elastic / ebpf

Elastic's eBPF

Add option to allow IP subnets #27

Closed stanek-michal closed 3 years ago

stanek-michal commented 3 years ago

The allowed_subnets map will contain user-defined IPs and subnets. The allowed_IPs map will now only be used by the KprobeConnectHook program to dynamically add destination IPs that allowed processes want to connect to.

The TcFilter network filter checks both maps and allows the packet to be transmitted if it finds a match in either map.
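The two-map decision described above, as an added userspace model that is not the elastic/ebpf code: the kernel program would consult a BPF_MAP_TYPE_LPM_TRIE for the user-defined subnets and a hash map for the dynamically added exact IPs, while here both maps are plain arrays so the verdict logic can be run and checked on its own. The function and map names below (add_allowed_subnet, add_allowed_ip, tc_filter_allows, clear_maps) are assumptions chosen for the example, not identifiers from the PR.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>

/* Added example: a userspace stand-in for the two maps the PR describes.
 * allowed_subnets holds user-configured CIDRs, allowed_ips holds exact
 * destinations added at connect time. The filter passes a packet if its
 * destination matches either map. Names and layout are assumptions. */

#define MAX_ENTRIES 64

struct subnet { uint32_t prefix; uint8_t len; };   /* host byte order */

static struct subnet allowed_subnets[MAX_ENTRIES];
static size_t n_subnets;
static uint32_t allowed_ips[MAX_ENTRIES];
static size_t n_ips;

/* Parse a dotted-quad IPv4 string into host byte order; 1 on success. */
static int parse_ipv4(const char *s, uint32_t *out) {
    struct in_addr a;
    if (inet_pton(AF_INET, s, &a) != 1) return 0;
    *out = ntohl(a.s_addr);
    return 1;
}

/* Insert "a.b.c.d/len" (or a bare address, treated as /32) into the subnet
 * map. Rejects malformed input and prefix lengths above 32. */
int add_allowed_subnet(const char *cidr) {
    char buf[32];
    unsigned len = 32;
    uint32_t prefix;
    if (n_subnets >= MAX_ENTRIES || strlen(cidr) >= sizeof buf) return 0;
    strcpy(buf, cidr);
    char *slash = strchr(buf, '/');
    if (slash) {
        *slash = '\0';
        if (sscanf(slash + 1, "%u", &len) != 1 || len > 32) return 0;
    }
    if (!parse_ipv4(buf, &prefix)) return 0;
    allowed_subnets[n_subnets++] = (struct subnet){ prefix, (uint8_t)len };
    return 1;
}

/* Insert an exact destination into the dynamic IP map; 1 on success. */
int add_allowed_ip(const char *ip) {
    uint32_t v;
    if (n_ips >= MAX_ENTRIES || !parse_ipv4(ip, &v)) return 0;
    allowed_ips[n_ips++] = v;
    return 1;
}

/* Longest-prefix style match: compare only the top `len` bits.
 * len == 0 is handled separately because a 32-bit shift is undefined. */
static int subnet_match(uint32_t ip, const struct subnet *s) {
    uint32_t mask = s->len == 0 ? 0u : 0xFFFFFFFFu << (32 - s->len);
    return (ip & mask) == (s->prefix & mask);
}

/* Filter verdict for a destination address: 1 = pass, 0 = drop.
 * Unparseable input is dropped rather than passed. */
int tc_filter_allows(const char *dst) {
    uint32_t ip;
    if (!parse_ipv4(dst, &ip)) return 0;
    for (size_t i = 0; i < n_subnets; i++)
        if (subnet_match(ip, &allowed_subnets[i])) return 1;
    for (size_t i = 0; i < n_ips; i++)
        if (allowed_ips[i] == ip) return 1;
    return 0;
}

/* Empty both maps so a reload over pre-existing entries starts clean. */
void clear_maps(void) {
    n_subnets = 0;
    n_ips = 0;
}

int main(void) {
    clear_maps();
    add_allowed_subnet("10.0.0.0/8");        /* constructed sample config */
    add_allowed_subnet("192.168.1.0/24");
    add_allowed_ip("203.0.113.7");           /* constructed dynamic entry */
    const char *dsts[] = { "10.12.1.1", "192.168.2.1", "203.0.113.7", "203.0.113.8" };
    for (size_t i = 0; i < sizeof dsts / sizeof dsts[0]; i++)
        printf("%-14s -> %s\n", dsts[i], tc_filter_allows(dsts[i]) ? "allow" : "drop");
    return 0;
}
```

The order of the two lookups does not change the verdict, since either match is sufficient; the subnet map is checked first only because a configured range is the common case. A real LPM trie does the prefix comparison in the kernel, but the masking shown in subnet_match is the same test it performs.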

fntlnz commented 3 years ago

Good job, I'll look into this tomorrow if it's not merged yet!

stanek-michal commented 3 years ago

I'm curious if you've run this through the new ebpf Jenkins job?

https://endgame-ci.elastic.co/job/elastic+ebpf+multibranch+pipeline/view/change-requests/

I'm not sure of the test coverage, though, so maybe this wouldn't be fully tested.

I just ran it and it looks like it succeeded. I will work on adding some specific subnet tests in TcFilterTest after FF.

cla-checker-service[bot] commented 3 years ago

💚 CLA has been signed

stanek-michal commented 3 years ago

A couple of comments, but nothing to hold up this PR.

I'll make a note to fix those in the next PR if you don't mind.

stanek-michal commented 3 years ago

I fixed a bug in ebpf_clear_map() which showed up in Endpoint testing (in a scenario where the eBPF map already contained some entries). All tests pass now.

fntlnz commented 3 years ago

Good job @stanek-michal, I did a review of this and the code looked good to me. I didn't have a chance (had issues with my environment) to run the prog test run tests in this repo and see if they cover the new use case.

I'll test those and, in case there are any tests not passing, I'll open an issue. I suspect not, however.