Skip to content

iptables: Fix data race in iptables manager #35902

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Nov 14, 2024
Merged

iptables: Fix data race in iptables manager #35902

merged 1 commit into from
Nov 14, 2024

Conversation

pippolo84
Copy link
Member

The haveIp6tables parameter is initially set to true, but its initializiation is completed in the manager Start hook. That hook is executed in its onw goroutine, while another one runs the iptables reconciler oneshot job. Those two goroutines may run concurrently thus leading to a data race when accessing the haveIp6tables parameter.

Since that parameter enables or disable the support for IPv6 rules, we must enforce an ordering between the two goroutines, specifically we must force the reconciler to wait for the initialization to be completed.

Therefore, use a wait group to force the reconciler to wait for both the ip{4,6}tables wait arguments and haveIp6tables config parameter to be fully initialized.

@pippolo84 pippolo84 added kind/bug This is a bug in the Cilium logic. area/iptables Impacts how Cilium interacts with iptables. needs-backport/1.16 This PR / issue needs backporting to the v1.16 branch labels Nov 11, 2024
@pippolo84 pippolo84 requested a review from a team as a code owner November 11, 2024 21:18
@maintainer-s-little-helper maintainer-s-little-helper bot added the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Nov 11, 2024
@pippolo84 pippolo84 added the release-note/bug This PR fixes an issue in a previous release of Cilium. label Nov 11, 2024
@maintainer-s-little-helper maintainer-s-little-helper bot removed the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Nov 11, 2024
@pippolo84 pippolo84 mentioned this pull request Nov 11, 2024
Closed
3 tasks
@pippolo84 pippolo84 force-pushed the pr/pippolo84/main-fix-iptables-race branch from 66ce916 to a34b45c Compare November 11, 2024 21:21
@pippolo84

This comment was marked as outdated.

Sign in to view
@pippolo84 pippolo84 force-pushed the pr/pippolo84/main-fix-iptables-race branch from a34b45c to 99bdb73 Compare November 12, 2024 17:14
@pippolo84

This comment was marked as outdated.

Sign in to view
@pippolo84
iptables: Fix data race in iptables manager
a6ebb32 
The haveIp6tables parameter is initially set to true, but its
initialization is completed in the manager Start hook.  That hook is
executed in its onw goroutine, while another one runs the iptables
reconciler oneshot job. Those two goroutines may run concurrently thus
leading to a data race when accessing the haveIp6tables parameter.

Since that parameter enables or disable the support for IPv6 rules, we
must enforce an ordering between the two goroutines, specifically we
must force the reconciler to wait for the initialization to be
completed.

Therefore, use a wait group to force the reconciler to wait for both the
ip{4,6}tables wait arguments and haveIp6tables config parameter to be
fully initialized.

Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
@pippolo84 pippolo84 force-pushed the pr/pippolo84/main-fix-iptables-race branch from 99bdb73 to a6ebb32 Compare November 13, 2024 10:29
@pippolo84
Copy link
Member Author

/test

@maintainer-s-little-helper maintainer-s-little-helper bot added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Nov 13, 2024
@aanm aanm added this pull request to the merge queue Nov 14, 2024
Merged via the queue into cilium:main with commit 65398f3 Nov 14, 2024
63 of 64 checks passed
@rastislavs rastislavs mentioned this pull request Nov 20, 2024
Merged
14 tasks
@rastislavs rastislavs added backport-pending/1.16 The backport for Cilium 1.16.x for this PR is in progress. and removed needs-backport/1.16 This PR / issue needs backporting to the v1.16 branch labels Nov 20, 2024
@github-actions github-actions bot added backport-done/1.16 The backport for Cilium 1.16.x for this PR is done. and removed backport-pending/1.16 The backport for Cilium 1.16.x for this PR is in progress. labels Nov 26, 2024
@cilium-release-bot cilium-release-bot bot mentioned this pull request Dec 12, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@gentoo-root gentoo-root gentoo-root approved these changes

Assignees
No one assigned
Labels
area/iptables Impacts how Cilium interacts with iptables. backport-done/1.16 The backport for Cilium 1.16.x for this PR is done. kind/bug This is a bug in the Cilium logic. ready-to-merge This PR has passed all tests and received consensus from code owners to merge. release-note/bug This PR fixes an issue in a previous release of Cilium.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@pippolo84 @gentoo-root @aanm @rastislavs