FQDN proxy stops forwarding traffic

[tgraf]

The FQDN proxy can get into a state where forwarding no longer occurs. Comparing a cilium-sysdump before and after reveals:

• No difference in any datapath plumbing
• Equivalent gops-stack for FQDN code, both are blocking on IO wait

However, the reported proxy statistics are very different. While this problem is occurring:

        "proxy-statistics": [
          {
            "allocated-proxy-port": 18064,
            "location": "egress",
            "port": 8053,
            "protocol": "dns",
            "statistics": {
              "requests": {},
              "responses": {}
            }
          },
          {
            "allocated-proxy-port": 18064,
            "location": "egress",
            "port": 8053,
            "protocol": "dns",
            "statistics": {
              "requests": {},
              "responses": {}
            }
          }
        ],

After restarting cilium-agent to resolve the issue:

        "proxy-statistics": [
          {
            "allocated-proxy-port": 32463,
            "location": "egress",
            "port": 8053,
            "protocol": "dns",
            "statistics": {
              "requests": {
                "denied": 146,
                "forwarded": 40,
                "received": 186
              },
              "responses": {
                "forwarded": 40,
                "received": 40
              }
            }
          },
          {
            "allocated-proxy-port": 32463,
            "location": "egress",
            "port": 8053,
            "protocol": "dns",
            "statistics": {
              "requests": {},
              "responses": {}
            }
          }
        ],

[qmonnet]

Found in logs:

message="Releasing proxy port [...] failed"
    error="Can't release proxy port: proxy cilium-dns-egress on [...] has refcount 0"

Focusing on the refcount 0 error message present in the log, we looked at the logics for nRedirects in pkg/proxy/proxy.go. The logics seems sane in the proxy layer itself, but maybe we call RemoveRedirect() incorrectly.

In particular, we call it from RemoveProxyRedirect() in daemon/daemon.go, in turn called from pkg/endpoint/bpf.go. In the latter file, in runPreCompilationSteps(), we call addNewRedirects() conditionally (and it increments the refcount eventually), but removeOldRedirects() (decrementing) not under the same conditions.

So maybe we could be decrementing even if we don't validate the if e.desiredPolicy != nil && e.desiredPolicy.L4Policy != nil && e.desiredPolicy.L4Policy.HasRedirect(), i.e. even if we don’t increment the refcount first? More investigation needed to see how the redirect add/remove works.