-
Notifications
You must be signed in to change notification settings - Fork 38.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Metric to track conntrack state invalid packets dropped by iptables #122812
Metric to track conntrack state invalid packets dropped by iptables #122812
Conversation
Skipping CI for Draft Pull Request. |
/sig network |
/test pull-kubernetes-verify |
Tested locally on kind
|
63e4154
to
4bbeeaf
Compare
love this |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nice
4bbeeaf
to
1a393ad
Compare
Tried preserving the counters. Added the drop rule in |
/kind feature @aroradaman please add a release note |
// NFNL_MSG_ACCT_NEW | ||
cmdNew = 0 | ||
// NFNL_MSG_ACCT_GET | ||
cmdGet = 1 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I can see 3 commands here https://nftables.org/projects/libnetfilter_acct/doxygen/html/group__nlmsg.html , are this related?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes. We don't need the third one NFNL_MSG_ACCT_GET_CTRZERO
, it does get + atomic reset to zero.
@@ -264,3 +275,40 @@ func RegisterMetrics() { | |||
func SinceInSeconds(start time.Time) float64 { | |||
return time.Since(start).Seconds() | |||
} | |||
|
|||
var _ metrics.StableCollector = &ctStateInvalidPacketsCollector{} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I´m not familiar with this stuff, @dgrisonnet do you mind to take a look to the metrics part?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
oh it seems was already reviewed by instrumentation #122812 (comment)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yup.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This also removed the metric sync dependency on proxier sync loop 😃
@aroradaman you have to rebase, I don't understand the minor details but it seems they were thoroughly reviewed, the INVALID DROP rules for conntrack now also uses the accounting system of iptables to store the value with the number of packets that match and report them via metrics. To do this a new low level netlink library was added LGTM /assign @danwinship @thockin |
f515d84
to
823983c
Compare
/approve Approve for go.mod |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: aroradaman, thockin The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
lgtm but needs rebase (yay post-unfreeze mergefest) also needs a release note... doesn't need to be super-detailed since there will eventually be a larger nftables release note and upgrading-from-iptables documentation, but at least the general idea (new metric to help iptables kube-proxy users know if they are depending on iptables-kube-proxy-specific features) as discussed here there's no e2e test because this particular rule doesn't get hit in all cluster types, but we have plans for other nfacct-based metrics and will add an e2e for one of them. |
823983c
to
aa95396
Compare
rebased, release-note added and addressed #122812 (comment). |
nfacct is netfilter's accounting subsystem. This utility allows interactions with the subsystem using lower level netlink API. Signed-off-by: Daman Arora <aroradaman@gmail.com>
Track packets dropped by proxy which were marked invalid by conntrack using nfacct netfilter extended accounting infrastructure. Signed-off-by: Daman Arora <aroradaman@gmail.com>
aa95396
to
3363ec4
Compare
/lgtm |
LGTM label has been added. Git tree hash: 769d1550d33e4411eafefeaca3bafac35a3e25d2
|
Metric to track number of packets dropped by iptables which were marked INVALID by conntrack.
What type of PR is this?
What this PR does / why we need it:
Which issue(s) this PR fixes:
Fixes #
Special notes for your reviewer:
Subtask of #122572
Does this PR introduce a user-facing change?
Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.: