-
Notifications
You must be signed in to change notification settings - Fork 2.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
v1.8 backports 2020-10-07 #13438
v1.8 backports 2020-10-07 #13438
Commits on Oct 7, 2020
-
docs: Correct app name in getting started guide
[ upstream commit edd0552 ] Signed-off-by: Tom Payne <tom@isovalent.com> Signed-off-by: Quentin Monnet <quentin@isovalent.com>
Configuration menu - View commit details
-
Copy full SHA for 4916e8c - Browse repository at this point
Copy the full SHA 4916e8cView commit details -
docs: Add demonstration that second example is additive
[ upstream commit e22ee43 ] This makes it clear that the L7 filter builds on the L3/L4 filter. Signed-off-by: Tom Payne <tom@isovalent.com> Signed-off-by: Quentin Monnet <quentin@isovalent.com>
Configuration menu - View commit details
-
Copy full SHA for 79ce4b7 - Browse repository at this point
Copy the full SHA 79ce4b7View commit details -
docs: Create connectivity test is separate namespace in getting start…
…ed guide [ upstream commit 803f283 ] Signed-off-by: Tom Payne <tom@isovalent.com> Signed-off-by: Quentin Monnet <quentin@isovalent.com>
Configuration menu - View commit details
-
Copy full SHA for 209a571 - Browse repository at this point
Copy the full SHA 209a571View commit details -
Add the return code CT_REOPENED for conntrack table lookup.
[ upstream commit ada53a9 ] When a tcp SYN packet hits a conntrack entry that is in close-wait state, the entry timeout will be modified and the entry will be reopened. But because the return code is CT_ESTABLISHED, policy-verdict event will not be generated even this is a new connection. The patch fix the issue by returning the code CT_REOPENED instead in this case. Except for policy verdict events, all other handlings are the same as if CT_ESTABLISHED is returned. Signed-off-by: Zang Li <zangli@google.com> Signed-off-by: Quentin Monnet <quentin@isovalent.com>
Configuration menu - View commit details
-
Copy full SHA for bb9f168 - Browse repository at this point
Copy the full SHA bb9f168View commit details -
bpf: properly handle IPv4 fragmented packets in host firewall
[ upstream commit a03e1a6 ] This commit fixes a typo in the IPV4_FRAGMENTS constant in the BPF host filewall, which should have been named ENABLE_IPV4_FRAGMENTS. As IPV4_FRAGMENTS was never defined, this bug caused the `is_untracked_fragment` variable in `ipv4_host_policy_ingress` to be set to `true` even when IPv4 fragment tracking was effectively enabled. This in turn caused the host firewall to always fail the L4 policy lookup for all IPv4 fragment and to always fall back to the L3 policy lookup, potentially returning the incorrect DROP_FRAG_NOSUPPORT error in case no policy allowing the traffic was in place. Signed-off-by: Gilberto Bertin <gilberto@isovalent.com> Signed-off-by: Quentin Monnet <quentin@isovalent.com>
Configuration menu - View commit details
-
Copy full SHA for 98d5440 - Browse repository at this point
Copy the full SHA 98d5440View commit details -
contexthelpers: Fix deadlock when nobody recvs on success channel
[ upstream commit 4a66961 ] It has been observed that the "sessionSuccess <- true" statement can block forever. E.g. Cilium v1.7.9: goroutine 742 [chan send, 547 minutes]: github.com/cilium/cilium/pkg/kvstore.(*etcdClient).renewLockSession(0xc000f66000, 0x2790b40, 0xc000e247c0, 0x0, 0x0) /go/src/github.com/cilium/cilium/pkg/kvstore/etcd.go:657 +0x3e2 github.com/cilium/cilium/pkg/kvstore.connectEtcdClient.func6(0x2790b40, 0xc000e247c0, 0x3aae820, 0x2) /go/src/github.com/cilium/cilium/pkg/kvstore/etcd.go:819 +0x3e github.com/cilium/cilium/pkg/controller.(*Controller).runController(0xc000f42500) /go/src/github.com/cilium/cilium/pkg/controller/controller.go:205 +0xa2a created by github.com/cilium/cilium/pkg/controller.(*Manager).updateController /go/src/github.com/cilium/cilium/pkg/controller/manager.go:120 +0xb09 This can happen when the context cancellation timer fires after a function which consumes the context has returned, but before "sessionSuccess <- true" is executed. After the timeout, the receiving goroutine is closed, making the sending block forever. Fix this by making the sessionSuccess channel buffered. Note that after sending we don't check whether the context has been cancelled, as we expect that any subsequent functions which consume the context will check for the cancellation. Fixes: 0262854 ("etcd: Fix incorrect context usage in session renewal") Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Quentin Monnet <quentin@isovalent.com>
Configuration menu - View commit details
-
Copy full SHA for 6d96020 - Browse repository at this point
Copy the full SHA 6d96020View commit details