This is an automated email from the ASF dual-hosted git repository.
wusheng pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/skywalking-rover.git
The following commit(s) were added to refs/heads/main by this push:
new 79292fe Adapt ambient mesh 1.23 iptables mode (#195)
79292fe is described below
commit 79292fe07f17f98f486e0c4471213e1961fb2d1d
Author: mrproliu <[email protected]>
AuthorDate: Thu May 22 11:23:04 2025 +0800
Adapt ambient mesh 1.23 iptables mode (#195)
---
pkg/accesslog/collector/connection.go | 50 ++++++++++++++++++++++++-----------
pkg/tools/ip/conntrack.go | 19 ++++++++++---
2 files changed, 51 insertions(+), 18 deletions(-)
diff --git a/pkg/accesslog/collector/connection.go
b/pkg/accesslog/collector/connection.go
index b25c02e..29adfa9 100644
--- a/pkg/accesslog/collector/connection.go
+++ b/pkg/accesslog/collector/connection.go
@@ -254,6 +254,7 @@ func (c *ConnectionPartitionContext)
IsOnlyLocalPortEmpty(socketPair *ip.SocketP
func (c *ConnectionPartitionContext) BuildSocketPair(event
*events.SocketConnectEvent) *ip.SocketPair {
var result *ip.SocketPair
haveConnTrack := false
+ remoteAddrPort := uint16(event.RemoteAddrPort)
switch event.SocketFamily {
case unix.AF_INET:
result = &ip.SocketPair{
@@ -262,18 +263,26 @@ func (c *ConnectionPartitionContext)
BuildSocketPair(event *events.SocketConnect
SrcIP: ip.ParseIPV4(event.LocalAddrV4),
SrcPort: uint16(event.LocalAddrPort),
}
+ remoteAddr := ip.ParseIPV4(event.RemoteAddrV4)
+ ignoredConntrack := true
if event.ConnTrackUpstreamIPl != 0 &&
event.ConnTrackUpstreamPort != 0 {
haveConnTrack = true
- result.DestIP =
ip.ParseIPV4(uint32(event.ConnTrackUpstreamIPl))
- result.DestPort = uint16(event.ConnTrackUpstreamPort)
+ conntrackIP :=
ip.ParseIPV4(uint32(event.ConnTrackUpstreamIPl))
+ if !ip.ShouldIgnoreConntrack(remoteAddr, conntrackIP,
uint16(event.ConnTrackUpstreamPort)) {
+ result.DestIP = conntrackIP
+ result.DestPort =
uint16(event.ConnTrackUpstreamPort)
+ ignoredConntrack = false
+ }
if connectionLogger.Enable(logrus.DebugLevel) {
- connectionLogger.Debugf("found the connection
from the conntrack, connection ID: %d, randomID: %d, original: %s:%d,
conntrack: %s:%d",
- event.ConID, event.RandomID,
ip.ParseIPV4(event.RemoteAddrV4), uint16(event.RemoteAddrPort), result.DestIP,
result.DestPort)
+ connectionLogger.Debugf("found the connection
from the conntrack, connection ID: %d, randomID: %d, "+
+ "original: %s:%d, conntrack: %s:%d,
ignored: %t",
+ event.ConID, event.RandomID,
remoteAddr, remoteAddrPort, result.DestIP, result.DestPort, ignoredConntrack)
}
- } else {
- result.DestIP = ip.ParseIPV4(event.RemoteAddrV4)
- result.DestPort = uint16(event.RemoteAddrPort)
+ }
+ if ignoredConntrack {
+ result.DestIP = remoteAddr
+ result.DestPort = remoteAddrPort
}
case unix.AF_INET6:
result = &ip.SocketPair{
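Review bot: The new debug line still passes `result.DestIP, result.DestPort` for the `conntrack: %s:%d` fields, but when the entry is ignored those fields are not assigned until the `if ignoredConntrack` block that follows the log call. Assuming the struct literal (partly outside this hunk) does not pre-set them, the message prints an empty address and port 0 together with `ignored: true`, so the rejected conntrack target is never recorded. Passing `conntrackIP, uint16(event.ConnTrackUpstreamPort)` for those two arguments keeps the line accurate in both branches. The AF_INET6 hunk below has the same log call and needs the same change.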
@@ -282,24 +291,35 @@ func (c *ConnectionPartitionContext)
BuildSocketPair(event *events.SocketConnect
SrcIP: ip.ParseIPV6(event.LocalAddrV6),
SrcPort: uint16(event.LocalAddrPort),
}
+ remoteAddr := ip.ParseIPV6(event.RemoteAddrV6)
+ ignoredConntrack := true
if event.ConnTrackUpstreamIPl != 0 &&
event.ConnTrackUpstreamPort != 0 {
haveConnTrack = true
+ var conntrackIP string
if event.ConnTrackUpstreamIPh != 0 {
var ipv6 [16]uint8
binary.BigEndian.PutUint64(ipv6[0:8],
event.ConnTrackUpstreamIPh)
binary.BigEndian.PutUint64(ipv6[8:16],
event.ConnTrackUpstreamIPl)
- result.DestIP = ip.ParseIPV6(ipv6)
+ conntrackIP = ip.ParseIPV6(ipv6)
} else {
- result.DestIP =
ip.ParseIPV4(uint32(event.ConnTrackUpstreamIPl))
+ conntrackIP =
ip.ParseIPV4(uint32(event.ConnTrackUpstreamIPl))
+ }
+
+ if !ip.ShouldIgnoreConntrack(remoteAddr, conntrackIP,
uint16(event.ConnTrackUpstreamPort)) {
+ result.DestIP = conntrackIP
+ result.DestPort =
uint16(event.ConnTrackUpstreamPort)
+ ignoredConntrack = false
}
- result.DestPort = uint16(event.ConnTrackUpstreamPort)
+
if connectionLogger.Enable(logrus.DebugLevel) {
- connectionLogger.Debugf("found the connection
from the conntrack, connection ID: %d, randomID: %d, original: %s:%d,
conntrack: %s:%d",
- event.ConID, event.RandomID,
ip.ParseIPV6(event.RemoteAddrV6), uint16(event.RemoteAddrPort), result.DestIP,
result.DestPort)
+ connectionLogger.Debugf("found the connection
from the conntrack, connection ID: %d, randomID: %d, "+
+ "original: %s:%d, conntrack: %s:%d,
ignored: %t",
+ event.ConID, event.RandomID,
remoteAddr, remoteAddrPort, result.DestIP, result.DestPort, ignoredConntrack)
}
- } else {
- result.DestIP = ip.ParseIPV6(event.RemoteAddrV6)
- result.DestPort = uint16(event.RemoteAddrPort)
+ }
+ if ignoredConntrack {
+ result.DestIP = remoteAddr
+ result.DestPort = remoteAddrPort
}
}
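Review bot: `haveConnTrack = true` is set before the `ip.ShouldIgnoreConntrack` check, so it stays true even when the conntrack result is discarded and the destination falls back to `remoteAddr`; the AF_INET case does the same. The flag is read after the switch, outside this hunk, so it is not visible here whether later code then treats the pair as already resolved. If that is intended, a comment such as `// ignored conntrack still counts as seen: skip the userspace lookup` would make it explicit. Otherwise, move the assignment next to `ignoredConntrack = false`.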
diff --git a/pkg/tools/ip/conntrack.go b/pkg/tools/ip/conntrack.go
index 3e3f934..831d2cc 100644
--- a/pkg/tools/ip/conntrack.go
+++ b/pkg/tools/ip/conntrack.go
@@ -27,6 +27,7 @@ import (
"golang.org/x/sys/unix"
"github.com/apache/skywalking-rover/pkg/logger"
+ "github.com/apache/skywalking-rover/pkg/tools"
)
var log = logger.GetLogger("tools", "ip")
@@ -71,15 +72,27 @@ func (c *ConnTrack) UpdateRealPeerAddress(addr *SocketPair)
error {
}
if res := c.filterValidateReply(session, tuple); res != nil {
- addr.DestIP = res.Src.String()
- addr.NeedConnTrack = false
- log.Debugf("update real peer address from conntrack:
%s:%d", addr.DestIP, addr.DestPort)
+ if !ShouldIgnoreConntrack(addr.DestIP,
res.Src.String(), *res.Proto.SrcPort) {
+ addr.DestIP = res.Src.String()
+ addr.NeedConnTrack = false
+ log.Debugf("update real peer address from
conntrack: %s:%d", addr.DestIP, addr.DestPort)
+ } else {
+ log.Debugf("ignore conntrack, original dest IP:
%s:%d, conntrack IP: %s:%d",
+ addr.DestIP, addr.DestPort,
res.Src.String(), *res.Proto.SrcPort)
+ }
return nil
}
}
return nil
}
+func ShouldIgnoreConntrack(originalDestIP, conntrackIP string, conntrackPort
uint16) bool {
+ // if the original dest IP is not local host
+ // and the conntrack IP is local host, and port is 15001, such as
127.0.0.1:15001, means the conntrack is to istio-proxy
+ // then we should ignore the conntrack
+ return conntrackPort == 15001 && tools.IsLocalHostAddress(conntrackIP)
&& !tools.IsLocalHostAddress(originalDestIP)
+}
+
func (c *ConnTrack) parseSocketToTuple(addr *SocketPair) *conntrack.IPTuple {
tcp := uint8(syscall.IPPROTO_TCP)
srcIP := net.ParseIP(addr.SrcIP)
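Review bot: `*res.Proto.SrcPort` is a new pointer dereference in `UpdateRealPeerAddress`; the old code only called `res.Src.String()`. Unless `filterValidateReply` (not shown in this hunk) guarantees that `Proto` and `SrcPort` are non-nil, a reply tuple without port information would panic the agent. A guard such as `if res.Proto == nil || res.Proto.SrcPort == nil { return nil }` before the call, with the port read once into a local, would avoid that. Separately, the exported `ShouldIgnoreConntrack` has no doc comment starting with its name, and the literal `15001` would read better as a named constant. The body of `UpdateRealPeerAddress` starts outside the hunk.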