From 4dbda3d3978cf257dbf61573fbd4a64d46148032 Mon Sep 17 00:00:00 2001
From: Hongliang Liu
Date: Sun, 7 Apr 2024 19:21:51 +0800
Subject: [PATCH] Fix that AntreaProxy could unintentionally delete conntrack entries in zone 0

This is a subsequent PR for #5112. As mentioned in #5112:

> Due to the restriction of the go library 'netlink', there is no API to specify a target zone. As a result, when deleting a stale conntrack entry with a destination port (such as NodePort), not only will the conntrack entry whose destination port is the port added by AntreaProxy be deleted, but also the conntrack entry that is not added by AntreaProxy will be deleted. This behavior is unexpected, as only the conntrack entries added by AntreaProxy should be deleted.

This PR is to fix the issue by incorporating a ct zone filter, which is provided by the latest go libray `netlink`.

Signed-off-by: Hongliang Liu
---
 go.mod | 2 ++
 go.sum | 5 +++--
 pkg/agent/route/route_linux.go | 9 +++++++++
 3 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/go.mod b/go.mod
index 4e7c76b974e..9c665019dea 100644
--- a/go.mod
+++ b/go.mod
@@ -236,3 +236,5 @@ require (
 sigs.k8s.io/kustomize/kyaml v0.14.3-0.20230601165947-6ce0bf390ce3 // indirect
 sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect
 )
+
+replace github.com/vishvananda/netlink v1.2.1-beta.2 => github.com/hongliangl/netlink v1.1.1-0.20240407022104-46eb8cc4f2b9
diff --git a/go.sum b/go.sum
index f5a4403806f..be456ebcada 100644
--- a/go.sum
+++ b/go.sum
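Review bot: The `replace` directive added at the end of go.mod redirects `github.com/vishvananda/netlink` to `github.com/hongliangl/netlink` at an untagged pseudo-version, with no comment saying why the fork is needed or when it can be removed. Pinning a core dependency to what appears to be the author's personal fork is a supply-chain exposure: every build now trusts whatever that account publishes at that commit, and future upstream fixes will not reach the agent until someone remembers to drop the replace. Add a comment above the directive such as `// TODO: remove once ConntrackFilter.AddZone is in a tagged vishvananda/netlink release; needed by ClearConntrackEntryForService.`, reference the upstream change if one exists, and confirm the fork commit was diffed against upstream before merging. If the zone filter is already in an upstream tag, bumping the `require` line is preferable to a replace.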
@@ -420,6 +420,8 @@ github.com/hashicorp/golang-lru v0.5.4/go.mod h1:iADmTwqILo4mZ8BN3D2Q6+9jd8WM5uG
 github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ=
 github.com/hashicorp/memberlist v0.5.1 h1:mk5dRuzeDNis2bi6LLoQIXfMH7JQvAzt3mQD0vNZZUo=
 github.com/hashicorp/memberlist v0.5.1/go.mod h1:zGDXV6AqbDTKTM6yxW0I4+JtFzZAJVoIPvss4hV8F24=
+github.com/hongliangl/netlink v1.1.1-0.20240407022104-46eb8cc4f2b9 h1:B+OBUWAK0hTP9+Sbl2Gtu+kmnW5iKpfYuTUy9jNd6Lo=
+github.com/hongliangl/netlink v1.1.1-0.20240407022104-46eb8cc4f2b9/go.mod h1:whJevzBpTrid75eZy99s3DqCmy05NfibNaF2Ol5Ox5A=
 github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
 github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
 github.com/imdario/mergo v0.3.5/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA=
@@ -725,8 +727,6 @@ github.com/ugorji/go/codec v0.0.0-20181204163529-d75b2dcb6bc8/go.mod h1:VFNgLljT
 github.com/urfave/cli v1.20.0/go.mod h1:70zkFmudgCuE/ngEzBv17Jvp/497gISqfk5gWijbERA=
 github.com/vektah/gqlparser v1.1.2/go.mod h1:1ycwN7Ij5njmMkPPAOaRFY4rET2Enx7IkVv3vaXspKw=
 github.com/vishvananda/netlink v1.1.1-0.20211101163509-b10eb8fe5cf6/go.mod h1:twkDnbuQxJYemMlGd4JFIcuhgX83tXhKS2B/PRMpOho=
-github.com/vishvananda/netlink v1.2.1-beta.2 h1:Llsql0lnQEbHj0I1OuKyp8otXp0r3q0mPkuhwHfStVs=
-github.com/vishvananda/netlink v1.2.1-beta.2/go.mod h1:twkDnbuQxJYemMlGd4JFIcuhgX83tXhKS2B/PRMpOho=
 github.com/vishvananda/netns v0.0.0-20200728191858-db3c7e526aae/go.mod h1:DD4vA1DwXk04H54A1oHXtwZmA0grkVMdPxx/VGLCah0=
 github.com/vishvananda/netns v0.0.4 h1:Oeaw1EM2JMxD51g9uhtC0D7erkIjgmj8+JZc26m1YX8=
 github.com/vishvananda/netns v0.0.4/go.mod h1:SpkAiCQRtJ6TvvxPnOSyH3BMl6unz3xZlaprSwhNNJM=
@@ -943,6 +943,7 @@ golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.4.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.19.0 h1:q5f1RH2jigJ1MoAWp2KTp3gm5zAGFUTarQZ5U386+4o=
 golang.org/x/sys v0.19.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
diff --git a/pkg/agent/route/route_linux.go b/pkg/agent/route/route_linux.go
index 31890415aa5..ed542bfb7bb 100644
--- a/pkg/agent/route/route_linux.go
+++ b/pkg/agent/route/route_linux.go
@@ -33,6 +33,7 @@ import (
 utilnet "k8s.io/utils/net"
 
 "antrea.io/antrea/pkg/agent/config"
+ "antrea.io/antrea/pkg/agent/openflow"
 "antrea.io/antrea/pkg/agent/servicecidr"
 "antrea.io/antrea/pkg/agent/types"
 "antrea.io/antrea/pkg/agent/util/ipset"
@@ -1919,28 +1920,36 @@ func (c *Client) DeleteRouteForLink(cidr *net.IPNet, linkIndex int) error {
 func (c *Client) ClearConntrackEntryForService(svcIP net.IP, svcPort uint16, endpointIP net.IP, protocol binding.Protocol) error {
 var protoVar uint8
 var ipFamily netlink.InetFamily
+ var zone uint16
 switch protocol {
 case binding.ProtocolTCP:
 ipFamily = unix.AF_INET
 protoVar = unix.IPPROTO_TCP
+ zone = openflow.CtZone
 case binding.ProtocolTCPv6:
 ipFamily = unix.AF_INET6
 protoVar = unix.IPPROTO_TCP
+ zone = openflow.CtZoneV6
 case binding.ProtocolUDP:
 ipFamily = unix.AF_INET
 protoVar = unix.IPPROTO_UDP
+ zone = openflow.CtZone
 case binding.ProtocolUDPv6:
 ipFamily = unix.AF_INET6
 protoVar = unix.IPPROTO_UDP
+ zone = openflow.CtZoneV6
 case binding.ProtocolSCTP:
 ipFamily = unix.AF_INET
 protoVar = unix.IPPROTO_SCTP
+ zone = openflow.CtZone
 case binding.ProtocolSCTPv6:
 ipFamily = unix.AF_INET6
 protoVar = unix.IPPROTO_SCTP
+ zone = openflow.CtZoneV6
 }
 filter := &netlink.ConntrackFilter{}
 filter.AddProtocol(protoVar)
+ filter.AddZone(zone)
 if svcIP != nil {
 filter.AddIP(netlink.ConntrackOrigDstIP, svcIP)
 }
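Review bot: The `switch protocol` block still has no `default` arm, so for any `binding.Protocol` value outside the six listed cases the new `zone` is left at 0 (together with `protoVar` and `ipFamily`) and the function goes on to build a conntrack delete filter for zone 0 — the zone this change exists to protect — instead of reporting the unsupported protocol; whether a zero protocol then matches anything depends on the netlink library's filter semantics, which this code should not silently rely on. Add `default: return fmt.Errorf("unsupported protocol %v", protocol)` before the closing brace of the switch (assuming `fmt` is already imported in route_linux.go). As a point of style, the zone depends only on the address family, so `zone = openflow.CtZone` followed by `if ipFamily == unix.AF_INET6 { zone = openflow.CtZoneV6 }` after the switch would replace the six repeated assignments. That `openflow.CtZone`/`CtZoneV6` are the zones AntreaProxy commits its entries to is inferred from the names rather than shown in this hunk, and ClearConntrackEntryForService continues past the end of the hunk.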