firewall: flush stale UDP conntrack entries on port_forward setup/teardown

Add a new netlink_netfilter module to interact with the kernel's conntrack table using the netlink_packet_netfilter crate. This module allows dumping and deleting conntrack entries. All firewall drivers now call the new flush_udp_conntrack() function during port forwarding setup and teardown.

When a container with a UDP port mapping is started, stale conntrack entries can prevent traffic from reaching the new container instance. This change proactively deletes these stale entries for the mapped UDP ports, ensuring that new connections are not dropped by the kernel.

Added an integration test for the same and unit tests for dump_conntrack and del_conntrack.

Fixes: #1045

Signed-off-by: Shivang K Raghuvanshi <[email protected]>

Author: shivkr6

Cargo.lock

@@ -47,6 +47,7 @@ nix = { version = "0.30.1", features = ["net", "sched", "signal", "socket", "use
 rand = "0.9.2"
 sha2 = "0.10.9"
 netlink-packet-route = "0.25.1"
+netlink-packet-netfilter = { git = "https://github.com/shivkr6/netlink-packet-netfilter.git", branch = "conntrack-new" }
 netlink-packet-core = "0.8.1"
 netlink-sys = "0.8.7"
 nftables = "0.6.3"

Cargo.toml

@@ -1,6 +1,7 @@
 use crate::error::{NetavarkError, NetavarkResult};
 use crate::network::internal_types;
 use crate::network::internal_types::{PortForwardConfig, TearDownNetwork, TeardownPortForward};
+use crate::network::netlink_netfilter::flush_udp_conntrack;
 use crate::network::types::PortMapping;
 use crate::{firewall, wrap};
 use core::convert::TryFrom;
@@ -373,6 +374,16 @@ impl firewall::FirewallDriver for FirewallD {
             setup_portfw.container_id
         );
 
+        if let Some(port_mappings) = setup_portfw.port_mappings {
+            // Flush stale UDP conntrack entries to prevent dropped packets.
+            // See the function's doc comment for more details.
+            flush_udp_conntrack(
+                port_mappings,
+                setup_portfw.container_ip_v4,
+                setup_portfw.container_ip_v6,
+            )?;
+        }
+
         Ok(())
     }
 
@@ -617,6 +628,16 @@ impl firewall::FirewallDriver for FirewallD {
         }
         update_policy_config(&self.conn, HOSTFWDPOLICYNAME, new_localhost_policy_config)?;
 
+        if let Some(port_mappings) = teardown_pf.config.port_mappings {
+            // Flush stale UDP conntrack entries to prevent dropped packets.
+            // See the function's doc comment for more details.
+            flush_udp_conntrack(
+                port_mappings,
+                teardown_pf.config.container_ip_v4,
+                teardown_pf.config.container_ip_v6,
+            )?;
+        }
+
         Ok(())
     }
 }

src/firewall/firewalld.rs

@@ -9,6 +9,7 @@ use crate::firewall::varktables::types::{
 use crate::network::internal_types::{
     PortForwardConfig, SetupNetwork, TearDownNetwork, TeardownPortForward,
 };
+use crate::network::netlink_netfilter::flush_udp_conntrack;
 use iptables;
 use iptables::IPTables;
 
@@ -151,6 +152,17 @@ impl firewall::FirewallDriver for IptablesDriver {
                 get_port_forwarding_chains(&self.conn6, &setup_portfw, &v6, &subnet_v6, true)?;
             create_network_chains(chains)?;
         };
+
+        if let Some(port_mappings) = setup_portfw.port_mappings {
+            // Flush stale UDP conntrack entries to prevent dropped packets.
+            // See the function's doc comment for more details.
+            flush_udp_conntrack(
+                port_mappings,
+                setup_portfw.container_ip_v4,
+                setup_portfw.container_ip_v6,
+            )?;
+        }
+
         Result::Ok(())
     }
 
@@ -216,6 +228,16 @@ impl firewall::FirewallDriver for IptablesDriver {
                 }
             }
         }
+        if let Some(port_mappings) = tear.config.port_mappings {
+            // Flush stale UDP conntrack entries to prevent dropped packets.
+            // See the function's doc comment for more details.
+            flush_udp_conntrack(
+                port_mappings,
+                tear.config.container_ip_v4,
+                tear.config.container_ip_v6,
+            )?;
+        }
+
         Result::Ok(())
     }
 }

src/firewall/iptables.rs

@@ -3,6 +3,7 @@ use crate::firewall;
 use crate::firewall::firewalld;
 use crate::network::internal_types;
 use crate::network::internal_types::IsolateOption;
+use crate::network::netlink_netfilter::flush_udp_conntrack;
 use crate::network::types::PortMapping;
 use ipnet::IpNet;
 use nftables::batch::Batch;
@@ -744,6 +745,16 @@ impl firewall::FirewallDriver for Nftables {
 
         helper::apply_ruleset(&rules)?;
 
+        if let Some(port_mappings) = setup_portfw.port_mappings {
+            // Flush stale UDP conntrack entries to prevent dropped packets.
+            // See the function's doc comment for more details.
+            flush_udp_conntrack(
+                port_mappings,
+                setup_portfw.container_ip_v4,
+                setup_portfw.container_ip_v6,
+            )?;
+        }
+
         Ok(())
     }
 
@@ -815,6 +826,16 @@ impl firewall::FirewallDriver for Nftables {
 
         helper::apply_ruleset(&rules)?;
 
+        if let Some(port_mappings) = teardown_pf.config.port_mappings {
+            // Flush stale UDP conntrack entries to prevent dropped packets.
+            // See the function's doc comment for more details.
+            flush_udp_conntrack(
+                port_mappings,
+                teardown_pf.config.container_ip_v4,
+                teardown_pf.config.container_ip_v6,
+            )?;
+        }
+
         Ok(())
     }
 }

src/firewall/nft.rs

@@ -18,6 +18,7 @@ pub mod driver;
 pub mod internal_types;
 
 pub mod netlink;
+pub mod netlink_netfilter;
 pub mod netlink_route;
 
 pub mod plugin;