From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
From: monok8s authors <monok8s@localhost>
|
|
Date: Mon, 11 May 2026 00:00:00 +0000
|
|
Subject: [PATCH] cmm: ignore conntracks without fastpath metadata
|
|
|
|
CMM receives conntrack notifications for the whole system conntrack table.
|
|
On a Kubernetes node, many entries are unrelated to Comcerto/NXP fastpath:
|
|
loopback traffic, local control-plane traffic, Cilium traffic, broadcast,
|
|
multicast, and ordinary slow-path flows.
|
|
|
|
Those entries do not necessarily carry the private fastpath attributes CMM
|
|
expects. Treat them as non-fastpathable instead of trying to process them.
|
|
|
|
---
|
|
cmm/src/ffcontrol.c | 31 +++++++++++++++++++++++++++++++
|
|
1 file changed, 31 insertions(+)
|
|
|
|
diff --git a/cmm/src/ffcontrol.c b/cmm/src/ffcontrol.c
|
|
--- a/cmm/src/ffcontrol.c
|
|
+++ b/cmm/src/ffcontrol.c
|
|
@@ -75,6 +75,25 @@
|
|
return 1;
|
|
}
|
|
|
|
+/*****************************************************************
|
|
+* cmmFcHasFastpathAttrs()
|
|
+*
|
|
+* CMM receives all conntrack notifications, including entries that
|
|
+* never passed through the Comcerto/NXP fastpath hooks. Those entries
|
|
+* do not have the private fastpath attributes needed below. Treat them
|
|
+* as ordinary slow-path conntracks and ignore them.
|
|
+******************************************************************/
|
|
+static int cmmFcHasFastpathAttrs(struct nf_conntrack *ct)
|
|
+{
|
|
+ if (!nfct_attr_is_set(ct, ATTR_ORIG_COMCERTO_FP_IIF))
|
|
+ return 0;
|
|
+
|
|
+ if (!nfct_attr_is_set(ct, ATTR_ORIG_COMCERTO_FP_IFINDEX))
|
|
+ return 0;
|
|
+
|
|
+ return 1;
|
|
+}
|
|
+
|
|
/*****************************************************************
|
|
* cmmIsConntrack4Allowed()
|
|
*
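Review bot: cmmFcHasFastpathAttrs() tests only the two original-direction attributes, and its header comment says the attributes are "needed below" without naming them or the return contract. If the allow functions also read reply-direction or other private fastpath attributes (not visible in this hunk), an entry with only the original side populated would still pass this gate, so the helper should cover every attribute its callers go on to read. I would state the contract in the header, e.g. `* Returns 1 when ATTR_ORIG_COMCERTO_FP_IIF and ATTR_ORIG_COMCERTO_FP_IFINDEX are both set, 0 otherwise.`, and declare the parameter as `const struct nf_conntrack *ct` since the helper only queries the object.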
|
|
@@ -92,6 +111,12 @@
|
|
sAddr = nfct_get_attr_u32(ct, ATTR_ORIG_IPV4_SRC);
|
|
dAddr = nfct_get_attr_u32(ct, ATTR_REPL_IPV4_SRC);
|
|
|
|
+ if (!cmmFcHasFastpathAttrs(ct)) {
|
|
+ cmm_print(DEBUG_INFO, "%s: conntrack has no fastpath metadata, ignored\n",
|
|
+ __func__);
|
|
+ goto refused;
|
|
+ }
|
|
+
|
|
/* Multicast connections are not forwarded */
|
|
if (MULTICAST(dAddr)) {
|
|
cmm_print(DEBUG_WARNING, "%s: conntrack multicast dst:%s:%x src:%s:%x\n", __func__,
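Review bot: The added refusal calls cmm_print for every rejected entry, and the commit message says most conntracks on a Kubernetes node fall into this class, so this line can run at conntrack-event rate. Whether that matters depends on how DEBUG_INFO is filtered, which is not visible here; if it is emitted by default, consider dropping the message or rate-limiting it so ordinary local traffic cannot crowd out other CMM log output. Separately, the IPv6 hunk verifies its address attributes before use, while here sAddr and dAddr are read with nfct_get_attr_u32 without an equivalent presence test such as `if (!nfct_attr_is_set(ct, ATTR_ORIG_IPV4_SRC) || !nfct_attr_is_set(ct, ATTR_REPL_IPV4_SRC)) goto refused;`, so an unset attribute would presumably read as 0 and still reach MULTICAST(dAddr). The enclosing function starts and ends outside the hunk.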
|
|
@@ -197,6 +222,12 @@
|
|
Saddr = nfct_get_attr(ct, ATTR_ORIG_IPV6_SRC);
|
|
SaddrReply = nfct_get_attr(ct, ATTR_REPL_IPV6_SRC);
|
|
|
|
+ if (!Saddr || !SaddrReply || !cmmFcHasFastpathAttrs(ct)) {
|
|
+ cmm_print(DEBUG_INFO, "%s: conntrack has no fastpath metadata, ignored\n",
|
|
+ __func__);
|
|
+ goto refused;
|
|
+ }
|
|
+
|
|
if ((SaddrReply[0] & ntohl(0xff000000)) == ntohl(0xff000000))
|
|
{
|
|
goto refused;
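Review bot: The new condition folds two different failures into one message: when Saddr or SaddrReply is NULL the log still reports "no fastpath metadata", which hides a missing IPv6 address attribute from whoever reads the log. Splitting the guard keeps the NULL check that protects the SaddrReply[0] dereference just below and makes the cause visible, e.g. `if (!Saddr || !SaddrReply) goto refused;` placed before the existing `if (!cmmFcHasFastpathAttrs(ct)) {` block. The enclosing function starts and ends outside the hunk, so whether the refused label expects any state set up earlier cannot be confirmed from here.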
|
|
--
|
|
2.45.0
|