Revision - 319fa31 - ipsec: Only delete ipsec endpoint when node ID is not 0

Revision 319fa31794acfd05c8419355888e358dbdf8a58a authored by Steven Johnson on 09 June 2023, 02:42:13 UTC, committed by Sebastian Wicki on 13 June 2023, 19:22:04 UTC

ipsec: Only delete ipsec endpoint when node ID is not 0

[ upstream commit 25064d1ec51895ab89e2f736fcf7c6c66dfb5551 ]

After applying a backport of 9cc8a89f9 ("ipsec: Fix leak of XFRM
policies with ENI and Azure IPAMs") to 1.11.16, I noticed that we were
getting occasional spikes of "no inbound state" xfrm errors
(XfrmInNoStates). These lead to packet loss and brief outages for
applications sending traffic to the node on which the spikes occur.

I noticed that the "No node ID found for node." logline would appear at
the time of these spikes and from the code this is logged when the node
ID cannot be resolved. Looking a bit further the call to
`DeleteIPsecEndpoint` will end up deleting the xfrm state for any state
that matches the node id as derived from the mark in the state.

The problem seems to be that the inbound state for 0.0.0.0/0 -> node IP
has a mark of `0xd00` which when shifted >> 16 in
`getNodeIDFromXfrmMark` matches nodeID 0 and so the inbound state gets
deleted and the kernel drops all the inbound traffic as it no longer
matches a state.

This commit updates that logic to skip the XFRM state and policy
deletion when the node ID is zero.

Fixes: 9cc8a89f9 ("ipsec: Fix leak of XFRM policies with ENI and Azure IPAMs")
Signed-off-by: Steven Johnson <sjdot@protonmail.com>
Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
Signed-off-by: Sebastian Wicki <sebastian@isovalent.com>

1 parent 00bb13b

Files
Changes

Permalinks

Makefile.defs

# Copyright 2017-2020 Authors of Cilium
# SPDX-License-Identifier: Apache-2.0

SHELL := /bin/bash
.SHELLFLAGS := -eu -o pipefail -c

# define a function replacing spaces with commas in a list
empty :=
space := $(empty) $(empty)
comma := ,
join-with-comma = $(subst $(space),$(comma),$(strip $1))

ROOT_DIR := $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST))))
RELATIVE_DIR := $(shell echo $(realpath .) | sed "s;$(ROOT_DIR)[/]*;;")
include $(ROOT_DIR)/Makefile.quiet

PREFIX?=/usr
BINDIR?=$(PREFIX)/bin
CNIBINDIR?=/opt/cni/bin
CNICONFDIR?=/etc/cni/net.d
LIBDIR?=$(PREFIX)/lib
LOCALSTATEDIR?=/var
RUNDIR?=/var/run
CONFDIR?=/etc
export GOARCH ?= $(shell $(GO) env GOARCH)

INSTALL = install

CONTAINER_ENGINE?=docker
DOCKER_FLAGS?=
DOCKER_BUILD_FLAGS?=

# Set DOCKER_DEV_ACCOUNT with "cilium" by default
ifeq ($(DOCKER_DEV_ACCOUNT),)
    DOCKER_DEV_ACCOUNT=cilium
endif

# Set DOCKER_IMAGE_TAG with "latest" by default
ifeq ($(DOCKER_IMAGE_TAG),)
    DOCKER_IMAGE_TAG=latest
endif

ifeq ($(shell uname -m),aarch64)
    ETCD_IMAGE=quay.io/coreos/etcd:v3.3.20-arm64
else
    ETCD_IMAGE=quay.io/coreos/etcd:v3.3.20
endif

CONSUL_IMAGE=consul:1.7.2

GO ?= go

# go build/test/clean flags
# these are declared here so they are treated explicitly
# as non-immediate variables
GO_BUILD_FLAGS =
GO_TEST_FLAGS =
GO_CLEAN_FLAGS =
GO_BUILD_LDFLAGS =
# go build/test -tags values
GO_TAGS_FLAGS = osusergo

# This is declared here as it is needed to change the covermode depending on if
# RACE is specified.
GOTEST_COVER_OPTS =

VERSION = $(shell cat $(dir $(lastword $(MAKEFILE_LIST)))/VERSION)
VERSION_MAJOR = $(shell cat $(dir $(lastword $(MAKEFILE_LIST)))/VERSION | cut -d. -f1)
# Use git only if in a Git repo
ifneq ($(wildcard $(dir $(lastword $(MAKEFILE_LIST)))/.git),)
    GIT_VERSION = $(shell git show -s --format='format:%h %aI')
else
    GIT_VERSION = $(shell cat $(ROOT_DIR)/GIT_VERSION)
endif
FULL_BUILD_VERSION = $(VERSION) $(GIT_VERSION)
GO_BUILD_LDFLAGS += -X "github.com/cilium/cilium/pkg/version.ciliumVersion=$(FULL_BUILD_VERSION)"

ifeq ($(NOSTRIP),)
    # Note: these options will not remove annotations needed for stack
    # traces, so panic backtraces will still be readable.
    #
    # -w: Omit the DWARF symbol table.
    # -s: Omit the symbol table and debug information.
    GO_BUILD_LDFLAGS += -s -w
endif

ifneq ($(wildcard $(dir $(lastword $(MAKEFILE_LIST)))/images/cilium/Dockerfile),)
    CILIUM_ENVOY_REF=$(shell sed -E -e 's/^FROM (--[^ ]* )*([^ ]*) as cilium-envoy/\2/p;d' < $(ROOT_DIR)/images/cilium/Dockerfile)
    CILIUM_ENVOY_SHA=$(shell echo $(CILIUM_ENVOY_REF) | sed -E -e 's/[^/]*\/[^:]*:(.*-)?([^:@]*).*/\2/p;d')
    GO_BUILD_LDFLAGS += -X "github.com/cilium/cilium/pkg/envoy.RequiredEnvoyVersionSHA=$(CILIUM_ENVOY_SHA)"
endif

# Use git only if in a Git repo, otherwise find the files from the file system
BPF_SRCFILES_IGNORE = bpf/.gitignore
ifneq ($(wildcard $(dir $(lastword $(MAKEFILE_LIST)))/.git),)
    BPF_SRCFILES := $(shell git ls-files $(ROOT_DIR)/bpf/ | LC_ALL=C sort | tr "\n" ' ')
else
    # this line has to be in-sync with bpf/.gitignore, please note usage of make patterns like `%.i`
    BPF_SRCFILES_IGNORE += bpf/cilium-probe-kernel-hz bpf/%.i bpf/%.s bpf/.rebuild_all
    BPF_SRCFILES := $(shell find $(ROOT_DIR)/bpf/ -type f | LC_ALL=C sort | tr "\n" ' ')
endif

# ROOT_DIR can be either `../` or absolute path, each of these need to be stripped
BPF_SRCFILES := $(filter-out $(BPF_SRCFILES_IGNORE),$(subst ../,,$(subst $(ROOT_DIR)/,,$(BPF_SRCFILES))))
CILIUM_DATAPATH_SHA256=$(shell cd $(ROOT_DIR); cat $(BPF_SRCFILES) | sha256sum | awk '{print $$1}')
GO_BUILD_LDFLAGS += -X "github.com/cilium/cilium/pkg/datapath/loader.DatapathSHA256=$(CILIUM_DATAPATH_SHA256)"

# Set -mod=vendor if running >= go 1.13 or if GO111MODULE is set.
# A go build is being executed with go modules if:
# * The go command is invoked with GO111MODULE=on environment variable set.
# * The go command is invoked in a directory outside of the $GOPATH/src tree
#   and the environment variable GO111MODULE unset (or explicitly set to 'auto').
ifeq ($(GO111MODULE),on)
    GO_BUILD_FLAGS += -mod=vendor
    GO_TEST_FLAGS += -mod=vendor
    GO_CLEAN_FLAGS += -mod=vendor
else
    GO_MAJOR_VERSION_GE_1 := $(shell expr `$(GO) version | grep -E 'go[0-9]+' -o | sed 's/go//g'` \>= 1)
    ifeq ($(GO_MAJOR_VERSION_GE_1),1)
        GO_MINOR_VERSION_GE_13 := $(shell expr `$(GO) version | grep -E 'go[^ ]+' -o | sed 's/go1.//g'` \>= 13)
        ifeq ($(GO_MINOR_VERSION_GE_13),1)
            GO_BUILD_FLAGS += -mod=vendor
            GO_TEST_FLAGS += -mod=vendor
            GO_CLEAN_FLAGS += -mod=vendor
        endif
    endif
endif

GO_BUILD = CGO_ENABLED=0 $(GO) build
# Currently crosscompiling only enabled for arm64 targets
CGO_CC =
ifeq ($(GOARCH),arm64)
    CGO_CC = CC=aarch64-linux-gnu-gcc
endif
GO_BUILD_WITH_CGO = CGO_ENABLED=1 $(CGO_CC) $(GO) build

ifneq ($(RACE),)
    GO_BUILD_FLAGS += -race
    GO_TEST_FLAGS += -race
    GOTEST_COVER_OPTS += -covermode=atomic

    # GO_BUILD becomes GO_BUILD_WITH_CGO as `-race` requires CGO
    GO_BUILD = $(GO_BUILD_WITH_CGO)
    ifeq ($(LOCKDEBUG),)
        LOCKDEBUG=1
    endif
else
    GOTEST_COVER_OPTS += -covermode=count
endif

ifneq ($(LOCKDEBUG),)
    GO_TAGS_FLAGS += lockdebug
endif

GO_BUILD_FLAGS += -ldflags '$(GO_BUILD_LDFLAGS) $(EXTRA_GO_BUILD_LDFLAGS)' -tags=$(call join-with-comma,$(GO_TAGS_FLAGS)) $(EXTRA_GO_BUILD_FLAGS)
GO_TEST_FLAGS += -tags=$(call join-with-comma,$(GO_TAGS_FLAGS))

ifeq ($(NOOPT),1)
    GO_BUILD_FLAGS += -gcflags="all=-N -l"
endif

GO_BUILD += $(GO_BUILD_FLAGS)
GO_BUILD_WITH_CGO += $(GO_BUILD_FLAGS)

GO_TEST = $(GO) test $(GO_TEST_FLAGS)
GO_CLEAN = $(GO) clean $(GO_CLEAN_FLAGS)
# TODO: remove `GO111MODULE=off` once Go 1.13 is deprecated by Go maintainers
GO_VET = GO111MODULE=off $(GO) vet
GO_LIST = GO111MODULE=off $(GO) list

ifeq ($(BASE_IMAGE),)
    BASE_IMAGE=scratch
endif

HELM_TOOLBOX_VERSION ?= "v1.0.1"
HELM_TOOLBOX_SHA ?= "a1483fc036b15c290326ba7ed36b8f0b714e185913b72a6074c04225d74e034c"
HELM_TOOLBOX_IMAGE ?= "quay.io/cilium/helm-toolbox:$(HELM_TOOLBOX_VERSION)@sha256:$(HELM_TOOLBOX_SHA)"

Showing with 0 additions and 0 deletions (0 / 0 diffs computed)

Computing file changes ...