-
Notifications
You must be signed in to change notification settings - Fork 2.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
v1.8 backports 2020-10-07 #13438
v1.8 backports 2020-10-07 #13438
Conversation
[ upstream commit edd0552 ] Signed-off-by: Tom Payne <tom@isovalent.com> Signed-off-by: Quentin Monnet <quentin@isovalent.com>
[ upstream commit e22ee43 ] This makes it clear that the L7 filter builds on the L3/L4 filter. Signed-off-by: Tom Payne <tom@isovalent.com> Signed-off-by: Quentin Monnet <quentin@isovalent.com>
…ed guide [ upstream commit 803f283 ] Signed-off-by: Tom Payne <tom@isovalent.com> Signed-off-by: Quentin Monnet <quentin@isovalent.com>
[ upstream commit ada53a9 ] When a tcp SYN packet hits a conntrack entry that is in close-wait state, the entry timeout will be modified and the entry will be reopened. But because the return code is CT_ESTABLISHED, policy-verdict event will not be generated even this is a new connection. The patch fix the issue by returning the code CT_REOPENED instead in this case. Except for policy verdict events, all other handlings are the same as if CT_ESTABLISHED is returned. Signed-off-by: Zang Li <zangli@google.com> Signed-off-by: Quentin Monnet <quentin@isovalent.com>
[ upstream commit a03e1a6 ] This commit fixes a typo in the IPV4_FRAGMENTS constant in the BPF host filewall, which should have been named ENABLE_IPV4_FRAGMENTS. As IPV4_FRAGMENTS was never defined, this bug caused the `is_untracked_fragment` variable in `ipv4_host_policy_ingress` to be set to `true` even when IPv4 fragment tracking was effectively enabled. This in turn caused the host firewall to always fail the L4 policy lookup for all IPv4 fragment and to always fall back to the L3 policy lookup, potentially returning the incorrect DROP_FRAG_NOSUPPORT error in case no policy allowing the traffic was in place. Signed-off-by: Gilberto Bertin <gilberto@isovalent.com> Signed-off-by: Quentin Monnet <quentin@isovalent.com>
[ upstream commit 4a66961 ] It has been observed that the "sessionSuccess <- true" statement can block forever. E.g. Cilium v1.7.9: goroutine 742 [chan send, 547 minutes]: github.com/cilium/cilium/pkg/kvstore.(*etcdClient).renewLockSession(0xc000f66000, 0x2790b40, 0xc000e247c0, 0x0, 0x0) /go/src/github.com/cilium/cilium/pkg/kvstore/etcd.go:657 +0x3e2 github.com/cilium/cilium/pkg/kvstore.connectEtcdClient.func6(0x2790b40, 0xc000e247c0, 0x3aae820, 0x2) /go/src/github.com/cilium/cilium/pkg/kvstore/etcd.go:819 +0x3e github.com/cilium/cilium/pkg/controller.(*Controller).runController(0xc000f42500) /go/src/github.com/cilium/cilium/pkg/controller/controller.go:205 +0xa2a created by github.com/cilium/cilium/pkg/controller.(*Manager).updateController /go/src/github.com/cilium/cilium/pkg/controller/manager.go:120 +0xb09 This can happen when the context cancellation timer fires after a function which consumes the context has returned, but before "sessionSuccess <- true" is executed. After the timeout, the receiving goroutine is closed, making the sending block forever. Fix this by making the sessionSuccess channel buffered. Note that after sending we don't check whether the context has been cancelled, as we expect that any subsequent functions which consume the context will check for the cancellation. Fixes: 0262854 ("etcd: Fix incorrect context usage in session renewal") Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Quentin Monnet <quentin@isovalent.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM for my changes 👍
test-backport-1.8 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM for my changes, thanks.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I reviewed my code owners only (datapath and documentation).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, thanks :)
LGTM for my changes, thanks! |
test-1.18-4.9 |
Once this PR is merged, you can update the PR labels via: