Preserve flows on reconfigs with port-forwarding#1314
Merged
Fredi-raspall merged 1 commit intomainfrom Mar 4, 2026
Merged
Conversation
Fredi-raspall
requested review from
a team,
daniel-noland and
sergeymatov
and removed request for
a team and
daniel-noland
Fredi-raspall
force-pushed
the
pr/fredi/port-forwarding-reconfigs
branch
from
7bae2b3 to
bae9870
Compare
Contributor
There was a problem hiding this comment.
Pull request overview
Updates the port-forwarding NF to preserve existing flows across port-forwarding rule reconfigurations by re-evaluating packets when a flow’s stored Weak reference to its rule becomes stale, and then re-linking the flow state to the current matching rule.
Changes:
- Add stale-rule detection and rule re-resolution for packets hitting Active flows with port-forwarding state.
- Refresh flow expiry using the currently applicable
PortFwEntry(instead of relying on upgrading theWeakinside state). - Expose flow invalidation helper and adjust
PortFwStateto allow updating its stored rule reference.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
nat/src/portfw/nf.rs |
Adds stale-rule recovery path that re-looks up compatible rules and reassigns flow state rule references. |
nat/src/portfw/flow_state.rs |
Adjusts flow-state helpers to allow stale-rule handling (no early invalidation) and refreshes timeouts based on a provided rule entry. |
In the original implementation of port-forwarding, rules referred
to single ips and ports. When a flow for a port-forwarded packet
was created, the corresponding state referred to the matched rule
so that the data-path could refer to it (via a Weak reference) to
learn things like the timeouts, needed to extend flows' lifetimes.
With rules that can contain prefixes and ports, this is more
difficult since, on reconfigurations, it is hard to preserve the
original rule since the object (mostly immutable) may need to be
replaced by a newer one in case it would need to be updated. If
that happens, the Weak reference to the previous rule is dropped
and it is no longer possible to recover, from a flow, the rule
that lead to its creation. The option of letting the flow-filter
deal with this is insufficient, because, even if after a reconfig
the flow-filter would allow the flow, the port-forwarding logic
requires knowing the timeouts (present only in the rule) to
determine how much to extend the flows.
This patch fixes the logic so that, if a packet in either direction
hits a flow with port forwarding state whose corresponding rule
has been dropped or modified, the PortForwarder NF re-evaluates the
packet to newly determine if it should continue to be port-forwarded
according to the new config. In that case, a new Weak reference to
the newer rule is created. The approach of using Weak references is
hence still a valid one to expedite (omit reevaluations) most of
the time in the "fast path". The slower path only applies:
- for the first packet, when there's no state
- for the first packet hitting a flow that refers to a stale
port-forwarding rule, which can only happen after a reconfigu-
ration.
Signed-off-by: Fredi Raspall <fredi@githedgehog.com>
Fredi-raspall
force-pushed
the
pr/fredi/port-forwarding-reconfigs
branch
from
bae9870 to
6051845
Compare
sergeymatov
approved these changes
Mar 3, 2026
Contributor
sergeymatov
left a comment
sergeymatov
left a comment
There was a problem hiding this comment.
@Fredi-raspall thank you
mvachhar
approved these changes
Mar 3, 2026
github-merge-queue
bot
removed this pull request from the merge queue due to failed status checks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fixes #1313
In the original implementation of port-forwarding, rules referred to single ips and ports. When a flow for a port-forwarded packet was created, the corresponding state referred to the matched rule so that the data-path could refer to it (via a Weak reference) to learn things like the timeouts, needed to extend flows' lifetimes.
With rules that can contain prefixes and ports, this is more diffi- cult since, on reconfigurations, it is hard to preserve the origi- nal rule since the object (mostly immutable) may need to be replaced by a newer one in case it would need to be updated. If that happens, the Weak reference to the previous rule is dropped and it is no longer possible to recover, from a flow, the rule that lead to its creation. The option of letting the flow-filter deal with this is insufficient, because, even if after a reconfig the flow-filter would allow the flow, the port-forwarding logic requires knowing the timeouts (present only in the rule) to determine how much to extend the flows.
This patch fixes the logic so that, if a packet in either direction hits a flow with port forwarding state whose corresponding rule has been dropped or modified, the PortForwarder NF re-evaluates the packet to newly determine if it should continue to be port-forwarded according to the new config. In that case, a new Weak reference to the newer rule is created. The approach of using Weak references is hence still a valid one to expedite (omit reevaluations) most of the time in the "fast path". The slower path only applies: