// SPDX-License-Identifier: Apache-2.0
// Copyright Authors of Cilium

package endpoint

import (
	"net/netip"

	"github.com/cilium/cilium/pkg/time"
)

// logSubsys tags log lines emitted by the endpoint-side FQDN helpers.
const logSubsys = "fqdn"

// MarkDNSCTEntry records that dstIP is the destination of a live connection
// that toFQDNs policy allowed, so that the name-to-IP data it depends on is
// kept beyond the DNS TTL.
//
// The reverse lookup is attempted in both DNSHistory and DNSCTHistory: a short
// DNS TTL expires the entry from DNSHistory, while a long-lived connection
// keeps it alive in DNSCTHistory, which suppresses delete handling of the
// expired lookup. That mechanism relies on pkg/maps/ctmap/gc calling this
// function for the connections it visits.
//
// now checkpoints the update so the dns-garbage-collector-job can compare it
// against the CT GC start time published via MarkCTGCTime and clear older
// connection data.
//
// An invalid (zero-value) dstIP is logged and dropped, never recorded.
// NOTE(review): netip.Addr.IsValid rejects only the zero value; unspecified
// (0.0.0.0, ::) or multicast addresses still pass — confirm the CT GC caller
// never supplies those, or filter them here.
func (e *Endpoint) MarkDNSCTEntry(dstIP netip.Addr, now time.Time) {
	if dstIP.IsValid() {
		e.DNSZombies.MarkAlive(now, dstIP)
		return
	}
	// A zero Addr carries no address to key on, so report it and record
	// nothing.
	e.Logger(logSubsys).Error("MarkDNSCTEntry called with invalid IP")
}

// MarkCTGCTime publishes the START time of a CT GC run to the DNS zombie
// tracker. The DNS garbage collector decides whether a DNS zombie can be
// deleted by comparing that start time with the alive timestamps recorded for
// individual zombie IPs through MarkDNSCTEntry.
//
// prev and next are handed straight to DNSZombies.SetCTGCTime; presumably
// prev is the start of the previously completed run and next the start of
// the run that just finished — confirm against pkg/maps/ctmap/gc/gc.go.
//
// Although the value is the START of a run, it must be set only AFTER the run
// completes. Setting it earlier races the DNS garbage collector: a zombie the
// CT GC run has not yet visited would look stale to a concurrent DNS GC run
// and be deleted. The DNS garbage collector lives in daemon/fqdn.go and the
// CT GC in pkg/maps/ctmap/gc/gc.go.
func (e *Endpoint) MarkCTGCTime(prev, next time.Time) {
	e.DNSZombies.SetCTGCTime(prev, next)
}