Revision 319fa31794acfd05c8419355888e358dbdf8a58a authored by Steven Johnson on 09 June 2023, 02:42:13 UTC, committed by Sebastian Wicki on 13 June 2023, 19:22:04 UTC
[ upstream commit 25064d1ec51895ab89e2f736fcf7c6c66dfb5551 ]

After applying a backport of 9cc8a89f9 ("ipsec: Fix leak of XFRM
policies with ENI and Azure IPAMs") to 1.11.16, I noticed that we were
getting occasional spikes of "no inbound state" xfrm errors
(XfrmInNoStates). These lead to packet loss and brief outages for
applications sending traffic to the node on which the spikes occur.

I noticed that the "No node ID found for node." log line would appear at
the time of these spikes and from the code this is logged when the node
ID cannot be resolved. Looking a bit further, the call to
`DeleteIPsecEndpoint` will end up deleting the xfrm state for any state
that matches the node id as derived from the mark in the state.

The problem seems to be that the inbound state for 0.0.0.0/0 -> node IP
has a mark of `0xd00` which when shifted >> 16 in
`getNodeIDFromXfrmMark` matches nodeID 0 and so the inbound state gets
deleted and the kernel drops all the inbound traffic as it no longer
matches a state.

This commit updates that logic to skip the XFRM state and policy
deletion when the node ID is zero.

Fixes: 9cc8a89f9 ("ipsec: Fix leak of XFRM policies with ENI and Azure IPAMs")
Signed-off-by: Steven Johnson <sjdot@protonmail.com>
Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
Signed-off-by: Sebastian Wicki <sebastian@isovalent.com>
1 parent 00bb13b
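The following is an added illustration of the failure mode described in the commit message, written for this page; it is not Cilium's code. It models only what the message states: the node ID is taken from the XFRM mark shifted right by 16, and the catch-all inbound state (0.0.0.0/0 -> node IP) carries mark 0xd00, which decodes to node ID 0. The state struct, the helper names, the 10.0.0.0/8 addresses and the per-node mark with node ID 42 in the upper 16 bits are all constructed for the example. It shows the deletion filter before and after the fix: without the guard, resolving an unknown node to ID 0 selects the catch-all inbound state for deletion, which is exactly the state the kernel needs to accept all inbound ESP traffic.

```go
package main

import (
	"fmt"
	"net"
)

// xfrmState is a minimal stand-in for the parts of a kernel XFRM state that
// matter here (constructed for this example, not Cilium's type).
type xfrmState struct {
	Src  *net.IPNet
	Dst  net.IP
	Mark uint32
}

// The node ID occupies the upper 16 bits of the mark (shift taken from the
// commit message).
const nodeIDShift = 16

// getNodeIDFromXfrmMark mirrors the derivation named in the commit message.
func getNodeIDFromXfrmMark(mark uint32) uint16 {
	return uint16(mark >> nodeIDShift)
}

// resolveNodeID stands in for the node ID lookup that can fail with
// "No node ID found for node."; on failure it yields 0, like an unset value.
// The node table is constructed for the example.
func resolveNodeID(nodeIP string) (uint16, bool) {
	known := map[string]uint16{"10.0.1.7": 42}
	id, ok := known[nodeIP]
	return id, ok
}

// statesToDelete returns the indices of states whose mark decodes to nodeID.
// With skipZero set (the fix), node ID 0 selects nothing: it is never a real
// node and is what the catch-all inbound mark 0xd00 decodes to.
func statesToDelete(states []xfrmState, nodeID uint16, skipZero bool) []int {
	if skipZero && nodeID == 0 {
		return nil
	}
	var out []int
	for i, s := range states {
		if getNodeIDFromXfrmMark(s.Mark) == nodeID {
			out = append(out, i)
		}
	}
	return out
}

// sampleStates builds two constructed inbound states on a node with IP
// 10.0.0.5: the catch-all (mark 0xd00, node ID 0) and one scoped to the
// peer node with ID 42 (node ID placed in the upper 16 bits, assumed layout).
func sampleStates() []xfrmState {
	_, anyNet, _ := net.ParseCIDR("0.0.0.0/0")
	_, peerNet, _ := net.ParseCIDR("10.0.1.0/24")
	nodeIP := net.ParseIP("10.0.0.5")
	return []xfrmState{
		{Src: anyNet, Dst: nodeIP, Mark: 0xd00},
		{Src: peerNet, Dst: nodeIP, Mark: uint32(42)<<nodeIDShift | 0xd00},
	}
}

func main() {
	states := sampleStates()
	// A node the table does not know about: the lookup fails and ID 0 falls through.
	id, ok := resolveNodeID("10.0.9.9")
	if !ok {
		fmt.Println("No node ID found for node. (continuing with id", id, ")")
	}
	fmt.Println("before fix, would delete:", statesToDelete(states, id, false))
	fmt.Println("after fix, would delete: ", statesToDelete(states, id, true))
	// A known node still gets its own state removed.
	id, _ = resolveNodeID("10.0.1.7")
	fmt.Println("known node 42, delete:   ", statesToDelete(states, id, true))
}
```

Run with `go run`; the pre-fix line lists index 0, the catch-all inbound state, which is the deletion that produces the XfrmInNoStates spikes, while the post-fix line lists nothing and the known node still maps to its own state only.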
.mailmap
Àbéjídé Àyodélé <abejideayodele@gmail.com>
Adam Bocim <adam.bocim@firma.seznam.cz>
Adam Korcz <adam@adalogics.com>
Alexei Starovoitov <alexei.starovoitov@gmail.com>
André Martins <andre@cilium.io>
Andrew Sy Kim <kim.andrewsy@gmail.com>
Anthony Rabbito <hello@anthonyrabbito.com>
Arika Chen <eaglesora@gmail.com>
Arthur Chiao <arthurchiao@hotmail.com>
Arthur Evstifeev <aevstifeev@gitlab.com>
Arthur Evstifeev <mail@ap4y.me>
Arvind Soni <arvind@covalent.io>
Ashwin Paranjpe <ashwin@covalent.io>
Ashwin Paranjpe <ashwinp.work@gmail.com>
Barun Acharya <barun1024@gmail.com> <barun.acharya@accuknox.com>
Barun Acharya <barun1024@gmail.com>
Bingwu Yang <detailyang@gmail.com>
Bob Bouteillier <bob.bouteillier@datadoghq.com>
Bruno Miguel Custódio <brunomcustodio@gmail.com>
Changyu Wang <changyuwang@tencent.com>
Charles-Henri Guérin <charles-henri.guerin@zenika.com>
chenyahui <chenyahui9@jd.com>
Chen Yaqi <chenyaqi01@baidu.com> <chendotjs@gmail.com>
Chen Yaqi <chenyaqi01@baidu.com>
Christine Chen <christine.chen@datadoghq.com>
Christopher Biscardi <chris@christopherbiscardi.com>
Claudia J. Kang <claudiajkang@gmail.com>
Craig Box <craig.box@gmail.com>
Dan Wendlandt <dan@isovalent.com>
Daniel Qian <qsj.daniel@gmail.com>
Darren Mackintosh <unixdaddy@gmail.com>
Darshan Chaudhary <deathbullet@gmail.com>
Dawn <lx1960753013@gmail.com>
Devarshi Sathiya <devarshisathiya5@gmail.com>
Divine Odazie <dodazie@gmail.com>
Dmitriy Zinin <admin@kami-no.ru>
El-Fadel Bonfoh <elfadel@accuknox.com> <bonfohelfadel@gmail.com>
Fankaixi Li <fankaixi.li@bytedance.com>
Florian Koch <f0@users.noreply.github.com>
François Joulaud <francois.joulaud@radiofrance.com> <48206448+joulaud@users.noreply.github.com>
Gaurav Genani <h3llix.pvt@gmail.com>
Gaurav Yadav <gaurav.dev.iiitm@gmail.com>
George Kontridze <gkontridze@plaid.com>
Gowtham Sundara <gowtham.sundara@rapyuta-robotics.com>
Hart Hoover <hart.hoover@gmail.com>
huangxuesen <huangxuesen@kuaishou.com>
Hui Kong <hui.kong@qunar.com> <konghui@live.cn>
Ian Vernon <ian@cilium.io> <vagrant@k8s1>
Ifeanyi Ubah <ify1992@yahoo.com>
Ivan Makarychev <i.makarychev@tinkoff.ru>
Jarno Rajahalme <jarno@isovalent.com>
Jarno Rajahalme <jarno@covalent.io>
Jed Salazar <jed@isovalent.com>
Jerry J. Muzsik <jerrymuzsik@icloud.com>
Jim Ntosas <ntosas@gmail.com>
Jomen Xiao <jomenxiao@gmail.com>
Jonathan Davies <jpds@protonmail.com>
Joshua Roppo <joshroppo@gmail.com>
Jun Chen <answer1991.chen@gmail.com>
Junli Ou <oujunli306@gmail.com>
Kaito Ii <kaitoii1111@gmail.com>
Kamil Lach <kamil.lach.rs@gmail.com> <kamil@thor.asgard.local>
Kante Yin <kerthcet@gmail.com>
Karl Heins <karlheins@northwesternmutual.com>
Kevin Holditch <82885135+kevholditch-f3@users.noreply.github.com>
Bokang Li <libokang.dev@gmail.com>
Li Cheng <rapid.li@huolala.cn>
Lior Rozen <liorr@tailorbrands.com> <liorrozen@users.noreply.github.com>
Liu Qun <qunliu@zyhx-group.com>
Livingstone S E <livingstone.s.e@gmail.com>
Louis DeLosSantos <louis@isovalent.com> <louis.delos@isovalent.com>
Madhu Challa <challa@gmail.com>
Mahadev Panchal <mahadev.panchal@accuknox.com>
Mandar U Jog <mjog@google.com> <mandarjog@gmail.com>
Marc Stulz <m@footek.ch>
Matthew Gumport <me@gum.pt>
Maxime Visonneau <maxime.visonneau@gmail.com>
Michael Kashin <mmkashin@gmail.com>
Michael Vorburger <vorburger@redhat.com>
Necatican Yıldırım <necaticanyildirim@gmail.com>
Neela Jacques <neela@isovalent.com> <68304471+Neelajacques@users.noreply.github.com>
Ondrej Blazek <ondrej.blazek@firma.seznam.cz>
Peiqi Shi <uestc.shi@gmail.com>
Philippe Lafoucrière <philippe.lafoucriere@gmail.com>
Pierre-Yves Aillet <pyaillet@gmail.com> <pyaillet@users.noreply.github.com>
Pratyush Singhal <psinghal20@gmail.com>
Raamnath Mani <ram29@bskyb.com>
Raphael Campos <raphael@accuknox.com>
Rei Shimizu <Shikugawa@gmail.com>
Roman Ptitcyn <romanspb@yahoo.com>
Salvatore Mazzarino <salvatore@accuknox.com> <dev@mazzarino.cz>
Sami Yessou <fnzv@users.noreply.github.com>
Sander Timmerman <stimmerman@schubergphilis.com>
Sean Winn <sean@isovalent.com> <seanmwinn@hotmail.com>
Sergey Generalov <sergey@isovalent.com> <sergey@genbit.ru>
Tam Mach <sayboras@yahoo.com>
Thomas Graf <thomas@cilium.io>
Tobias Mose <tobias.mose@xentom.com>
Tobias Mose <mosetobias@gmail.com>
Tomoki Sugiura <cheztomo513@gmail.com> <tomoki.sugiura@mail.shanpu.info>
Tomoki Sugiura <cheztomo513@gmail.com>
Tony Lu <tonylu@linux.alibaba.com>
Trevor Tao <trevor.tao@arm.com>
Vance Li <vanceli@tencent.com> <liyannois@gmail.com>
Vance Li <vanceli@tencent.com> vanceli <vanceli@tencent.com>
Ville Ojamo <bluikko@users.noreply.github.com> <14869000+bluikko@users.noreply.github.com>
Vlad Ungureanu <vladu@palantir.com> <ungureanuvladvictor@gmail.com>
Wang Dong <xdragon007@gmail.com>>
Wayne Haber <whaber@gitlab.com> <41373231+whaber@users.noreply.github.com>
Weilong Cui <cuiwl@google.com>
Will Stewart <will@northflank.com>
Yiannis Yiakoumis <yiannis@selfienetworks.com>
Youssef Azrak <yazrak.tech@gmail.com>
Yurii Dzobak <yurii.dzobak@lotusflare.com>
Yurii Komar <Subreptivus@gmail.com>
Yves Blusseau <yves.blusseau@acoss.fr>
Zhu Yan <hackzhuyan@gmail.com>