firewall: flush stale UDP conntrack entries on port_forward setup/teardown

Add a new netlink_netfilter module to interact with the kernel's conntrack table using the netlink_packet_netfilter crate. This module allows dumping and deleting conntrack entries. All firewall drivers now call the new flush_udp_conntrack() function during port forwarding setup and teardown.

When a container with a UDP port mapping is started, stale conntrack entries can prevent traffic from reaching the new container instance. This change proactively deletes these stale entries for the mapped UDP ports, ensuring that new connections are not dropped by the kernel.

Added an integration test for the same and unit tests for dump_conntrack and del_conntrack.

Fixes: #1045

Signed-off-by: Shivang K Raghuvanshi <[email protected]>

Author: shivkr6

Cargo.lock

@@ -47,6 +47,7 @@ nix = { version = "0.30.1", features = ["net", "sched", "signal", "socket", "use
 rand = "0.9.2"
 sha2 = "0.10.9"
 netlink-packet-route = "0.25.1"
+netlink-packet-netfilter = { git = "https://github.com/shivkr6/netlink-packet-netfilter.git", branch = "conntrack-new" }
 netlink-packet-core = "0.8.1"
 netlink-sys = "0.8.7"
 nftables = "0.6.3"

Cargo.toml

@@ -5,7 +5,6 @@ use std::{
     os::fd::BorrowedFd,
 };
 
-use crate::dns::aardvark::SafeString;
 use crate::network::core_utils::get_default_route_interface;
 use crate::network::dhcp::{dhcp_teardown, get_dhcp_lease};
 use crate::network::netlink::Socket;
@@ -22,6 +21,7 @@ use crate::{
     },
     network::{constants, sysctl::disable_ipv6_autoconf, types},
 };
+use crate::{dns::aardvark::SafeString, network::netlink_netfilter::flush_udp_conntrack};
 use ipnet::IpNet;
 use log::{debug, error};
 use netlink_packet_route::address::{AddressAttribute, AddressScope};
@@ -542,7 +542,18 @@ impl<'a> Bridge<'a> {
 
         self.info.firewall.setup_network(sn, &system_dbus)?;
 
+        let port_mappings = spf.port_mappings;
+        let container_ip_v4 = spf.container_ip_v4;
+        let container_ip_v6 = spf.container_ip_v6;
+
         self.info.firewall.setup_port_forward(spf, &system_dbus)?;
+
+        if let Some(port_mappings) = port_mappings {
+            // Flush stale UDP conntrack entries to prevent dropped packets.
+            // See the function's doc comment for more details.
+            flush_udp_conntrack(port_mappings, container_ip_v4, container_ip_v6)?;
+        }
+
         Ok(())
     }
 
@@ -639,7 +650,18 @@ impl<'a> Bridge<'a> {
             complete_teardown,
         };
 
+        let port_mappings = tpf.config.port_mappings;
+        let container_ip_v4 = tpf.config.container_ip_v4;
+        let container_ip_v6 = tpf.config.container_ip_v6;
+
         self.info.firewall.teardown_port_forward(tpf)?;
+
+        if let Some(port_mappings) = port_mappings {
+            // Flush stale UDP conntrack entries to prevent dropped packets.
+            // See the function's doc comment for more details.
+            flush_udp_conntrack(port_mappings, container_ip_v4, container_ip_v6)?;
+        }
+
         Ok(())
     }
 }

src/network/bridge.rs

@@ -18,6 +18,7 @@ pub mod driver;
 pub mod internal_types;
 
 pub mod netlink;
+pub mod netlink_netfilter;
 pub mod netlink_route;
 
 pub mod plugin;