SIGSEV in startup when installNoConntrackIptablesRules is true #32607
Comments
This is because IPv4NativeRoutingCIDR is NULL in the config (as masquerading is disabled). I see that the main branch is using
Hi @Jean-Daniel, thanks for the bug report. I think what you pointed out is correct, we are missing a check for a nil (or empty) IPv4 native routing CIDR before installing the iptables NOTRACK rules. 👍
In case IPv4NativeRoutingCIDR is left unspecified, the related config option will be nil. To avoid panicking, check for this case before converting the CIDR to a string. Moreover, do not try to run the iptables command to install the NOTRACK rules if the resulting string is empty. Fixes: cilium#32607 Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
In case IPv4NativeRoutingCIDR is left unspecified, the related config option will be nil. To avoid panicking, check for this case before converting the CIDR to a string. Moreover, do not try to run the iptables command to install the NOTRACK rules if the resulting string is empty. Related: cilium#32607 Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
In case IPv4NativeRoutingCIDR is left unspecified, the related config option will be nil. To avoid panicking, check for this case before converting the CIDR to a string. Moreover, do not try to run the iptables command to install the NOTRACK rules if the resulting string is empty. Related: #32607 Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
In case IPv4NativeRoutingCIDR is left unspecified, the related config option will be nil. To avoid panicking, check for this case before converting the CIDR to a string. Moreover, do not try to run the iptables command to install the NOTRACK rules if the resulting string is empty. Fixes: #32607 Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
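The guard these commit messages describe, as an added Go example that is not Cilium's code: `routingCIDR`, `cidrString`, `noTrackRuleArgs` and the iptables arguments are hypothetical stand-ins for the agent's optional CIDR config field and its rule installer.

```go
package main

import (
	"fmt"
	"net"
)

// routingCIDR is a hypothetical stand-in for an optional CIDR config value
// that wraps *net.IPNet; the config holds a nil pointer when it is unset.
type routingCIDR struct{ *net.IPNet }

// unsafeCIDRString reproduces the failure mode: with c == nil, reaching the
// embedded IPNet dereferences a nil pointer and the process panics.
func unsafeCIDRString(c *routingCIDR) string { return c.String() }

// cidrString returns "" when the CIDR is unset instead of dereferencing it.
func cidrString(c *routingCIDR) string {
	if c == nil || c.IPNet == nil {
		return ""
	}
	return c.String()
}

// noTrackRuleArgs builds illustrative iptables arguments for a NOTRACK rule.
// It returns nil when there is no CIDR, so the caller skips the command
// rather than running iptables with an empty source match.
func noTrackRuleArgs(c *routingCIDR) []string {
	s := cidrString(c)
	if s == "" {
		return nil
	}
	return []string{"-t", "raw", "-A", "PREROUTING", "-s", s, "-j", "CT", "--notrack"}
}

// panics reports whether f panics, so the unsafe path can be shown safely.
func panics(f func()) (p bool) {
	defer func() { p = recover() != nil }()
	f()
	return false
}

func main() {
	_, n, _ := net.ParseCIDR("10.0.0.0/8") // constructed sample value
	fmt.Println("unguarded, nil CIDR panics:", panics(func() { unsafeCIDRString(nil) }))
	fmt.Println("guarded, nil CIDR args:", noTrackRuleArgs(nil))
	fmt.Println("guarded, set CIDR args:", noTrackRuleArgs(&routingCIDR{IPNet: n}))
}
```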
What happened?
I tried to enable installNoConntrackIptablesRules and restart the agent to apply the change, but they started to crash loop with the following stack trace.
Cilium Version
Cilium 1.15.5
Kernel Version
Linux worker-1.cluster 5.15.0-107-generic #117-Ubuntu SMP Fri Apr 26 12:26:49 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
Kubernetes Version
Server Version: v1.29.5
Regression
No response
Sysdump
Relevant log output
No response
Anything else?
No response