endpoint: Skip conntrack clean on endpoint restore

The commit cb49db5 introduced conntrack cleaning on the initial endpoint build to clean eventual state from a previous endpoint build. This is correct in principle but the commit missed to exclude endpoint builds triggered by restored endpoints. Fixes: cb49db5 ("endpoint: Clear conntrack on initial endpoint build") Signed-off-by: Thomas Graf <thomas@cilium.io>
cilium · Oct 15, 2018 · b6f9dcc · b6f9dcc
1 parent 46292fc
commit b6f9dcc
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 0 deletions.
diff --git a/daemon/state.go b/daemon/state.go
@@ -130,6 +130,8 @@ func (d *Daemon) restoreOldEndpoints(dir string, clean bool) (*endpointRestoreSt
 
 		ep.Unlock()
 
+		ep.SkipStateClean()
+
 		state.restored = append(state.restored, ep)
 
 		delete(existingEndpoints, ep.IPv4.String())

diff --git a/pkg/endpoint/endpoint.go b/pkg/endpoint/endpoint.go
@@ -2759,3 +2759,16 @@ func (e *Endpoint) scrubIPsInConntrackTable() {
 	e.scrubIPsInConntrackTableLocked()
 	e.Unlock()
 }
+
+// SkipStateClean can be called on a endpoint before its first build to skip
+// the cleaning of state such as the conntrack table. This is useful when an
+// endpoint is being restored from state and the datapath state should not be
+// claned.
+//
+// The endpoint lock must NOT be held.
+func (e *Endpoint) SkipStateClean() {
+	// Mark conntrack as already cleaned
+	e.UnconditionalLock()
+	e.ctCleaned = true
+	e.Unlock()
+}