Revision 9368f21c53b7aa96b8743a0b8b79a0ab44d963c6 authored by Jarno Rajahalme on 20 June 2024, 21:26:05 UTC, committed by Nathan Sweet on 21 June 2024, 15:57:37 UTC
AllowsIdentity is only used for testing, move it there. Add the missing InvertedPortMask field on the wildcard port lookup. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
1 parent d97069c
connections.go
// SPDX-License-Identifier: Apache-2.0
// Copyright Authors of Cilium
package service
import (
"errors"
"net"
"syscall"
"github.com/vishvananda/netlink"
"golang.org/x/sys/unix"
"github.com/cilium/cilium/pkg/datapath/sockets"
lb "github.com/cilium/cilium/pkg/loadbalancer"
"github.com/cilium/cilium/pkg/option"
)
var opSupported = true
func (s *Service) TerminateUDPConnectionsToBackend(l3n4Addr *lb.L3n4Addr) {
// With socket-lb, existing client applications can continue to connect to
// deleted backends. Destroy any client sockets connected to the deleted backend.
if !(option.Config.EnableSocketLB || option.Config.BPFSocketLBHostnsOnly) {
return
}
if !opSupported {
return
}
var (
family uint8
protocol uint8
)
ip := net.IP(l3n4Addr.AddrCluster.Addr().AsSlice())
l4Addr := l3n4Addr.L4Addr
switch l3n4Addr.Protocol {
case lb.UDP:
protocol = unix.IPPROTO_UDP
default:
return
}
log.Debugf("handling udp connections to deleted backend %v", l3n4Addr)
if l3n4Addr.IsIPv6() {
family = syscall.AF_INET6
} else {
family = syscall.AF_INET
}
// Filter pod connections load-balanced to the passed service backend.
//
// When pod traffic is load-balanced to service backends, the cilium datapath
// records entries in the sock rev nat map that store the pod socket cookie
// (unique identifier in the kernel) along with the destination backend ip/port.
checkSockInRevNat := func(id netlink.SocketID) bool {
cookie := uint64(id.Cookie[1])
cookie = cookie<<32 + uint64(id.Cookie[0])
return s.lbmap.ExistsSockRevNat(cookie, id.Destination, id.DestinationPort)
}
err := s.backendConnectionHandler.Destroy(sockets.SocketFilter{
Family: family,
Protocol: protocol,
DestIp: ip,
DestPort: l4Addr.Port,
DestroyCB: checkSockInRevNat,
})
if err != nil {
if errors.Is(err, unix.EOPNOTSUPP) {
opSupported = false
log.Errorf("Forcefully terminating sockets connected to deleted service backends " +
"not supported by underlying kernel: see kube-proxy free guide for " +
"the required kernel configurations")
} else {
log.Errorf("Error while forcefully terminating sockets connected to"+
"deleted service backend: %v. If you see any traffic going to such"+
"deleted backends, consider restarting application pods sending the traffic.", err)
}
}
}
// backendConnectionHandler is added for dependency injection in tests.
type backendConnectionHandler struct{}
func (h backendConnectionHandler) Destroy(filter sockets.SocketFilter) error {
return sockets.Destroy(filter)
}
Computing file changes ...
