Extend the CT expiration timeout for egress gateway packets #24905

Merged: 3 commits, Apr 28, 2023

Commits on Apr 25, 2023

  1. bpf: Extend the CT expiration timeout for egress gateway packets

    When the SNAT entry already exists for a connection that goes through
    the egress gateway (i.e. it's not the first packet), ct_lookup4 is
    skipped. That means that ct_update_timeout is not called, and the CT
    entry will be garbage collected while the connection is still active.
    
    To fix this bug, do the CT lookups for the second and further packets of
    connections using egress gateway as well.
    
    Fixes: 4532996 ("bpf: nat: always track egress gateway connections")
    Signed-off-by: Maxim Mikityanskiy <maxim@isovalent.com>
    gentoo-root committed Apr 25, 2023
    c447c4d
  2. bpf: test: enhance egress SNAT case

    Send another packet in the reply direction and test whether it passed
    through revSNAT on the egress gateway. Note that it's not checked that
    the reply packet passed through connection tracking, because of a bug:
    
    cilium#25110
    
    Send a second packet, and test whether it passed through CT tracking on
    the gateway node.
    
    Common pktgen and check code is extracted to separate functions, and the
    existing tc_egressgw_skip_excluded_cidr_snat makes use of it.
    
    Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
    Signed-off-by: Maxim Mikityanskiy <maxim@isovalent.com>
    julianwiedmann authored and gentoo-root committed Apr 25, 2023
    b83145f
  3. bpf: test: Cleanup the policy map after the test

    Signed-off-by: Maxim Mikityanskiy <maxim@isovalent.com>
    gentoo-root committed Apr 25, 2023
    db4bcfb
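
The failure mode described in the first commit message, as an added example that is not code from this pull request or from Cilium: a simplified single-flow model in which the CT timeout is only refreshed when the CT lookup runs. The struct, function names, the `fixed` switch and the 30-second lifetime are all assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model of the gateway datapath. All names and values are
 * hypothetical, chosen for illustration; this is not Cilium code. */
#define CT_LIFETIME 30u /* constructed CT timeout, in seconds */

struct conn {
    bool snat_present;   /* SNAT mapping exists for the flow */
    bool ct_present;     /* CT entry exists for the flow */
    uint32_t ct_expires; /* absolute expiry time of the CT entry */
};

/* One egress gateway packet at time `now`. With fixed == false the CT lookup
 * is skipped once the SNAT entry exists; with fixed == true it always runs. */
static void handle_packet(struct conn *c, uint32_t now, bool fixed)
{
    if (!c->snat_present || fixed) { /* stand-in for the CT lookup */
        c->ct_present = true;
        c->ct_expires = now + CT_LIFETIME; /* create or refresh */
    }
    c->snat_present = true;
}

/* Garbage collector pass: drop the CT entry once its timeout has passed. */
static void ct_gc(struct conn *c, uint32_t now)
{
    if (c->ct_present && now >= c->ct_expires)
        c->ct_present = false;
}

/* Send `count` packets, one every `interval` seconds, with a GC pass before
 * each packet. Returns whether the CT entry still exists after the last one. */
bool ct_survives(uint32_t interval, uint32_t count, bool fixed)
{
    struct conn c = {0};
    for (uint32_t i = 0; i < count; i++) {
        ct_gc(&c, i * interval);
        handle_packet(&c, i * interval, fixed);
    }
    return c.ct_present;
}

int main(void)
{
    printf("skip lookup: %d, always lookup: %d\n",
           ct_survives(10, 5, false), ct_survives(10, 5, true));
    return 0;
}
```

In the model, a flow sending a packet every 10 seconds loses its CT entry at the 30-second mark when the lookup is skipped, even though the flow never went idle.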