bpf_host: emit '-> network' traces for egress packets by navarrothiago · Pull Request #16082 · cilium/cilium

navarrothiago · 2021-05-11T12:56:25Z

bpf_host: emit '-> network' traces for egress packets

See the issue below for the full context. The caveat is, this program is only attached to the native device egress if the host firewall is enabled, so there still won't be any TRACE_TO_NETWORK visibility if that's not the case.

I've also added handle_to_netdev_ipv4() to clean up to_netdev() a bit, to bring it on par with the ipv6 handling.

bpf_host: emit '-> network' traces for packets leaving the node when Host Firewall are enabled

Based on: #13485
Fixes: #12561

Co-authored-by: Thiago Navarro navarro@accuknox.com
Signed-off-by: Timo Beckers timo@isovalent.com
Signed-off-by: Thiago Navarro navarro@accuknox.com

pchaigno

This is a bit hard to review as is. Could you separate in multiple logical commits? For example, the changes to take monitor into account in existing traces (what #12561 is about) could be one commit, new traces would be another commit, and general cleanups (e.g., new comments) would be a last commit.

navarrothiago · 2021-05-24T20:57:02Z

new traces would be another commit

Thank you for you comments. Sorry, but I did not understand you. What do you mean by new traces? AFAIU, the issue is related to this comment, right? So, new trace would be the issue. Let me know if I got your point.

UPDATE: I believe I got your point now. You refer send_trace_notify(ctx, TRACE_TO_NETWORK, 0, 0, 0, 0, ret, monitor); in a separate commit, right? I will do that.

UPDATE: Done! Sorry about the misunderstood. Let me know if I am aligned with what you have suggested!

pchaigno

I think we should exclude the second commit for now. The other two commits look 👍 to me.

Please don't forget to add Timo has a coauthor of the last commit (via Signed-off-by, Co-authored-by, or both).

pchaigno · 2021-05-26T13:15:23Z

@navarrothiago Could you also fix the second commit's title? Right now, I doesn't provide any useful/actionable information.

See the issue below for the full context. The caveat is, this program is only attached to the native device egress if the host firewall is enabled, so there still won't be any TRACE_TO_NETWORK visibility if that's not the case. bpf_host: emit '-> network' traces for packets leaving the node when Host Firewall are enabled Based on: cilium#13485 Fixes: cilium#12561 Co-authored-by: Thiago Navarro <navarro@accuknox.com> Signed-off-by: Timo Beckers <timo@isovalent.com> Signed-off-by: Thiago Navarro <navarro@accuknox.com>

Besides, cleans up with some comments and applies code style Co-authored-by: Thiago Navarro <navarro@accuknox.com> Signed-off-by: Timo Beckers <timo@isovalent.com> Signed-off-by: Thiago Navarro <navarro@accuknox.com>

pchaigno · 2021-05-26T19:32:41Z

test-me-please

The checkpatch failure can be ignored.

navarrothiago · 2021-05-27T12:43:30Z

@pchaigno, should we re-trigger the jobs?

pchaigno · 2021-05-27T13:33:23Z

test-runtime

pchaigno · 2021-05-27T17:15:28Z

Team reviews are covered and tests are passing. Marking as ready to merge.

maintainer-s-little-helper Bot added the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label May 11, 2021

navarrothiago force-pushed the pr/host-firewall-monitor/12561 branch 5 times, most recently from 74da421 to 6e02e2b Compare May 11, 2021 18:12

navarrothiago marked this pull request as ready for review May 13, 2021 23:18

navarrothiago requested review from a team and jrfastab May 13, 2021 23:18

maintainer-s-little-helper Bot assigned jrfastab May 13, 2021

navarrothiago force-pushed the pr/host-firewall-monitor/12561 branch 2 times, most recently from 5d03a1c to a58c86c Compare May 17, 2021 13:36

pchaigno reviewed May 21, 2021

View reviewed changes

Comment thread bpf/lib/common.h Outdated

Comment thread bpf/lib/trace.h Outdated

maintainer-s-little-helper Bot removed the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label May 21, 2021

navarrothiago marked this pull request as draft May 24, 2021 14:57

navarrothiago force-pushed the pr/host-firewall-monitor/12561 branch from a58c86c to e5dbe84 Compare May 24, 2021 20:47

navarrothiago marked this pull request as ready for review May 24, 2021 21:04

navarrothiago requested a review from pchaigno May 24, 2021 21:04

maintainer-s-little-helper Bot assigned pchaigno May 24, 2021

navarrothiago marked this pull request as draft May 25, 2021 15:30

navarrothiago force-pushed the pr/host-firewall-monitor/12561 branch 2 times, most recently from c74e442 to 72cad26 Compare May 25, 2021 18:55

navarrothiago marked this pull request as ready for review May 25, 2021 19:56

pchaigno requested changes May 26, 2021

View reviewed changes

Comment thread bpf/lib/nodeport.h Outdated

navarrothiago force-pushed the pr/host-firewall-monitor/12561 branch from 72cad26 to 6eba8ab Compare May 26, 2021 13:04

navarrothiago force-pushed the pr/host-firewall-monitor/12561 branch from 6eba8ab to 5a1b385 Compare May 26, 2021 14:19

navarrothiago force-pushed the pr/host-firewall-monitor/12561 branch from 5a1b385 to 9758957 Compare May 26, 2021 14:26

bpf: adds handle_to_netdev_ipv4() to clean up to_netdev()

84f7f14

Besides, cleans up with some comments and applies code style Co-authored-by: Thiago Navarro <navarro@accuknox.com> Signed-off-by: Timo Beckers <timo@isovalent.com> Signed-off-by: Thiago Navarro <navarro@accuknox.com>

navarrothiago force-pushed the pr/host-firewall-monitor/12561 branch from 9758957 to 84f7f14 Compare May 26, 2021 14:28

navarrothiago requested a review from pchaigno May 26, 2021 14:29

pchaigno approved these changes May 26, 2021

View reviewed changes

maintainer-s-little-helper Bot unassigned pchaigno May 26, 2021

pchaigno added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label May 27, 2021

aanm merged commit 4e7ea3b into cilium:master May 28, 2021

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

bpf_host: emit '-> network' traces for egress packets#16082

bpf_host: emit '-> network' traces for egress packets#16082
aanm merged 2 commits intocilium:masterfrom
navarrothiago:pr/host-firewall-monitor/12561

navarrothiago commented May 11, 2021 •

edited

Loading

Uh oh!

pchaigno left a comment

Uh oh!

Uh oh!

Uh oh!

navarrothiago commented May 24, 2021 •

edited

Loading

Uh oh!

pchaigno left a comment

Uh oh!

Uh oh!

pchaigno commented May 26, 2021

Uh oh!

pchaigno commented May 26, 2021 •

edited

Loading

Uh oh!

navarrothiago commented May 27, 2021

Uh oh!

pchaigno commented May 27, 2021

Uh oh!

pchaigno commented May 27, 2021

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

5 participants

Conversation

navarrothiago commented May 11, 2021 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

pchaigno left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

navarrothiago commented May 24, 2021 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

pchaigno left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

pchaigno commented May 26, 2021

Uh oh!

pchaigno commented May 26, 2021 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

navarrothiago commented May 27, 2021

Uh oh!

pchaigno commented May 27, 2021

Uh oh!

pchaigno commented May 27, 2021

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

5 participants

navarrothiago commented May 11, 2021 •

edited

Loading

navarrothiago commented May 24, 2021 •

edited

Loading

pchaigno commented May 26, 2021 •

edited

Loading