Conntrack flush support #32505
Merged
Conntrack flush support #32505
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
added 2 commits
April 10, 2017 17:09
- Added conntrack support Signed-off-by: Flavio Crisciani <flavio.crisciani@docker.com>
- adding conntrack flush fix for moby#8795 Signed-off-by: Flavio Crisciani <flavio.crisciani@docker.com>
|
@fcrisciani thanks for resolving this long standing issue and a good test to catch it as well. LGTM |
mavenugo
approved these changes
Apr 11, 2017
|
LGTM |
AkihiroSuda
reviewed
Apr 11, 2017
| c.Assert(err, check.IsNil) | ||
| var flowMatch int | ||
| for _, flow := range flows { | ||
| if flow.Forward.Protocol == 17 && |
There was a problem hiding this comment.
Can we use constant for this magic number?
|
@fcrisciani the windowsRS1 failure seems genuine - |
AkihiroSuda
added
status/2-code-review
status/failing-ci
When a container was being destroyed was possible to have flows in conntrack left behind on the host. If a flow is present into the conntrack table, the packet processing will skip the POSTROUTING table of iptables and will use the information in conntrack to do the translation. For this reason is possible that long lived flows created towards a container that is destroyed, will actually affect new flows incoming to the host, creating erroneous conditions where traffic cannot reach new containers. The fix takes care of cleaning them up when a container is destroyed. The test of this commit is actually reproducing the condition where an UDP flow is established towards a container that is then destroyed. The test verifies that the flow established is gone after the container is destroyed. Signed-off-by: Flavio Crisciani <flavio.crisciani@docker.com>
fcrisciani
force-pushed
the
conntrack_test
branch
from
8b8dfbe
to
1c4286b
Compare
thaJeztah
removed
the
status/failing-ci
|
adding |
Merged
|
Thanks! I'll go ahead and merge 👍 |
seemethere
reviewed
Aug 31, 2017
|
|
||
| // Launch the server, this will remain listening on an exposed port and reply to any request in a ping/pong fashion | ||
| cmd := "while true; do echo hello | nc -w 1 -lu 8080; done" | ||
| _, _, err := dockerCmdWithError("run", "-d", "--name", "server", "--net", "testbind", "-p", "8080:8080/udp", "appropriate/nc", "sh", "-c", cmd) |
There was a problem hiding this comment.
@fcrisciani I think @seemethere was refering to the use of a 3rd party image, and it that case it was not updated in 2 years. could you replace it with a simple alpine for the official library ? it includes nc
There was a problem hiding this comment.
@vieux @seemethere Using that image is not accidental but is intended. The nc version in alpine does not support for example the option -q. There is a bug in nc that let the command never return also when specify the -w option.
Feel free to try to change it to the alpine removing the -q option to let the command work, but most likely the test will fail timing out because the nc command will hang forever.
thaJeztah
pushed a commit
that referenced
this pull request
Jun 3, 2022
There is a race condition between the local proxy and iptables rule setting. When we have a lot of UDP traffic, the kernel will create conntrack entries to the local proxy and will ignore the iptables rules set after that. Related to PR #32505. Fix #8795. Signed-off-by: Vincent Bernat <vincent@bernat.ch>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
- What I did
Fixes #8795
Fixes #31610
Fixes #31414
On external connectivity removal, the bridge driver will take care of erasing all the conntrack flows relative to the endpoint that is going down
- How I did it
Introduced the conntrack support in the netlink library and then from libnetwork will cleanup the flows passing the IP address of the endpoint that is going down
- How to verify it
Added a test that creates a server container and a client container and establishes an UDP flow (using UDP for simplicity) between them.
The test verifies the presence of the flow fetching its from the conntrack table.
The server container is then destroyed and the tests validates that the previous flow got purged from conntrack.
- Description for the changelog
Conntrack flush on external connectivity removal
- A picture of a cute animal (not mandatory but encouraged)
