github.com/fafucoder/cilium@v1.6.11/pkg/endpointmanager/conntrack.go (about)

     1  // Copyright 2016-2018 Authors of Cilium
     2  //
     3  // Licensed under the Apache License, Version 2.0 (the "License");
     4  // you may not use this file except in compliance with the License.
     5  // You may obtain a copy of the License at
     6  //
     7  //     http://www.apache.org/licenses/LICENSE-2.0
     8  //
     9  // Unless required by applicable law or agreed to in writing, software
    10  // distributed under the License is distributed on an "AS IS" BASIS,
    11  // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    12  // See the License for the specific language governing permissions and
    13  // limitations under the License.
    14  
    15  package endpointmanager
    16  
    17  import (
    18  	"fmt"
    19  	"os"
    20  	"time"
    21  
    22  	"github.com/cilium/cilium/pkg/bpf"
    23  	"github.com/cilium/cilium/pkg/endpoint"
    24  	"github.com/cilium/cilium/pkg/logging/logfields"
    25  	"github.com/cilium/cilium/pkg/maps/ctmap"
    26  	"github.com/cilium/cilium/pkg/signal"
    27  	"github.com/sirupsen/logrus"
    28  )
    29  
    30  // runGC run CT's garbage collector for the given endpoint. `isLocal` refers if
    31  // the CT map is set to local. If `isIPv6` is set specifies that is the IPv6
    32  // map. `filter` represents the filter type to be used while looping all CT
    33  // entries.
    34  //
    35  // The provided endpoint is optional; if it is provided, then its map will be
    36  // garbage collected and any failures will be logged to the endpoint log.
    37  // Otherwise it will garbage-collect the global map and use the global log.
    38  func runGC(e *endpoint.Endpoint, ipv4, ipv6 bool, filter *ctmap.GCFilter) (mapType bpf.MapType, maxDeleteRatio float64) {
    39  	var maps []*ctmap.Map
    40  
    41  	if e == nil {
    42  		maps = ctmap.GlobalMaps(ipv4, ipv6)
    43  	} else {
    44  		maps = ctmap.LocalMaps(e, ipv4, ipv6)
    45  	}
    46  	for _, m := range maps {
    47  		path, err := m.Path()
    48  		if err == nil {
    49  			err = m.Open()
    50  		}
    51  		if err != nil {
    52  			msg := "Skipping CT garbage collection"
    53  			scopedLog := log.WithError(err).WithField(logfields.Path, path)
    54  			if os.IsNotExist(err) {
    55  				scopedLog.Debug(msg)
    56  			} else {
    57  				scopedLog.Warn(msg)
    58  			}
    59  			if e != nil {
    60  				e.LogStatus(endpoint.BPF, endpoint.Warning, fmt.Sprintf("%s: %s", msg, err))
    61  			}
    62  			continue
    63  		}
    64  		defer m.Close()
    65  
    66  		mapType = m.MapInfo.MapType
    67  
    68  		deleted := ctmap.GC(m, filter)
    69  
    70  		if deleted > 0 {
    71  			ratio := float64(deleted) / float64(m.MapInfo.MaxEntries)
    72  			if ratio > maxDeleteRatio {
    73  				maxDeleteRatio = ratio
    74  			}
    75  			log.WithFields(logrus.Fields{
    76  				logfields.Path: path,
    77  				"count":        deleted,
    78  			}).Debug("Deleted filtered entries from map")
    79  		}
    80  	}
    81  
    82  	return
    83  }
    84  
    85  func createGCFilter(initialScan bool, restoredEndpoints []*endpoint.Endpoint) *ctmap.GCFilter {
    86  	filter := &ctmap.GCFilter{
    87  		RemoveExpired: true,
    88  	}
    89  
    90  	// On the initial scan, scrub all IPs from the conntrack table which do
    91  	// not belong to IPs of any endpoint that has been restored. No new
    92  	// endpoints can appear yet so we can assume that any other entry not
    93  	// belonging to a restored endpoint has become stale.
    94  	if initialScan {
    95  		filter.ValidIPs = map[string]struct{}{}
    96  		for _, ep := range restoredEndpoints {
    97  			filter.ValidIPs[ep.IPv6.String()] = struct{}{}
    98  			filter.ValidIPs[ep.IPv4.String()] = struct{}{}
    99  		}
   100  	}
   101  
   102  	return filter
   103  }
   104  
   105  // EnableConntrackGC enables the connection tracking garbage collection.
   106  func EnableConntrackGC(ipv4, ipv6 bool, restoredEndpoints []*endpoint.Endpoint) {
   107  	var (
   108  		initialScan         = true
   109  		initialScanComplete = make(chan struct{})
   110  		mapType             bpf.MapType
   111  	)
   112  
   113  	go func() {
   114  		var wakeup = make(chan signal.SignalData)
   115  		ipv4Orig := ipv4
   116  		ipv6Orig := ipv6
   117  		for {
   118  			var maxDeleteRatio float64
   119  
   120  			eps := GetEndpoints()
   121  			if len(eps) > 0 || initialScan {
   122  				mapType, maxDeleteRatio = runGC(nil, ipv4, ipv6, createGCFilter(initialScan, restoredEndpoints))
   123  			}
   124  			for _, e := range eps {
   125  				if !e.ConntrackLocal() {
   126  					// Skip because GC was handled above.
   127  					continue
   128  				}
   129  				runGC(e, ipv4, ipv6, &ctmap.GCFilter{RemoveExpired: true})
   130  			}
   131  
   132  			if initialScan {
   133  				close(initialScanComplete)
   134  				initialScan = false
   135  
   136  				signal.RegisterChannel(signal.SignalNatFillUp, wakeup)
   137  				signal.SetupSignalListener()
   138  				signal.MuteChannel(signal.SignalNatFillUp)
   139  			}
   140  
   141  			signal.UnmuteChannel(signal.SignalNatFillUp)
   142  			select {
   143  			case x := <-wakeup:
   144  				ipv4 = false
   145  				ipv6 = false
   146  				if x == signal.SignalNatV4 {
   147  					ipv4 = true
   148  				} else if x == signal.SignalNatV6 {
   149  					ipv6 = true
   150  				}
   151  				// Drain current queue since we just woke up anyway.
   152  				for len(wakeup) > 0 {
   153  					x := <-wakeup
   154  					if x == signal.SignalNatV4 {
   155  						ipv4 = true
   156  					} else if x == signal.SignalNatV6 {
   157  						ipv6 = true
   158  					}
   159  				}
   160  			case <-time.After(ctmap.GetInterval(mapType, maxDeleteRatio)):
   161  				ipv4 = ipv4Orig
   162  				ipv6 = ipv6Orig
   163  			}
   164  			signal.MuteChannel(signal.SignalNatFillUp)
   165  		}
   166  	}()
   167  
   168  	select {
   169  	case <-initialScanComplete:
   170  		log.Info("Initial scan of connection tracking completed")
   171  	case <-time.After(30 * time.Second):
   172  		log.Fatal("Timeout while waiting for initial conntrack scan")
   173  	}
   174  }