search

netobserv / netobserv-ebpf-agent

Network Observability eBPF Agent
Apache License 2.0
116 stars 29 forks source link

NETOBSERV-1478: Add eBPF Agent filtering capability #307

Closed msherif1234 closed 2 months ago

msherif1234 commented 3 months ago

Description

This PR allow provisioning global filter to limit what goes to eBPF flows table this also fix #266

Dependencies

n/a

Checklist

If you are not familiar with our processes or don't know what to answer in the list below, let us know in a comment: the maintainers will take care of that.

openshift-ci-robot commented 3 months ago

@msherif1234: This pull request references NETOBSERV-1478 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.16.0" version, but no target version was set.

In response to [this](https://github.com/netobserv/netobserv-ebpf-agent/pull/307): >## Description > >This PR allow provisioning global filter to limit what goes to eBPF table >based on filter rule direction user has to provision ipCIDR based on this rule >- Direction: Ingress , use srcIP CIDR >- Direction: Egress, use dstIP CIDR > >The following shows example of provision this feature >```shell > >sudo TARGET_HOST=127.0.0.1 TARGET_PORT=9999 ENABLE_FLOW_FILTER=true FLOW_FILTER_IP_CIDR="172.253.122.1/24" FLOW_FILTER_DIRECTION="ingress" FLOW_FILTER_PROTOCOL="tcp" FLOW_FILTER_SOURCE_PORT=80 LOG_LEVEL="trace" METRICS_ENABLE=true ./bin/netobserv-ebpf-agent >``` >The above rule provision ingress filter rule so the source CIDR is `172.253.122.1/24` for protocol `TCP` with srcPort `80` which is the configuration to match my test with >`curl google.com` > >I also enabled metrics because we counter to show flows been filtered > >### UT >- run the above standalone agent command >- from another xterm run `curl -4 google.com -v` >- from another xterm check metrics and ebpf map content and logs >```shell >curl 127.0.0.1:9090/metrics | grep Filter > % Total % Received % Xferd Average Speed Time Time Time Current > Dload Upload Total Spent Left Speed >100 8318 0 8318 0 0 3062k 0 --:--:-- --:--ebpf_agent_dropped_flows_total{reason="FlowFilterDropCounter",source="flow-fetcher"} 1076 >:-- --:--:-- 4061k > >udo bpftool map dump id 211 >[{ > "key": { > "prefix_len": 24, > "ip_data": [172,253,122,1,0,0,0,0,0,0,0,0,0,0,0,0 > ] > }, > "value": { > "protocol": 6, > "dstPortStart": 0, > "dstPortEnd": 0, > "srcPortStart": 80, > "srcPortEnd": 0, > "icmpType": 0, > "icmpCode": 0, > "direction": "INGRESS", > "ip": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 > ] > } > } >] > > irq/177-iwlwifi-1194 [010] ..s2. 6252.626434: bpf_trace_printk: ip_filter: > irq/177-iwlwifi-1194 [010] ..s2. 6252.626438: bpf_trace_printk: 172 > irq/177-iwlwifi-1194 [010] ..s2. 6252.626438: bpf_trace_printk: 253 > irq/177-iwlwifi-1194 [010] ..s2. 6252.626438: bpf_trace_printk: 122 > irq/177-iwlwifi-1194 [010] ..s2. 6252.626438: bpf_trace_printk: 101 > irq/177-iwlwifi-1194 [010] ..s2. 6252.626438: bpf_trace_printk: 0 > irq/177-iwlwifi-1194 [010] ..s2. 6252.626439: bpf_trace_printk: 0 > irq/177-iwlwifi-1194 [010] ..s2. 6252.626439: bpf_trace_printk: 0 > irq/177-iwlwifi-1194 [010] ..s2. 6252.626439: bpf_trace_printk: 0 > irq/177-iwlwifi-1194 [010] ..s2. 6252.626439: bpf_trace_printk: 0 > irq/177-iwlwifi-1194 [010] ..s2. 6252.626439: bpf_trace_printk: 0 > irq/177-iwlwifi-1194 [010] ..s2. 6252.626440: bpf_trace_printk: 0 > irq/177-iwlwifi-1194 [010] ..s2. 6252.626440: bpf_trace_printk: 0 > irq/177-iwlwifi-1194 [010] ..s2. 6252.626440: bpf_trace_printk: 0 > irq/177-iwlwifi-1194 [010] ..s2. 6252.626440: bpf_trace_printk: 0 > irq/177-iwlwifi-1194 [010] ..s2. 6252.626440: bpf_trace_printk: 0 > irq/177-iwlwifi-1194 [010] ..s2. 6252.626440: bpf_trace_printk: 0 > irq/177-iwlwifi-1194 [010] ..s2. 6252.626441: bpf_trace_printk: > > irq/177-iwlwifi-1194 [010] ..s2. 6252.626441: bpf_trace_printk: rule found > > irq/177-iwlwifi-1194 [010] ..s2. 6252.626442: bpf_trace_printk: srcPortStart matched > > irq/177-iwlwifi-1194 [010] ..s2. 6252.626442: bpf_trace_printk: direction matched > > irq/177-iwlwifi-1194 [010] ..s2. 6252.626443: bpf_trace_printk: result: 2 > >``` >## Dependencies > > >n/a > >## Checklist > >If you are not familiar with our processes or don't know what to answer in the list below, let us know in a comment: the maintainers will take care of that. > >* [ ] Will this change affect NetObserv / Network Observability operator? If not, you can ignore the rest of this checklist. >* [ ] Is this PR backed with a JIRA ticket? If so, make sure it is written as a title prefix _(in general, PRs affecting the NetObserv/Network Observability product should be backed with a JIRA ticket - especially if they bring user facing changes)._ >* [ ] Does this PR require product documentation? > * [ ] If so, make sure the JIRA epic is labelled with "documentation" and provides a description relevant for doc writers, such as use cases or scenarios. Any required step to activate or configure the feature should be documented there, such as new CRD knobs. >* [ ] Does this PR require a product release notes entry? > * [ ] If so, fill in "Release Note Text" in the JIRA. >* [ ] Is there anything else the QE team should know before testing? E.g: configuration changes, environment setup, etc. > * [ ] If so, make sure it is described in the JIRA ticket. >* QE requirements (check 1 from the list): > * [ ] Standard QE validation, with pre-merge tests unless stated otherwise. > * [ ] Regression tests only (e.g. refactoring with no user-facing change). > * [ ] No QE (e.g. trivial change with high reviewer's confidence, or per agreement with the QE team). > Instructions for interacting with me using PR comments are available [here](https://prow.ci.openshift.org/command-help?repo=netobserv%2Fnetobserv-ebpf-agent). If you have questions or suggestions related to my behavior, please file an issue against the [openshift-eng/jira-lifecycle-plugin](https://github.com/openshift-eng/jira-lifecycle-plugin/issues/new) repository.
openshift-ci-robot commented 3 months ago

@msherif1234: This pull request references NETOBSERV-1478 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.16.0" version, but no target version was set.

In response to [this](https://github.com/netobserv/netobserv-ebpf-agent/pull/307): >## Description > >This PR allow provisioning global filter to limit what goes to eBPF table >based on filter rule direction user has to provision ipCIDR based on this rule >- Direction: Ingress , use srcIP CIDR >- Direction: Egress, use dstIP CIDR > >The following shows example of provision this feature >```shell > >sudo TARGET_HOST=127.0.0.1 TARGET_PORT=9999 ENABLE_FLOW_FILTER=true FLOW_FILTER_IP_CIDR="172.253.122.1/24" FLOW_FILTER_DIRECTION="ingress" FLOW_FILTER_PROTOCOL="tcp" FLOW_FILTER_SOURCE_PORT=80 LOG_LEVEL="trace" METRICS_ENABLE=true ./bin/netobserv-ebpf-agent >``` >The above rule provision ingress filter rule so the source CIDR is `172.253.122.1/24` for protocol `TCP` with srcPort `80` which is the configuration to match my test with >`curl google.com` > >I also enabled metrics because we counter to show flows been filtered > >### UT >- run the above standalone agent command >- from another xterm run `curl -4 google.com -v` >- from another xterm check metrics and ebpf map content and logs >```shell >curl 127.0.0.1:9090/metrics | grep Filter > % Total % Received % Xferd Average Speed Time Time Time Current > Dload Upload Total Spent Left Speed >100 8318 0 8318 0 0 3062k 0 --:--:-- --:--ebpf_agent_dropped_flows_total{reason="FlowFilterDropCounter",source="flow-fetcher"} 1076 >:-- --:--:-- 4061k > >sudo bpftool map dump id 211 >[{ > "key": { > "prefix_len": 24, > "ip_data": [172,253,122,1,0,0,0,0,0,0,0,0,0,0,0,0 > ] > }, > "value": { > "protocol": 6, > "dstPortStart": 0, > "dstPortEnd": 0, > "srcPortStart": 80, > "srcPortEnd": 0, > "icmpType": 0, > "icmpCode": 0, > "direction": "INGRESS", > "ip": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 > ] > } > } >] > > irq/177-iwlwifi-1194 [010] ..s2. 6252.626434: bpf_trace_printk: ip_filter: > irq/177-iwlwifi-1194 [010] ..s2. 6252.626438: bpf_trace_printk: 172 > irq/177-iwlwifi-1194 [010] ..s2. 6252.626438: bpf_trace_printk: 253 > irq/177-iwlwifi-1194 [010] ..s2. 6252.626438: bpf_trace_printk: 122 > irq/177-iwlwifi-1194 [010] ..s2. 6252.626438: bpf_trace_printk: 101 > irq/177-iwlwifi-1194 [010] ..s2. 6252.626438: bpf_trace_printk: 0 > irq/177-iwlwifi-1194 [010] ..s2. 6252.626439: bpf_trace_printk: 0 > irq/177-iwlwifi-1194 [010] ..s2. 6252.626439: bpf_trace_printk: 0 > irq/177-iwlwifi-1194 [010] ..s2. 6252.626439: bpf_trace_printk: 0 > irq/177-iwlwifi-1194 [010] ..s2. 6252.626439: bpf_trace_printk: 0 > irq/177-iwlwifi-1194 [010] ..s2. 6252.626439: bpf_trace_printk: 0 > irq/177-iwlwifi-1194 [010] ..s2. 6252.626440: bpf_trace_printk: 0 > irq/177-iwlwifi-1194 [010] ..s2. 6252.626440: bpf_trace_printk: 0 > irq/177-iwlwifi-1194 [010] ..s2. 6252.626440: bpf_trace_printk: 0 > irq/177-iwlwifi-1194 [010] ..s2. 6252.626440: bpf_trace_printk: 0 > irq/177-iwlwifi-1194 [010] ..s2. 6252.626440: bpf_trace_printk: 0 > irq/177-iwlwifi-1194 [010] ..s2. 6252.626440: bpf_trace_printk: 0 > irq/177-iwlwifi-1194 [010] ..s2. 6252.626441: bpf_trace_printk: > > irq/177-iwlwifi-1194 [010] ..s2. 6252.626441: bpf_trace_printk: rule found > > irq/177-iwlwifi-1194 [010] ..s2. 6252.626442: bpf_trace_printk: srcPortStart matched > > irq/177-iwlwifi-1194 [010] ..s2. 6252.626442: bpf_trace_printk: direction matched > > irq/177-iwlwifi-1194 [010] ..s2. 6252.626443: bpf_trace_printk: result: 2 > >``` >## Dependencies > > >n/a > >## Checklist > >If you are not familiar with our processes or don't know what to answer in the list below, let us know in a comment: the maintainers will take care of that. > >* [ ] Will this change affect NetObserv / Network Observability operator? If not, you can ignore the rest of this checklist. >* [ ] Is this PR backed with a JIRA ticket? If so, make sure it is written as a title prefix _(in general, PRs affecting the NetObserv/Network Observability product should be backed with a JIRA ticket - especially if they bring user facing changes)._ >* [ ] Does this PR require product documentation? > * [ ] If so, make sure the JIRA epic is labelled with "documentation" and provides a description relevant for doc writers, such as use cases or scenarios. Any required step to activate or configure the feature should be documented there, such as new CRD knobs. >* [ ] Does this PR require a product release notes entry? > * [ ] If so, fill in "Release Note Text" in the JIRA. >* [ ] Is there anything else the QE team should know before testing? E.g: configuration changes, environment setup, etc. > * [ ] If so, make sure it is described in the JIRA ticket. >* QE requirements (check 1 from the list): > * [ ] Standard QE validation, with pre-merge tests unless stated otherwise. > * [ ] Regression tests only (e.g. refactoring with no user-facing change). > * [ ] No QE (e.g. trivial change with high reviewer's confidence, or per agreement with the QE team). > Instructions for interacting with me using PR comments are available [here](https://prow.ci.openshift.org/command-help?repo=netobserv%2Fnetobserv-ebpf-agent). If you have questions or suggestions related to my behavior, please file an issue against the [openshift-eng/jira-lifecycle-plugin](https://github.com/openshift-eng/jira-lifecycle-plugin/issues/new) repository.
codecov-commenter commented 3 months ago

Codecov Report

Attention: Patch coverage is 31.65829% with 136 lines in your changes are missing coverage. Please review.

Project coverage is 33.91%. Comparing base (cb2cf53) to head (28bce79). Report is 1 commits behind head on main.

Files Patch % Lines
pkg/ebpf/flow_filter.go 43.66% 71 Missing and 9 partials :warning:
pkg/ebpf/tracer.go 0.00% 36 Missing :warning:
pkg/agent/agent.go 0.00% 19 Missing :warning:
pkg/ebpf/bpf_x86_bpfel.go 0.00% 1 Missing :warning:
Additional details and impacted files ```diff @@ Coverage Diff @@ ## main #307 +/- ## ========================================== + Coverage 33.63% 33.91% +0.27% ========================================== Files 47 48 +1 Lines 3865 4043 +178 ========================================== + Hits 1300 1371 +71 - Misses 2477 2575 +98 - Partials 88 97 +9 ``` | [Flag](https://app.codecov.io/gh/netobserv/netobserv-ebpf-agent/pull/307/flags?src=pr&el=flags&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=netobserv) | Coverage Δ | | |---|---|---| | [unittests](https://app.codecov.io/gh/netobserv/netobserv-ebpf-agent/pull/307/flags?src=pr&el=flag&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=netobserv) | `33.91% <31.65%> (+0.27%)` | :arrow_up: | Flags with carried forward coverage won't be shown. [Click here](https://docs.codecov.io/docs/carryforward-flags?utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=netobserv#carryforward-flags-in-the-pull-request-comment) to find out more.

:umbrella: View full report in Codecov by Sentry.
:loudspeaker: Have feedback on the report? Share it here.

openshift-ci-robot commented 3 months ago

@msherif1234: This pull request references NETOBSERV-1478 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.16.0" version, but no target version was set.

In response to [this](https://github.com/netobserv/netobserv-ebpf-agent/pull/307): >## Description > >This PR allow provisioning global filter to limit what goes to eBPF table >based on filter rule direction user has to provision ipCIDR based on this rule >- Direction: Ingress , use srcIP CIDR >- Direction: Egress, use dstIP CIDR >this also fix #266 >The following shows example of provision this feature >```shell > >sudo TARGET_HOST=127.0.0.1 TARGET_PORT=9999 ENABLE_FLOW_FILTER=true FLOW_FILTER_IP_CIDR="172.253.122.1/24" FLOW_FILTER_DIRECTION="ingress" FLOW_FILTER_PROTOCOL="tcp" FLOW_FILTER_SOURCE_PORT=80 LOG_LEVEL="trace" METRICS_ENABLE=true ./bin/netobserv-ebpf-agent >``` >The above rule provision ingress filter rule so the source CIDR is `172.253.122.1/24` for protocol `TCP` with srcPort `80` which is the configuration to match my test with >`curl google.com` > >I also enabled metrics because we counter to show flows been filtered > >### UT >- run the above standalone agent command >- from another xterm run `curl -4 google.com -v` >- from another xterm check metrics and ebpf map content and logs >```shell >curl 127.0.0.1:9090/metrics | grep Filter > % Total % Received % Xferd Average Speed Time Time Time Current > Dload Upload Total Spent Left Speed >100 8318 0 8318 0 0 3062k 0 --:--:-- --:--ebpf_agent_dropped_flows_total{reason="FlowFilterDropCounter",source="flow-fetcher"} 1076 >:-- --:--:-- 4061k > >sudo bpftool map dump id 211 >[{ > "key": { > "prefix_len": 24, > "ip_data": [172,253,122,1,0,0,0,0,0,0,0,0,0,0,0,0 > ] > }, > "value": { > "protocol": 6, > "dstPortStart": 0, > "dstPortEnd": 0, > "srcPortStart": 80, > "srcPortEnd": 0, > "icmpType": 0, > "icmpCode": 0, > "direction": "INGRESS", > "ip": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 > ] > } > } >] > > irq/177-iwlwifi-1194 [010] ..s2. 6252.626434: bpf_trace_printk: ip_filter: > irq/177-iwlwifi-1194 [010] ..s2. 6252.626438: bpf_trace_printk: 172 > irq/177-iwlwifi-1194 [010] ..s2. 6252.626438: bpf_trace_printk: 253 > irq/177-iwlwifi-1194 [010] ..s2. 6252.626438: bpf_trace_printk: 122 > irq/177-iwlwifi-1194 [010] ..s2. 6252.626438: bpf_trace_printk: 101 > irq/177-iwlwifi-1194 [010] ..s2. 6252.626438: bpf_trace_printk: 0 > irq/177-iwlwifi-1194 [010] ..s2. 6252.626439: bpf_trace_printk: 0 > irq/177-iwlwifi-1194 [010] ..s2. 6252.626439: bpf_trace_printk: 0 > irq/177-iwlwifi-1194 [010] ..s2. 6252.626439: bpf_trace_printk: 0 > irq/177-iwlwifi-1194 [010] ..s2. 6252.626439: bpf_trace_printk: 0 > irq/177-iwlwifi-1194 [010] ..s2. 6252.626439: bpf_trace_printk: 0 > irq/177-iwlwifi-1194 [010] ..s2. 6252.626440: bpf_trace_printk: 0 > irq/177-iwlwifi-1194 [010] ..s2. 6252.626440: bpf_trace_printk: 0 > irq/177-iwlwifi-1194 [010] ..s2. 6252.626440: bpf_trace_printk: 0 > irq/177-iwlwifi-1194 [010] ..s2. 6252.626440: bpf_trace_printk: 0 > irq/177-iwlwifi-1194 [010] ..s2. 6252.626440: bpf_trace_printk: 0 > irq/177-iwlwifi-1194 [010] ..s2. 6252.626440: bpf_trace_printk: 0 > irq/177-iwlwifi-1194 [010] ..s2. 6252.626441: bpf_trace_printk: > > irq/177-iwlwifi-1194 [010] ..s2. 6252.626441: bpf_trace_printk: rule found > > irq/177-iwlwifi-1194 [010] ..s2. 6252.626442: bpf_trace_printk: srcPortStart matched > > irq/177-iwlwifi-1194 [010] ..s2. 6252.626442: bpf_trace_printk: direction matched > > irq/177-iwlwifi-1194 [010] ..s2. 6252.626443: bpf_trace_printk: result: 2 > >``` >## Dependencies > > >n/a > >## Checklist > >If you are not familiar with our processes or don't know what to answer in the list below, let us know in a comment: the maintainers will take care of that. > >* [ ] Will this change affect NetObserv / Network Observability operator? If not, you can ignore the rest of this checklist. >* [ ] Is this PR backed with a JIRA ticket? If so, make sure it is written as a title prefix _(in general, PRs affecting the NetObserv/Network Observability product should be backed with a JIRA ticket - especially if they bring user facing changes)._ >* [ ] Does this PR require product documentation? > * [ ] If so, make sure the JIRA epic is labelled with "documentation" and provides a description relevant for doc writers, such as use cases or scenarios. Any required step to activate or configure the feature should be documented there, such as new CRD knobs. >* [ ] Does this PR require a product release notes entry? > * [ ] If so, fill in "Release Note Text" in the JIRA. >* [ ] Is there anything else the QE team should know before testing? E.g: configuration changes, environment setup, etc. > * [ ] If so, make sure it is described in the JIRA ticket. >* QE requirements (check 1 from the list): > * [ ] Standard QE validation, with pre-merge tests unless stated otherwise. > * [ ] Regression tests only (e.g. refactoring with no user-facing change). > * [ ] No QE (e.g. trivial change with high reviewer's confidence, or per agreement with the QE team). > Instructions for interacting with me using PR comments are available [here](https://prow.ci.openshift.org/command-help?repo=netobserv%2Fnetobserv-ebpf-agent). If you have questions or suggestions related to my behavior, please file an issue against the [openshift-eng/jira-lifecycle-plugin](https://github.com/openshift-eng/jira-lifecycle-plugin/issues/new) repository.
openshift-ci-robot commented 3 months ago

@msherif1234: This pull request references NETOBSERV-1478 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.16.0" version, but no target version was set.

In response to [this](https://github.com/netobserv/netobserv-ebpf-agent/pull/307): >## Description > >This PR allow provisioning global filter to limit what goes to eBPF table >based on filter rule direction user has to provision ipCIDR based on this rule >- Direction: Ingress , use srcIP CIDR >- Direction: Egress, use dstIP CIDR >this also fix #266 >The following shows example of provision this feature >```shell >sudo TARGET_HOST=127.0.0.1 TARGET_PORT=9999 ENABLE_FLOW_FILTER=true FLOW_FILTER_IP_CIDR="172.253.122.1/24" FLOW_FILTER_DIRECTION="ingress" FLOW_FILTER_PROTOCOL="tcp" FLOW_FILTER_SOURCE_PORT=80 FLOW_FILTER_IP="192.168.1.253" LOG_LEVEL="trace" METRICS_ENABLE=true ./bin/netobserv-ebpf-agent > >``` >The above rule provision ingress filter rule so the source CIDR is `172.253.122.1/24` for protocol `TCP` with srcPort `80` which is the configuration to match my test with >`curl google.com` > >I also enabled metrics because we counter to show flows been filtered > >### UT >- run the above standalone agent command >- from another xterm run `curl -4 google.com -v` >- from another xterm check metrics and ebpf map content and logs >```shell >curl 127.0.0.1:9090/metrics | grep Filter > % Total % Received % Xferd Average Speed Time Time Time Current > Dload Upload Total Spent Left Speed >100 8318 0 8318 0 0 3062k 0 --:--:-- --:--ebpf_agent_dropped_flows_total{reason="FlowFilterDropCounter",source="flow-fetcher"} 1076 >:-- --:--:-- 4061k > > sudo bpftool map dump id 273 -p >[{ > "key": ["0x18","0x00","0x00","0x00","0xac","0xfd","0x7a","0x01","0x00","0x00","0x00","0x00","0x00","0x00","0x00","0x00","0x00","0x00","0x00","0x00" > ], > "value": ["0x06","0x00","0x00","0x00","0x00","0x50","0x00","0x00","0x00","0x00","0x00","0x00","0x00","0x00","0x00","0xc0","0xa8","0x01","0xfd","0x00","0x00","0x00","0x00","0x00","0x00","0x00","0x00","0x00","0x00","0x00","0x00" > ], > "formatted": { > "key": { > "prefix_len": 24, > "ip_data": [172,253,122,1,0,0,0,0,0,0,0,0,0,0,0,0 > ] > }, > "value": { > "protocol": 6, > "dstPortStart": 0, > "dstPortEnd": 0, > "srcPortStart": 80, > "srcPortEnd": 0, > "icmpType": 0, > "icmpCode": 0, > "direction": "INGRESS", > "ip": [192,168,1,253,0,0,0,0,0,0,0,0,0,0,0,0 > ] > } > } > } >] > >irq/170-iwlwifi-1187 [003] ..s2. 14437.549100: bpf_trace_printk: ip_filter: > irq/170-iwlwifi-1187 [003] ..s2. 14437.549111: bpf_trace_printk: 172 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549112: bpf_trace_printk: 253 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549113: bpf_trace_printk: 122 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549113: bpf_trace_printk: 101 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549114: bpf_trace_printk: 0 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549115: bpf_trace_printk: 0 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549116: bpf_trace_printk: 0 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549116: bpf_trace_printk: 0 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549117: bpf_trace_printk: 0 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549118: bpf_trace_printk: 0 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549118: bpf_trace_printk: 0 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549119: bpf_trace_printk: 0 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549119: bpf_trace_printk: 0 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549120: bpf_trace_printk: 0 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549121: bpf_trace_printk: 0 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549121: bpf_trace_printk: 0 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549122: bpf_trace_printk: > > irq/170-iwlwifi-1187 [003] ..s2. 14437.549124: bpf_trace_printk: rule found > > irq/170-iwlwifi-1187 [003] ..s2. 14437.549125: bpf_trace_printk: srcPortStart matched > > irq/170-iwlwifi-1187 [003] ..s2. 14437.549127: bpf_trace_printk: ip not zero ip[0]:192 > > irq/170-iwlwifi-1187 [003] ..s2. 14437.549129: bpf_trace_printk: dstIP matched > > irq/170-iwlwifi-1187 [003] ..s2. 14437.549130: bpf_trace_printk: direction matched > > irq/170-iwlwifi-1187 [003] ..s2. 14437.549131: bpf_trace_printk: result: 3 > > >``` >## Dependencies > > >n/a > >## Checklist > >If you are not familiar with our processes or don't know what to answer in the list below, let us know in a comment: the maintainers will take care of that. > >* [ ] Will this change affect NetObserv / Network Observability operator? If not, you can ignore the rest of this checklist. >* [ ] Is this PR backed with a JIRA ticket? If so, make sure it is written as a title prefix _(in general, PRs affecting the NetObserv/Network Observability product should be backed with a JIRA ticket - especially if they bring user facing changes)._ >* [ ] Does this PR require product documentation? > * [ ] If so, make sure the JIRA epic is labelled with "documentation" and provides a description relevant for doc writers, such as use cases or scenarios. Any required step to activate or configure the feature should be documented there, such as new CRD knobs. >* [ ] Does this PR require a product release notes entry? > * [ ] If so, fill in "Release Note Text" in the JIRA. >* [ ] Is there anything else the QE team should know before testing? E.g: configuration changes, environment setup, etc. > * [ ] If so, make sure it is described in the JIRA ticket. >* QE requirements (check 1 from the list): > * [ ] Standard QE validation, with pre-merge tests unless stated otherwise. > * [ ] Regression tests only (e.g. refactoring with no user-facing change). > * [ ] No QE (e.g. trivial change with high reviewer's confidence, or per agreement with the QE team). > Instructions for interacting with me using PR comments are available [here](https://prow.ci.openshift.org/command-help?repo=netobserv%2Fnetobserv-ebpf-agent). If you have questions or suggestions related to my behavior, please file an issue against the [openshift-eng/jira-lifecycle-plugin](https://github.com/openshift-eng/jira-lifecycle-plugin/issues/new) repository.
openshift-ci-robot commented 3 months ago

@msherif1234: This pull request references NETOBSERV-1478 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.16.0" version, but no target version was set.

In response to [this](https://github.com/netobserv/netobserv-ebpf-agent/pull/307): >## Description > >This PR allow provisioning global filter to limit what goes to eBPF table >based on filter rule direction user has to provision ipCIDR based on this rule >- Direction: Ingress , use srcIP CIDR >- Direction: Egress, use dstIP CIDR >this also fix #266 > >### Supported options >- `ENABLE_FLOW_FILTER` knob to enable flow filtering feature `required` >- `FLOW_FILTER_DIRECTION` direction to apply the filtering rule on `required` >- `FLOW_FILTER_IP_CIDR` matching IP CIDR `required` >- `FLOW_FILTER_PROTOCOL` tcp/udp/sctp/icmpv4/icmpv4 `optional` >- `FLOW_FILTER_SOURCE_PORT` single int value for sport `optional` >- `FLOW_FILTER_SOURCE_PORT_RANGE` use range format [xxx-yyy] for sport `optional` >- `FLOW_FILTER_DESTINATION_PORT` single int value for dport `optional` >- `FLOW_FILTER_DESTINATION_PORT_RANGE` use range format [xxx-yyy] for dport `optional` >- `FLOW_FILTER_ICMP_TYPE` for icmp and icmp6 type value `optional` >- `FLOW_FILTER_ICMP_CODE` for icmp and icmp6 code value `optional` >- `FLOW_FILTER_IP` for matching against specific ip address `optional` > >The following shows example of provision this feature >```shell >sudo TARGET_HOST=127.0.0.1 TARGET_PORT=9999 ENABLE_FLOW_FILTER=true FLOW_FILTER_IP_CIDR="172.253.122.1/24" FLOW_FILTER_DIRECTION="ingress" FLOW_FILTER_PROTOCOL="tcp" FLOW_FILTER_SOURCE_PORT=80 FLOW_FILTER_IP="192.168.1.253" LOG_LEVEL="trace" METRICS_ENABLE=true ./bin/netobserv-ebpf-agent > >``` >The above rule provision ingress filter rule so the source CIDR is `172.253.122.1/24` for protocol `TCP` with srcPort `80` which is the configuration to match my test with >`curl google.com` > >I also enabled metrics because we counter to show flows been filtered > >### UT >- run the above standalone agent command >- from another xterm run `curl -4 google.com -v` >- from another xterm check metrics and ebpf map content and logs >```shell >curl 127.0.0.1:9090/metrics | grep Filter > % Total % Received % Xferd Average Speed Time Time Time Current > Dload Upload Total Spent Left Speed >100 8318 0 8318 0 0 3062k 0 --:--:-- --:--ebpf_agent_dropped_flows_total{reason="FlowFilterDropCounter",source="flow-fetcher"} 1076 >:-- --:--:-- 4061k > > sudo bpftool map dump id 273 -p >[{ > "key": ["0x18","0x00","0x00","0x00","0xac","0xfd","0x7a","0x01","0x00","0x00","0x00","0x00","0x00","0x00","0x00","0x00","0x00","0x00","0x00","0x00" > ], > "value": ["0x06","0x00","0x00","0x00","0x00","0x50","0x00","0x00","0x00","0x00","0x00","0x00","0x00","0x00","0x00","0xc0","0xa8","0x01","0xfd","0x00","0x00","0x00","0x00","0x00","0x00","0x00","0x00","0x00","0x00","0x00","0x00" > ], > "formatted": { > "key": { > "prefix_len": 24, > "ip_data": [172,253,122,1,0,0,0,0,0,0,0,0,0,0,0,0 > ] > }, > "value": { > "protocol": 6, > "dstPortStart": 0, > "dstPortEnd": 0, > "srcPortStart": 80, > "srcPortEnd": 0, > "icmpType": 0, > "icmpCode": 0, > "direction": "INGRESS", > "ip": [192,168,1,253,0,0,0,0,0,0,0,0,0,0,0,0 > ] > } > } > } >] > >irq/170-iwlwifi-1187 [003] ..s2. 14437.549100: bpf_trace_printk: ip_filter: > irq/170-iwlwifi-1187 [003] ..s2. 14437.549111: bpf_trace_printk: 172 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549112: bpf_trace_printk: 253 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549113: bpf_trace_printk: 122 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549113: bpf_trace_printk: 101 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549114: bpf_trace_printk: 0 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549115: bpf_trace_printk: 0 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549116: bpf_trace_printk: 0 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549116: bpf_trace_printk: 0 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549117: bpf_trace_printk: 0 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549118: bpf_trace_printk: 0 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549118: bpf_trace_printk: 0 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549119: bpf_trace_printk: 0 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549119: bpf_trace_printk: 0 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549120: bpf_trace_printk: 0 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549121: bpf_trace_printk: 0 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549121: bpf_trace_printk: 0 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549122: bpf_trace_printk: > > irq/170-iwlwifi-1187 [003] ..s2. 14437.549124: bpf_trace_printk: rule found > > irq/170-iwlwifi-1187 [003] ..s2. 14437.549125: bpf_trace_printk: srcPortStart matched > > irq/170-iwlwifi-1187 [003] ..s2. 14437.549127: bpf_trace_printk: ip not zero ip[0]:192 > > irq/170-iwlwifi-1187 [003] ..s2. 14437.549129: bpf_trace_printk: dstIP matched > > irq/170-iwlwifi-1187 [003] ..s2. 14437.549130: bpf_trace_printk: direction matched > > irq/170-iwlwifi-1187 [003] ..s2. 14437.549131: bpf_trace_printk: result: 3 > > >``` >## Dependencies > > >n/a > >## Checklist > >If you are not familiar with our processes or don't know what to answer in the list below, let us know in a comment: the maintainers will take care of that. > >* [ ] Will this change affect NetObserv / Network Observability operator? If not, you can ignore the rest of this checklist. >* [ ] Is this PR backed with a JIRA ticket? If so, make sure it is written as a title prefix _(in general, PRs affecting the NetObserv/Network Observability product should be backed with a JIRA ticket - especially if they bring user facing changes)._ >* [ ] Does this PR require product documentation? > * [ ] If so, make sure the JIRA epic is labelled with "documentation" and provides a description relevant for doc writers, such as use cases or scenarios. Any required step to activate or configure the feature should be documented there, such as new CRD knobs. >* [ ] Does this PR require a product release notes entry? > * [ ] If so, fill in "Release Note Text" in the JIRA. >* [ ] Is there anything else the QE team should know before testing? E.g: configuration changes, environment setup, etc. > * [ ] If so, make sure it is described in the JIRA ticket. >* QE requirements (check 1 from the list): > * [ ] Standard QE validation, with pre-merge tests unless stated otherwise. > * [ ] Regression tests only (e.g. refactoring with no user-facing change). > * [ ] No QE (e.g. trivial change with high reviewer's confidence, or per agreement with the QE team). > Instructions for interacting with me using PR comments are available [here](https://prow.ci.openshift.org/command-help?repo=netobserv%2Fnetobserv-ebpf-agent). If you have questions or suggestions related to my behavior, please file an issue against the [openshift-eng/jira-lifecycle-plugin](https://github.com/openshift-eng/jira-lifecycle-plugin/issues/new) repository.
openshift-ci-robot commented 3 months ago

@msherif1234: This pull request references NETOBSERV-1478 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.16.0" version, but no target version was set.

In response to [this](https://github.com/netobserv/netobserv-ebpf-agent/pull/307): >## Description > >This PR allow provisioning global filter to limit what goes to eBPF table >based on filter rule direction user has to provision ipCIDR based on this rule >- Direction: Ingress , use srcIP CIDR >- Direction: Egress, use dstIP CIDR >this also fix #266 > >### Supported options >- `ENABLE_FLOW_FILTER` knob to enable flow filtering feature `required` >- `FLOW_FILTER_DIRECTION` direction to apply the filtering rule on `required` >- `FLOW_FILTER_IP_CIDR` matching IP CIDR `required` >- `FLOW_FILTER_PROTOCOL` tcp/udp/sctp/icmpv4/icmpv4 `optional` >- `FLOW_FILTER_SOURCE_PORT` single int value for sport `optional` >- `FLOW_FILTER_SOURCE_PORT_RANGE` use range format [xxx-yyy] for sport `optional` >- `FLOW_FILTER_DESTINATION_PORT` single int value for dport `optional` >- `FLOW_FILTER_DESTINATION_PORT_RANGE` use range format [xxx-yyy] for dport `optional` >- `FLOW_FILTER_ICMP_TYPE` for icmp and icmp6 type value `optional` >- `FLOW_FILTER_ICMP_CODE` for icmp and icmp6 code value `optional` >- `FLOW_FILTER_IP` for matching against specific ip address `optional` > >The following shows example of provision this feature >```shell >sudo TARGET_HOST=127.0.0.1 TARGET_PORT=9999 ENABLE_FLOW_FILTER=true FLOW_FILTER_IP_CIDR="172.253.122.1/24" FLOW_FILTER_DIRECTION="ingress" FLOW_FILTER_PROTOCOL="tcp" FLOW_FILTER_SOURCE_PORT=80 FLOW_FILTER_IP="192.168.1.253" LOG_LEVEL="trace" METRICS_ENABLE=true ./bin/netobserv-ebpf-agent > >``` >The above rule provision ingress filter rule so the source CIDR is `172.253.122.1/24` for protocol `TCP` with srcPort `80` which is the configuration to match my test with >`curl google.com` > >I also enabled metrics because we counter to show flows been filtered > >### UT >- run the above standalone agent command >- from another xterm run `curl -4 google.com -v` >- from another xterm check metrics and ebpf map content and logs >```shell >curl 127.0.0.1:9090/metrics | grep Filter > % Total % Received % Xferd Average Speed Time Time Time Current > Dload Upload Total Spent Left Speed >100 8318 0 8318 0 0 3062k 0 --:--:-- --:--ebpf_agent_dropped_flows_total{reason="FlowFilterDropCounter",source="flow-fetcher"} 1076 >:-- --:--:-- 4061k > > sudo bpftool map dump id 273 -p >[{ > "key": ["0x18","0x00","0x00","0x00","0xac","0xfd","0x7a","0x01","0x00","0x00","0x00","0x00","0x00","0x00","0x00","0x00","0x00","0x00","0x00","0x00" > ], > "value": ["0x06","0x00","0x00","0x00","0x00","0x50","0x00","0x00","0x00","0x00","0x00","0x00","0x00","0x00","0x00","0xc0","0xa8","0x01","0xfd","0x00","0x00","0x00","0x00","0x00","0x00","0x00","0x00","0x00","0x00","0x00","0x00" > ], > "formatted": { > "key": { > "prefix_len": 24, > "ip_data": [172,253,122,1,0,0,0,0,0,0,0,0,0,0,0,0 > ] > }, > "value": { > "protocol": 6, > "dstPortStart": 0, > "dstPortEnd": 0, > "srcPortStart": 80, > "srcPortEnd": 0, > "icmpType": 0, > "icmpCode": 0, > "direction": "INGRESS", > "ip": [192,168,1,253,0,0,0,0,0,0,0,0,0,0,0,0 > ] > } > } > } >] > >irq/170-iwlwifi-1187 [003] ..s2. 14437.549100: bpf_trace_printk: ip_filter: > irq/170-iwlwifi-1187 [003] ..s2. 14437.549111: bpf_trace_printk: 172 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549112: bpf_trace_printk: 253 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549113: bpf_trace_printk: 122 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549113: bpf_trace_printk: 101 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549114: bpf_trace_printk: 0 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549115: bpf_trace_printk: 0 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549116: bpf_trace_printk: 0 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549116: bpf_trace_printk: 0 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549117: bpf_trace_printk: 0 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549118: bpf_trace_printk: 0 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549118: bpf_trace_printk: 0 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549119: bpf_trace_printk: 0 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549119: bpf_trace_printk: 0 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549120: bpf_trace_printk: 0 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549121: bpf_trace_printk: 0 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549121: bpf_trace_printk: 0 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549122: bpf_trace_printk: > > irq/177-iwlwifi-1194 [010] ..s2. 16041.762556: bpf_trace_printk: rule found > > irq/177-iwlwifi-1194 [010] ..s2. 16041.762557: bpf_trace_printk: protocol matched > > irq/177-iwlwifi-1194 [010] ..s2. 16041.762560: bpf_trace_printk: srcPortStart matched > > irq/177-iwlwifi-1194 [010] ..s2. 16041.762563: bpf_trace_printk: ip not zero ip[0]:192 > > irq/177-iwlwifi-1194 [010] ..s2. 16041.762564: bpf_trace_printk: dstIP matched > > irq/177-iwlwifi-1194 [010] ..s2. 16041.762576: bpf_trace_printk: direction matched > > irq/177-iwlwifi-1194 [010] ..s2. 16041.762577: bpf_trace_printk: result: 4 > >``` >## Dependencies > > >n/a > >## Checklist > >If you are not familiar with our processes or don't know what to answer in the list below, let us know in a comment: the maintainers will take care of that. > >* [ ] Will this change affect NetObserv / Network Observability operator? If not, you can ignore the rest of this checklist. >* [ ] Is this PR backed with a JIRA ticket? If so, make sure it is written as a title prefix _(in general, PRs affecting the NetObserv/Network Observability product should be backed with a JIRA ticket - especially if they bring user facing changes)._ >* [ ] Does this PR require product documentation? > * [ ] If so, make sure the JIRA epic is labelled with "documentation" and provides a description relevant for doc writers, such as use cases or scenarios. Any required step to activate or configure the feature should be documented there, such as new CRD knobs. >* [ ] Does this PR require a product release notes entry? > * [ ] If so, fill in "Release Note Text" in the JIRA. >* [ ] Is there anything else the QE team should know before testing? E.g: configuration changes, environment setup, etc. > * [ ] If so, make sure it is described in the JIRA ticket. >* QE requirements (check 1 from the list): > * [ ] Standard QE validation, with pre-merge tests unless stated otherwise. > * [ ] Regression tests only (e.g. refactoring with no user-facing change). > * [ ] No QE (e.g. trivial change with high reviewer's confidence, or per agreement with the QE team). > Instructions for interacting with me using PR comments are available [here](https://prow.ci.openshift.org/command-help?repo=netobserv%2Fnetobserv-ebpf-agent). If you have questions or suggestions related to my behavior, please file an issue against the [openshift-eng/jira-lifecycle-plugin](https://github.com/openshift-eng/jira-lifecycle-plugin/issues/new) repository.
openshift-ci-robot commented 3 months ago

@msherif1234: This pull request references NETOBSERV-1478 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.16.0" version, but no target version was set.

In response to [this](https://github.com/netobserv/netobserv-ebpf-agent/pull/307): >## Description > >This PR allow provisioning global filter to limit what goes to eBPF table >based on filter rule direction user has to provision ipCIDR based on this rule >- Direction: Ingress , use srcIP CIDR >- Direction: Egress, use dstIP CIDR >this also fix #266 > >### Supported options >- `ENABLE_FLOW_FILTER` knob to enable flow filtering feature `required` >- `FLOW_FILTER_IP_CIDR` matching IP CIDR `required` >- `FLOW_FILTER_DIRECTION` direction to apply the filtering rule on `optional` >- `FLOW_FILTER_PROTOCOL` tcp/udp/sctp/icmpv4/icmpv4 `optional` >- `FLOW_FILTER_SOURCE_PORT` single int value for sport `optional` >- `FLOW_FILTER_SOURCE_PORT_RANGE` use range format [xxx-yyy] for sport `optional` >- `FLOW_FILTER_DESTINATION_PORT` single int value for dport `optional` >- `FLOW_FILTER_DESTINATION_PORT_RANGE` use range format [xxx-yyy] for dport `optional` >- `FLOW_FILTER_ICMP_TYPE` for icmp and icmp6 type value `optional` >- `FLOW_FILTER_ICMP_CODE` for icmp and icmp6 code value `optional` >- `FLOW_FILTER_IP` for matching against specific ip address `optional` > >The following shows example of provision this feature >```shell >sudo TARGET_HOST=127.0.0.1 TARGET_PORT=9999 ENABLE_FLOW_FILTER=true FLOW_FILTER_IP_CIDR="172.253.122.1/24" FLOW_FILTER_DIRECTION="ingress" FLOW_FILTER_PROTOCOL="tcp" FLOW_FILTER_SOURCE_PORT=80 FLOW_FILTER_IP="192.168.1.253" LOG_LEVEL="trace" METRICS_ENABLE=true ./bin/netobserv-ebpf-agent > >``` >The above rule provision ingress filter rule so the source CIDR is `172.253.122.1/24` for protocol `TCP` with srcPort `80` which is the configuration to match my test with >`curl google.com` > >I also enabled metrics because we counter to show flows been filtered > >### UT >- run the above standalone agent command >- from another xterm run `curl -4 google.com -v` >- from another xterm check metrics and ebpf map content and logs >```shell >curl 127.0.0.1:9090/metrics | grep Filter > % Total % Received % Xferd Average Speed Time Time Time Current > Dload Upload Total Spent Left Speed >100 8318 0 8318 0 0 3062k 0 --:--:-- --:--ebpf_agent_dropped_flows_total{reason="FlowFilterDropCounter",source="flow-fetcher"} 1076 >:-- --:--:-- 4061k > > sudo bpftool map dump id 273 -p >[{ > "key": ["0x18","0x00","0x00","0x00","0xac","0xfd","0x7a","0x01","0x00","0x00","0x00","0x00","0x00","0x00","0x00","0x00","0x00","0x00","0x00","0x00" > ], > "value": ["0x06","0x00","0x00","0x00","0x00","0x50","0x00","0x00","0x00","0x00","0x00","0x00","0x00","0x00","0x00","0xc0","0xa8","0x01","0xfd","0x00","0x00","0x00","0x00","0x00","0x00","0x00","0x00","0x00","0x00","0x00","0x00" > ], > "formatted": { > "key": { > "prefix_len": 24, > "ip_data": [172,253,122,1,0,0,0,0,0,0,0,0,0,0,0,0 > ] > }, > "value": { > "protocol": 6, > "dstPortStart": 0, > "dstPortEnd": 0, > "srcPortStart": 80, > "srcPortEnd": 0, > "icmpType": 0, > "icmpCode": 0, > "direction": "INGRESS", > "ip": [192,168,1,253,0,0,0,0,0,0,0,0,0,0,0,0 > ] > } > } > } >] > >irq/170-iwlwifi-1187 [003] ..s2. 14437.549100: bpf_trace_printk: ip_filter: > irq/170-iwlwifi-1187 [003] ..s2. 14437.549111: bpf_trace_printk: 172 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549112: bpf_trace_printk: 253 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549113: bpf_trace_printk: 122 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549113: bpf_trace_printk: 101 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549114: bpf_trace_printk: 0 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549115: bpf_trace_printk: 0 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549116: bpf_trace_printk: 0 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549116: bpf_trace_printk: 0 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549117: bpf_trace_printk: 0 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549118: bpf_trace_printk: 0 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549118: bpf_trace_printk: 0 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549119: bpf_trace_printk: 0 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549119: bpf_trace_printk: 0 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549120: bpf_trace_printk: 0 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549121: bpf_trace_printk: 0 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549121: bpf_trace_printk: 0 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549122: bpf_trace_printk: > > irq/177-iwlwifi-1194 [010] ..s2. 16041.762556: bpf_trace_printk: rule found > > irq/177-iwlwifi-1194 [010] ..s2. 16041.762557: bpf_trace_printk: protocol matched > > irq/177-iwlwifi-1194 [010] ..s2. 16041.762560: bpf_trace_printk: srcPortStart matched > > irq/177-iwlwifi-1194 [010] ..s2. 16041.762563: bpf_trace_printk: ip not zero ip[0]:192 > > irq/177-iwlwifi-1194 [010] ..s2. 16041.762564: bpf_trace_printk: dstIP matched > > irq/177-iwlwifi-1194 [010] ..s2. 16041.762576: bpf_trace_printk: direction matched > > irq/177-iwlwifi-1194 [010] ..s2. 16041.762577: bpf_trace_printk: result: 4 > >``` >## Dependencies > > >n/a > >## Checklist > >If you are not familiar with our processes or don't know what to answer in the list below, let us know in a comment: the maintainers will take care of that. > >* [ ] Will this change affect NetObserv / Network Observability operator? If not, you can ignore the rest of this checklist. >* [ ] Is this PR backed with a JIRA ticket? If so, make sure it is written as a title prefix _(in general, PRs affecting the NetObserv/Network Observability product should be backed with a JIRA ticket - especially if they bring user facing changes)._ >* [ ] Does this PR require product documentation? > * [ ] If so, make sure the JIRA epic is labelled with "documentation" and provides a description relevant for doc writers, such as use cases or scenarios. Any required step to activate or configure the feature should be documented there, such as new CRD knobs. >* [ ] Does this PR require a product release notes entry? > * [ ] If so, fill in "Release Note Text" in the JIRA. >* [ ] Is there anything else the QE team should know before testing? E.g: configuration changes, environment setup, etc. > * [ ] If so, make sure it is described in the JIRA ticket. >* QE requirements (check 1 from the list): > * [ ] Standard QE validation, with pre-merge tests unless stated otherwise. > * [ ] Regression tests only (e.g. refactoring with no user-facing change). > * [ ] No QE (e.g. trivial change with high reviewer's confidence, or per agreement with the QE team). > Instructions for interacting with me using PR comments are available [here](https://prow.ci.openshift.org/command-help?repo=netobserv%2Fnetobserv-ebpf-agent). If you have questions or suggestions related to my behavior, please file an issue against the [openshift-eng/jira-lifecycle-plugin](https://github.com/openshift-eng/jira-lifecycle-plugin/issues/new) repository.
openshift-ci-robot commented 3 months ago

@msherif1234: This pull request references NETOBSERV-1478 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.16.0" version, but no target version was set.

In response to [this](https://github.com/netobserv/netobserv-ebpf-agent/pull/307): >## Description > >This PR allow provisioning global filter to limit what goes to eBPF table >based on filter rule direction user has to provision ipCIDR based on this rule >- Direction: Ingress , use srcIP CIDR >- Direction: Egress, use dstIP CIDR >this also fix #266 > >### Supported options >- `ENABLE_FLOW_FILTER` knob to enable flow filtering feature `required` >- `FLOW_FILTER_IP_CIDR` matching IP CIDR `required` >- `FLOW_FILTER_DIRECTION` direction to apply the filtering rule on `optional` >- `FLOW_FILTER_PROTOCOL` tcp/udp/sctp/icmpv4/icmpv4 `optional` >- `FLOW_FILTER_SOURCE_PORT` single int value for sport `optional` >- `FLOW_FILTER_SOURCE_PORT_RANGE` use range format [xxx-yyy] for sport `optional` >- `FLOW_FILTER_DESTINATION_PORT` single int value for dport `optional` >- `FLOW_FILTER_DESTINATION_PORT_RANGE` use range format [xxx-yyy] for dport `optional` >- `FLOW_FILTER_ICMP_TYPE` for icmp and icmp6 type value `optional` >- `FLOW_FILTER_ICMP_CODE` for icmp and icmp6 code value `optional` >- `FLOW_FILTER_IP` for matching against specific ip address `optional` > >The following shows example of provision this feature >```shell >sudo TARGET_HOST=127.0.0.1 TARGET_PORT=9999 ENABLE_FLOW_FILTER=true FLOW_FILTER_IP_CIDR="172.253.122.1/24" FLOW_FILTER_DIRECTION="ingress" FLOW_FILTER_PROTOCOL="tcp" FLOW_FILTER_SOURCE_PORT=80 FLOW_FILTER_IP="192.168.1.253" LOG_LEVEL="trace" METRICS_ENABLE=true ./bin/netobserv-ebpf-agent > >``` >The above rule provision ingress filter rule so the source CIDR is `172.253.122.1/24` for protocol `TCP` with srcPort `80` which is the configuration to match my test with >`curl google.com` > >I also enabled metrics because we counter to show flows been filtered > >### UT >- run the above standalone agent command >- from another xterm run `curl -4 google.com -v` >- from another xterm check metrics and ebpf map content and logs >```shell >curl 127.0.0.1:9090/metrics | grep Filter > % Total % Received % Xferd Average Speed Time Time Time Current > Dload Upload Total Spent Left Speed >100 8318 0 8318 0 0 3062k 0 --:--:-- --:--ebpf_agent_dropped_flows_total{reason="FlowFilterDropCounter",source="flow-fetcher"} 1076 >:-- --:--:-- 4061k > > sudo bpftool map dump id 273 -p >[{ > "key": ["0x18","0x00","0x00","0x00","0xac","0xfd","0x7a","0x01","0x00","0x00","0x00","0x00","0x00","0x00","0x00","0x00","0x00","0x00","0x00","0x00" > ], > "value": ["0x06","0x00","0x00","0x00","0x00","0x50","0x00","0x00","0x00","0x00","0x00","0x00","0x00","0x00","0x00","0xc0","0xa8","0x01","0xfd","0x00","0x00","0x00","0x00","0x00","0x00","0x00","0x00","0x00","0x00","0x00","0x00" > ], > "formatted": { > "key": { > "prefix_len": 24, > "ip_data": [172,253,122,1,0,0,0,0,0,0,0,0,0,0,0,0 > ] > }, > "value": { > "protocol": 6, > "dstPortStart": 0, > "dstPortEnd": 0, > "srcPortStart": 80, > "srcPortEnd": 0, > "icmpType": 0, > "icmpCode": 0, > "direction": "INGRESS", > "ip": [192,168,1,253,0,0,0,0,0,0,0,0,0,0,0,0 > ] > } > } > } >] > >irq/170-iwlwifi-1187 [003] ..s2. 14437.549100: bpf_trace_printk: ip_filter: > irq/170-iwlwifi-1187 [003] ..s2. 14437.549111: bpf_trace_printk: 172 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549112: bpf_trace_printk: 253 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549113: bpf_trace_printk: 122 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549113: bpf_trace_printk: 101 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549114: bpf_trace_printk: 0 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549115: bpf_trace_printk: 0 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549116: bpf_trace_printk: 0 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549116: bpf_trace_printk: 0 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549117: bpf_trace_printk: 0 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549118: bpf_trace_printk: 0 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549118: bpf_trace_printk: 0 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549119: bpf_trace_printk: 0 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549119: bpf_trace_printk: 0 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549120: bpf_trace_printk: 0 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549121: bpf_trace_printk: 0 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549121: bpf_trace_printk: 0 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549122: bpf_trace_printk: > > irq/177-iwlwifi-1194 [010] ..s2. 16041.762556: bpf_trace_printk: rule found > > irq/177-iwlwifi-1194 [010] ..s2. 16041.762557: bpf_trace_printk: protocol matched > > irq/177-iwlwifi-1194 [010] ..s2. 16041.762560: bpf_trace_printk: srcPortStart matched > > irq/177-iwlwifi-1194 [010] ..s2. 16041.762563: bpf_trace_printk: ip not zero ip[0]:192 > > irq/177-iwlwifi-1194 [010] ..s2. 16041.762564: bpf_trace_printk: dstIP matched > > irq/177-iwlwifi-1194 [010] ..s2. 16041.762576: bpf_trace_printk: direction matched > > irq/177-iwlwifi-1194 [010] ..s2. 16041.762577: bpf_trace_printk: result: 4 > >``` > >check filter drop statistics >```shell >curl 127.0.0.1:9090/metrics | grep Filter > % Total % Received % Xferd Average Speed Time Time Time Current > Dload Upload Total Spent Left Speed >100 8330 0 8330 0 ebpf_agent_dropped_flows_total{reason="FlowFilterDropCounter",source="flow-fetcher"} 240 > 0 2180k 0 --:--:-- --:--:-- --:--:-- 2711k >``` > >## Dependencies > > >n/a > >## Checklist > >If you are not familiar with our processes or don't know what to answer in the list below, let us know in a comment: the maintainers will take care of that. > >* [ ] Will this change affect NetObserv / Network Observability operator? If not, you can ignore the rest of this checklist. >* [ ] Is this PR backed with a JIRA ticket? If so, make sure it is written as a title prefix _(in general, PRs affecting the NetObserv/Network Observability product should be backed with a JIRA ticket - especially if they bring user facing changes)._ >* [ ] Does this PR require product documentation? > * [ ] If so, make sure the JIRA epic is labelled with "documentation" and provides a description relevant for doc writers, such as use cases or scenarios. Any required step to activate or configure the feature should be documented there, such as new CRD knobs. >* [ ] Does this PR require a product release notes entry? > * [ ] If so, fill in "Release Note Text" in the JIRA. >* [ ] Is there anything else the QE team should know before testing? E.g: configuration changes, environment setup, etc. > * [ ] If so, make sure it is described in the JIRA ticket. >* QE requirements (check 1 from the list): > * [ ] Standard QE validation, with pre-merge tests unless stated otherwise. > * [ ] Regression tests only (e.g. refactoring with no user-facing change). > * [ ] No QE (e.g. trivial change with high reviewer's confidence, or per agreement with the QE team). > Instructions for interacting with me using PR comments are available [here](https://prow.ci.openshift.org/command-help?repo=netobserv%2Fnetobserv-ebpf-agent). If you have questions or suggestions related to my behavior, please file an issue against the [openshift-eng/jira-lifecycle-plugin](https://github.com/openshift-eng/jira-lifecycle-plugin/issues/new) repository.
openshift-ci-robot commented 3 months ago

@msherif1234: This pull request references NETOBSERV-1478 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.16.0" version, but no target version was set.

In response to [this](https://github.com/netobserv/netobserv-ebpf-agent/pull/307): >## Description > >This PR allow provisioning global filter to limit what goes to eBPF table >based on filter rule direction user has to provision ipCIDR based on this rule >- Direction: Ingress , use srcIP CIDR >- Direction: Egress, use dstIP CIDR >this also fix #266 > >### Supported options >- `ENABLE_FLOW_FILTER` knob to enable flow filtering feature `required` >- `FLOW_FILTER_IP_CIDR` matching IP CIDR `required` >- `FLOW_FILTER_DIRECTION` direction to apply the filtering rule on `optional` >- `FLOW_FILTER_PROTOCOL` tcp/udp/sctp/icmpv4/icmpv4 `optional` >- `FLOW_FILTER_SOURCE_PORT` single int value for sport `optional` >- `FLOW_FILTER_SOURCE_PORT_RANGE` use range format [xxx-yyy] for sport `optional` >- `FLOW_FILTER_DESTINATION_PORT` single int value for dport `optional` >- `FLOW_FILTER_DESTINATION_PORT_RANGE` use range format [xxx-yyy] for dport `optional` >- `FLOW_FILTER_ICMP_TYPE` for icmp and icmp6 type value `optional` >- `FLOW_FILTER_ICMP_CODE` for icmp and icmp6 code value `optional` >- `FLOW_FILTER_IP` for matching against specific ip address `optional` > >The following shows example of provision this feature >```shell >sudo TARGET_HOST=127.0.0.1 TARGET_PORT=9999 ENABLE_FLOW_FILTER=true FLOW_FILTER_IP_CIDR="172.253.122.1/24" FLOW_FILTER_DIRECTION="ingress" FLOW_FILTER_PROTOCOL="tcp" FLOW_FILTER_SOURCE_PORT=80 FLOW_FILTER_IP="192.168.1.253" LOG_LEVEL="trace" METRICS_ENABLE=true ./bin/netobserv-ebpf-agent > >``` >The above rule provision ingress filter rule so the source CIDR is `172.253.122.1/24` for protocol `TCP` with srcPort `80` which is the configuration to match my test with >`curl google.com` > >I also enabled metrics because we counter to show flows been filtered > >### UT >- run the above standalone agent command >- from another xterm run `curl -4 google.com -v` >- from another xterm check metrics and ebpf map content and logs >```shell >curl 127.0.0.1:9090/metrics | grep Filter > % Total % Received % Xferd Average Speed Time Time Time Current > Dload Upload Total Spent Left Speed >100 8318 0 8318 0 0 3062k 0 --:--:-- --:--ebpf_agent_dropped_flows_total{reason="FlowFilterDropCounter",source="flow-fetcher"} 1076 >:-- --:--:-- 4061k > > sudo bpftool map dump id 273 -p >[{ > "key": ["0x18","0x00","0x00","0x00","0xac","0xfd","0x7a","0x01","0x00","0x00","0x00","0x00","0x00","0x00","0x00","0x00","0x00","0x00","0x00","0x00" > ], > "value": ["0x06","0x00","0x00","0x00","0x00","0x50","0x00","0x00","0x00","0x00","0x00","0x00","0x00","0x00","0x00","0xc0","0xa8","0x01","0xfd","0x00","0x00","0x00","0x00","0x00","0x00","0x00","0x00","0x00","0x00","0x00","0x00" > ], > "formatted": { > "key": { > "prefix_len": 24, > "ip_data": [172,253,122,1,0,0,0,0,0,0,0,0,0,0,0,0 > ] > }, > "value": { > "protocol": 6, > "dstPortStart": 0, > "dstPortEnd": 0, > "srcPortStart": 80, > "srcPortEnd": 0, > "icmpType": 0, > "icmpCode": 0, > "direction": "INGRESS", > "ip": [192,168,1,253,0,0,0,0,0,0,0,0,0,0,0,0 > ] > } > } > } >] > >irq/170-iwlwifi-1187 [003] ..s2. 14437.549100: bpf_trace_printk: ip_filter: > irq/170-iwlwifi-1187 [003] ..s2. 14437.549111: bpf_trace_printk: 172 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549112: bpf_trace_printk: 253 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549113: bpf_trace_printk: 122 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549113: bpf_trace_printk: 101 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549114: bpf_trace_printk: 0 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549115: bpf_trace_printk: 0 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549116: bpf_trace_printk: 0 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549116: bpf_trace_printk: 0 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549117: bpf_trace_printk: 0 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549118: bpf_trace_printk: 0 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549118: bpf_trace_printk: 0 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549119: bpf_trace_printk: 0 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549119: bpf_trace_printk: 0 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549120: bpf_trace_printk: 0 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549121: bpf_trace_printk: 0 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549121: bpf_trace_printk: 0 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549122: bpf_trace_printk: > > irq/177-iwlwifi-1194 [010] ..s2. 16041.762556: bpf_trace_printk: rule found > > irq/177-iwlwifi-1194 [010] ..s2. 16041.762557: bpf_trace_printk: protocol matched > > irq/177-iwlwifi-1194 [010] ..s2. 16041.762560: bpf_trace_printk: srcPortStart matched > > irq/177-iwlwifi-1194 [010] ..s2. 16041.762563: bpf_trace_printk: ip not zero ip[0]:192 > > irq/177-iwlwifi-1194 [010] ..s2. 16041.762564: bpf_trace_printk: dstIP matched > > irq/177-iwlwifi-1194 [010] ..s2. 16041.762576: bpf_trace_printk: direction matched > > irq/177-iwlwifi-1194 [010] ..s2. 16041.762577: bpf_trace_printk: result: 4 > >``` > >## Dependencies > > >n/a > >## Checklist > >If you are not familiar with our processes or don't know what to answer in the list below, let us know in a comment: the maintainers will take care of that. > >* [ ] Will this change affect NetObserv / Network Observability operator? If not, you can ignore the rest of this checklist. >* [ ] Is this PR backed with a JIRA ticket? If so, make sure it is written as a title prefix _(in general, PRs affecting the NetObserv/Network Observability product should be backed with a JIRA ticket - especially if they bring user facing changes)._ >* [ ] Does this PR require product documentation? > * [ ] If so, make sure the JIRA epic is labelled with "documentation" and provides a description relevant for doc writers, such as use cases or scenarios. Any required step to activate or configure the feature should be documented there, such as new CRD knobs. >* [ ] Does this PR require a product release notes entry? > * [ ] If so, fill in "Release Note Text" in the JIRA. >* [ ] Is there anything else the QE team should know before testing? E.g: configuration changes, environment setup, etc. > * [ ] If so, make sure it is described in the JIRA ticket. >* QE requirements (check 1 from the list): > * [ ] Standard QE validation, with pre-merge tests unless stated otherwise. > * [ ] Regression tests only (e.g. refactoring with no user-facing change). > * [ ] No QE (e.g. trivial change with high reviewer's confidence, or per agreement with the QE team). > Instructions for interacting with me using PR comments are available [here](https://prow.ci.openshift.org/command-help?repo=netobserv%2Fnetobserv-ebpf-agent). If you have questions or suggestions related to my behavior, please file an issue against the [openshift-eng/jira-lifecycle-plugin](https://github.com/openshift-eng/jira-lifecycle-plugin/issues/new) repository.
openshift-ci-robot commented 3 months ago

@msherif1234: This pull request references NETOBSERV-1478 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.16.0" version, but no target version was set.

In response to [this](https://github.com/netobserv/netobserv-ebpf-agent/pull/307): >## Description > >This PR allow provisioning global filter to limit what goes to eBPF table >based on filter rule direction user has to provision ipCIDR based on this rule >- Direction: Ingress , use srcIP CIDR >- Direction: Egress, use dstIP CIDR >this also fix #266 > >### Supported options >- `ENABLE_FLOW_FILTER` knob to enable flow filtering feature `required` >- `FLOW_FILTER_IP_CIDR` matching IP CIDR `required` >Note: if u wanted to match on any CIDR we can use `0.0.0.0\0` syntax >- `FLOW_FILTER_DIRECTION` direction to apply the filtering rule on `optional` >- `FLOW_FILTER_PROTOCOL` tcp/udp/sctp/icmpv4/icmpv4 `optional` >- `FLOW_FILTER_SOURCE_PORT` single int value for sport `optional` >- `FLOW_FILTER_SOURCE_PORT_RANGE` use range format [xxx-yyy] for sport `optional` >- `FLOW_FILTER_DESTINATION_PORT` single int value for dport `optional` >- `FLOW_FILTER_DESTINATION_PORT_RANGE` use range format [xxx-yyy] for dport `optional` >- `FLOW_FILTER_ICMP_TYPE` for icmp and icmp6 type value `optional` >- `FLOW_FILTER_ICMP_CODE` for icmp and icmp6 code value `optional` >- `FLOW_FILTER_IP` for matching against specific ip address `optional` > >The following shows example of provision this feature >```shell >sudo TARGET_HOST=127.0.0.1 TARGET_PORT=9999 ENABLE_FLOW_FILTER=true FLOW_FILTER_IP_CIDR="172.253.122.1/24" FLOW_FILTER_DIRECTION="ingress" FLOW_FILTER_PROTOCOL="tcp" FLOW_FILTER_SOURCE_PORT=80 FLOW_FILTER_IP="192.168.1.253" LOG_LEVEL="trace" METRICS_ENABLE=true ./bin/netobserv-ebpf-agent > >``` >The above rule provision ingress filter rule so the source CIDR is `172.253.122.1/24` for protocol `TCP` with srcPort `80` which is the configuration to match my test with >`curl google.com` > >I also enabled metrics because we counter to show flows been filtered > >### UT >- run the above standalone agent command >- from another xterm run `curl -4 google.com -v` >- from another xterm check metrics and ebpf map content and logs >```shell >curl 127.0.0.1:9090/metrics | grep Filter > % Total % Received % Xferd Average Speed Time Time Time Current > Dload Upload Total Spent Left Speed >100 8318 0 8318 0 0 3062k 0 --:--:-- --:--ebpf_agent_dropped_flows_total{reason="FlowFilterDropCounter",source="flow-fetcher"} 1076 >:-- --:--:-- 4061k > > sudo bpftool map dump id 273 -p >[{ > "key": ["0x18","0x00","0x00","0x00","0xac","0xfd","0x7a","0x01","0x00","0x00","0x00","0x00","0x00","0x00","0x00","0x00","0x00","0x00","0x00","0x00" > ], > "value": ["0x06","0x00","0x00","0x00","0x00","0x50","0x00","0x00","0x00","0x00","0x00","0x00","0x00","0x00","0x00","0xc0","0xa8","0x01","0xfd","0x00","0x00","0x00","0x00","0x00","0x00","0x00","0x00","0x00","0x00","0x00","0x00" > ], > "formatted": { > "key": { > "prefix_len": 24, > "ip_data": [172,253,122,1,0,0,0,0,0,0,0,0,0,0,0,0 > ] > }, > "value": { > "protocol": 6, > "dstPortStart": 0, > "dstPortEnd": 0, > "srcPortStart": 80, > "srcPortEnd": 0, > "icmpType": 0, > "icmpCode": 0, > "direction": "INGRESS", > "ip": [192,168,1,253,0,0,0,0,0,0,0,0,0,0,0,0 > ] > } > } > } >] > >irq/170-iwlwifi-1187 [003] ..s2. 14437.549100: bpf_trace_printk: ip_filter: > irq/170-iwlwifi-1187 [003] ..s2. 14437.549111: bpf_trace_printk: 172 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549112: bpf_trace_printk: 253 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549113: bpf_trace_printk: 122 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549113: bpf_trace_printk: 101 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549114: bpf_trace_printk: 0 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549115: bpf_trace_printk: 0 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549116: bpf_trace_printk: 0 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549116: bpf_trace_printk: 0 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549117: bpf_trace_printk: 0 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549118: bpf_trace_printk: 0 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549118: bpf_trace_printk: 0 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549119: bpf_trace_printk: 0 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549119: bpf_trace_printk: 0 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549120: bpf_trace_printk: 0 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549121: bpf_trace_printk: 0 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549121: bpf_trace_printk: 0 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549122: bpf_trace_printk: > > irq/177-iwlwifi-1194 [010] ..s2. 16041.762556: bpf_trace_printk: rule found > > irq/177-iwlwifi-1194 [010] ..s2. 16041.762557: bpf_trace_printk: protocol matched > > irq/177-iwlwifi-1194 [010] ..s2. 16041.762560: bpf_trace_printk: srcPortStart matched > > irq/177-iwlwifi-1194 [010] ..s2. 16041.762563: bpf_trace_printk: ip not zero ip[0]:192 > > irq/177-iwlwifi-1194 [010] ..s2. 16041.762564: bpf_trace_printk: dstIP matched > > irq/177-iwlwifi-1194 [010] ..s2. 16041.762576: bpf_trace_printk: direction matched > > irq/177-iwlwifi-1194 [010] ..s2. 16041.762577: bpf_trace_printk: result: 4 > >``` > >## Dependencies > > >n/a > >## Checklist > >If you are not familiar with our processes or don't know what to answer in the list below, let us know in a comment: the maintainers will take care of that. > >* [ ] Will this change affect NetObserv / Network Observability operator? If not, you can ignore the rest of this checklist. >* [ ] Is this PR backed with a JIRA ticket? If so, make sure it is written as a title prefix _(in general, PRs affecting the NetObserv/Network Observability product should be backed with a JIRA ticket - especially if they bring user facing changes)._ >* [ ] Does this PR require product documentation? > * [ ] If so, make sure the JIRA epic is labelled with "documentation" and provides a description relevant for doc writers, such as use cases or scenarios. Any required step to activate or configure the feature should be documented there, such as new CRD knobs. >* [ ] Does this PR require a product release notes entry? > * [ ] If so, fill in "Release Note Text" in the JIRA. >* [ ] Is there anything else the QE team should know before testing? E.g: configuration changes, environment setup, etc. > * [ ] If so, make sure it is described in the JIRA ticket. >* QE requirements (check 1 from the list): > * [ ] Standard QE validation, with pre-merge tests unless stated otherwise. > * [ ] Regression tests only (e.g. refactoring with no user-facing change). > * [ ] No QE (e.g. trivial change with high reviewer's confidence, or per agreement with the QE team). > Instructions for interacting with me using PR comments are available [here](https://prow.ci.openshift.org/command-help?repo=netobserv%2Fnetobserv-ebpf-agent). If you have questions or suggestions related to my behavior, please file an issue against the [openshift-eng/jira-lifecycle-plugin](https://github.com/openshift-eng/jira-lifecycle-plugin/issues/new) repository.
openshift-ci-robot commented 3 months ago

@msherif1234: This pull request references NETOBSERV-1478 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.16.0" version, but no target version was set.

In response to [this](https://github.com/netobserv/netobserv-ebpf-agent/pull/307): >## Description > >This PR allow provisioning global filter to limit what goes to eBPF table >based on filter rule direction user has to provision ipCIDR based on this rule >- Direction: Ingress , use srcIP CIDR >- Direction: Egress, use dstIP CIDR >this also fix #266 > >### Supported options >- `ENABLE_FLOW_FILTER` knob to enable flow filtering feature `required` >- `FLOW_FILTER_IP_CIDR` matching IP CIDR `required` >Note: if u wanted to match on any CIDR we can use `0.0.0.0/0` syntax >- `FLOW_FILTER_DIRECTION` direction to apply the filtering rule on `optional` >- `FLOW_FILTER_PROTOCOL` tcp/udp/sctp/icmpv4/icmpv4 `optional` >- `FLOW_FILTER_SOURCE_PORT` single int value for sport `optional` >- `FLOW_FILTER_SOURCE_PORT_RANGE` use range format [xxx-yyy] for sport `optional` >- `FLOW_FILTER_DESTINATION_PORT` single int value for dport `optional` >- `FLOW_FILTER_DESTINATION_PORT_RANGE` use range format [xxx-yyy] for dport `optional` >- `FLOW_FILTER_ICMP_TYPE` for icmp and icmp6 type value `optional` >- `FLOW_FILTER_ICMP_CODE` for icmp and icmp6 code value `optional` >- `FLOW_FILTER_IP` for matching against specific ip address `optional` > >The following shows example of provision this feature >```shell >sudo TARGET_HOST=127.0.0.1 TARGET_PORT=9999 ENABLE_FLOW_FILTER=true FLOW_FILTER_IP_CIDR="172.253.122.1/24" FLOW_FILTER_DIRECTION="ingress" FLOW_FILTER_PROTOCOL="tcp" FLOW_FILTER_SOURCE_PORT=80 FLOW_FILTER_IP="192.168.1.253" LOG_LEVEL="trace" METRICS_ENABLE=true ./bin/netobserv-ebpf-agent > >``` >The above rule provision ingress filter rule so the source CIDR is `172.253.122.1/24` for protocol `TCP` with srcPort `80` which is the configuration to match my test with >`curl google.com` > >I also enabled metrics because we counter to show flows been filtered > >### UT >- run the above standalone agent command >- from another xterm run `curl -4 google.com -v` >- from another xterm check metrics and ebpf map content and logs >```shell >curl 127.0.0.1:9090/metrics | grep Filter > % Total % Received % Xferd Average Speed Time Time Time Current > Dload Upload Total Spent Left Speed >100 8318 0 8318 0 0 3062k 0 --:--:-- --:--ebpf_agent_dropped_flows_total{reason="FlowFilterDropCounter",source="flow-fetcher"} 1076 >:-- --:--:-- 4061k > > sudo bpftool map dump id 273 -p >[{ > "key": ["0x18","0x00","0x00","0x00","0xac","0xfd","0x7a","0x01","0x00","0x00","0x00","0x00","0x00","0x00","0x00","0x00","0x00","0x00","0x00","0x00" > ], > "value": ["0x06","0x00","0x00","0x00","0x00","0x50","0x00","0x00","0x00","0x00","0x00","0x00","0x00","0x00","0x00","0xc0","0xa8","0x01","0xfd","0x00","0x00","0x00","0x00","0x00","0x00","0x00","0x00","0x00","0x00","0x00","0x00" > ], > "formatted": { > "key": { > "prefix_len": 24, > "ip_data": [172,253,122,1,0,0,0,0,0,0,0,0,0,0,0,0 > ] > }, > "value": { > "protocol": 6, > "dstPortStart": 0, > "dstPortEnd": 0, > "srcPortStart": 80, > "srcPortEnd": 0, > "icmpType": 0, > "icmpCode": 0, > "direction": "INGRESS", > "ip": [192,168,1,253,0,0,0,0,0,0,0,0,0,0,0,0 > ] > } > } > } >] > >irq/170-iwlwifi-1187 [003] ..s2. 14437.549100: bpf_trace_printk: ip_filter: > irq/170-iwlwifi-1187 [003] ..s2. 14437.549111: bpf_trace_printk: 172 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549112: bpf_trace_printk: 253 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549113: bpf_trace_printk: 122 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549113: bpf_trace_printk: 101 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549114: bpf_trace_printk: 0 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549115: bpf_trace_printk: 0 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549116: bpf_trace_printk: 0 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549116: bpf_trace_printk: 0 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549117: bpf_trace_printk: 0 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549118: bpf_trace_printk: 0 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549118: bpf_trace_printk: 0 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549119: bpf_trace_printk: 0 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549119: bpf_trace_printk: 0 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549120: bpf_trace_printk: 0 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549121: bpf_trace_printk: 0 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549121: bpf_trace_printk: 0 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549122: bpf_trace_printk: > > irq/177-iwlwifi-1194 [010] ..s2. 16041.762556: bpf_trace_printk: rule found > > irq/177-iwlwifi-1194 [010] ..s2. 16041.762557: bpf_trace_printk: protocol matched > > irq/177-iwlwifi-1194 [010] ..s2. 16041.762560: bpf_trace_printk: srcPortStart matched > > irq/177-iwlwifi-1194 [010] ..s2. 16041.762563: bpf_trace_printk: ip not zero ip[0]:192 > > irq/177-iwlwifi-1194 [010] ..s2. 16041.762564: bpf_trace_printk: dstIP matched > > irq/177-iwlwifi-1194 [010] ..s2. 16041.762576: bpf_trace_printk: direction matched > > irq/177-iwlwifi-1194 [010] ..s2. 16041.762577: bpf_trace_printk: result: 4 > >``` > >## Dependencies > > >n/a > >## Checklist > >If you are not familiar with our processes or don't know what to answer in the list below, let us know in a comment: the maintainers will take care of that. > >* [ ] Will this change affect NetObserv / Network Observability operator? If not, you can ignore the rest of this checklist. >* [ ] Is this PR backed with a JIRA ticket? If so, make sure it is written as a title prefix _(in general, PRs affecting the NetObserv/Network Observability product should be backed with a JIRA ticket - especially if they bring user facing changes)._ >* [ ] Does this PR require product documentation? > * [ ] If so, make sure the JIRA epic is labelled with "documentation" and provides a description relevant for doc writers, such as use cases or scenarios. Any required step to activate or configure the feature should be documented there, such as new CRD knobs. >* [ ] Does this PR require a product release notes entry? > * [ ] If so, fill in "Release Note Text" in the JIRA. >* [ ] Is there anything else the QE team should know before testing? E.g: configuration changes, environment setup, etc. > * [ ] If so, make sure it is described in the JIRA ticket. >* QE requirements (check 1 from the list): > * [ ] Standard QE validation, with pre-merge tests unless stated otherwise. > * [ ] Regression tests only (e.g. refactoring with no user-facing change). > * [ ] No QE (e.g. trivial change with high reviewer's confidence, or per agreement with the QE team). > Instructions for interacting with me using PR comments are available [here](https://prow.ci.openshift.org/command-help?repo=netobserv%2Fnetobserv-ebpf-agent). If you have questions or suggestions related to my behavior, please file an issue against the [openshift-eng/jira-lifecycle-plugin](https://github.com/openshift-eng/jira-lifecycle-plugin/issues/new) repository.
msherif1234 commented 3 months ago

/ok-to-test

github-actions[bot] commented 3 months ago

New image: quay.io/netobserv/netobserv-ebpf-agent:e235a56

It will expire after two weeks.

To deploy this build, run from the operator repo, assuming the operator is running:

USER=netobserv VERSION=e235a56 make set-agent-image
msherif1234 commented 3 months ago

/ok-to-test

github-actions[bot] commented 3 months ago

New image: quay.io/netobserv/netobserv-ebpf-agent:a516e6b

It will expire after two weeks.

To deploy this build, run from the operator repo, assuming the operator is running:

USER=netobserv VERSION=a516e6b make set-agent-image
openshift-ci-robot commented 3 months ago

@msherif1234: This pull request references NETOBSERV-1478 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.16.0" version, but no target version was set.

In response to [this](https://github.com/netobserv/netobserv-ebpf-agent/pull/307): >## Description > >This PR allow provisioning global filter to limit what goes to eBPF table >based on filter rule direction user has to provision ipCIDR based on this rule >- Direction: Ingress , use srcIP CIDR >- Direction: Egress, use dstIP CIDR >this also fix #266 > >### Supported options >- `ENABLE_FLOW_FILTER` knob to enable flow filtering feature `required` >- `FLOW_FILTER_IP_CIDR` matching IP CIDR `required` >Note: if u wanted to match on any CIDR we can use `0.0.0.0/0` syntax >- `FLOW_FILTER_ACTION` either "Accept" or "Reject" `required` >- `FLOW_FILTER_DIRECTION` direction to apply the filtering rule on `optional` >- `FLOW_FILTER_PROTOCOL` tcp/udp/sctp/icmpv4/icmpv4 `optional` >- `FLOW_FILTER_SOURCE_PORT` single int value for sport `optional` >- `FLOW_FILTER_SOURCE_PORT_RANGE` use range format [xxx-yyy] for sport `optional` >- `FLOW_FILTER_DESTINATION_PORT` single int value for dport `optional` >- `FLOW_FILTER_DESTINATION_PORT_RANGE` use range format [xxx-yyy] for dport `optional` >- `FLOW_FILTER_ICMP_TYPE` for icmp and icmp6 type value `optional` >- `FLOW_FILTER_ICMP_CODE` for icmp and icmp6 code value `optional` >- `FLOW_FILTER_IP` for matching against specific ip address `optional` > >The following shows example of provision this feature >```shell >sudo TARGET_HOST=127.0.0.1 TARGET_PORT=9999 ENABLE_FLOW_FILTER=true FLOW_FILTER_IP_CIDR="172.253.122.1/24" FLOW_FILTER_DIRECTION="ingress" FLOW_FILTER_PROTOCOL="tcp" FLOW_FILTER_SOURCE_PORT=80 FLOW_FILTER_IP="192.168.1.253" LOG_LEVEL="trace" METRICS_ENABLE=true ./bin/netobserv-ebpf-agent > >``` >The above rule provision ingress filter rule so the source CIDR is `172.253.122.1/24` for protocol `TCP` with srcPort `80` which is the configuration to match my test with >`curl google.com` > >I also enabled metrics because we counter to show flows been filtered > >### UT >- run the above standalone agent command >- from another xterm run `curl -4 google.com -v` >- from another xterm check metrics and ebpf map content and logs >```shell >curl 127.0.0.1:9090/metrics | grep Filter > % Total % Received % Xferd Average Speed Time Time Time Current > Dload Upload Total Spent Left Speed >100 8318 0 8318 0 0 3062k 0 --:--:-- --:--ebpf_agent_dropped_flows_total{reason="FlowFilterDropCounter",source="flow-fetcher"} 1076 >:-- --:--:-- 4061k > > sudo bpftool map dump id 273 -p >[{ > "key": ["0x18","0x00","0x00","0x00","0xac","0xfd","0x7a","0x01","0x00","0x00","0x00","0x00","0x00","0x00","0x00","0x00","0x00","0x00","0x00","0x00" > ], > "value": ["0x06","0x00","0x00","0x00","0x00","0x50","0x00","0x00","0x00","0x00","0x00","0x00","0x00","0x00","0x00","0xc0","0xa8","0x01","0xfd","0x00","0x00","0x00","0x00","0x00","0x00","0x00","0x00","0x00","0x00","0x00","0x00" > ], > "formatted": { > "key": { > "prefix_len": 24, > "ip_data": [172,253,122,1,0,0,0,0,0,0,0,0,0,0,0,0 > ] > }, > "value": { > "protocol": 6, > "dstPortStart": 0, > "dstPortEnd": 0, > "srcPortStart": 80, > "srcPortEnd": 0, > "icmpType": 0, > "icmpCode": 0, > "direction": "INGRESS", > "ip": [192,168,1,253,0,0,0,0,0,0,0,0,0,0,0,0 > ] > } > } > } >] > >irq/170-iwlwifi-1187 [003] ..s2. 14437.549100: bpf_trace_printk: ip_filter: > irq/170-iwlwifi-1187 [003] ..s2. 14437.549111: bpf_trace_printk: 172 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549112: bpf_trace_printk: 253 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549113: bpf_trace_printk: 122 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549113: bpf_trace_printk: 101 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549114: bpf_trace_printk: 0 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549115: bpf_trace_printk: 0 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549116: bpf_trace_printk: 0 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549116: bpf_trace_printk: 0 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549117: bpf_trace_printk: 0 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549118: bpf_trace_printk: 0 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549118: bpf_trace_printk: 0 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549119: bpf_trace_printk: 0 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549119: bpf_trace_printk: 0 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549120: bpf_trace_printk: 0 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549121: bpf_trace_printk: 0 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549121: bpf_trace_printk: 0 > irq/170-iwlwifi-1187 [003] ..s2. 14437.549122: bpf_trace_printk: > > irq/177-iwlwifi-1194 [010] ..s2. 16041.762556: bpf_trace_printk: rule found > > irq/177-iwlwifi-1194 [010] ..s2. 16041.762557: bpf_trace_printk: protocol matched > > irq/177-iwlwifi-1194 [010] ..s2. 16041.762560: bpf_trace_printk: srcPortStart matched > > irq/177-iwlwifi-1194 [010] ..s2. 16041.762563: bpf_trace_printk: ip not zero ip[0]:192 > > irq/177-iwlwifi-1194 [010] ..s2. 16041.762564: bpf_trace_printk: dstIP matched > > irq/177-iwlwifi-1194 [010] ..s2. 16041.762576: bpf_trace_printk: direction matched > > irq/177-iwlwifi-1194 [010] ..s2. 16041.762577: bpf_trace_printk: result: 4 > >``` > >## Dependencies > > >n/a > >## Checklist > >If you are not familiar with our processes or don't know what to answer in the list below, let us know in a comment: the maintainers will take care of that. > >* [ ] Will this change affect NetObserv / Network Observability operator? If not, you can ignore the rest of this checklist. >* [ ] Is this PR backed with a JIRA ticket? If so, make sure it is written as a title prefix _(in general, PRs affecting the NetObserv/Network Observability product should be backed with a JIRA ticket - especially if they bring user facing changes)._ >* [ ] Does this PR require product documentation? > * [ ] If so, make sure the JIRA epic is labelled with "documentation" and provides a description relevant for doc writers, such as use cases or scenarios. Any required step to activate or configure the feature should be documented there, such as new CRD knobs. >* [ ] Does this PR require a product release notes entry? > * [ ] If so, fill in "Release Note Text" in the JIRA. >* [ ] Is there anything else the QE team should know before testing? E.g: configuration changes, environment setup, etc. > * [ ] If so, make sure it is described in the JIRA ticket. >* QE requirements (check 1 from the list): > * [ ] Standard QE validation, with pre-merge tests unless stated otherwise. > * [ ] Regression tests only (e.g. refactoring with no user-facing change). > * [ ] No QE (e.g. trivial change with high reviewer's confidence, or per agreement with the QE team). > Instructions for interacting with me using PR comments are available [here](https://prow.ci.openshift.org/command-help?repo=netobserv%2Fnetobserv-ebpf-agent). If you have questions or suggestions related to my behavior, please file an issue against the [openshift-eng/jira-lifecycle-plugin](https://github.com/openshift-eng/jira-lifecycle-plugin/issues/new) repository.
msherif1234 commented 3 months ago

/ok-to-test

github-actions[bot] commented 3 months ago

New image: quay.io/netobserv/netobserv-ebpf-agent:eb6b7af

It will expire after two weeks.

To deploy this build, run from the operator repo, assuming the operator is running:

USER=netobserv VERSION=eb6b7af make set-agent-image
msherif1234 commented 3 months ago

/ok-to-test

github-actions[bot] commented 3 months ago

New image: quay.io/netobserv/netobserv-ebpf-agent:a2be65d

It will expire after two weeks.

To deploy this build, run from the operator repo, assuming the operator is running:

USER=netobserv VERSION=a2be65d make set-agent-image
msherif1234 commented 3 months ago

/ok-to-test

github-actions[bot] commented 3 months ago

New image: quay.io/netobserv/netobserv-ebpf-agent:2bf5794

It will expire after two weeks.

To deploy this build, run from the operator repo, assuming the operator is running:

USER=netobserv VERSION=2bf5794 make set-agent-image
openshift-ci-robot commented 3 months ago

@msherif1234: This pull request references NETOBSERV-1478 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.16.0" version, but no target version was set.

In response to [this](https://github.com/netobserv/netobserv-ebpf-agent/pull/307): >## Description > >This PR allow provisioning global filter to limit what goes to eBPF table >based on filter rule direction user has to provision ipCIDR based on this rule >- Direction: Ingress , use srcIP CIDR >- Direction: Egress, use dstIP CIDR >this also fix #266 > >### Supported options >- `ENABLE_FLOW_FILTER` knob to enable flow filtering feature `required` >- `FLOW_FILTER_IP_CIDR` matching IP CIDR `required` >Note: if u wanted to match on any CIDR we can use `0.0.0.0/0` syntax >- `FLOW_FILTER_ACTION` either "Accept" or "Reject" `required` >- `FLOW_FILTER_DIRECTION` direction to apply the filtering rule on `optional` >- `FLOW_FILTER_PROTOCOL` tcp/udp/sctp/icmpv4/icmpv4 `optional` >- `FLOW_FILTER_SOURCE_PORT` single int value for sport `optional` >- `FLOW_FILTER_SOURCE_PORT_RANGE` use range format [xxx-yyy] for sport `optional` >- `FLOW_FILTER_DESTINATION_PORT` single int value for dport `optional` >- `FLOW_FILTER_DESTINATION_PORT_RANGE` use range format [xxx-yyy] for dport `optional` >- `FLOW_FILTER_ICMP_TYPE` for icmp and icmp6 type value `optional` >- `FLOW_FILTER_ICMP_CODE` for icmp and icmp6 code value `optional` >- `FLOW_FILTER_IP` for matching against specific ip address `optional` > >The following shows example of provision this feature >```shell >sudo TARGET_HOST=127.0.0.1 TARGET_PORT=9999 ENABLE_FLOW_FILTER=true FLOW_FILTER_IP_CIDR="172.253.122.1/24" FLOW_FILTER_ACTION="Reject" FLOW_FILTER_DIRECTION="ingress" FLOW_FILTER_PROTOCOL="tcp" FLOW_FILTER_SOURCE_PORT=80 FLOW_FILTER_IP="192.168.1.253" LOG_LEVEL="trace" METRICS_ENABLE=true ./bin/netobserv-ebpf-agent > >``` >The above rule provision ingress filter rule so the source CIDR is `172.253.122.1/24` for protocol `TCP` with srcPort `80` which is the configuration to match my test with >`curl google.com` > >I also enabled metrics because we counter to show flows been filtered > >### UT >- run the above standalone agent command >- from another xterm run `curl -4 google.com -v` >- from another xterm check metrics and ebpf map content and logs >```shell >curl 127.0.0.1:9090/metrics | grep Filter > % Total % Received % Xferd Average Speed Time Time Time Current > Dload Upload Total Spent Left Speed >100 8318 0 8318 0 0 3062k 0 --:--:-- --:--ebpf_agent_dropped_flows_total{reason="FlowFilterDropCounter",source="flow-fetcher"} 1076 >:-- --:--:-- 4061k > >[{ > "key": { > "prefix_len": 24, > "ip_data": [172,253,122,1,0,0,0,0,0,0,0,0,0,0,0,0 > ] > }, > "value": { > "protocol": 6, > "dstPortStart": 0, > "dstPortEnd": 0, > "srcPortStart": 80, > "srcPortEnd": 0, > "icmpType": 0, > "icmpCode": 0, > "direction": "INGRESS", > "action": "REJECT", > "ip": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 > ] > } > } >] > >``` > >## Dependencies > > >n/a > >## Checklist > >If you are not familiar with our processes or don't know what to answer in the list below, let us know in a comment: the maintainers will take care of that. > >* [X] Will this change affect NetObserv / Network Observability operator? If not, you can ignore the rest of this checklist. >* [X] Is this PR backed with a JIRA ticket? If so, make sure it is written as a title prefix _(in general, PRs affecting the NetObserv/Network Observability product should be backed with a JIRA ticket - especially if they bring user facing changes)._ >* [X] Does this PR require product documentation? > * [X] If so, make sure the JIRA epic is labelled with "documentation" and provides a description relevant for doc writers, such as use cases or scenarios. Any required step to activate or configure the feature should be documented there, such as new CRD knobs. >* [ ] Does this PR require a product release notes entry? > * [ ] If so, fill in "Release Note Text" in the JIRA. >* [X] Is there anything else the QE team should know before testing? E.g: configuration changes, environment setup, etc. > * [ ] If so, make sure it is described in the JIRA ticket. >* QE requirements (check 1 from the list): > * [X] Standard QE validation, with pre-merge tests unless stated otherwise. > * [ ] Regression tests only (e.g. refactoring with no user-facing change). > * [ ] No QE (e.g. trivial change with high reviewer's confidence, or per agreement with the QE team). > Instructions for interacting with me using PR comments are available [here](https://prow.ci.openshift.org/command-help?repo=netobserv%2Fnetobserv-ebpf-agent). If you have questions or suggestions related to my behavior, please file an issue against the [openshift-eng/jira-lifecycle-plugin](https://github.com/openshift-eng/jira-lifecycle-plugin/issues/new) repository.
github-actions[bot] commented 3 months ago

New image: quay.io/netobserv/netobserv-ebpf-agent:bde17a4

It will expire after two weeks.

To deploy this build, run from the operator repo, assuming the operator is running:

USER=netobserv VERSION=bde17a4 make set-agent-image
msherif1234 commented 3 months ago

/ok-to-test

github-actions[bot] commented 3 months ago

New image: quay.io/netobserv/netobserv-ebpf-agent:52bfe00

It will expire after two weeks.

To deploy this build, run from the operator repo, assuming the operator is running:

USER=netobserv VERSION=52bfe00 make set-agent-image
msherif1234 commented 3 months ago

/ok-to-test

github-actions[bot] commented 3 months ago

New image: quay.io/netobserv/netobserv-ebpf-agent:bae371f

It will expire after two weeks.

To deploy this build, run from the operator repo, assuming the operator is running:

USER=netobserv VERSION=bae371f make set-agent-image
openshift-ci-robot commented 3 months ago

@msherif1234: This pull request references NETOBSERV-1478 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.16.0" version, but no target version was set.

In response to [this](https://github.com/netobserv/netobserv-ebpf-agent/pull/307): >## Description > >This PR allow provisioning global filter to limit what goes to eBPF flows table >this also fix #266 > > >## Dependencies > > >n/a > >## Checklist > >If you are not familiar with our processes or don't know what to answer in the list below, let us know in a comment: the maintainers will take care of that. > >* [X] Will this change affect NetObserv / Network Observability operator? If not, you can ignore the rest of this checklist. >* [X] Is this PR backed with a JIRA ticket? If so, make sure it is written as a title prefix _(in general, PRs affecting the NetObserv/Network Observability product should be backed with a JIRA ticket - especially if they bring user facing changes)._ >* [X] Does this PR require product documentation? > * [X] If so, make sure the JIRA epic is labelled with "documentation" and provides a description relevant for doc writers, such as use cases or scenarios. Any required step to activate or configure the feature should be documented there, such as new CRD knobs. >* [ ] Does this PR require a product release notes entry? > * [ ] If so, fill in "Release Note Text" in the JIRA. >* [X] Is there anything else the QE team should know before testing? E.g: configuration changes, environment setup, etc. > * [ ] If so, make sure it is described in the JIRA ticket. >* QE requirements (check 1 from the list): > * [X] Standard QE validation, with pre-merge tests unless stated otherwise. > * [ ] Regression tests only (e.g. refactoring with no user-facing change). > * [ ] No QE (e.g. trivial change with high reviewer's confidence, or per agreement with the QE team). > Instructions for interacting with me using PR comments are available [here](https://prow.ci.openshift.org/command-help?repo=netobserv%2Fnetobserv-ebpf-agent). If you have questions or suggestions related to my behavior, please file an issue against the [openshift-eng/jira-lifecycle-plugin](https://github.com/openshift-eng/jira-lifecycle-plugin/issues/new) repository.
jotak commented 3 months ago

/lgtm

Amoghrd commented 3 months ago

/ok-to-test

github-actions[bot] commented 3 months ago

New image: quay.io/netobserv/netobserv-ebpf-agent:bd5c6e0

It will expire after two weeks.

To deploy this build, run from the operator repo, assuming the operator is running:

USER=netobserv VERSION=bd5c6e0 make set-agent-image
Amoghrd commented 2 months ago

/label qe-approved

openshift-ci-robot commented 2 months ago

@msherif1234: This pull request references NETOBSERV-1478 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.16.0" version, but no target version was set.

In response to [this](https://github.com/netobserv/netobserv-ebpf-agent/pull/307): >## Description > >This PR allow provisioning global filter to limit what goes to eBPF flows table >this also fix #266 > > >## Dependencies > > >n/a > >## Checklist > >If you are not familiar with our processes or don't know what to answer in the list below, let us know in a comment: the maintainers will take care of that. > >* [X] Will this change affect NetObserv / Network Observability operator? If not, you can ignore the rest of this checklist. >* [X] Is this PR backed with a JIRA ticket? If so, make sure it is written as a title prefix _(in general, PRs affecting the NetObserv/Network Observability product should be backed with a JIRA ticket - especially if they bring user facing changes)._ >* [X] Does this PR require product documentation? > * [X] If so, make sure the JIRA epic is labelled with "documentation" and provides a description relevant for doc writers, such as use cases or scenarios. Any required step to activate or configure the feature should be documented there, such as new CRD knobs. >* [ ] Does this PR require a product release notes entry? > * [ ] If so, fill in "Release Note Text" in the JIRA. >* [X] Is there anything else the QE team should know before testing? E.g: configuration changes, environment setup, etc. > * [ ] If so, make sure it is described in the JIRA ticket. >* QE requirements (check 1 from the list): > * [X] Standard QE validation, with pre-merge tests unless stated otherwise. > * [ ] Regression tests only (e.g. refactoring with no user-facing change). > * [ ] No QE (e.g. trivial change with high reviewer's confidence, or per agreement with the QE team). > Instructions for interacting with me using PR comments are available [here](https://prow.ci.openshift.org/command-help?repo=netobserv%2Fnetobserv-ebpf-agent). If you have questions or suggestions related to my behavior, please file an issue against the [openshift-eng/jira-lifecycle-plugin](https://github.com/openshift-eng/jira-lifecycle-plugin/issues/new) repository.
msherif1234 commented 2 months ago

/approve

openshift-ci[bot] commented 2 months ago

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: msherif1234

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files: - ~~[OWNERS](https://github.com/netobserv/netobserv-ebpf-agent/blob/main/OWNERS)~~ [msherif1234] Approvers can indicate their approval by writing `/approve` in a comment Approvers can cancel approval by writing `/approve cancel` in a comment