Remove the associated stale conntrack entries when UDP Endpoints are removed #5112
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
hongliangl
added
area/proxy
jianjuns
reviewed
Jun 12, 2023
jianjuns
reviewed
Jun 12, 2023
|
Left a comment in #5115 (comment) |
OVS also supports removing conntrack entry via |
|
And do we also need to do the same as https://github.com/kubernetes/kubernetes/blob/232cdf97164f6e3a77ee954bbdd29866232f04dc/pkg/proxy/conntrack/cleanup.go#L36-L39? |
I think that's better than installing something new, but I prefer the library approach if possible. |
@tnqn We don't need this since we use packet-out to send a reject packet directly to the output interface which will not generate a conntrack entry. |
|
hongliangl
force-pushed
the
20230607-udp-preserve-connection
branch
2 times, most recently
from
1f10a30
to
910de25
Compare
|
I have updated this PR and now it uses Go library netlink in this PR to delete stale conntrack entry. @tnqn @antoninbas |
hongliangl
force-pushed
the
20230607-udp-preserve-connection
branch
2 times, most recently
from
6d6ffeb
to
250ba4b
Compare
hongliangl
force-pushed
the
20230607-udp-preserve-connection
branch
from
250ba4b
to
b34f1cb
Compare
hongliangl
force-pushed
the
20230607-udp-preserve-connection
branch
from
b34f1cb
to
e441042
Compare
hongliangl
force-pushed
the
20230607-udp-preserve-connection
branch
from
e441042
to
2c9692c
Compare
tnqn
reviewed
Jul 12, 2023
pkg/agent/proxy/proxier.go
Outdated
Comment on lines
613
to
621
| if needClearConntrackEntries(svcInfo.OFProtocol) { | ||
| if !p.removeStaleEndpointConntrackEntries(svcPortName, svcInfo, staleEndpoints) { | ||
| continue | ||
| } | ||
| } |
There was a problem hiding this comment.
could it be moved to removeStaleEndpoints? it seems a fair sub function of it.
There was a problem hiding this comment.
It could be moved to removeStaleEndpoints, and it is more sensible to read and understand. However, it will be called redundantly once when deleting a Service. For example,func (p *proxier) removeStaleServices() is called when deleting a Service. Within the function, the conntrack items related with the Service will be deleted in
if !p.removeServiceFlows(svcInfo) {
continue
}
As a result, it is no need to delete the contrack items in
if !p.removeStaleEndpoints(svcPortName, svcInfo, endpoints) {
continue
}
There was a problem hiding this comment.
I took another look, it seems we shouldn't even call removeStaleEndpointConntrackEntries in removeServiceFlows, as it would lead to connection disrupted when Services are updated.
There was a problem hiding this comment.
We didn't call removeStaleEndpointConntrackEntries in removeServiceFlows, do you meant that we call ClearConntrackEntryForService in removeServiceFlows?
Could it incur any potential issues? If yes, we should perhaps have a feature gate for it, in case it causes problems to production clusters, otherwise it would be effective without any way to disable it. |
The potential risk is that it could delete the UDP conntrack items introduced by kube-proxy. For example, assuming that Antrea is deployed with kube-proxy, and a UDP NodePort Service is created.
|
tnqn
reviewed
Jul 12, 2023
pkg/agent/proxy/proxier.go
Outdated
Comment on lines
613
to
621
| if needClearConntrackEntries(svcInfo.OFProtocol) { | ||
| if !p.removeStaleEndpointConntrackEntries(svcPortName, svcInfo, staleEndpoints) { | ||
| continue | ||
| } | ||
| } |
There was a problem hiding this comment.
I took another look, it seems we shouldn't even call removeStaleEndpointConntrackEntries in removeServiceFlows, as it would lead to connection disrupted when Services are updated.
pkg/agent/proxy/proxier.go
Outdated
| @@ -397,6 +442,12 @@ func (p *proxier) uninstallNodePortService(svcPort uint16, protocol binding.Prot | |||
| if err := p.routeClient.DeleteNodePort(p.nodePortAddresses, svcPort, protocol); err != nil { | |||
| return fmt.Errorf("failed to remove NodePort traffic redirecting rules: %w", err) | |||
| } | |||
| if needClearConntrackEntries(protocol) { | |||
| // Remove NodePort conntrack entries when protocol is UDP. | |||
| if err := p.routeClient.ClearConntrackEntryForService(nil, svcPort, nil, protocol); err != nil { | |||
There was a problem hiding this comment.
If I'm not mistaken, this could clear all conntrack entries on the Node using that port, even it's not even service traffic, for example, when pod A accesses pod B's this port.
There was a problem hiding this comment.
Node IPs and NodePort port are used to match the conntrack items.
There was a problem hiding this comment.
Sorry, I missed that. I'll Node IPs to match conntrack items for NodePort.
hongliangl
force-pushed
the
20230607-udp-preserve-connection
branch
2 times, most recently
from
0b5cc4d
to
1ff376a
Compare
hongliangl
added a commit
to hongliangl/antrea
that referenced
this pull request
Apr 11, 2024
…n zone 0 This is a subsequent PR for antrea-io#5112. As mentioned in antrea-io#5112: > Due to the restriction of the go library 'netlink', there is no API to specify a target zone. As a result, when deleting a stale conntrack entry with a destination port (such as NodePort), not only will the conntrack entry whose destination port is the port added by AntreaProxy be deleted, but also the conntrack entry that is not added by AntreaProxy will be deleted. This behavior is unexpected, as only the conntrack entries added by AntreaProxy should be deleted. This PR is to fix the issue by incorporating a ct zone filter, which is provided by the latest go libray `netlink`. Signed-off-by: Hongliang Liu <[email protected]>
hongliangl
added a commit
to hongliangl/antrea
that referenced
this pull request
Apr 11, 2024
This is a subsequent PR for antrea-io#5112. It fixes the issue that AntreaProxy could unintentionally delete conntrack entries in zone 0 As mentioned in antrea-io#5112: > Due to the restriction of the go library 'netlink', there is no API to specify a target zone. As a result, when deleting a stale conntrack entry with a destination port (such as NodePort), not only will the conntrack entry whose destination port is the port added by AntreaProxy be deleted, but also the conntrack entry that is not added by AntreaProxy will be deleted. This behavior is unexpected, as only the conntrack entries added by AntreaProxy should be deleted. This PR resolves the issue by integrating a CT zone filter, now available in the latest Go library `netlink`. Leveraging this feature, AntreaProxy can accurately delete stale UDP conntrack entries. Consequently, we are promoting the feature gate `CleanupStaleUDPSvcConntrack` to Beta. Signed-off-by: Hongliang Liu <[email protected]>
hongliangl
added a commit
to hongliangl/antrea
that referenced
this pull request
Apr 11, 2024
This is a subsequent PR for antrea-io#5112. It fixes the issue that AntreaProxy could unintentionally delete conntrack entries in zone 0 As mentioned in antrea-io#5112: > Due to the restriction of the go library 'netlink', there is no API to specify a target zone. As a result, when deleting a stale conntrack entry with a destination port (such as NodePort), not only will the conntrack entry whose destination port is the port added by AntreaProxy be deleted, but also the conntrack entry that is not added by AntreaProxy will be deleted. This behavior is unexpected, as only the conntrack entries added by AntreaProxy should be deleted. This PR resolves the issue by integrating a CT zone filter, now available in the latest Go library `netlink`. Leveraging this feature, AntreaProxy can accurately delete stale UDP conntrack entries. Consequently, we are promoting the feature gate `CleanupStaleUDPSvcConntrack` to Beta. Signed-off-by: Hongliang Liu <[email protected]>
hongliangl
added a commit
to hongliangl/antrea
that referenced
this pull request
Apr 11, 2024
This is a subsequent PR for antrea-io#5112. It fixes the issue that AntreaProxy could unintentionally delete conntrack entries in zone 0 As mentioned in antrea-io#5112: > Due to the restriction of the go library 'netlink', there is no API to specify a target zone. As a result, when deleting a stale conntrack entry with a destination port (such as NodePort), not only will the conntrack entry whose destination port is the port added by AntreaProxy be deleted, but also the conntrack entry that is not added by AntreaProxy will be deleted. This behavior is unexpected, as only the conntrack entries added by AntreaProxy should be deleted. This PR resolves the issue by integrating a CT zone filter, now available in the latest Go library `netlink`. Leveraging this feature, AntreaProxy can accurately delete stale UDP conntrack entries. Consequently, we are promoting the feature gate `CleanupStaleUDPSvcConntrack` to Beta. Signed-off-by: Hongliang Liu <[email protected]>
hongliangl
added a commit
to hongliangl/antrea
that referenced
this pull request
Apr 11, 2024
…n zone 0 This is a subsequent PR for antrea-io#5112. As mentioned in antrea-io#5112: > Due to the restriction of the go library 'netlink', there is no API to specify a target zone. As a result, when deleting a stale conntrack entry with a destination port (such as NodePort), not only will the conntrack entry whose destination port is the port added by AntreaProxy be deleted, but also the conntrack entry that is not added by AntreaProxy will be deleted. This behavior is unexpected, as only the conntrack entries added by AntreaProxy should be deleted. This PR resolves the issue by integrating a CT zone filter, now available in the latest Go library `netlink`. Leveraging this feature, AntreaProxy can accurately delete stale UDP conntrack entries. Signed-off-by: Hongliang Liu <[email protected]>
hongliangl
added a commit
to hongliangl/antrea
that referenced
this pull request
Apr 11, 2024
…n zone 0 This is a subsequent PR for antrea-io#5112. As mentioned in antrea-io#5112: > Due to the restriction of the go library 'netlink', there is no API to specify a target zone. As a result, when deleting a stale conntrack entry with a destination port (such as NodePort), not only will the conntrack entry whose destination port is the port added by AntreaProxy be deleted, but also the conntrack entry that is not added by AntreaProxy will be deleted. This behavior is unexpected, as only the conntrack entries added by AntreaProxy should be deleted. This PR resolves the issue by integrating a CT zone filter, now available in the latest Go library `netlink`. Leveraging this feature, AntreaProxy can accurately delete stale UDP conntrack entries. Signed-off-by: Hongliang Liu <[email protected]>
hongliangl
added a commit
to hongliangl/antrea
that referenced
this pull request
Apr 11, 2024
…n zone 0 This is a subsequent PR for antrea-io#5112. As mentioned in antrea-io#5112: > Due to the restriction of the go library 'netlink', there is no API to specify a target zone. As a result, when deleting a stale conntrack entry with a destination port (such as NodePort), not only will the conntrack entry whose destination port is the port added by AntreaProxy be deleted, but also the conntrack entry that is not added by AntreaProxy will be deleted. This behavior is unexpected, as only the conntrack entries added by AntreaProxy should be deleted. This PR resolves the issue by integrating a CT zone filter, now available in the latest Go library `netlink`. Leveraging this feature, AntreaProxy can accurately delete stale UDP conntrack entries. Signed-off-by: Hongliang Liu <[email protected]>
hongliangl
added a commit
to hongliangl/antrea
that referenced
this pull request
Apr 12, 2024
…n zone 0 This is a subsequent PR for antrea-io#5112. As mentioned in antrea-io#5112: > Due to the restriction of the go library 'netlink', there is no API to specify a target zone. As a result, when deleting a stale conntrack entry with a destination port (such as NodePort), not only will the conntrack entry whose destination port is the port added by AntreaProxy be deleted, but also the conntrack entry that is not added by AntreaProxy will be deleted. This behavior is unexpected, as only the conntrack entries added by AntreaProxy should be deleted. This PR resolves the issue by integrating a CT zone filter, now available in the latest Go library `netlink`. Leveraging this feature, AntreaProxy can accurately delete stale UDP conntrack entries. Signed-off-by: Hongliang Liu <[email protected]>
hongliangl
added a commit
to hongliangl/antrea
that referenced
this pull request
Apr 24, 2024
…n zone 0 This is a subsequent PR for antrea-io#5112. As mentioned in antrea-io#5112: > Due to the restriction of the go library 'netlink', there is no API to specify a target zone. As a result, when deleting a stale conntrack entry with a destination port (such as NodePort), not only will the conntrack entry whose destination port is the port added by AntreaProxy be deleted, but also the conntrack entry that is not added by AntreaProxy will be deleted. This behavior is unexpected, as only the conntrack entries added by AntreaProxy should be deleted. This PR resolves the issue by integrating a CT zone filter, now available in the latest Go library `netlink`. Leveraging this feature, AntreaProxy can accurately delete stale UDP conntrack entries. Signed-off-by: Hongliang Liu <[email protected]>
hongliangl
added a commit
to hongliangl/antrea
that referenced
this pull request
May 23, 2024
…n zone 0 This is a subsequent PR for antrea-io#5112. As mentioned in antrea-io#5112: > Due to the restriction of the go library 'netlink', there is no API to specify a target zone. As a result, when deleting a stale conntrack entry with a destination port (such as NodePort), not only will the conntrack entry whose destination port is the port added by AntreaProxy be deleted, but also the conntrack entry that is not added by AntreaProxy will be deleted. This behavior is unexpected, as only the conntrack entries added by AntreaProxy should be deleted. This PR resolves the issue by integrating a CT zone filter, now available in the latest Go library `netlink`. Leveraging this feature, AntreaProxy can accurately delete stale UDP conntrack entries. Signed-off-by: Hongliang Liu <[email protected]>
hongliangl
added a commit
to hongliangl/antrea
that referenced
this pull request
May 23, 2024
…n zone 0 This is a subsequent PR for antrea-io#5112. As mentioned in antrea-io#5112: > Due to the restriction of the go library 'netlink', there is no API to specify a target zone. As a result, when deleting a stale conntrack entry with a destination port (such as NodePort), not only will the conntrack entry whose destination port is the port added by AntreaProxy be deleted, but also the conntrack entry that is not added by AntreaProxy will be deleted. This behavior is unexpected, as only the conntrack entries added by AntreaProxy should be deleted. This PR resolves the issue by integrating a CT zone filter, now available in the latest Go library `netlink`. Leveraging this feature, AntreaProxy can accurately delete stale UDP conntrack entries. Signed-off-by: Hongliang Liu <[email protected]>
hongliangl
added a commit
to hongliangl/antrea
that referenced
this pull request
May 24, 2024
…n zone 0 This is a subsequent PR for antrea-io#5112. As mentioned in antrea-io#5112: > Due to the restriction of the go library 'netlink', there is no API to specify a target zone. As a result, when deleting a stale conntrack entry with a destination port (such as NodePort), not only will the conntrack entry whose destination port is the port added by AntreaProxy be deleted, but also the conntrack entry that is not added by AntreaProxy will be deleted. This behavior is unexpected, as only the conntrack entries added by AntreaProxy should be deleted. This PR resolves the issue by integrating a CT zone filter, now available in the latest Go library `netlink`. Leveraging this feature, AntreaProxy can accurately delete stale UDP conntrack entries. Signed-off-by: Hongliang Liu <[email protected]>
tnqn
pushed a commit
that referenced
this pull request
May 28, 2024
…n zone 0 (#6193) This is a subsequent PR for #5112. As mentioned in #5112: > Due to the restriction of the go library 'netlink', there is no API to specify a target zone. As a result, when deleting a stale conntrack entry with a destination port (such as NodePort), not only will the conntrack entry whose destination port is the port added by AntreaProxy be deleted, but also the conntrack entry that is not added by AntreaProxy will be deleted. This behavior is unexpected, as only the conntrack entries added by AntreaProxy should be deleted. This PR resolves the issue by integrating a CT zone filter, now available in the latest Go library `netlink`. Leveraging this feature, AntreaProxy can accurately delete stale UDP conntrack entries. Signed-off-by: Hongliang Liu <[email protected]>
hongliangl
added a commit
to hongliangl/antrea
that referenced
this pull request
May 28, 2024
In antrea-io#5112, due to the limitations of the Go netlink library, AntreaProxy would unconditionally delete conntrack entries added by kube-proxy in conntrack zone 0. AntreaProxy was supposed to only delete its own entries in conntrack zones 65520 or 65521. To address this, a feature was added to isolate the relevant code. After the merge of antrea-io#6193, the netlink library was updated, allowing AntreaProxy to precisely delete conntrack entries in zones 65520 or 65521. It is now safe to enable the corresponding code by default. Signed-off-by: Hongliang Liu <[email protected]>
hongliangl
added a commit
to hongliangl/antrea
that referenced
this pull request
May 29, 2024
In antrea-io#5112, due to the limitations of the Go netlink library, AntreaProxy would unconditionally delete conntrack entries added by kube-proxy in conntrack zone 0. AntreaProxy was supposed to only delete its own entries in conntrack zones 65520 or 65521. To address this, a feature was added to isolate the relevant code. After the merge of antrea-io#6193, the netlink library was updated, allowing AntreaProxy to precisely delete conntrack entries in zones 65520 or 65521. It is now safe to enable the corresponding code by default. Signed-off-by: Hongliang Liu <[email protected]>
hongliangl
added a commit
to hongliangl/antrea
that referenced
this pull request
May 29, 2024
In antrea-io#5112, due to the limitations of the Go netlink library, AntreaProxy would unconditionally delete conntrack entries added by kube-proxy in conntrack zone 0. AntreaProxy was supposed to only delete its own entries in conntrack zones 65520 or 65521. To address this, a feature was added to isolate the relevant code. After the merge of antrea-io#6193, the netlink library was updated, allowing AntreaProxy to precisely delete conntrack entries in zones 65520 or 65521. It is now safe to enable the corresponding code by default. Signed-off-by: Hongliang Liu <[email protected]>
hongliangl
added a commit
to hongliangl/antrea
that referenced
this pull request
May 30, 2024
In antrea-io#5112, due to the limitations of the Go netlink library, AntreaProxy would unconditionally delete conntrack entries added by kube-proxy in conntrack zone 0. AntreaProxy was supposed to only delete its own entries in conntrack zones 65520 or 65521. To address this, a feature was added to isolate the relevant code. After the merge of antrea-io#6193, the netlink library was updated, allowing AntreaProxy to precisely delete conntrack entries in zones 65520 or 65521. It is now safe to enable the corresponding code by default. Signed-off-by: Hongliang Liu <[email protected]>
hongliangl
added a commit
to hongliangl/antrea
that referenced
this pull request
Jun 5, 2024
…n zone 0 (antrea-io#6193) This is a subsequent PR for antrea-io#5112. As mentioned in antrea-io#5112: > Due to the restriction of the go library 'netlink', there is no API to specify a target zone. As a result, when deleting a stale conntrack entry with a destination port (such as NodePort), not only will the conntrack entry whose destination port is the port added by AntreaProxy be deleted, but also the conntrack entry that is not added by AntreaProxy will be deleted. This behavior is unexpected, as only the conntrack entries added by AntreaProxy should be deleted. This PR resolves the issue by integrating a CT zone filter, now available in the latest Go library `netlink`. Leveraging this feature, AntreaProxy can accurately delete stale UDP conntrack entries. Signed-off-by: Hongliang Liu <[email protected]>
hongliangl
added a commit
to hongliangl/antrea
that referenced
this pull request
Jun 5, 2024
…n zone 0 (antrea-io#6193) This is a subsequent PR for antrea-io#5112. As mentioned in antrea-io#5112: > Due to the restriction of the go library 'netlink', there is no API to specify a target zone. As a result, when deleting a stale conntrack entry with a destination port (such as NodePort), not only will the conntrack entry whose destination port is the port added by AntreaProxy be deleted, but also the conntrack entry that is not added by AntreaProxy will be deleted. This behavior is unexpected, as only the conntrack entries added by AntreaProxy should be deleted. This PR resolves the issue by integrating a CT zone filter, now available in the latest Go library `netlink`. Leveraging this feature, AntreaProxy can accurately delete stale UDP conntrack entries. Signed-off-by: Hongliang Liu <[email protected]>
hongliangl
added a commit
to hongliangl/antrea
that referenced
this pull request
Jun 5, 2024
…n zone 0 (antrea-io#6193) This is a subsequent PR for antrea-io#5112. As mentioned in antrea-io#5112: > Due to the restriction of the go library 'netlink', there is no API to specify a target zone. As a result, when deleting a stale conntrack entry with a destination port (such as NodePort), not only will the conntrack entry whose destination port is the port added by AntreaProxy be deleted, but also the conntrack entry that is not added by AntreaProxy will be deleted. This behavior is unexpected, as only the conntrack entries added by AntreaProxy should be deleted. This PR resolves the issue by integrating a CT zone filter, now available in the latest Go library `netlink`. Leveraging this feature, AntreaProxy can accurately delete stale UDP conntrack entries. Signed-off-by: Hongliang Liu <[email protected]>
hongliangl
added a commit
to hongliangl/antrea
that referenced
this pull request
Jun 5, 2024
…n zone 0 (antrea-io#6193) This is a subsequent PR for antrea-io#5112. As mentioned in antrea-io#5112: > Due to the restriction of the go library 'netlink', there is no API to specify a target zone. As a result, when deleting a stale conntrack entry with a destination port (such as NodePort), not only will the conntrack entry whose destination port is the port added by AntreaProxy be deleted, but also the conntrack entry that is not added by AntreaProxy will be deleted. This behavior is unexpected, as only the conntrack entries added by AntreaProxy should be deleted. This PR resolves the issue by integrating a CT zone filter, now available in the latest Go library `netlink`. Leveraging this feature, AntreaProxy can accurately delete stale UDP conntrack entries. Signed-off-by: Hongliang Liu <[email protected]>
hongliangl
added a commit
to hongliangl/antrea
that referenced
this pull request
Jun 5, 2024
…n zone 0 (antrea-io#6193) This is a subsequent PR for antrea-io#5112. As mentioned in antrea-io#5112: > Due to the restriction of the go library 'netlink', there is no API to specify a target zone. As a result, when deleting a stale conntrack entry with a destination port (such as NodePort), not only will the conntrack entry whose destination port is the port added by AntreaProxy be deleted, but also the conntrack entry that is not added by AntreaProxy will be deleted. This behavior is unexpected, as only the conntrack entries added by AntreaProxy should be deleted. This PR resolves the issue by integrating a CT zone filter, now available in the latest Go library `netlink`. Leveraging this feature, AntreaProxy can accurately delete stale UDP conntrack entries. Signed-off-by: Hongliang Liu <[email protected]>
tnqn
pushed a commit
that referenced
this pull request
Jun 6, 2024
…n zone 0 (#6193) (#6406) This is a subsequent PR for #5112. As mentioned in #5112: > Due to the restriction of the go library 'netlink', there is no API to specify a target zone. As a result, when deleting a stale conntrack entry with a destination port (such as NodePort), not only will the conntrack entry whose destination port is the port added by AntreaProxy be deleted, but also the conntrack entry that is not added by AntreaProxy will be deleted. This behavior is unexpected, as only the conntrack entries added by AntreaProxy should be deleted. This PR resolves the issue by integrating a CT zone filter, now available in the latest Go library `netlink`. Leveraging this feature, AntreaProxy can accurately delete stale UDP conntrack entries. Signed-off-by: Hongliang Liu <[email protected]>
tnqn
pushed a commit
that referenced
this pull request
Jun 6, 2024
…n zone 0 (#6193) (#6404) This is a subsequent PR for #5112. As mentioned in #5112: > Due to the restriction of the go library 'netlink', there is no API to specify a target zone. As a result, when deleting a stale conntrack entry with a destination port (such as NodePort), not only will the conntrack entry whose destination port is the port added by AntreaProxy be deleted, but also the conntrack entry that is not added by AntreaProxy will be deleted. This behavior is unexpected, as only the conntrack entries added by AntreaProxy should be deleted. This PR resolves the issue by integrating a CT zone filter, now available in the latest Go library `netlink`. Leveraging this feature, AntreaProxy can accurately delete stale UDP conntrack entries. Signed-off-by: Hongliang Liu <[email protected]>
tnqn
pushed a commit
that referenced
this pull request
Jun 6, 2024
…n zone 0 (#6193) (#6405) This is a subsequent PR for #5112. As mentioned in #5112: > Due to the restriction of the go library 'netlink', there is no API to specify a target zone. As a result, when deleting a stale conntrack entry with a destination port (such as NodePort), not only will the conntrack entry whose destination port is the port added by AntreaProxy be deleted, but also the conntrack entry that is not added by AntreaProxy will be deleted. This behavior is unexpected, as only the conntrack entries added by AntreaProxy should be deleted. This PR resolves the issue by integrating a CT zone filter, now available in the latest Go library `netlink`. Leveraging this feature, AntreaProxy can accurately delete stale UDP conntrack entries. Signed-off-by: Hongliang Liu <[email protected]>
hongliangl
added a commit
to hongliangl/antrea
that referenced
this pull request
Jun 6, 2024
In antrea-io#5112, due to the limitations of the Go netlink library, AntreaProxy would unconditionally delete conntrack entries added by kube-proxy in conntrack zone 0. AntreaProxy was supposed to only delete its own entries in conntrack zones 65520 or 65521. To address this, a feature was added to isolate the relevant code. After the merge of antrea-io#6193, the netlink library was updated, allowing AntreaProxy to precisely delete conntrack entries in zones 65520 or 65521. It is now safe to enable the corresponding code by default. Signed-off-by: Hongliang Liu <[email protected]>
hongliangl
added a commit
to hongliangl/antrea
that referenced
this pull request
Jun 7, 2024
In antrea-io#5112, due to the limitations of the Go netlink library, AntreaProxy would unconditionally delete conntrack entries added by kube-proxy in conntrack zone 0. AntreaProxy was supposed to only delete its own entries in conntrack zones 65520 or 65521. To address this, a feature was added to isolate the relevant code. After the merge of antrea-io#6193, the netlink library was updated, allowing AntreaProxy to precisely delete conntrack entries in zones 65520 or 65521. It is now safe to enable the corresponding code by default. Signed-off-by: Hongliang Liu <[email protected]>
hongliangl
added a commit
to hongliangl/antrea
that referenced
this pull request
Jun 12, 2024
In antrea-io#5112, due to the limitations of the Go netlink library, AntreaProxy would unconditionally delete conntrack entries added by kube-proxy in conntrack zone 0. AntreaProxy was supposed to only delete its own entries in conntrack zones 65520 or 65521. To address this, a feature was added to isolate the relevant code. After the merge of antrea-io#6193, the netlink library was updated, allowing AntreaProxy to precisely delete conntrack entries in zones 65520 or 65521. It is now safe to enable the corresponding code by default. Signed-off-by: Hongliang Liu <[email protected]>
tnqn
pushed a commit
that referenced
this pull request
Jun 13, 2024
In #5112, due to the limitations of the Go netlink library, AntreaProxy would unconditionally delete conntrack entries added by kube-proxy in conntrack zone 0. AntreaProxy was supposed to only delete its own entries in conntrack zones 65520 or 65521. To address this, a feature was added to isolate the relevant code. After the merge of #6193, the netlink library was updated, allowing AntreaProxy to precisely delete conntrack entries in zones 65520 or 65521. It is now safe to enable the corresponding code by default. Signed-off-by: Hongliang Liu <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Previously, when a client accessed a UDP Service through AntreaProxy, if the
selected backend Pod was deleted and no new available backend Pod was automatically
selected by AntreaProxy, the connection would always remain unavailable. This issue
occurred because a conntrack entry was generated through OVS ct action in AntreaProxy
when handling the first packet of the UDP connection. Even if the selected Endpoint
was removed, the conntrack entry's timeout would be flushed upon receiving a packet
from the client in AntreaProxy OVS pipeline. Consequently, the stale conntrack entry
would persist as long as the client continued sending packets to the UDP service,
causing AntreaProxy's OVS pipeline to direct the packets to the IP of the removed
backend Pod.
This PR addresses the issue by removing the stale conntrack entries when the
associated UDP Endpoints are removed. This ensures that a new available backend Pod
can be selected in AntreaProxy's OVS pipeline.
Please note the following:
target zone. As a result, when deleting a stale conntrack entry with a
destination port (such as NodePort), not only will the conntrack entry whose
destination port is the port added by AntreaProxy be deleted, but also the
conntrack entry that is not added by AntreaProxy will be deleted. This behavior
is unexpected, as only the conntrack entries added by AntreaProxy should be
deleted.