Fix flow validation breakage #485
Conversation
DNS exchange happens first, it's useful to have it validated even if the actual test traffic fails to validate.

Signed-off-by: Jarno Rajahalme <[email protected]>
Retry flow matching again if all flow requirements can not be met. Start the new round from the flow following the previous first match. This effectively retries flow matching from different L4 connections, as the ephemeral source port found from the first match is fixed for the remaining requirements. By skipping the previous first match the match can succeed on a different L4 connection.

Merge flow validation results for each flow requirement before returning. Without this flow validation was reported successful when at least one flow validation requirement was met, hiding failures in later requirements.

For example, if successful DNS reply from proxy is required, it may be on a different UDP or TCP port than the first DNS resolution exchange that may have failed.

This capability was inadvertently removed in #319.

Fixes: #319

Signed-off-by: Jarno Rajahalme <[email protected]>
I never understood the code touched here, so not sure if I can give a comprehensive review. The problem this PR is trying to solve is also not clear. I'm not sure why an offset is still being used, I thought we would remove it completely. Given a list of flows on the left and a list of requirements on the right, the flow matcher should return a single verdict. If not all of the requirements are met, the error returned should state which one. If DNS resolution was successful, the matcher should make it past the DNS resolution and fail to match establishing e.g. a TCP connection. Why does this need special treatment?
typically the 1st DNS flow requirement ( See this commit for details on ephemeral port tracking: 6819144 The same applies to UDP exchanges as well. When the flow requirement expects to see the successful DNS response with the final answer, this practically never exists on the first DNS exchange. Without sliding the offset past the last successfully matched
Currently the code does not indicate which requirement fails. Prior to this PR the flow matcher ignored failing requirements after the 1st successful one. This was hiding failing DNS requirements after successful TCP requirements. Making DNS requirements the 1st one revealed this. This is fixed by merging the validation results earlier.

The offset is an internal detail of the flow matcher that was previously spilled to the caller. This PR removes the

Not sure what you mean with "special treatment" here.
kind test failed with the same error as cilium/cilium#12141:
Multicluster failed with #361

This is a bug fix and the flakes are unrelated, marking as ready-to-merge
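The retry-and-merge behaviour described in the commit message above, as an added Go example that is not the project's own code: `Flow`, `Requirement` and `MatchFlows` are assumed minimal types, and the example assumes that every requirement after the first must be observed on the ephemeral source port fixed by the first match. The per-requirement slice it returns is what lets a caller name the requirement that failed.

```go
package main

// Flow is a minimal stand-in for an observed L4 flow (constructed for this example).
type Flow struct {
	SrcPort int    // ephemeral source port identifying the L4 connection
	Summary string // constructed description, e.g. "DNS query", "DNS reply A 10.0.0.1"
}

// Requirement is one expectation; the flow matching the first requirement fixes
// the ephemeral port every later requirement must be seen on (assumed here).
type Requirement struct {
	Name  string
	Match func(Flow) bool
}

// MatchFlows checks reqs (non-empty) in order and reports the overall verdict
// plus, per requirement, whether any round satisfied it. When a round fails,
// the next round starts at the flow after that round's first match so a
// different L4 connection is tried; results are merged across rounds so a
// later requirement that never matched is reported, not hidden.
func MatchFlows(flows []Flow, reqs []Requirement) (bool, []bool) {
	merged := make([]bool, len(reqs))
	for start := 0; start < len(flows); {
		first := -1
		for i := start; i < len(flows) && first < 0; i++ {
			if reqs[0].Match(flows[i]) {
				first = i
			}
		}
		if first < 0 {
			break // no further candidate for the first requirement
		}
		port, met, pos := flows[first].SrcPort, make([]bool, len(reqs)), first+1
		met[0] = true
		for r := 1; r < len(reqs) && met[r-1]; r++ {
			for ; pos < len(flows) && !met[r]; pos++ {
				met[r] = flows[pos].SrcPort == port && reqs[r].Match(flows[pos])
			}
		}
		for r := range merged {
			merged[r] = merged[r] || met[r]
		}
		if met[len(reqs)-1] { // each requirement implies the previous ones
			return true, merged
		}
		start = first + 1 // retry from the flow following the previous first match
	}
	return false, merged
}
```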