netavark icon indicating copy to clipboard operation
netavark copied to clipboard
verified publisher icon containers

firewall: flush stale UDP conntrack entries on port_forward setup/teardown

Open shivkr6 opened this issue 2 months ago • 21 comments

Add a new netlink_netfilter module to interact with the kernel's conntrack table using the netlink_packet_netfilter crate. This module allows dumping and deleting conntrack entries. All firewall drivers now call the new flush_udp_conntrack() function during port forwarding setup and teardown.

When a container with a UDP port mapping is started, stale conntrack entries can prevent traffic from reaching the new container instance. This change proactively deletes these stale entries for the mapped UDP ports, ensuring that new connections are not dropped by the kernel.

Fixes: https://github.com/containers/netavark/issues/1045

NOTE: This PR cannot be merged right now because: ~~1) I'm waiting for my PRs to be merged in the netlink-packet-netfilter crate.~~ [DONE] ~~2) I have to write integration tests to test this functionality.~~ [DONE] 3) netlink-packet-netfilter new release

CC: @Luap99 @mheon

shivkr6 avatar Nov 18 '25 15:11 shivkr6