envoy proxy: Only reuse DNS proxy port when it's free

When cilium-agent starts, it will allocate a free port for proxy to use, if users don't speicify in config. It also tries to recover previous allocation from iptables rules, but the recover doesn't check if the port is already open by other processes on the host. This change will check the recovered port is free before assign it to DNS proxy. Fix #22465 Signed-off-by: Yongkun Gui <ygui@google.com>
cilium · May 31, 2023 · 6fec1b0 · 6fec1b0
1 parent e89dfb4
commit 6fec1b0
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 2 deletions.
diff --git a/daemon/cmd/fqdn.go b/daemon/cmd/fqdn.go
@@ -363,8 +363,12 @@ func (d *Daemon) bootstrapFQDN(possibleEndpoints map[uint16]*endpoint.Endpoint,
 	if option.Config.ToFQDNsProxyPort != 0 {
 		port = uint16(option.Config.ToFQDNsProxyPort)
 	} else if port == 0 {
-		// Try locate old DNS proxy port number from the datapath
-		port = d.datapath.GetProxyPort(proxy.DNSProxyName)
+		// Try locate old DNS proxy port number from the datapath, and reuse it if it's not open
+		oldPort := d.datapath.GetProxyPort(proxy.DNSProxyName)
+		openLocalPorts := proxy.OpenLocalPorts()
+		if _, alreadyOpen := openLocalPorts[oldPort]; !alreadyOpen {
+			port = oldPort
+		}
 	}
 	if err := re.InitRegexCompileLRU(option.Config.FQDNRegexCompileLRUSize); err != nil {
 		return fmt.Errorf("could not initialize regex LRU cache: %w", err)

diff --git a/pkg/proxy/netstat.go b/pkg/proxy/netstat.go
@@ -65,3 +65,8 @@ func readOpenLocalPorts(procNetFiles []string) map[uint16]struct{} {
 
 	return openLocalPorts
 }
+
+// OpenLocalPorts returns the set of L4 ports currently open locally.
+func OpenLocalPorts() map[uint16]struct{} {
+	return readOpenLocalPorts(append(procNetTCPFiles, procNetUDPFiles...))
+}