From 135292e0509f61f75353cc0c348246dd749f3fef Mon Sep 17 00:00:00 2001 From: Miguel Duarte Barroso Date: Thu, 20 Apr 2023 10:30:00 +0200 Subject: [PATCH] bridge, del: timeout after 55 secs of trying to list rules Making sure the exec'ed nft command is executed in 55 secs allows for CNI to fail early, thus preventing CRI from sending another CNI DEL while the previous NFT call is still being processed. This fix prevents part of the behavior described in [0], in which: > cnv-bridge and nft comes pile up in a loop, increasing every 60, never completes The timeout had to be less than 60 seconds (otherwise CRI would still trigger CNI DEL again) but large enough for this feature to have a chance of working on older kernels (e.g. centOS 8), where it takes longer to access even a specific chain/table. Signed-off-by: Miguel Duarte Barroso
---
 pkg/link/spoofcheck.go | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/pkg/link/spoofcheck.go b/pkg/link/spoofcheck.go
index 82487fe9..f22a6753 100644
--- a/pkg/link/spoofcheck.go
+++ b/pkg/link/spoofcheck.go
@@ -15,8 +15,10 @@ package link
 import (
+ "context"
 "fmt"
 "os"
+ "time"
 "github.com/networkplumbing/go-nft/nft"
 "github.com/networkplumbing/go-nft/nft/schema"
@@ -46,7 +48,10 @@ func (dnc defaultNftConfigurer) Apply(cfg *nft.Config) error {
 }
 func (dnc defaultNftConfigurer) Read(filterCommands ...string) (*nft.Config, error) {
- return nft.ReadConfig(filterCommands...)
+ const timeout = 55 * time.Second
+ ctxWithTimeout, cancelFunc := context.WithTimeout(context.Background(), timeout)
+ defer cancelFunc()
+ return nft.ReadConfigContext(ctxWithTimeout, filterCommands...)
 }
 func NewSpoofChecker(iface, macAddress, refID string) *SpoofChecker {
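Review bot: In the second hunk, when the 55 s deadline fires, `nft.ReadConfigContext` presumably surfaces only the error of the killed nft process, so a timeout is indistinguishable in logs from a genuine nft failure, and nothing in the code says why 55 was chosen — that rationale lives only in the commit message. Check `ctxWithTimeout.Err()` after the call and wrap the error so an operator can see the listing was cut short rather than malformed, and keep the "below CRI's 60 s re-issue, above slow older kernels" reasoning as a comment next to the constant. The idiomatic local names are `ctx, cancel` rather than `ctxWithTimeout, cancelFunc`. The first hunk only adds the imports this change needs and raises nothing.
```go
func (dnc defaultNftConfigurer) Read(filterCommands ...string) (*nft.Config, error) {
	// Must stay below the 60 s after which CRI re-issues CNI DEL, yet be long
	// enough for nft to list a single chain/table on older kernels.
	const timeout = 55 * time.Second
	ctx, cancel := context.WithTimeout(context.Background(), timeout)
	defer cancel()
	cfg, err := nft.ReadConfigContext(ctx, filterCommands...)
	if err != nil && ctx.Err() == context.DeadlineExceeded {
		return nil, fmt.Errorf("listing nft config timed out after %s: %w", timeout, err)
	}
	return cfg, err
}
```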