spoofcheck: Make use of go-nft's ApplyConfigEcho()

[SirPhuttel]

Store the relevant applied config part for later to extract the rule to delete from there instead of having to list the ruleset. This is much faster especially with large rulesets.

[SirPhuttel]

@EdDev here we are, could you please review the commit?

[EdDev]

Looks very nice, thank you!

I have added a few points inline.

I noticed the new logic is not covered by unit tests, which may be a bit tricky now. I think we can improve on that in a follow up.

[SirPhuttel]

Next round: I introduced SpoofChecker::findPreroutingRule() which is a wrapper around the LookupRule() method, taking care of gathering the relevant ruleset snippet if not cached already.

Cache dropping happens in Teardown() which knows if it is no longer valid or not.

[squeed]

Why does this need a separate timeout?

[SirPhuttel]

Since nft.ApplyConfigEcho() requires a context, I had to create one so I just copied the respective code from Read(). Not sure if it is possible to create a context without timeout, but looking at commit 135292e ("bridge, del: timeout after 55 secs of trying to list rules"), which introduced the 55s timeout to Read(), it seems sensible to make ApplyConfigEcho() behave the same.
Or are you suggesting to introduce a common timeout value for use in both methods?

[squeed]

It's not a big problem, but it's certainly not necessary. A CNI plugin binary is executed for every call, so if the runtime (read: containerd / cri-o) decides to cancel the CNI execution, it will just kill the binary. That will certainly stop any nft calls :-). In that case, you can just use context.Background() which will never be cancelled.

That said, 55 seconds seems like more than enough for nft to apply (I hope!), so this is probably academic.

[SirPhuttel]

Well, frequent updates to an oversized nftables ruleset have a realistic chance of starving readers. Each time the ruleset's generation ID bumps, the reader discards the already fetched cache and restarts. Older nft versions always fetched the full ruleset irrespective of the actual command (so listing a small chain would still take long if a large other one was present).
I don't think this is possible to happen with echo mode, but I don't see why having the timeout should hurt.
Your explanation sounds like the context with timeout is pointless, though I assume @maiqueb fixed a real issue when introducing the Read() timeout.

[EdDev]

A CNI plugin binary is executed for every call, so if the runtime (read: containerd / cri-o) decides to cancel the CNI execution, it will just kill the binary. That will certainly stop any nft calls :-). In that case, you can just use context.Background() which will never be cancelled.

We saw in k8s based systems that there is no timeout that eventually kills the call to the CNI.
We identified thousands of nft instances hanging with no one canceling them.

I think it is not safe to assume someone will cancel the CNI call after a timeout, it depends on the runtime or even the one who calls the runtime in the first place.

[SirPhuttel]

Two updates:

• Dropped a leftover line from the commit message, no functional changes.
• Extended spoofcheck_test.go to cover the fallback to Read() if Apply() should not return anything.

@EdDev do you think the testsuite part is sufficient now? Any idea what to test for in addition?

[EdDev]

Two updates:

* Dropped a leftover line from the commit message, no functional changes.

* Extended spoofcheck_test.go to cover the fallback to Read() if Apply() should not return anything.

@EdDev do you think the testsuite part is sufficient now? Any idea what to test for in addition?

I am good with the current change, thank you.

I need now to release go-nft to add the new API in a formal release.
There may be another change I want to include, so I will update soon about it.

[EdDev]

I need now to release go-nft to add the new API in a formal release.
There may be another change I want to include, so I will update soon about it.

@SirPhuttel , new go-nft release is out: https://github.com/networkplumbing/go-nft/releases/tag/v0.4.0
I suggest you update go.mog and sync the vendoring to use it (instead of the one pointing to a specific commit).

[squeed]

Looks good, just two things

• a few minor lint issues
• can you pick up the latest go-nft release?

Thanks

[EdDev]

Thank you very much!

[s1061123]

/lgtm

[squeed]

@SirPhuttel we merged some dep updates, can you rebase? Then we'll merge this.

[SirPhuttel]

@SirPhuttel we merged some dep updates, can you rebase? Then we'll merge this.

DONE! Applied with just a context conflict in go.mod.

[SirPhuttel]

And a (final?) whitespace fix to make the linter happy.

[SirPhuttel]

@squeed Ping! This is stuck somehow. Could you please approve the workflow so we see if it passes CI? Thanks!

[squeed]

Hmm, the tests are failing for no clear reason. I'm taking a look.

[squeed]

tests are broken; I'm investigating. Huh

[squeed]

@SirPhuttel can you rebase on main? There was an issue with CI, sorry.

[SirPhuttel]

@squeed DONE, thanks for investigating.