ipsec: Log duration of temporary XFRM state removal
Context: During IPsec upgrades, we may have to temporarily remove some
XFRM states due to conflicts with the new states and because the Linux
API doesn't enable us to perform this atomically as we do for XFRM
policies.

This temporary removal should be very short but can still cause drops
under heavy throughput. This commit logs the duration of the removal so
we can validate that it's actually always short and estimate the impact
on packet drops.

Note the log message will now be displayed only once the XFRM state is
re-added, instead of when it's removed like before.

Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
pchaigno committed May 2, 2024
1 parent e7db879 commit bba016e
Showing 1 changed file with 3 additions and 1 deletion.
4 changes: 3 additions & 1 deletion pkg/datapath/linux/ipsec/ipsec_linux.go
Expand Up @@ -402,14 +402,16 @@ func xfrmStateReplace(new *netlink.XfrmState, remoteRebooted bool) error {
// conflicting XFRM state. This function removes the conflicting state and
// prepares a defer callback to re-add it with proper logging.
func xfrmTemporarilyRemoveState(scopedLog *logrus.Entry, state netlink.XfrmState, dir string) (error, func()) {
start := time.Now()
if err := netlink.XfrmStateDel(&state); err != nil {
return err, nil
}
scopedLog.Infof("Temporarily removed old XFRM %s state", dir)
return nil, func() {
if err := netlink.XfrmStateAdd(&state); err != nil {
scopedLog.WithError(err).Errorf("Failed to re-add old XFRM %s state", dir)
}
elapsed := time.Since(start)
scopedLog.WithField(logfields.Duration, elapsed).Infof("Temporarily removed old XFRM %s state", dir)
}
}
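
Review bot: in the closure returned by xfrmTemporarilyRemoveState, a failed netlink.XfrmStateAdd logs the Errorf and then falls through to the Infof "Temporarily removed old XFRM %s state" with a duration, even though the state is still absent at that point. Consider returning right after the Errorf and attaching logfields.Duration to the error entry as well, so a failed re-add is not recorded as a short, completed removal window. Separately, since the success message is now emitted only from the closure, nothing is logged if the caller never runs it; a debug-level line at removal time would keep the removal itself visible in that case.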
