cmd: Display decryption interfaces in encrypt status

This commit adds a new line to cilium encrypt status, with the list of interfaces on which decryption can happen: $ ks exec ds/cilium -c cilium-agent -- cilium encrypt status Encryption: IPsec Decryption interface(s): eth0, eth1, eth2 Keys in use: 1 Max Seq. Number: 0x6e/0xffffffff Errors: 0 This can be useful to check that Cilium is attached to all the interfaces it should be attached to (all those that can receive remote pod traffic). Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
cilium · Oct 23, 2023 · 5fe02cc · 5fe02cc
1 parent 3f499b4
commit 5fe02cc
Show file tree

Hide file tree

Showing 2 changed files with 42 additions and 1 deletion.
diff --git a/Documentation/security/network/encryption-ipsec.rst b/Documentation/security/network/encryption-ipsec.rst
@@ -205,14 +205,17 @@ Troubleshooting
 
        $ cilium-dbg encrypt status
        Encryption: IPsec
+       Decryption interface(s): eth0, eth1, eth2
        Keys in use: 1
        Max Seq. Number: 0x1e3/0xffffffff
        Errors: 0
 
    If the error counter is non-zero, additional information will be displayed
    with the specific errors the kernel encountered. If the sequence number
    reaches its maximum value, it will also result in errors. The number of
-   keys in use should be 2 during a key rotation and always 1 otherwise.
+   keys in use should be 2 during a key rotation and always 1 otherwise. The
+   list of decryption interfaces should have all native devices that may
+   receive pod traffic (ex. ENI interfaces).
 
  * All XFRM errors correspond to a packet drop in the kernel. Except for
    ``XfrmFwdHdrError`` and ``XfrmInError``, all XFRM errors indicate a bug in

diff --git a/cilium-dbg/cmd/encrypt_status.go b/cilium-dbg/cmd/encrypt_status.go
@@ -123,13 +123,51 @@ func getEncryptionMode() {
 	}
 }
 
+func isDecryptionInterface(link netlink.Link) (bool, error) {
+	filters, err := netlink.FilterList(link, tcFilterParentIngress)
+	if err != nil {
+		return false, err
+	}
+	for _, f := range filters {
+		if bpfFilter, ok := f.(*netlink.BpfFilter); ok {
+			// We consider the interface a decryption interface if it has the
+			// BPF program we use to mark ESP packets for decryption, that is
+			// the cil_from_network BPF program.
+			if strings.Contains(bpfFilter.Name, "cil_from_network") {
+				return true, nil
+			}
+		}
+	}
+	return false, nil
+}
+
+func getDecryptionInterfaces() []string {
+	decryptionIfaces := []string{}
+	links, err := netlink.LinkList()
+	if err != nil {
+		Fatalf("Failed to list interfaces: %s", err)
+	}
+	for _, link := range links {
+		itIs, err := isDecryptionInterface(link)
+		if err != nil {
+			Fatalf("Failed to list BPF programs for %s: %s", link.Attrs().Name, err)
+		}
+		if itIs {
+			decryptionIfaces = append(decryptionIfaces, link.Attrs().Name)
+		}
+	}
+	return decryptionIfaces
+}
+
 func dumpIPsecStatus() {
 	xfrmStates, err := netlink.XfrmStateList(netlink.FAMILY_ALL)
 	if err != nil {
 		Fatalf("Cannot get xfrm state: %s", err)
 	}
 	keys := ipsec.CountUniqueIPsecKeys(xfrmStates)
 	oseq := maxSequenceNumber()
+	interfaces := getDecryptionInterfaces()
+	fmt.Printf("Decryption interface(s): %s\n", strings.Join(interfaces, ", "))
 	fmt.Printf("Keys in use: %-26d\n", keys)
 	fmt.Printf("Max Seq. Number: %s\n", oseq)
 	errCount, errMap := getXfrmStats("")