cilium, socklb: Add states filter for the termination iteration #1

Open
MitchLewis930 wants to merge 1 commit into pr_041_before from pr_041_after

Conversation

MitchLewis930 commented Jan 30, 2026

PR_041


Note

Medium Risk
Touches socket termination behavior and netlink state filtering; incorrect masks could miss terminating some stale connections or change kernel error/cleanup behavior.

Overview
Socket termination now passes an explicit socket state mask through SocketFilter so netlink iteration and SOCK_DESTROY operate only on selected states rather than always using 0xffff.

Adds StateFilterTCP (with documented omissions like TCP_TIME_WAIT to avoid wasted iteration and TCP_CLOSE to avoid confusing ENOENT behavior) and StateFilterUDP, and wires these into the load balancer backend-connection termination flow and socket destroy tests.

Written by Cursor Bugbot for commit 16e9d5d.

Add a state filter to the iterator and skip TCP sockets which are in
closing or time wait state. There is no need to spend time to iterate
these. Technically, there is no harm since when the client app closes
the socket and it goes into time wait state, then upon close the socket
LB removes the socket from the revnat map in cil_sock_release, but
then again, no need to iterate through these.

Suggested-by: Yusuke Suzuki <yusuke.suzuki@isovalent.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
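The PR description above explains the change as replacing the blanket 0xffff state mask with an explicit bitmask that deliberately leaves out TCP_TIME_WAIT and TCP_CLOSE. The following Go program is an added example, not code from this PR or from Cilium: it builds such a sock_diag state mask and runs the consistency check a reviewer would want, namely that the mask really omits the states its documentation says it omits. The TCP state numbers follow the kernel's include/net/tcp_states.h and the bit-per-state mask semantics are the standard sock_diag ones; the exact membership of the reconstructed stateFilterTCP is an assumption, not read from the PR's diff.

```go
package main

import "fmt"

// Linux TCP socket states as numbered in include/net/tcp_states.h.
// A sock_diag netlink request carries a bitmask in which bit (1 << state)
// selects that state; 0xffff selects every state.
const (
	tcpEstablished uint8 = 1
	tcpSynSent     uint8 = 2
	tcpSynRecv     uint8 = 3
	tcpFinWait1    uint8 = 4
	tcpFinWait2    uint8 = 5
	tcpTimeWait    uint8 = 6
	tcpClose       uint8 = 7
	tcpCloseWait   uint8 = 8
	tcpLastAck     uint8 = 9
	tcpListen      uint8 = 10
	tcpClosing     uint8 = 11
	tcpNewSynRecv  uint8 = 12
)

// allStates mirrors the 0xffff mask the PR description says was used before.
const allStates uint32 = 0xffff

// stateMask builds a sock_diag state bitmask from a list of states.
func stateMask(states ...uint8) uint32 {
	var m uint32
	for _, s := range states {
		m |= 1 << s
	}
	return m
}

// stateFilterTCP is a hypothetical reconstruction of the filter the PR
// describes: every TCP state except TCP_TIME_WAIT and TCP_CLOSE. The exact
// set of included states is an assumption, not taken from the PR's diff.
var stateFilterTCP = stateMask(
	tcpEstablished, tcpSynSent, tcpSynRecv, tcpFinWait1, tcpFinWait2,
	tcpCloseWait, tcpLastAck, tcpListen, tcpClosing, tcpNewSynRecv,
)

// documentedOmissions lists the states the PR description says must stay
// out of the TCP filter, with the reason given there.
var documentedOmissions = map[uint8]string{
	tcpTimeWait: "TCP_TIME_WAIT: no need to iterate, socket LB cleans up on release",
	tcpClose:    "TCP_CLOSE: destroy returns ENOENT, indistinguishable from a missing socket",
}

// includesState reports whether a mask selects the given state.
func includesState(mask uint32, state uint8) bool {
	return mask&(1<<state) != 0
}

// omittedStatesPresent returns the documented omissions that a mask wrongly
// selects. An empty result means the mask honours its own documentation.
func omittedStatesPresent(mask uint32) []string {
	var bad []string
	for s := uint8(0); s <= tcpNewSynRecv; s++ { // ascending state order
		if reason, ok := documentedOmissions[s]; ok && includesState(mask, s) {
			bad = append(bad, reason)
		}
	}
	return bad
}

func main() {
	fmt.Printf("StateFilterTCP = %#x, violations: %v\n",
		stateFilterTCP, omittedStatesPresent(stateFilterTCP))

	// A mask that adds TCP_CLOSE back in contradicts the documented omission.
	withClose := stateFilterTCP | stateMask(tcpClose)
	fmt.Printf("with TCP_CLOSE = %#x, violations: %v\n",
		withClose, omittedStatesPresent(withClose))

	// The old catch-all mask selects both omitted states.
	fmt.Printf("0xffff violations: %v\n", omittedStatesPresent(allStates))
}
```

The check is cheap enough to live in a unit test next to the filter definition, so that a later edit re-adding an omitted state fails CI instead of surfacing as confusing ENOENT results or wasted iteration at runtime.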

cursor bot left a comment


Cursor Bugbot has reviewed your changes and found 1 potential issue.


netlink.TCP_NEW_SYN_REC,
// Sockets in TCP_LISTEN are moved to closing state
// (net/ipv4/tcp.c#L4908)
netlink.TCP_CLOSE,

TCP_CLOSE included in filter despite documented omission

High Severity

The documentation at lines 46-48 explicitly states that TCP_CLOSE should be omitted from StateFilterTCP because "Calls to close a socket in TCP_CLOSE state will result in ENOENT, this is also confusing as it is the same err code returned when a socket that doesn't exist is destroyed." However, netlink.TCP_CLOSE is included in the mask on line 69. The comment on lines 67-68 about "Sockets in TCP_LISTEN" also appears misplaced above TCP_CLOSE instead of TCP_LISTEN on line 74, suggesting accidental insertion.

