the RevSNAT entry, created previously. 4. snat_v4_new_mapping fails because the SNAT entry already exists, created by snat_v4_rev_nat_handle_mapping. 5. snat_v4_new_mapping then removes the RevSNAT entry, trying to revert everything. The right outcome in this case would be to keep the SNAT entry, whoever created it first, so it makes sense not to fail on -EEXIST. It also makes the fallback mechanism more robust, because there is a time gap between __snat_lookup and __snat_create. Ref: #35304 Ref: #37747 Fixes: #38466 Signed-off-by: Maxim Mikityanskiy <maxim@isovalent.com> Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
pippolo84
pushed a commit
that referenced
this pull request
Aug 26, 2025
[ upstream commit b1bdfdd ] snat_v4_new_mapping creates a RevSNAT entry, then a SNAT entry for new connections. However, we also have a fallback mechanism in snat_v4_rev_nat_handle_mapping, which restores the SNAT entry if it was evicted by LRU, but the original RevSNAT entry still exists. There is a hypothesis that the above two functions may race with each other, and the following is possible: 1. snat_v4_new_mapping creates a RevSNAT entry. 2. snat_v4_rev_nat_handle_mapping finds the RevSNAT entry and "restores" the SNAT entry (which has never existed yet). 3. snat_v4_new_mapping goes on to create the SNAT entry, corresponding to the RevSNAT entry, created previously. 4. snat_v4_new_mapping fails because the SNAT entry already exists, created by snat_v4_rev_nat_handle_mapping. 5. snat_v4_new_mapping then removes the RevSNAT entry, trying to revert everything. The right outcome in this case would be to keep the SNAT entry, whoever created it first, so it makes sense not to fail on -EEXIST. It also makes the fallback mechanism more robust, because there is a time gap between __snat_lookup and __snat_create. Ref: #35304 Ref: #37747 Fixes: #38466 Signed-off-by: Maxim Mikityanskiy <maxim@isovalent.com> Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
pippolo84
pushed a commit
that referenced
this pull request
Aug 26, 2025
[ upstream commit b1bdfdd ] snat_v4_new_mapping creates a RevSNAT entry, then a SNAT entry for new connections. However, we also have a fallback mechanism in snat_v4_rev_nat_handle_mapping, which restores the SNAT entry if it was evicted by LRU, but the original RevSNAT entry still exists. There is a hypothesis that the above two functions may race with each other, and the following is possible: 1. snat_v4_new_mapping creates a RevSNAT entry. 2. snat_v4_rev_nat_handle_mapping finds the RevSNAT entry and "restores" the SNAT entry (which has never existed yet). 3. snat_v4_new_mapping goes on to create the SNAT entry, corresponding to the RevSNAT entry, created previously. 4. snat_v4_new_mapping fails because the SNAT entry already exists, created by snat_v4_rev_nat_handle_mapping. 5. snat_v4_new_mapping then removes the RevSNAT entry, trying to revert everything. The right outcome in this case would be to keep the SNAT entry, whoever created it first, so it makes sense not to fail on -EEXIST. It also makes the fallback mechanism more robust, because there is a time gap between __snat_lookup and __snat_create. Ref: #35304 Ref: #37747 Fixes: #38466 Signed-off-by: Maxim Mikityanskiy <maxim@isovalent.com> Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
pippolo84
pushed a commit
that referenced
this pull request
Aug 26, 2025
[ upstream commit b1bdfdd ] [ backporter's notes: minor conflicts due to different map name and some missing tests in stable branch. ] snat_v4_new_mapping creates a RevSNAT entry, then a SNAT entry for new connections. However, we also have a fallback mechanism in snat_v4_rev_nat_handle_mapping, which restores the SNAT entry if it was evicted by LRU, but the original RevSNAT entry still exists. There is a hypothesis that the above two functions may race with each other, and the following is possible: 1. snat_v4_new_mapping creates a RevSNAT entry. 2. snat_v4_rev_nat_handle_mapping finds the RevSNAT entry and "restores" the SNAT entry (which has never existed yet). 3. snat_v4_new_mapping goes on to create the SNAT entry, corresponding to the RevSNAT entry, created previously. 4. snat_v4_new_mapping fails because the SNAT entry already exists, created by snat_v4_rev_nat_handle_mapping. 5. snat_v4_new_mapping then removes the RevSNAT entry, trying to revert everything. The right outcome in this case would be to keep the SNAT entry, whoever created it first, so it makes sense not to fail on -EEXIST. It also makes the fallback mechanism more robust, because there is a time gap between __snat_lookup and __snat_create. Ref: #35304 Ref: #37747 Fixes: #38466 Signed-off-by: Maxim Mikityanskiy <maxim@isovalent.com> Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
pippolo84
pushed a commit
that referenced
this pull request
Aug 26, 2025
[ upstream commit b1bdfdd ] snat_v4_new_mapping creates a RevSNAT entry, then a SNAT entry for new connections. However, we also have a fallback mechanism in snat_v4_rev_nat_handle_mapping, which restores the SNAT entry if it was evicted by LRU, but the original RevSNAT entry still exists. There is a hypothesis that the above two functions may race with each other, and the following is possible: 1. snat_v4_new_mapping creates a RevSNAT entry. 2. snat_v4_rev_nat_handle_mapping finds the RevSNAT entry and "restores" the SNAT entry (which has never existed yet). 3. snat_v4_new_mapping goes on to create the SNAT entry, corresponding to the RevSNAT entry, created previously. 4. snat_v4_new_mapping fails because the SNAT entry already exists, created by snat_v4_rev_nat_handle_mapping. 5. snat_v4_new_mapping then removes the RevSNAT entry, trying to revert everything. The right outcome in this case would be to keep the SNAT entry, whoever created it first, so it makes sense not to fail on -EEXIST. It also makes the fallback mechanism more robust, because there is a time gap between __snat_lookup and __snat_create. Ref: #35304 Ref: #37747 Fixes: #38466 Signed-off-by: Maxim Mikityanskiy <maxim@isovalent.com> Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
pippolo84
pushed a commit
that referenced
this pull request
Aug 26, 2025
[ upstream commit b1bdfdd ] [ backporter's notes: minor conflicts due to different map name and some missing tests in stable branch. ] snat_v4_new_mapping creates a RevSNAT entry, then a SNAT entry for new connections. However, we also have a fallback mechanism in snat_v4_rev_nat_handle_mapping, which restores the SNAT entry if it was evicted by LRU, but the original RevSNAT entry still exists. There is a hypothesis that the above two functions may race with each other, and the following is possible: 1. snat_v4_new_mapping creates a RevSNAT entry. 2. snat_v4_rev_nat_handle_mapping finds the RevSNAT entry and "restores" the SNAT entry (which has never existed yet). 3. snat_v4_new_mapping goes on to create the SNAT entry, corresponding to the RevSNAT entry, created previously. 4. snat_v4_new_mapping fails because the SNAT entry already exists, created by snat_v4_rev_nat_handle_mapping. 5. snat_v4_new_mapping then removes the RevSNAT entry, trying to revert everything. The right outcome in this case would be to keep the SNAT entry, whoever created it first, so it makes sense not to fail on -EEXIST. It also makes the fallback mechanism more robust, because there is a time gap between __snat_lookup and __snat_create. Ref: #35304 Ref: #37747 Fixes: #38466 Signed-off-by: Maxim Mikityanskiy <maxim@isovalent.com> Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
NAT Map LRU behavior could evict any entry in the MAP. This change restore a reverse NAT entry when it is expected but not found. Previously, we were only relying on existence of forwarding NAT to determine if the NAT pair exists or not.
This fix is verified by using the same repro steps in #34833. After the fix, we saw much less timeout from the client, but the case like eviction happens between TCP SYN and TCP SYN ACK will still drop the returning packets.
Fixes: #34833