bpf: Allow CT creation on FIN

After policy changes, the conntrack table is being cleared and adjusted. However, the proxy may still be closing connections to/from the endpoint. The packet exchange required for thne closing was not allowed because CT re-creation was prevented for FIN and RST packets. Given that the policy table is always consulted on every packet, it is safe to create a CT entry even on RST/FIN to not slow down the connection termination. Signed-off-by: Thomas Graf <thomasa@cilium.io>
cilium · Feb 16, 2018 · 3389456 · 3389456
1 parent 9ad6ebd
commit 3389456
Show file tree

Hide file tree

Showing 3 changed files with 2 additions and 10 deletions.
diff --git a/bpf/lib/common.h b/bpf/lib/common.h
@@ -224,7 +224,7 @@ enum {
 #define DROP_CT_INVALID_HDR	-135
 #define DROP_CT_MISSING_ACK	-136
 #define DROP_CT_UNKNOWN_PROTO	-137
-#define DROP_CT_CANT_CREATE	-138
+#define DROP_CT_CANT_CREATE	-138 /* unused */
 #define DROP_UNKNOWN_L3		-139
 #define DROP_MISSED_TAIL_CALL	-140
 #define DROP_WRITE_ERROR	-141

diff --git a/bpf/lib/conntrack.h b/bpf/lib/conntrack.h
@@ -274,10 +274,6 @@ static inline int __inline__ ct_lookup6(void *map, struct ipv6_ct_tuple *tuple,
 #ifdef LXC_NAT46
 	skb->cb[CB_NAT46_STATE] = NAT46_CLEAR;
 #endif
-	/* No entries found, packet must be eligible for creating a CT entry */
-	if (ret == CT_NEW && action != ACTION_CREATE)
-		ret = DROP_CT_CANT_CREATE;
-
 out:
 	cilium_dbg(skb, DBG_CT_VERDICT, ret < 0 ? -ret : ret,
 		ct_state->proxy_port << 16 | ct_state->rev_nat_index);
@@ -421,10 +417,6 @@ static inline int __inline__ ct_lookup4(void *map, struct ipv4_ct_tuple *tuple,
 	ipv4_ct_tuple_reverse(tuple);
 	ret = __ct_lookup(map, skb, tuple, action, dir, ct_state);
 
-	/* No entries found, packet must be eligible for creating a CT entry */
-	if (ret == CT_NEW && action != ACTION_CREATE)
-		ret = DROP_CT_CANT_CREATE;
-
 out:
 	cilium_dbg(skb, DBG_CT_VERDICT, ret < 0 ? -ret : ret,
 		ct_state->proxy_port << 16 | ct_state->rev_nat_index);

diff --git a/daemon/bpf.sha b/daemon/bpf.sha
@@ -1,3 +1,3 @@
-GO_BINDATA_SHA1SUM=5e0527170c0618a1bf47e4f1f0f8832fbb70fbe4
+GO_BINDATA_SHA1SUM=52b281b9d088c1077bec4262bc70e155952027df
 GO_VERSION_USED=go1.9.3
 BPF_FILES=../bpf/COPYING ../bpf/Makefile ../bpf/bpf_features.h ../bpf/bpf_lb.c ../bpf/bpf_lxc.c ../bpf/bpf_netdev.c ../bpf/bpf_overlay.c ../bpf/bpf_xdp.c ../bpf/filter_config.h ../bpf/include/bpf/api.h ../bpf/include/iproute2/bpf_elf.h ../bpf/include/linux/bpf.h ../bpf/include/linux/bpf_common.h ../bpf/include/linux/byteorder.h ../bpf/include/linux/byteorder/big_endian.h ../bpf/include/linux/byteorder/little_endian.h ../bpf/include/linux/icmp.h ../bpf/include/linux/icmpv6.h ../bpf/include/linux/if_arp.h ../bpf/include/linux/if_ether.h ../bpf/include/linux/in.h ../bpf/include/linux/in6.h ../bpf/include/linux/ioctl.h ../bpf/include/linux/ip.h ../bpf/include/linux/ipv6.h ../bpf/include/linux/perf_event.h ../bpf/include/linux/swab.h ../bpf/include/linux/tcp.h ../bpf/include/linux/type_mapper.h ../bpf/include/linux/udp.h ../bpf/init.sh ../bpf/join_ep.sh ../bpf/lib/arp.h ../bpf/lib/common.h ../bpf/lib/conntrack.h ../bpf/lib/csum.h ../bpf/lib/dbg.h ../bpf/lib/drop.h ../bpf/lib/encap.h ../bpf/lib/eps.h ../bpf/lib/eth.h ../bpf/lib/events.h ../bpf/lib/geneve.h ../bpf/lib/icmp6.h ../bpf/lib/ipv4.h ../bpf/lib/ipv6.h ../bpf/lib/l3.h ../bpf/lib/l4.h ../bpf/lib/lb.h ../bpf/lib/lxc.h ../bpf/lib/maps.h ../bpf/lib/nat46.h ../bpf/lib/policy.h ../bpf/lib/trace.h ../bpf/lib/utils.h ../bpf/lib/xdp.h ../bpf/lxc_config.h ../bpf/netdev_config.h ../bpf/node_config.h ../bpf/probes/raw_change_tail.t ../bpf/probes/raw_insn.h ../bpf/probes/raw_invalidate_hash.t ../bpf/probes/raw_lpm_map.t ../bpf/probes/raw_lru_map.t ../bpf/probes/raw_main.c ../bpf/probes/raw_map_val_adj.t ../bpf/probes/raw_mark_map_val.t ../bpf/run_probes.sh ../bpf/spawn_netns.sh