don't skip a TCP connection if its entry cannot be found in the conntrack table (e.g., Cilium rewrites destinations at the eBPF level bypassing conntrack)

def · def · commit 8267e0a8dbe6 · 2022-09-23T15:56:49.000+03:00
diff --git a/containers/conntrack.go b/containers/conntrack.go
@@ -1,8 +1,10 @@
 package containers
 
 import (
+	"github.com/coroot/coroot-node-agent/common"
 	"github.com/florianl/go-conntrack"
 	"inet.af/netaddr"
+	"k8s.io/klog/v2"
 	"syscall"
 )
 
@@ -19,9 +21,9 @@ func ConntrackInit() error {
 	return nil
 }
 
-func ConntrackGetActualDestination(src, dst netaddr.IPPort) (netaddr.IPPort, error) {
+func ConntrackGetActualDestination(src, dst netaddr.IPPort) netaddr.IPPort {
 	if conntrackClient == nil {
-		return dst, nil
+		return dst
 	}
 
 	tcp := uint8(syscall.IPPROTO_TCP)
@@ -47,7 +49,10 @@ func ConntrackGetActualDestination(src, dst netaddr.IPPort) (netaddr.IPPort, err
 	}
 	sessions, err := conntrackClient.Get(conntrack.Conntrack, family, req)
 	if err != nil {
-		return netaddr.IPPort{}, err
+		if !common.IsNotExist(err) {
+			klog.Errorf("failed to resolve actual destination for %s->%s: %s", src, dst, err)
+		}
+		return dst
 	}
 	for _, s := range sessions {
 		if !ipTupleValid(s.Origin) || !ipTupleValid(s.Reply) {
@@ -62,11 +67,13 @@ func ConntrackGetActualDestination(src, dst netaddr.IPPort) (netaddr.IPPort, err
 		if reply == nil {
 			continue
 		}
-		ip, _ := netaddr.FromStdIP(*reply.Src)
-		port := *reply.Proto.SrcPort
-		return netaddr.IPPortFrom(ip, port), nil
+		ip, ok := netaddr.FromStdIP(*reply.Src)
+		if !ok {
+			continue
+		}
+		return netaddr.IPPortFrom(ip, *reply.Proto.SrcPort)
 	}
-	return netaddr.IPPort{}, nil
+	return dst
 }
 
 func ipTuplesEqual(a, b *conntrack.IPTuple) bool {
diff --git a/containers/container.go b/containers/container.go
@@ -374,15 +374,9 @@ func (c *Container) onConnectionOpen(pid uint32, src, dst netaddr.IPPort, failed
 	if failed {
 		c.connectsFailed[dst]++
 	} else {
-		actualDst, err := ConntrackGetActualDestination(src, dst)
-		if err != nil {
-			klog.Errorf("failed to resolve actual destination for %s->%s: %s", src, dst, err)
-		} else if actualDst.IsValid() {
-			c.connectsSuccessful[AddrPair{src: dst, dst: actualDst}]++
-			c.connectionsActive[AddrPair{src: src, dst: dst}] = actualDst
-		} else {
-			klog.Errorf("invalid actual destination for %s->%s: %s", src, dst, actualDst)
-		}
+		actualDst := ConntrackGetActualDestination(src, dst)
+		c.connectsSuccessful[AddrPair{src: dst, dst: actualDst}]++
+		c.connectionsActive[AddrPair{src: src, dst: dst}] = actualDst
 	}
 	c.connectLastAttempt[dst] = time.Now()
 }
