Merge "Disable conntrack for TCP flows in the amphora" into stable/victoria

elements/amphora-agent/static/usr/local/bin/udp-masquerade.sh

@@ -36,10 +36,19 @@ if [ "$1" == "add" ]; then
             nft add table ip octavia-ipv4
             nft add chain ip octavia-ipv4 ip-udp-masq { type nat hook postrouting priority 100\;}
             nft add rule ip octavia-ipv4 ip-udp-masq oifname "$3" meta l4proto udp masquerade
+            nft add chain ip octavia-ipv4 prerouting { type filter hook prerouting priority -300 \; }
+            nft add rule ip octavia-ipv4 prerouting iifname "$3" meta l4proto tcp notrack
+            nft add chain ip octavia-ipv4 output { type filter hook output priority -300 \; }
+            nft add rule ip octavia-ipv4 output oifname "$3" meta l4proto tcp notrack
+
         elif [ "$2" == "ipv6" ]; then
             nft add table ip6 octavia-ipv6
             nft add chain ip6 octavia-ipv6 ip6-udp-masq { type nat hook postrouting priority 100\;}
             nft add rule ip6 octavia-ipv6 ip6-udp-masq oifname "$3" meta l4proto udp masquerade
+            nft add chain ip6 octavia-ipv6 prerouting { type filter hook prerouting priority -300 \; }
+            nft add rule ip6 octavia-ipv6 prerouting iifname "$3" meta l4proto tcp notrack
+            nft add chain ip6 octavia-ipv6 output { type filter hook output priority -300 \; }
+            nft add rule ip6 octavia-ipv6 output oifname "$3" meta l4proto tcp notrack
         else
             usage
         fi
@@ -47,8 +56,14 @@ if [ "$1" == "add" ]; then
     else # nft not found, fall back to iptables
         if [ "$2" == "ipv4" ]; then
             /sbin/iptables -t nat -A POSTROUTING -p udp -o $3 -j MASQUERADE
+
+            /sbin/iptables -t raw -A PREROUTING -p tcp -i $3 -j NOTRACK
+            /sbin/iptables -t raw -A OUTPUT -p tcp -o $3 -j NOTRACK
         elif [ "$2" == "ipv6" ]; then
             /sbin/ip6tables -t nat -A POSTROUTING -p udp -o $3 -j MASQUERADE
+
+            /sbin/ip6tables -t raw -A PREROUTING -p tcp -i $3 -j NOTRACK
+            /sbin/ip6tables -t raw -A OUTPUT -p tcp -o $3 -j NOTRACK
         else
             usage
         fi
@@ -60,9 +75,17 @@ elif [ "$1" == "delete" ]; then
         if [ "$2" == "ipv4" ]; then
             nft flush chain ip octavia-ipv4 ip-udp-masq
             nft delete chain ip octavia-ipv4 ip-udp-masq
+            nft flush chain ip octavia-ipv4 prerouting
+            nft delete chain ip octavia-ipv4 prerouting
+            nft flush chain ip octavia-ipv4 output
+            nft delete chain ip octavia-ipv4 output
         elif [ "$2" == "ipv6" ]; then
             nft flush chain ip6 octavia-ipv6 ip-udp-masq
             nft delete chain ip6 octavia-ipv6 ip-udp-masq
+            nft flush chain ip6 octavia-ipv6 prerouting
+            nft delete chain ip6 octavia-ipv6 prerouting
+            nft flush chain ip6 octavia-ipv6 output
+            nft delete chain ip6 octavia-ipv6 output
         else
             usage
         fi
@@ -70,8 +93,12 @@ elif [ "$1" == "delete" ]; then
     else # nft not found, fall back to iptables
         if [ "$2" == "ipv4" ]; then
             /sbin/iptables -t nat -D POSTROUTING -p udp -o $3 -j MASQUERADE
+            /sbin/iptables -t raw -D PREROUTING -p tcp -i $3 -j NOTRACK
+            /sbin/iptables -t raw -D OUTPUT -p tcp -o $3 -j NOTRACK
         elif [ "$2" == "ipv6" ]; then
             /sbin/ip6tables -t nat -D POSTROUTING -p udp -o $3 -j MASQUERADE
+            /sbin/ip6tables -t raw -D PREROUTING -p tcp -i $3 -j NOTRACK
+            /sbin/ip6tables -t raw -D OUTPUT -p tcp -o $3 -j NOTRACK
         else
             usage
         fi

releasenotes/notes/disable-conntrack-for-tcp-01ef6948d99353c2.yaml

@@ -0,0 +1,6 @@
+---
+fixes:
+  - |
+    Disable conntrack for TCP flows in the Amphora, it reduces memory usage for
+    HAProxy-based listeners and prevents some kernel warnings about dropped
+    packets.