Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Correctly preserve inbound UFID on outbound TCP close #469

Merged
merged 3 commits into from
Mar 7, 2024
Merged

Correctly preserve inbound UFID on outbound TCP close #469

merged 3 commits into from
Mar 7, 2024

Conversation

FelixMcFelix
Copy link
Collaborator

@FelixMcFelix FelixMcFelix commented Mar 7, 2024
edited
Loading

Outbound TCP packets which transitioned the state machine to Closed were
double-removing the TCP flow entries allocated to them. This is not bad on its
own due to the table lock. However, the inbound UFID was being always being
reported as None in this case. Ultimately, we need both UFIDs to remove
both UFT entries.

The inbound UFID used to invalidate both UFT entries was being computed from a
second remove in e.g. process_out_tcp_existing. Naturally this returned None,
as the TCP flow entry has already been removed. This resulted in the inbound UFID
always being None -- a later call to update_tcp_entry thus removes only the
outbound UFT entry and leaves a dangling inbound UFT entry.

This dangling entry prevents new inbound TCP flows on the same 5-tuple for a time
of 1 minute (i.e., until the UFT entry expires).

This fix plumbs the inbound UFID down correctly and performs the flow entry removal
only once. This ensures that both UFT entries will be torn down when a guest
packet transitions the state to TcpState::Closed. Also, any packets dropped
due to a missing TCP flow entry will now remove the existing UFT entry they matched
against.

Fixes #466.

@FelixMcFelix
Correctly preserve inbound UFID on outbound TCP close
225d3be 
Outbound TCP packets which transitioned to close were double-removing
the TCP flow entries allocated to them. This is not bad on its own due
to the table lock. However, the inbound UFID used to invalidate both UFT
entries was being sourced from the second remove, so always returned
`None`.

This fix plumbs the inbound UFT down correctly and performs the removal
only once.

Fixes #466.
@FelixMcFelix
Remove TCP UFT entries if no TCP flow entry found
07780bd 
This is an extra safeguard in the event that the TCP flow state's
inbound UFID is never set, and hard-reconciles any case where we have a
UFT for a TCP flow but no TCP flow.
@FelixMcFelix
Minor clippy-driven tweaks.
cd53808
@FelixMcFelix FelixMcFelix self-assigned this Mar 7, 2024
@FelixMcFelix FelixMcFelix merged commit 7e56634 into master Mar 7, 2024
9 checks passed
@FelixMcFelix FelixMcFelix deleted the fix-466 branch March 7, 2024 23:24
@FelixMcFelix FelixMcFelix mentioned this pull request Mar 13, 2024
Merged
FelixMcFelix added a commit to oxidecomputer/omicron that referenced this pull request Mar 13, 2024
@FelixMcFelix
Bump OPTE to a4c956e (#5257)
d6c7dc0 
* a4c956e chore(deps): lock file maintenance (oxidecomputer/opte#474)
* 6847b04 chore(deps): update rust crate nix to 0.28
(oxidecomputer/opte#473)
* c30aa36 Benchmarks and instrumentation (oxidecomputer/opte#395)
* 53201de Fix xtask non-package install for fresh systems.
(oxidecomputer/opte#470)
* 7e56634 Correctly preserve inbound UFID on outbound TCP close
(oxidecomputer/opte#469)
@FelixMcFelix FelixMcFelix added this to the 7 milestone Mar 19, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rcgoodfellow rcgoodfellow rcgoodfellow approved these changes

Assignees

@FelixMcFelix FelixMcFelix

Labels
None yet
Projects
None yet
Milestone
7
Development

Successfully merging this pull request may close these issues.

UFT outlives TCP Flow entries for some inbound packets
2 participants
@FelixMcFelix @rcgoodfellow