Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ctmap: add GC support for DSR NAT entries with nodeport-backed CT entry #28857

Merged
merged 8 commits into from Oct 30, 2023
Merged

ctmap: add GC support for DSR NAT entries with nodeport-backed CT entry #28857

merged 8 commits into from Oct 30, 2023

Conversation

julianwiedmann
Copy link
Member

@julianwiedmann julianwiedmann commented Oct 29, 2023
edited

#22978 changed the way how backend nodes manage the NAT entry for a DSR connection. Previously such a NAT entry's lifetime would be controlled by a CT_INGRESS CT entry created by bpf_lxc.
With the changes in the referenced PR, we are now using a CT_EGRESS CT entry instead gets created by the nodeport ingress path.

The PR added GC support for such NAT entries in PurgeOrphanNATEntries(). But it missed also adding such support to the GC code that runs when a specific CT entry is removed.

Add this support now, along with some cleanups & additional tests.

When the CT entry for a DSR connection is garbage-collected, the corresponding SNAT entry is now also removed.

@julianwiedmann julianwiedmann added sig/datapath Impacts bpf/ or low-level forwarding details, including map management and monitor messages. release-note/misc This PR makes changes that have no direct user impact. feature/conntrack feature/snat Relates to SNAT or Masquerading of traffic labels Oct 29, 2023
@julianwiedmann
Copy link
Member Author

/test

@julianwiedmann julianwiedmann force-pushed the 1.15-ct-nat-gc branch 2 times, most recently from 5762e08 to 5e4135f Compare October 29, 2023 15:43
@julianwiedmann
Copy link
Member Author

/test

@julianwiedmann
ctmap: clean up hard-coded values
a43dfd9 
De-obfuscate some of the flags to improve readability.

Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
@julianwiedmann
ctmap: add GC test-case for SNATed TCP
327bcd3 
Test that when the CT entry for 192.168.61.11:38193 -> 192.168.61.12:80
is removed, then the related IN and OUT NAT entries are purged along with
it.

Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
@julianwiedmann
ctmap: add test for Legacy DSR
10800c6 
DSR uses a OUT NAT entry for RevDNAT of backend replies. Prior to the
changes in cilium#22978, this NAT entry was
protected by the CT_INGRESS entry which bpf_lxc creates for the backend
connection.

Test that GC of the NAT entry works when the CT entry is removed.

Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
@julianwiedmann
ctmap: improve description for PurgeOrphanNATEntries()
4fa926d 
Point out that PurgeOrphanNATEntries() is only a fallback, to purge NAT
entries that are unexpectedly no longer backed by any CT entry.

During normal operations NAT entries should get purged as part of the GC
for their specific CT entry.

Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
@julianwiedmann
ctmap: set dsr flag for relevant CT entries in TestOrphanNatGC()
d122e87 
CT entries that get created for a DSR connection by the datapath will have
the `dsr` flag set. Reflect this in the CT entries that we use for tests.

The flag currently doesn't make a difference for the GC logic, but let's
still be a bit more accurate.

Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
@julianwiedmann
ctmap: move some NAT GC logic into ctmap
57c5155 
We want to add more advanced handling into the GC logic, which requires
information from the actual CT entry. Let's consolidate all of the
decision making in the purgeCtEntry*() functions, so that the NAT code
doesn't need to understand all the details of how CT and NAT interact.

Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
@julianwiedmann
ctmap: limit DSR purge to CT entries with .dsr flag
4b15472 
Clarify which CT entries potentially require purging of a DSR-related NAT
entry. This reduces the risk of accidentally purging unrelated NAT entries,
and allows the GC logic to do less work.

Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
@julianwiedmann
Copy link
Member Author

/test

@julianwiedmann julianwiedmann added kind/bug This is a bug in the Cilium logic. release-note/bug This PR fixes an issue in a previous release of Cilium. needs-backport/1.13 This PR / issue needs backporting to the v1.13 branch needs-backport/1.14 This PR / issue needs backporting to the v1.14 branch labels Oct 30, 2023
@maintainer-s-little-helper maintainer-s-little-helper bot added this to Needs backport from main in 1.14.4 Oct 30, 2023
@maintainer-s-little-helper maintainer-s-little-helper bot added this to Needs backport from main in 1.13.9 Oct 30, 2023
@julianwiedmann julianwiedmann added area/loadbalancing Impacts load-balancing and Kubernetes service implementations and removed release-note/misc This PR makes changes that have no direct user impact. labels Oct 30, 2023
@julianwiedmann
ctmap: add NAT purge for nodeport-backed DSR NAT entries
0a080d3 
With cilium#22978 we changed how DSR NAT
entries are managed. Instead of associating the NAT entry's lifetime with
bpf_lxc's CT_INGRESS entry, the nodeport code on the backend now creates
its own CT_EGRESS entry. When such a CT_EGRESS entry is GC'ed, we should
therefore also purge the related DSR NAT entry.

Also add a test for this case.

Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
@julianwiedmann
Copy link
Member Author

/test

@julianwiedmann julianwiedmann changed the title 1.15 ct nat gc ctmap: add GC support for DSR NAT entries with nodeport-backed CT entry Oct 30, 2023
@julianwiedmann julianwiedmann marked this pull request as ready for review October 30, 2023 08:34
@julianwiedmann julianwiedmann requested a review from a team as a code owner October 30, 2023 08:34
dylandreimerink
dylandreimerink approved these changes Oct 30, 2023
View reviewed changes
Copy link
Member

@dylandreimerink dylandreimerink left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

@maintainer-s-little-helper maintainer-s-little-helper bot added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Oct 30, 2023
@dylandreimerink dylandreimerink merged commit 21072cd into cilium:main Oct 30, 2023
62 checks passed
@pippolo84 pippolo84 mentioned this pull request Oct 30, 2023
Merged
9 tasks
@pippolo84 pippolo84 added backport-pending/1.14 The backport for Cilium 1.14.x for this PR is in progress. and removed needs-backport/1.14 This PR / issue needs backporting to the v1.14 branch labels Oct 30, 2023
@julianwiedmann julianwiedmann mentioned this pull request Oct 30, 2023
Merged
@pippolo84 pippolo84 mentioned this pull request Oct 30, 2023
Merged
6 tasks
@pippolo84 pippolo84 added backport-pending/1.13 The backport for Cilium 1.13.x for this PR is in progress. and removed needs-backport/1.13 This PR / issue needs backporting to the v1.13 branch labels Oct 30, 2023
@maintainer-s-little-helper maintainer-s-little-helper bot moved this from Needs backport from main to Backport pending to v1.13 in 1.13.9 Oct 30, 2023
@maintainer-s-little-helper maintainer-s-little-helper bot moved this from Needs backport from main to Backport pending to v1.14 in 1.14.4 Oct 30, 2023
@pippolo84 pippolo84 added backport-done/1.13 The backport for Cilium 1.13.x for this PR is done. and removed backport-pending/1.13 The backport for Cilium 1.13.x for this PR is in progress. labels Nov 2, 2023
@maintainer-s-little-helper maintainer-s-little-helper bot moved this from Backport pending to v1.13 to Backport done to v1.13 in 1.13.9 Nov 2, 2023
@jibi jibi added backport-done/1.14 The backport for Cilium 1.14.x for this PR is done. and removed backport-pending/1.14 The backport for Cilium 1.14.x for this PR is in progress. labels Nov 7, 2023
@thorn3r thorn3r mentioned this pull request Nov 9, 2023
Merged
@nathanjsweet nathanjsweet mentioned this pull request Nov 12, 2023
Merged
@ghost ghost mentioned this pull request Nov 21, 2023
Open
2 tasks
@julianwiedmann julianwiedmann mentioned this pull request Dec 7, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dylandreimerink dylandreimerink dylandreimerink approved these changes

Assignees
No one assigned
Labels
area/loadbalancing Impacts load-balancing and Kubernetes service implementations backport-done/1.13 The backport for Cilium 1.13.x for this PR is done. backport-done/1.14 The backport for Cilium 1.14.x for this PR is done. feature/conntrack feature/snat Relates to SNAT or Masquerading of traffic kind/bug This is a bug in the Cilium logic. ready-to-merge This PR has passed all tests and received consensus from code owners to merge. release-note/bug This PR fixes an issue in a previous release of Cilium. sig/datapath Impacts bpf/ or low-level forwarding details, including map management and monitor messages.
Projects
No open projects
1.13.9
Backport done to v1.13
1.14.4
Backport pending to v1.14
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@julianwiedmann @dylandreimerink @jibi @pippolo84