[BPF] make conntrack timeouts configurable

BPFConntrackTimers overides the default values for the specified conntrack timer if set. It is a key-value make, where each value can be either a duration or a name of a Linux conntrack timeout to use. Possible values for the keys are: CreationGracePeriod, TCPPreEstablished, TCPEstablished, TCPFinsSeen, TCPResetSeen, UDPLastSeen, GenericIPLastSeen, ICMPLastSeen. Example: CreationGracePeriod: 15s TCPPreEstablished: nf_conntrack_tcp_timeout_syn_sent TCPFinsSeen: nf_conntrack_tcp_timeout_time_wait This would override 3 timers, one with 15 seconds and two with respective values taken from /proc/sys/net/netfilter/<name> files. Unset or incorrect values are replaced by the default values with a warning log for incorrect values. [Default: CreationGracePeriod: 10s TCPPreEstablished: 20s TCPEstablished: 1h TCPFinsSeen: nf_conntrack_tcp_timeout_time_wait TCPResetSeen: 40s UDPLastSeen: 60s GenericIPLastSeen: 10m ICMPLastSeen: 5s ]
projectcalico · Dec 17, 2024 · 93d4e03 · 93d4e03
1 parent 889f33c
commit 93d4e03
Show file tree

Hide file tree

Showing 19 changed files with 379 additions and 2 deletions.
diff --git a/api/pkg/apis/projectcalico/v3/felixconfig.go b/api/pkg/apis/projectcalico/v3/felixconfig.go
@@ -611,6 +611,39 @@ type FelixConfigurationSpec struct {
 	// [Default: Auto]
 	BPFConntrackCleanupMode *BPFConntrackMode `json:"bpfConntrackMode,omitempty" validate:"omitempty,oneof=Auto Userspace BPFProgram"`
 
+	// BPFConntrackTimers overides the default values for the specified conntrack timer if
+	// set. It is a key-value make, where each value can be either a duration or a name of
+	// a Linux conntrack timeout to use.
+	//
+	// Possible values for the keys are: CreationGracePeriod, TCPPreEstablished,
+	// TCPEstablished, TCPFinsSeen, TCPResetSeen, UDPLastSeen, GenericIPLastSeen,
+	// ICMPLastSeen.
+	//
+	// Example:
+	//
+	// CreationGracePeriod: 15s
+	// TCPPreEstablished: nf_conntrack_tcp_timeout_syn_sent
+	// TCPFinsSeen: nf_conntrack_tcp_timeout_time_wait
+	//
+	// This would override 3 timers, one with 15 seconds and two with respective values
+	// taken from /proc/sys/net/netfilter/<name> files.
+	//
+	// Unset or incorrect values are replaced by the default values with a warning log for
+	// incorrect values.
+	//
+	// [Default:
+	//	CreationGracePeriod: 10s
+	//	TCPPreEstablished:   20s
+	//	TCPEstablished:      1h
+	//	TCPFinsSeen:         nf_conntrack_tcp_timeout_time_wait
+	//	TCPResetSeen:        40s
+	//	UDPLastSeen:         60s
+	//	GenericIPLastSeen:   10m
+	//	ICMPLastSeen:        5s
+	// ]
+	// +optional
+	BPFConntrackTimeouts *map[string]string `json:"bpfConntrackTimeouts,omitempty" validate:"omitempty"`
+
 	// BPFLogFilters is a map of key=values where the value is
 	// a pcap filter expression and the key is an interface name with 'all'
 	// denoting all interfaces, 'weps' all workload endpoints and 'heps' all host

diff --git a/api/pkg/apis/projectcalico/v3/zz_generated.deepcopy.go b/api/pkg/apis/projectcalico/v3/zz_generated.deepcopy.go
diff --git a/api/pkg/openapi/generated.openapi.go b/api/pkg/openapi/generated.openapi.go
diff --git a/felix/bpf/conntrack/timeouts.go b/felix/bpf/conntrack/timeouts.go
@@ -15,6 +15,12 @@
 package conntrack
 
 import (
+	"bufio"
+	"fmt"
+	"os"
+	"reflect"
+	"strconv"
+	"strings"
 	"time"
 
 	log "github.com/sirupsen/logrus"
@@ -99,3 +105,76 @@ func DefaultTimeouts() Timeouts {
 		ICMPLastSeen:        5 * time.Second,
 	}
 }
+
+func GetTimeouts(config map[string]string) Timeouts {
+	t := DefaultTimeouts()
+
+	v := reflect.ValueOf(&t)
+	v = v.Elem()
+
+	for key, value := range config {
+		field := v.FieldByName(key)
+		if !field.IsValid() {
+			log.WithField("value", key).Warn("Not a valid BPF conntrack timeout, skipping")
+			continue
+		}
+
+		d, err := time.ParseDuration(value)
+		if err == nil {
+			log.WithFields(log.Fields{"name": key, "value": d}).Info("BPF conntrack timeout set")
+			field.SetInt(int64(d))
+			continue
+		}
+
+		seconds, err := readSecondsFromFile(value)
+		if err == nil {
+			d := time.Duration(seconds) * time.Second
+			log.WithFields(log.Fields{"name": key, "value": d}).Infof("BPF conntrack timeout set from %s", value)
+			field.SetInt(int64(d))
+			continue
+		}
+
+		log.WithField("value", key).Warnf("Not a valid BPF conntrack timeout value, using default %s",
+			time.Duration(field.Int()))
+	}
+
+	fields := make(log.Fields)
+
+	tt := reflect.TypeOf(t)
+
+	for i := 0; i < v.NumField(); i++ {
+		fields[tt.Field(i).Name] = v.Field(i).Interface()
+	}
+
+	log.WithFields(fields).Infof("BPF conntrack timers")
+
+	return t
+}
+
+func readSecondsFromFile(nfTimeout string) (int, error) {
+	filePath := "/proc/sys/net/netfilter/" + nfTimeout
+
+	file, err := os.Open(filePath)
+	if err != nil {
+		return 0, fmt.Errorf("error opening file: %w", err)
+	}
+	defer file.Close()
+
+	scanner := bufio.NewScanner(file)
+	if scanner.Scan() {
+		line := scanner.Text()
+		line = strings.TrimSpace(line)
+		seconds, err := strconv.Atoi(line)
+		if err != nil {
+			return 0, fmt.Errorf("error converting the value to an integer: %w", err)
+		}
+
+		return seconds, nil
+	}
+
+	if err := scanner.Err(); err != nil {
+		return 0, fmt.Errorf("error reading from file: %w", err)
+	}
+
+	return 0, fmt.Errorf("file is empty or cannot read a line")
+}
diff --git a/felix/config/config_params.go b/felix/config/config_params.go
@@ -180,6 +180,7 @@ type Config struct {
 	BPFLogLevel                        string            `config:"oneof(off,info,debug);off;non-zero"`
 	BPFConntrackLogLevel               string            `config:"oneof(off,debug);off;non-zero"`
 	BPFConntrackCleanupMode            string            `config:"oneof(Auto,Userspace,BPFProgram);Auto"`
+	BPFConntrackTimeouts               map[string]string `config:"keyvaluelist;CreationGracePeriod=10s,TCPPreEstablished=20s,TCPEstablished=1h,TCPFinsSeen=nf_conntrack_tcp_timeout_time_wait,TCPResetSeen=40s,UDPLastSeen=60s,GenericIPLastSeen=10m,ICMPLastSeen=5s"`
 	BPFLogFilters                      map[string]string `config:"keyvaluelist;;"`
 	BPFCTLBLogFilter                   string            `config:"oneof(all);;"`
 	BPFDataIfacePattern                *regexp.Regexp    `config:"regexp;^((en|wl|ww|sl|ib)[Popsx].*|(eth|wlan|wwan|bond).*)"`

diff --git a/felix/dataplane/driver.go b/felix/dataplane/driver.go
@@ -378,7 +378,7 @@ func StartDataplaneDriver(
 			BPFDisableGROForIfaces:             configParams.BPFDisableGROForIfaces,
 			XDPEnabled:                         configParams.XDPEnabled,
 			XDPAllowGeneric:                    configParams.GenericXDPEnabled,
-			BPFConntrackTimeouts:               conntrack.DefaultTimeouts(), // FIXME make timeouts configurable
+			BPFConntrackTimeouts:               conntrack.GetTimeouts(configParams.BPFConntrackTimeouts),
 			BPFConntrackCleanupMode:            apiv3.BPFConntrackMode(configParams.BPFConntrackCleanupMode),
 			RouteTableManager:                  routeTableIndexAllocator,
 			MTUIfacePattern:                    configParams.MTUIfacePattern,

diff --git a/felix/docs/config-params.json b/felix/docs/config-params.json
diff --git a/felix/docs/config-params.md b/felix/docs/config-params.md
diff --git a/libcalico-go/config/crd/crd.projectcalico.org_felixconfigurations.yaml b/libcalico-go/config/crd/crd.projectcalico.org_felixconfigurations.yaml
diff --git a/libcalico-go/lib/backend/syncersv1/updateprocessors/configurationprocessor_test.go b/libcalico-go/lib/backend/syncersv1/updateprocessors/configurationprocessor_test.go
@@ -43,7 +43,7 @@ const (
 )
 
 const (
-	numBaseFelixConfigs = 151
+	numBaseFelixConfigs = 152
 )
 
 var _ = Describe("Test the generic configuration update processor and the concrete implementations", func() {

diff --git a/manifests/calico-bpf.yaml b/manifests/calico-bpf.yaml
diff --git a/manifests/calico-policy-only.yaml b/manifests/calico-policy-only.yaml
diff --git a/manifests/calico-typha.yaml b/manifests/calico-typha.yaml
-Original file line number
+Diff line change
@@ Expand Up / @@ -43,7 +43,7 @@ const ( @@
     )
     const (
-    	numBaseFelixConfigs = 151
+    	numBaseFelixConfigs = 152
     )
     var _ = Describe("Test the generic configuration update processor and the concrete implementations", func() {
@@ Expand Down @@