portmap: fix bug that new udp connection deletes all existing conntrack entries #705
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
devbv
force-pushed
the
master
branch
3 times, most recently
from
07bb0e7 to
73d8fde
Compare
…ck entries Calling AddPort before AddProtocol returns an error, which means ConntrackDeleteFilter has been called without port filter. Signed-off-by: Sang Heon Lee <[email protected]>
|
oof. good catch. |
matthewdupre
approved these changes
Feb 23, 2022
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Hello, I found a critical bug that new udp connection deletes all existing conntrack entries.
The
DeleteConntrackEntriesForDstPortfunction intended to only delete a conntrack entry that meet the conditions, but calling AddPort before AddProtocol returns an error (Filter attribute not available without a valid Layer 4 protocol: 0) and the port filter remains empty.As a result, ConntrackDeleteFilter deletes all conntrack entries without port filter.
I think this is the simplest PR to resolve this issue, but I'm totally fine if you just ignore this PR and solve this issue in better way.
Just for reference, this bug is affecting our service with latest AKS node image. I recommend someone who are suffering same issue in AKS to build your own plugin binary and inject to worker nodes.
ref: https://github.com/vishvananda/netlink/blob/main/conntrack_linux.go#L455