bpf: add drop reason for TTL exceeded

Make the TTL drops from ipv4_l3() more visible. Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
cilium · Jul 21, 2023 · 4e9bbcd · 4e9bbcd
1 parent c8ce545
commit 4e9bbcd
Show file tree

Hide file tree

Showing 7 changed files with 179 additions and 169 deletions.
diff --git a/api/v1/flow/README.md b/api/v1/flow/README.md
@@ -978,6 +978,7 @@ here.
 | UNSUPPORTED_PROTOCOL_FOR_DSR_ENCAP | 193 |  |
 | NO_EGRESS_GATEWAY | 194 |  |
 | UNENCRYPTED_TRAFFIC | 195 |  |
+| TTL_EXCEEDED | 196 |  |
 
 
 

diff --git a/api/v1/flow/flow.pb.go b/api/v1/flow/flow.pb.go
diff --git a/api/v1/flow/flow.proto b/api/v1/flow/flow.proto
@@ -392,6 +392,7 @@ enum DropReason {
     UNSUPPORTED_PROTOCOL_FOR_DSR_ENCAP = 193;
     NO_EGRESS_GATEWAY = 194;
     UNENCRYPTED_TRAFFIC = 195;
+    TTL_EXCEEDED = 196;
 }
 
 enum TrafficDirection {

diff --git a/api/v1/observer/observer.pb.go b/api/v1/observer/observer.pb.go
diff --git a/bpf/lib/common.h b/bpf/lib/common.h
@@ -611,6 +611,7 @@ enum {
 #define DROP_DSR_ENCAP_UNSUPP_PROTO	-193
 #define DROP_NO_EGRESS_GATEWAY	-194
 #define DROP_UNENCRYPTED_TRAFFIC -195
+#define DROP_TTL_EXCEEDED	-196
 
 #define NAT_PUNT_TO_STACK	DROP_NAT_NOT_NEEDED
 #define NAT_NEEDED		CTX_ACT_OK

diff --git a/bpf/lib/l3.h b/bpf/lib/l3.h
@@ -55,7 +55,7 @@ static __always_inline int ipv4_l3(struct __ctx_buff *ctx, int l3_off,
 {
 	if (ipv4_dec_ttl(ctx, l3_off, ip4)) {
 		/* FIXME: Send ICMP TTL */
-		return DROP_INVALID;
+		return DROP_TTL_EXCEEDED;
 	}
 
 	if (smac && eth_store_saddr(ctx, smac, 0) < 0)

diff --git a/pkg/monitor/api/drop.go b/pkg/monitor/api/drop.go
@@ -91,6 +91,7 @@ var errors = map[uint8]string{
 	193: "Unsupported packet protocol for DSR encapsulation",
 	194: "No egress gateway found",
 	195: "Traffic is unencrypted",
+	196: "TTL exceeded",
 }
 
 func extendedReason(reason uint8, extError int8) string {