sockets: Terminate sockets with BPF socket iterators

[jrife]

This is a follow up to #37907...

bpf_sock_destroy(), a kfunc introduced in the 6.5 kernel by @aditighag was implemented as a way to destroy UDP sockets connected to a stale UDP backend. While the original RFC mentions one possible advantage being the elimination of exposure and traversal of every network namespace, the final patch series still requires that socket iteration be done per namespace.

We are currently leaning towards invoking the sock_destroy API
directly from BPF programs. This allows us to have an effective
mechanism without having to enter every possible container network
namespace on a node, and rely on the CONFIG_INET_DIAG_DESTROY config
with the right permissions. BPF programs attached to cgroup hooks can
store client sockets connected to a backend, and invoke destroy APIs
when backends are deleted.

However, this approach still reduces dependence on CONFIG_INET_DIAG_DESTROY, which the RFC claims is disabled by default. Perhaps a future kernel improvement to BPF socket iterators could allow for namespace iteration to be pushed to the BPF layer as well.

The API is behind the CONFIG_INET_DIAG_DESTROY config that's disabled by default

It seems that this change has been planned for awhile, so this PR takes a stab at implementing it. Originally, this was blocked by the availability of bpf_sock_destroy() in production kernels and the availability of newer versions of LLVM inside Cilium. However, 6.8+ is now the default kernel version on many Ubuntu distros, and LLVM has long since been upgraded, not that the LLVM version shipped with Cilium matters much, since this PR bakes in bpf_sock_term.o into the Cilium agent image (more on this below).

This PR splits BPF, control plane, and test changes into different commits for easier review.

BPF Changes: bpf_sock_term.c

bpf_sock_term.c implements cil_sock_udp_destroy. cil_sock_udp_destroy is meant to be used in conjunction with BPF socket iterators to iterate through all sockets in a network namespace and destroy any matching the configured filter. cilium_sock_term_filter is a single-element array containing the filter, a value consisting of a backend's address family, address, and port.

An earlier prototype of the program simply used DECLARE_CONFIG for each of the filter fields, requiring a new program to be configured and loaded for each new backend filter. This was convenient since there was no need to coordinate access to the map in userspace between parallel calls to TerminateUDPConnectionsToBackend(), but was ultimately too slow
(about 100x slower according to a simple benchmark). So, userspace needs to synchronize access to the map and this program using a mutex. Each "iterator instance" needs to follow this sequence:

1. Acquire some lock.
2. Set the value of the filter in cilium_sock_term_filter.
3. Create a new socket iterator.
4. Read all items in the iterator.
5. Release the lock.

It's OK for different calls to TerminateUDPConnectionsToBackend() to intertwine as long as these "critical sections" are sequential between threads.

The program combines the current socket's cookie and the configured filter into a cilium_lb(4|6)_reverse_sk map key and checks for the existence of that key to see if this socket was connected to the now obsolete backend. If so, it destroys it with the bpf_sock_destroy() kfunc.

A couple of points worth calling out:

1. bpf_sock_term.c uses sparse definitions of struct bpf_iter__udp and its dependencies to avoid pulling in vmlinux.h or a long chain of dependencies; it's not as straightforward as other definitions which can be cleanly copied in by syncing some header from the kernel.
2. I tried using Co-Re helpers around field accesses but had limited success. While I could use them to get a pointer to sk, I couldn't pass that pointer to the bpf_sock_destroy() kfunc without the verifier complaining about unsafe pointers or some such thing. This could use some further investigation, but at least right now I'm not sure how to get this to work. So, I guess there's some risk of the field accesses breaking on newer kernels if offsets change in struct bpf_iter__udp. This probably warrants some discussion.
3. bpf_sock_term.c is compiled once and built into the Cilium agent image, a big departure from other programs which are compiled at runtime, but hopefully not an unwelcome one. With the clang-free milestone underway, I figured I would just skip right to the end with this new program and bake it into the image. I'm not sure how well this aligns with the long term vision, so it would probably be good to get some input from @ti-mo and @dylandreimerink who are driving the clang-free effort.

Control Plane Changes

Beyond the obvious plumbing that needs to happen to initialize programs and maps, this PR implements an alternative strategy for destroying sockets in the current net namespace called BPFSocketDestroyer and moves the original netlink-based Destroy() function to a new SocketDestroyer called NetlinkSocketDestroyer. backendConnectionHandler uses BPFSocketDestroyer by default but falls back to NetlinkSocketDestroyer if that fails, as would be the case if the current kernel does not support the bpf_sock_destroy() kfunc.

BPFSockDestroyer#Destroy() lazy-initializes the socket iterator program, sets the value in the socket filter map, initializes the socket iterator, then iterates to completion. It takes a lock over this whole sequence to ensure calls to Destroy() are serialized across parallel instances of TerminateUDPConnectionsToBackend().

Test

This PR includes BPF unit tests as well as integration tests for netlink and BPF socket destroyer variants, but here's a small demo of the BPF socket destroyer working with a workload I put together earlier to test connected UDP sockets.

apiVersion: v1
data:
  config.js: |
    {
      "port": 8125,
      "address_ipv6": true,
      "backends": [ "./backends/console" ],
      "debug": true,
      "dumpMessages": true,
    }
kind: ConfigMap
metadata:
  name: statsd-config
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: statsd
spec:
  replicas: 1
  selector:
    matchLabels:
      app: statsd
  template:
    metadata:
      labels:
        app: statsd
    spec:
      containers:
      - name: statsd
        image: statsd/statsd:latest # Or specify a particular version
        command:
        - ./bin/statsd
        - /etc/statsd/config.js
        ports:
        - containerPort: 8125
          name: statsd
        volumeMounts:
        - name: config-volume
          mountPath: /etc/statsd
      volumes:
      - name: config-volume
        configMap:
          name: statsd-config
---
apiVersion: v1
kind: Service
metadata:
  name: statsd
spec:
  ipFamilyPolicy: PreferDualStack
  ipFamilies:
  - IPv6
  - IPv4
  selector:
    app: statsd
  ports:
  - protocol: UDP
    port: 8125
    targetPort: 8125
    name: statsd
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: gen-stats
spec:
  replicas: 1
  selector:
    matchLabels:
      app: gen-stats
  template:
    metadata:
      labels:
        app: gen-stats
    spec:
      containers:
      - name: gen-stats
        image: python:3.9-slim-buster
        command:
          - python
          - /etc/gen-stats/gen-stats.py
          - $(POD_NAME)
        env:
        - name: POD_NAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        volumeMounts:
        - name: config-volume
          mountPath: /etc/gen-stats
      volumes:
      - name: config-volume
        configMap:
          name: gen-stats
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: gen-stats
data:
  gen-stats.py: |
    import time
    import sys
    import socket

    pod_name = sys.argv[1]
    family, _, _, _, addr = socket.getaddrinfo('statsd', 8125, socket.AF_INET6, socket.SOCK_DGRAM)[0]
    print('Address: ' + str(addr), flush=True)
    sock = socket.socket(family, socket.SOCK_DGRAM)
    sock.bind(('', 10001))
    sock.connect(addr)

    while True:
        try:
          sock.send(bytes(pod_name + ':1|c', encoding='ascii'))
        except OSError as e:
          print('send failed: ' + str(e), flush=True)
          try:
            sock = socket.socket(family, socket.SOCK_DGRAM)
            sock.bind(('', 10001))
            sock.connect(addr)
          except OSError as e:
            print('recreate socket failed: ' + str(e), flush=True)
          else:
            print('Recreated socket', flush=True)
        else:
          print('send completed', flush=True)

        time.sleep(1)

jordan@t14:~/code/cilium$ kubectl get pods -A -o wide
NAMESPACE            NAME                                         READY   STATUS    RESTARTS   AGE     IP             NODE                 NOMINATED NODE   READINESS GATES
default              gen-stats-6b7ff59478-rdl6j                   1/1     Running   0          56s     10.244.1.46    kind-worker2         <none>           <none>
default              statsd-654f7b64b4-56lwq                      1/1     Running   0          56s     10.244.1.6     kind-worker2         <none>           <none>
...
jordan@t14:~/code/cilium$ kubectl delete pods statsd-654f7b64b4-56lwq
pod "statsd-654f7b64b4-56lwq" deleted
jordan@t14:~/code/cilium$ 

Meanwhile,

jordan@t14:~/code/cilium$ kubectl logs -f gen-stats-6b7ff59478-rdl6j
Address: ('fd00:10:96::5ebf', 8125, 0, 0)
...
send completed
send completed
send failed: [Errno 89] Destination address required
recreate socket failed: [Errno 1] Operation not permitted
send failed: [Errno 89] Destination address required
recreate socket failed: [Errno 1] Operation not permitted
send failed: [Errno 89] Destination address required
recreate socket failed: [Errno 1] Operation not permitted
send failed: [Errno 89] Destination address required
Recreated socket
send completed
send completed
send completed
send completed
send completed
^C
jordan@t14:~/code/cilium$ kubectl logs -n kube-system cilium-rx545 | grep -i terminated
time=2025-04-07T21:03:12Z level=info msg="Forcefully terminated sockets" module=agent.controlplane.service-manager filter="{DestIp:fd00:10:244:1::e9d7 DestPort:8125 Family:10 Protocol:17 DestroyCB:0x2f87d20}" destroyed=2
jordan@t14:~/code/cilium$ 

Related Kernel Patches

I made some improvements upstream that eliminate scenarios where some sockets may be skipped or repeated during iteration for TCP and UDP socket iterators. This should make socket iterators as a mechanism for this sort of thing a bit more reliable.

• [RFC PATCH bpf-next 0/3] Avoid skipping sockets with socket iterators
• [PATCH v7 bpf-next 0/7] bpf: udp: Exactly-once socket iteration
• [PATCH v6 bpf-next 00/12] bpf: tcp: Exactly-once socket iteration

Fixes: #37907

sockets: In socket-LB mode, terminate sockets connected to deleted backends using BPF socket iterators.

[pippolo84]

Removing myself as a reviewer since Jussi already acked for sig-foundations ✅

[jrife]

cilium-agent(8605) has 419 file descriptors open
cilium-agent(8387) has 537 file descriptors open
cilium-agent(8387) has more than 500 file descriptors (potential leak)

Looks like the file descriptor leak check is failing. Will need to investigate this tomorrow.

Edit: This went away with a retrigger and testing locally, I could not detect any file descriptor leaks while using the feature. I created #40832 to try to debug the leak (if any), but cannot reproduce there. I will try a few more times. Related: #40179

[jrife]

/test

[jrife]

Tracking what appear to be some CI flakes...

• Cilium Cluster Mesh upgrade (ci-clustermesh) run failed on Endpoint restoration/regeneration of completed job stuck in infinite loop (error="retrieving device lxc*: Link not found") #39370
• Cilium E2E Upgrade (ci-e2e-upgrade) run failed on CI: Cilium E2E Upgrade (ci-e2e-upgrade) - echo-ingress-l7-named-port: command terminated with exit code 28 #40835 (issue newly opened by me)
• Conformance AWS-CNI (ci-awscni) run failed on CI: Conformance AWS-CNI (ci-awscni) - Create EKS nodegroup: 1 error(s) occurred and nodegroups haven't been created properly... #40836 (issue newly opened by me)

[jrife]

/test

[jrife]

@joamaki I had to change the code in termination.go since you approved, namely the introduction of this to make the mocking work in termination_test.go. Just a heads up in case you want to take another look.

// socketDestroyerFactory creates a level of indirection that makes it possible
// to inject mock SocketDestroyers in tests. SocketDestoyer cannot simply be
// Provide()ed above, since the invocation of NewSocketDestroyer must be
// deferred until all maps are created. We want to run it right before
// socketTerminationLoop is invoked.
type socketDestroyerFactory func(socketTerminationParams) (sockets.SocketDestroyer, error)

func makeSocketDestroyer(p socketTerminationParams) (sockets.SocketDestroyer, error) {
	sockRevNat4, sockRevNat6 := p.LBMaps.SockRevNat()
	sd, err := sockets.NewSocketDestroyer(p.Log, sockRevNat4, sockRevNat6)
	if err != nil {
		return nil, err
	}

	return sd, nil
}

[jrife]

Looks like this still needs a review from @cilium/ci-structure . Maybe @pchaigno ?

[pchaigno]

Reviewing for ci-structure.

[tommyp1ckles]

Looks for me, @ti-mo I'm assuming these changes all look on your side as well?

[jrife]

Created a follow up issue here: #40862

[jrife]

/test

[jrife]

/ci-ipsec-e2e

[joestringer]

Timo is out for a few weeks, and it looks like @jrife has done his best to address or respond to the earlier feedback. Strictly speaking that means that @cilium/loader hasn't given an approval, so I think it's reasonable to give a little extra time for someone there to see (maybe @rgo3 or @dylandreimerink ?) but if there's no further feedback in the next few days then it seems like this should be fine to merge. We can always iterate more in-tree.

[joestringer]

Filed #40925 for merge queue status check failure case, we've seen this before and it's unrelated to this PR.

[smagnani96]

EDIT: @dylandreimerink found the culprit (🙏🏼 ), going to open a PR in a minute.

👋🏼 From commit bpf: Implement socket iterator program and tests, make kind-image-agent fails with:

❯ make kind-image-agent
kind is ready
make dev-docker-image DOCKER_IMAGE_TAG=local
make[1]: Entering directory '/home/XXX/tmp/cilium'
Using Docker Buildx builder "default" with build flags "--load".
: images/cilium/Dockerfile localhost:5000/cilium/cilium:local
docker buildx build -f images/cilium/Dockerfile  --load  --build-arg MODIFIERS="NOSTRIP= NOOPT= LOCKDEBUG= RACE= V= LIBNETWORK_PLUGIN= " --build-arg CILIUM_SHA=100f8bc179 --build-arg OPERATOR_VARIANT=cilium-dev --build-arg DEBUG_HOLD= --target release -t localhost:5000/cilium/cilium-dev:local .
[+] Building 4.9s (10/21)                                                                                                                                                                                                       docker:default
 => [internal] load build definition from Dockerfile                                                                                                                                                                                      0.0s
 => => transferring dockerfile: 10.97kB                                                                                                                                                                                                   0.0s
 => [internal] load metadata for quay.io/cilium/cilium-envoy:v1.35.0-1753779236-ad8b8335b9191b13c3da99048bf850e439354e42@sha256:65aca8ec7223462777ca7d86394133a18dda8d41c37b6933489f1fc82945d504                                          0.4s
 => [internal] load metadata for quay.io/cilium/cilium-runtime:30803685cd0ff7897876e57fdac234a5caede8f0@sha256:551b44ea9c8e5dc6f6e8c55e8be84ad834d265f9024ed9fde8edf88abdd9424e                                                           0.6s
 => [internal] load metadata for quay.io/cilium/cilium-builder:223fc64724872068b184fc13404ba47afd389b46@sha256:282190764c045d75b5f60eec555449344aa6792ded348dbb82322e48b29ad857                                                           0.0s
 => [builder 1/7] FROM quay.io/cilium/cilium-builder:223fc64724872068b184fc13404ba47afd389b46@sha256:282190764c045d75b5f60eec555449344aa6792ded348dbb82322e48b29ad857                                                                     0.0s
 => [cilium-envoy 1/1] FROM quay.io/cilium/cilium-envoy:v1.35.0-1753779236-ad8b8335b9191b13c3da99048bf850e439354e42@sha256:65aca8ec7223462777ca7d86394133a18dda8d41c37b6933489f1fc82945d504                                               0.0s
 => [internal] load build context                                                                                                                                                                                                         3.5s
 => => transferring context: 261.00MB                                                                                                                                                                                                     3.4s
 => [release 1/8] FROM quay.io/cilium/cilium-runtime:30803685cd0ff7897876e57fdac234a5caede8f0@sha256:551b44ea9c8e5dc6f6e8c55e8be84ad834d265f9024ed9fde8edf88abdd9424e                                                                     0.0s
 => CACHED [builder 2/7] WORKDIR /go/src/github.com/cilium/cilium                                                                                                                                                                         0.0s
 => ERROR [builder 3/7] RUN --mount=type=bind,readwrite,target=/go/src/github.com/cilium/cilium     --mount=type=cache,target=/root/.cache     --mount=type=cache,target=/go/pkg     make GOARCH=amd64 DESTDIR=/tmp/install/linux/amd64   0.7s
------                                                                                                                                                                                                                                         
 > [builder 3/7] RUN --mount=type=bind,readwrite,target=/go/src/github.com/cilium/cilium     --mount=type=cache,target=/root/.cache     --mount=type=cache,target=/go/pkg     make GOARCH=amd64 DESTDIR=/tmp/install/linux/amd64 PKG_BUILD=1 $(echo NOSTRIP= NOOPT= LOCKDEBUG= RACE= V= LIBNETWORK_PLUGIN=  | tr -d '"') NOSTRIP=1     build-container install-container-binary:                                                                                                              
0.166 for i in cilium-dbg daemon cilium-health bugtool tools/mount tools/sysctlfix plugins/cilium-cni; do make  -C $i all; done                                                                                                                
0.168 make[1]: Entering directory '/go/src/github.com/cilium/cilium/cilium-dbg'                                                                                                                                                                
0.199 CGO_ENABLED=0  go build -mod=vendor -ldflags '-X "github.com/cilium/cilium/pkg/version.ciliumVersion=1.19.0-dev 100f8bc179 2025-04-01T21:21:48Z" -X "github.com/cilium/cilium/pkg/envoy.requiredEnvoyVersionSHA=ad8b8335b9191b13c3da99048bf850e439354e42" ' -tags=osusergo  -o cilium-dbg
0.456 ../pkg/datapath/bpf/sockterm_bpfel.go:198:12: pattern sockterm_bpfel.o: no matching files found
0.462 make[1]: *** [Makefile:23: cilium-dbg] Error 1
0.462 make[1]: Leaving directory '/go/src/github.com/cilium/cilium/cilium-dbg'
0.462 make: *** [Makefile:61: build-container] Error 2
------
Dockerfile:41
--------------------
  40 |     # in accordance with the supplied/default NOSTRIP setting. See "Extract debug symbols" below.
  41 | >>> RUN --mount=type=bind,readwrite,target=/go/src/github.com/cilium/cilium \
  42 | >>>     --mount=type=cache,target=/root/.cache \
  43 | >>>     --mount=type=cache,target=/go/pkg \
  44 | >>>     make GOARCH=${TARGETARCH} DESTDIR=/tmp/install/${TARGETOS}/${TARGETARCH} PKG_BUILD=1 $(echo $MODIFIERS | tr -d '"') NOSTRIP=1 \
  45 | >>>     build-container install-container-binary
  46 |     
--------------------
ERROR: failed to build: failed to solve: process "/bin/sh -c make GOARCH=${TARGETARCH} DESTDIR=/tmp/install/${TARGETOS}/${TARGETARCH} PKG_BUILD=1 $(echo $MODIFIERS | tr -d '\"') NOSTRIP=1     build-container install-container-binary" did not complete successfully: exit code: 2
make[1]: *** [Makefile.docker:125: dev-docker-image] Error 1
make[1]: Leaving directory '/home/XXX/tmp/cilium'
make: *** [Makefile.kind:200: kind-build-image-agent] Error 2

Any idea how to fix this?