cilium, socklb: Add states filter for the termination iteration

[MitchLewis930]

PR_041

[MitchLewis930]

@greptileai

[greptile-apps]

Greptile Overview

Greptile Summary

Added protocol-specific state filtering for socket termination operations to improve efficiency when iterating and destroying sockets connected to deleted/unhealthy backends.

Key Changes:

• Introduced stateMask() helper function to build TCP state bitmasks
• Added StateFilterTCP that selectively includes TCP states, explicitly excluding TCP_TIME_WAIT
• Added StateFilterUDP constant (0xffff) that includes all UDP states
• Extended SocketFilter struct with States field to pass state filters through the API
• Updated Destroy(), filterAndDestroySockets(), and destroySocket() to use configurable state filters instead of hardcoded 0xffff
• Updated test and termination logic to use new state filter constants

Critical Issue:
The documentation states TCP_CLOSE should be omitted due to ENOENT errors (lines 46-48), but the implementation includes it in StateFilterTCP (line 69). This contradiction needs clarification.

Confidence Score: 2/5

• Not safe to merge due to critical logic inconsistency in state filter implementation
• The PR contains a critical contradiction between documentation and implementation regarding TCP_CLOSE state handling. The comment explicitly states TCP_CLOSE should be omitted to avoid ENOENT errors, but the code includes it in the filter. This could lead to spurious errors or unexpected behavior in production.
• pkg/datapath/sockets/sockets.go requires immediate attention to resolve the TCP_CLOSE state filter contradiction

Important Files Changed

Filename	Overview
pkg/datapath/sockets/sockets.go	Adds TCP/UDP state filtering for socket termination; contains critical logic inconsistency between comment and implementation regarding TCP_CLOSE state

Sequence Diagram

sequenceDiagram
    participant Reconciler as Socket Termination Loop
    participant Filter as SocketFilter
    participant Sockets as sockets.Destroy()
    participant Netlink as Netlink Socket API
    participant Kernel as Linux Kernel

    Note over Reconciler: Backend marked unhealthy/deleted
    Reconciler->>Filter: Create filter with protocol-specific states
    alt TCP Protocol
        Filter->>Filter: Set States = StateFilterTCP
    else UDP Protocol
        Filter->>Filter: Set States = StateFilterUDP (0xffff)
    end
    
    Reconciler->>Sockets: Destroy(filter)
    Sockets->>Netlink: filterAndDestroySockets(family, protocol, states)
    Netlink->>Kernel: Query sockets with state filter
    Kernel-->>Netlink: Return matching sockets
    
    loop For each matching socket
        Sockets->>Filter: MatchSocket(socketID)
        Filter->>Filter: Check destination IP/Port
        Filter->>Filter: Check RevNAT map (via DestroyCB)
        alt Socket matches filter
            Sockets->>Netlink: destroySocket(socketID, states)
            Netlink->>Kernel: SOCK_DESTROY with state filter
            Kernel-->>Netlink: ACK or ENOENT
        end
    end

Loading

[greptile-apps]

_{1 file reviewed, 1 comment}

_{Edit Code Review Agent Settings | Greptile}

[greptile-apps]

Contradicts comment on lines 46-48 which says TCP_CLOSE should be omitted to avoid ENOENT errors

Suggested change

	netlink.TCP_CLOSE,
	// Following are handled without any special consideration/just closed

Prompt To Fix With AI

This is a comment left during a code review.
Path: pkg/datapath/sockets/sockets.go
Line: 69:69

Comment:
Contradicts comment on lines 46-48 which says `TCP_CLOSE` should be omitted to avoid `ENOENT` errors

```suggestion
	// Following are handled without any special consideration/just closed
```

How can I resolve this? If you propose a fix, please make it concise.