nat: Orphan entries in NAT table #12686
Labels
kind/bug: This is a bug in the Cilium logic.
priority/high: This is considered vital to an upcoming release.
sig/datapath: Impacts bpf/ or low-level forwarding details, including map management and monitor messages.
If the (LRU) CT table gets full, then an eviction of a CT entry upon insert of a new entry won't trigger removal of the corresponding NAT entry, and such entries won't be removed by the CT GC. To avoid leaking entries, we should scan the NAT map and remove orphan entries.
Merging the CT and NAT maps or implementing LRU callbacks in the kernel would be a long-term fix.
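As an added illustration of the leak and of the proposed orphan scan, here is a small Go model written for this page; it is not Cilium's code. It assumes a simplified connection tuple, a capacity-bounded in-memory LRU standing in for the BPF LRU CT map, and a NAT map with one entry per direction (forward tuple to translated tuple, and the reverse of the translated tuple back to the reverse of the original). The liveness rule used by the scan (a NAT entry is live only while the CT map still holds the connection's original tuple) is an assumption chosen for the model, not a description of Cilium's actual key layout.

```go
package main

import (
	"container/list"
	"fmt"
)

// Tuple is a constructed stand-in for a connection key; Cilium's real map keys differ.
type Tuple struct {
	SrcIP, DstIP     string
	SrcPort, DstPort uint16
	Proto            uint8
}

// Reverse returns the same flow as seen from the other direction.
func (t Tuple) Reverse() Tuple {
	return Tuple{SrcIP: t.DstIP, DstIP: t.SrcIP, SrcPort: t.DstPort, DstPort: t.SrcPort, Proto: t.Proto}
}

// CTMap models a fixed-capacity LRU conntrack map: inserting into a full map
// silently evicts the least recently used key, and nothing else is notified.
type CTMap struct {
	capacity int
	order    *list.List // front = most recently used
	elems    map[Tuple]*list.Element
}

func NewCTMap(capacity int) *CTMap {
	return &CTMap{capacity: capacity, order: list.New(), elems: make(map[Tuple]*list.Element)}
}

func (c *CTMap) Insert(t Tuple) {
	if e, ok := c.elems[t]; ok {
		c.order.MoveToFront(e)
		return
	}
	if c.order.Len() >= c.capacity {
		oldest := c.order.Back()
		delete(c.elems, oldest.Value.(Tuple)) // eviction: no hook removes the NAT entries
		c.order.Remove(oldest)
	}
	c.elems[t] = c.order.PushFront(t)
}

func (c *CTMap) Has(t Tuple) bool {
	_, ok := c.elems[t]
	return ok
}

// NATMap models the SNAT map with one entry per direction. Nothing removes
// these entries when the CT entry they belong to is evicted.
type NATMap map[Tuple]Tuple

// RecordFlow is what happens when a new connection is translated.
func RecordFlow(ct *CTMap, nat NATMap, orig, translated Tuple) {
	ct.Insert(orig)
	nat[orig] = translated
	nat[translated.Reverse()] = orig.Reverse()
}

// OrphanNATKeys is the scan proposed in the issue (model assumption: a NAT
// entry is live only if CT still holds the connection's original tuple, which
// is the key for the forward entry and the reverse of the value for the reply).
func OrphanNATKeys(ct *CTMap, nat NATMap) []Tuple {
	var orphans []Tuple
	for k, v := range nat {
		if !ct.Has(k) && !ct.Has(v.Reverse()) {
			orphans = append(orphans, k)
		}
	}
	return orphans
}

// PruneOrphanNAT deletes the orphans and returns how many it removed.
func PruneOrphanNAT(ct *CTMap, nat NATMap) int {
	orphans := OrphanNATKeys(ct, nat)
	for _, k := range orphans {
		delete(nat, k)
	}
	return len(orphans)
}

// LeakScenario opens more flows than the CT map can hold (constructed sample
// addresses) and reports orphans found, orphans removed, and NAT entries left.
func LeakScenario(ctCapacity, flows int) (orphansBefore, pruned, remaining int) {
	ct := NewCTMap(ctCapacity)
	nat := NATMap{}
	for i := 0; i < flows; i++ {
		orig := Tuple{SrcIP: "10.0.0.1", DstIP: "203.0.113.9", SrcPort: uint16(10000 + i), DstPort: 443, Proto: 6}
		snat := Tuple{SrcIP: "192.0.2.1", DstIP: "203.0.113.9", SrcPort: uint16(30000 + i), DstPort: 443, Proto: 6}
		RecordFlow(ct, nat, orig, snat)
	}
	orphansBefore = len(OrphanNATKeys(ct, nat))
	pruned = PruneOrphanNAT(ct, nat)
	return orphansBefore, pruned, len(nat)
}

func main() {
	before, pruned, left := LeakScenario(2, 5)
	fmt.Printf("orphaned NAT entries: %d, removed by scan: %d, remaining: %d\n", before, pruned, left)
}
```

With a CT capacity of 2 and 5 flows, three connections are evicted from CT while their six NAT entries (two directions each) stay behind; the scan finds and removes exactly those six and leaves the four entries that belong to the two connections still tracked. The same scan run periodically from userspace, at a cadence comparable to the CT GC, is what bounds the leak until an in-kernel eviction callback or a merged map makes it unnecessary.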