Monitor Aggregation for connections does not work with host firewall

[joestringer]

The host firewall does not respect the monitor parameter to the ct_lookup[46]() functions, it simply gathers it and discards, for example:

cilium/bpf/lib/host_firewall.h

Line 268 in f55ec90

__u32 monitor = 0, dst_id = WORLD_ID;

cilium/bpf/lib/host_firewall.h

Lines 300 to 301 in f55ec90

	ret = ct_lookup4(get_ct_map4(&tuple), &tuple, ctx, l4_off, CT_INGRESS,
	&ct_state, &monitor);

This means that even with monitorAggregationLevel=medium, aggregation of monitor notifications based on connections does not occur correctly for packets from the host towards the networks, meaning that notifications are generated once per packet rather than once every 5s per connection.

The monitor argument should be handled similarly to how it is used in bpf/bpf_lxc.c in the bpf_host.c.

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

[ti-mo]

Hi @joestringer

After investigating this specific case (connecting to an iperf container from the host) thoroughly, I can't reproduce the behaviour you described by

aggregation of monitor notifications based on connections does not occur correctly for packets from the host towards the networks

All TRACE_FROM_* obs points are simply dropped by emit_trace_notify() when aggregation is enabled, so this includes TRACE_FROM_HOST.

cilium/bpf/lib/trace.h

Lines 129 to 133 in 037bef5

	if (MONITOR_AGGREGATION >= TRACE_AGGREGATE_RX) {
	switch (obs_point) {
	case TRACE_FROM_LXC:
	case TRACE_FROM_PROXY:
	case TRACE_FROM_HOST:

From what I can see, only 2 host-FW code paths could currently generate floods:

1. Packets that fail validate_ethertype() when the host firewall is disabled, although this gets ignored when aggregation is enabled.

   cilium/bpf/bpf_host.c

   Lines 1035 to 1036 in b9e44f3

   	send_trace_notify(ctx, TRACE_TO_STACK, srcID, 0, 0,
   	CILIUM_IFINDEX, ret, 0);

2. Outbound packets towards other cluster nodes.

   cilium/bpf/bpf_host.c

   Lines 1002 to 1003 in b9e44f3

   	send_trace_notify(ctx, TRACE_TO_NETWORK, src_id, 0, 0,
   	0, ret, 0);

---

Is it possible that the case you described is caused by the latter? A simple ping flood can cause this (eg. from k8s1->k8s2 test VMs):

~ sudo ping 192.168.33.12 -i 0.01
...

~ cilium monitor
-> network flow 0x0 identity 1->0 state new ifindex 0 orig-ip 0.0.0.0: 192.168.33.11 -> 192.168.33.12 EchoRequest
-> network flow 0x0 identity 1->0 state new ifindex 0 orig-ip 0.0.0.0: 192.168.33.11 -> 192.168.33.12 EchoRequest
-> network flow 0x0 identity 1->0 state new ifindex 0 orig-ip 0.0.0.0: 192.168.33.11 -> 192.168.33.12 EchoRequest

Note how these events are wrongly labeled as 'to network'. There is no traffic to/from container networks here,
but rather between two cluster nodes directly. There doesn't seem to be any other kind of traffic that hits this
send_trace_notify() call. It looks like a fall-through and as such I would suggest we remove it to avoid future
regressions.

Instead, we could add new trace notifications with the correct observation points in the routines in host_firewall.h
where the monitor values are actually in scope. Otherwise, we'd need to declare+init it in to_host() for each packet
that hits the interface, including ones that don't use CT, which sounds like a bad idea. Additionally, we'd have to
plumb monitor into all ingress/egress routines, which I'd rather avoid.

@pchaigno @joestringer WDYT?

[pchaigno]

From what I can see, only 2 host-FW code paths could currently generate floods:

I think that's the two cases Joe had in mind (the second at least would be aggregation of monitor notifications based on connections does not occur correctly for packets from the host towards the networks).

Note how these events are wrongly labeled as 'to network'.

Why is that wrong? network here refers to anything outside the node.

[joestringer]

All TRACE_FROM_* obs points are simply dropped by emit_trace_notify() when aggregation is enabled, so this includes TRACE_FROM_HOST.

This is true, assuming a high enough aggregation level (which is also the default).

But yes, in general I am more concerned with the TRACE_TO_* cases for this issue.

Instead, we could add new trace notifications with the correct observation points in the routines in host_firewall.h
where the monitor values are actually in scope.

I don't understand the "correct observation points" angle. As @pchaigno mentions, "network" here is considered the 'physical' network outside the host, not anything within the node. In general there are typically two observation points for any given flow which may originate from the network, the host, an endpoint, or a tunnel and may be destined to one of these. One observation point represents the source of the packet and one represents the destination.

Otherwise, we'd need to declare+init it in to_host() for each packet that hits the interface, including ones that don't use CT, which sounds like a bad idea.

Are you worried about the cost of initializing a register to a default value? This should be cheap compared to the rest of the logic in the datapath, I don't think we're at the point of optimizing instructions like this yet. Furthermore, the goal here is to avoid preparing monitor messages and transmitting them to userspace, which will otherwise cause a bunch of other processing to occur both in the BPF packet handling and in the userspace side to handle the event for every single packet.

Additionally, we'd have to plumb monitor into all ingress/egress routines, which I'd rather avoid.

I think it's tedious implementation-wise, but it will improve CPU usage as well as just the usability of cilium monitor if it isn't flooded by per-packet events but instead is more like "1 event per flow each 5s".