bridge: also flush conntrack entries when setting up endpoints #43409
Conversation
There is a race condition between the local proxy and iptables rule setting. When we have a lot of UDP traffic, the kernel will create conntrack entries to the local proxy and will ignore the iptables rules set after that. Related to PR moby#32505. Fix moby#8795. Signed-off-by: Vincent Bernat <[email protected]>
thaJeztah
added
status/2-code-review
area/networking
|
@evol262 PTAL |
|
For some reason, it does not always work... Also, related to #28589, moby/libnetwork#2423, moby/libnetwork#2657. |
|
Do you have a reproducer for it not working? |
thaJeztah
left a comment
thaJeztah
left a comment
There was a problem hiding this comment.
discussed this with others, and while this may not solve all situations (as commented), it also looks like something that won't "hurt" to do, so let's get this one in 👍
LGTM
|
The commit for this PR seems to reference a tag which is far ahead of the current version tag. v22.06.0-beta.0. I'm having troubling discerning whether this change is in a release version or just on master? My team is experiencing an issue that these changes may resolve. |
|
It's on the 22 milestone, so only in master and in the 22.06 release branch, not in 20.10 (at least I don't see that it's been back ported to the 20.10 release branch) |
4 participants
- What I did
- How I did it
There is a race condition between the local proxy and iptables rule
setting. When we have a lot of UDP traffic, the kernel will create
conntrack entries to the local proxy and will ignore the iptables
rules set after that.
Related to PR #32505.
- How to verify it
That's the hard point as this is a race condition. You need to have a lot of UDP packets for them to reach the local proxy before iptables rules are set.
- Description for the changelog
Fix UDP traffic in containers not working after the container is restarted on sustained traffic