CFP: Support drop_reason_desc in flow filter #32051

Closed
sathieu opened this issue Apr 18, 2024 · 2 comments · Fixed by #32135
Labels
kind/feature This introduces new functionality. sig/hubble Impacts hubble server or relay

sathieu commented Apr 18, 2024

Cilium Feature Proposal

Is your proposed feature related to a problem?

We are using hubble exporter and want to exclude events with drop_reason_desc UNSUPPORTED_L3_PROTOCOL.

We tried:

```yaml
hubble:
  export:
  # ...
      dynamic:
        enabled: true
        config:
          # ...
          content:
          - name: principal
            # ...
            excludeFilters:
            - drop_reason_desc:
              - UNSUPPORTED_L3_PROTOCOL
            - drop_reason:
              - "139" # UNSUPPORTED_L3_PROTOCOL
            - event_type:
              - type: 1
                match_sub_type: true
                sub_type: 139
```

Only the third way (event_type) works, but it is not user-friendly. The other two fail to load.

Describe the feature you'd like

drop_reason_desc to be supported as a filter type.

See:

cilium/api/v1/flow/flow.pb.go

Lines 2892 to 2980 in aef6814

```go
// FlowFilter represent an individual flow filter. All fields are optional. If
// multiple fields are set, then all fields must match for the filter to match.
type FlowFilter struct {
	state protoimpl.MessageState
	sizeCache protoimpl.SizeCache
	unknownFields protoimpl.UnknownFields
	// uuid filters by a list of flow uuids.
	Uuid []string `protobuf:"bytes,29,rep,name=uuid,proto3" json:"uuid,omitempty"`
	// source_ip filters by a list of source ips. Each of the source ips can be
	// specified as an exact match (e.g. "1.1.1.1") or as a CIDR range (e.g.
	// "1.1.1.0/24").
	SourceIp []string `protobuf:"bytes,1,rep,name=source_ip,json=sourceIp,proto3" json:"source_ip,omitempty"`
	// source_pod filters by a list of source pod name prefixes, optionally
	// within a given namespace (e.g. "xwing", "kube-system/coredns-").
	// The pod name can be omitted to only filter by namespace
	// (e.g. "kube-system/") or the namespace can be omitted to filter for
	// pods in any namespace (e.g. "/xwing")
	SourcePod []string `protobuf:"bytes,2,rep,name=source_pod,json=sourcePod,proto3" json:"source_pod,omitempty"`
	// source_fqdn filters by a list of source fully qualified domain names
	SourceFqdn []string `protobuf:"bytes,7,rep,name=source_fqdn,json=sourceFqdn,proto3" json:"source_fqdn,omitempty"`
	// source_labels filters on a list of source label selectors. Selectors
	// support the full Kubernetes label selector syntax.
	SourceLabel []string `protobuf:"bytes,10,rep,name=source_label,json=sourceLabel,proto3" json:"source_label,omitempty"`
	// source_service filters on a list of source service names. This field
	// supports the same syntax as the source_pod field.
	SourceService []string `protobuf:"bytes,16,rep,name=source_service,json=sourceService,proto3" json:"source_service,omitempty"`
	// source_workload filters by a list of source workload.
	SourceWorkload []*Workload `protobuf:"bytes,26,rep,name=source_workload,json=sourceWorkload,proto3" json:"source_workload,omitempty"`
	// destination_ip filters by a list of destination ips. Each of the
	// destination ips can be specified as an exact match (e.g. "1.1.1.1") or
	// as a CIDR range (e.g. "1.1.1.0/24").
	DestinationIp []string `protobuf:"bytes,3,rep,name=destination_ip,json=destinationIp,proto3" json:"destination_ip,omitempty"`
	// destination_pod filters by a list of destination pod names
	DestinationPod []string `protobuf:"bytes,4,rep,name=destination_pod,json=destinationPod,proto3" json:"destination_pod,omitempty"`
	// destination_fqdn filters by a list of destination fully qualified domain names
	DestinationFqdn []string `protobuf:"bytes,8,rep,name=destination_fqdn,json=destinationFqdn,proto3" json:"destination_fqdn,omitempty"`
	// destination_label filters on a list of destination label selectors
	DestinationLabel []string `protobuf:"bytes,11,rep,name=destination_label,json=destinationLabel,proto3" json:"destination_label,omitempty"`
	// destination_service filters on a list of destination service names
	DestinationService []string `protobuf:"bytes,17,rep,name=destination_service,json=destinationService,proto3" json:"destination_service,omitempty"`
	// destination_workload filters by a list of destination workload.
	DestinationWorkload []*Workload `protobuf:"bytes,27,rep,name=destination_workload,json=destinationWorkload,proto3" json:"destination_workload,omitempty"`
	// traffic_direction filters flow by direction of the connection, e.g.
	// ingress or egress.
	TrafficDirection []TrafficDirection `protobuf:"varint,30,rep,packed,name=traffic_direction,json=trafficDirection,proto3,enum=flow.TrafficDirection" json:"traffic_direction,omitempty"`
	// only return Flows that were classified with a particular verdict.
	Verdict []Verdict `protobuf:"varint,5,rep,packed,name=verdict,proto3,enum=flow.Verdict" json:"verdict,omitempty"`
	// event_type is the list of event types to filter on
	EventType []*EventTypeFilter `protobuf:"bytes,6,rep,name=event_type,json=eventType,proto3" json:"event_type,omitempty"`
	// http_status_code is a list of string prefixes (e.g. "4+", "404", "5+")
	// to filter on the HTTP status code
	HttpStatusCode []string `protobuf:"bytes,9,rep,name=http_status_code,json=httpStatusCode,proto3" json:"http_status_code,omitempty"`
	// protocol filters flows by L4 or L7 protocol, e.g. (e.g. "tcp", "http")
	Protocol []string `protobuf:"bytes,12,rep,name=protocol,proto3" json:"protocol,omitempty"`
	// source_port filters flows by L4 source port
	SourcePort []string `protobuf:"bytes,13,rep,name=source_port,json=sourcePort,proto3" json:"source_port,omitempty"`
	// destination_port filters flows by L4 destination port
	DestinationPort []string `protobuf:"bytes,14,rep,name=destination_port,json=destinationPort,proto3" json:"destination_port,omitempty"`
	// reply filters flows based on the direction of the flow.
	Reply []bool `protobuf:"varint,15,rep,packed,name=reply,proto3" json:"reply,omitempty"`
	// dns_query filters L7 DNS flows by query patterns (RE2 regex), e.g. 'kube.*local'.
	DnsQuery []string `protobuf:"bytes,18,rep,name=dns_query,json=dnsQuery,proto3" json:"dns_query,omitempty"`
	// source_identity filters by the security identity of the source endpoint.
	SourceIdentity []uint32 `protobuf:"varint,19,rep,packed,name=source_identity,json=sourceIdentity,proto3" json:"source_identity,omitempty"`
	// destination_identity filters by the security identity of the destination endpoint.
	DestinationIdentity []uint32 `protobuf:"varint,20,rep,packed,name=destination_identity,json=destinationIdentity,proto3" json:"destination_identity,omitempty"`
	// GET, POST, PUT, etc. methods. This type of field is well suited for an
	// enum but every single existing place is using a string already.
	HttpMethod []string `protobuf:"bytes,21,rep,name=http_method,json=httpMethod,proto3" json:"http_method,omitempty"`
	// http_path is a list of regular expressions to filter on the HTTP path.
	HttpPath []string `protobuf:"bytes,22,rep,name=http_path,json=httpPath,proto3" json:"http_path,omitempty"`
	// http_url is a list of regular expressions to filter on the HTTP URL.
	HttpUrl []string `protobuf:"bytes,31,rep,name=http_url,json=httpUrl,proto3" json:"http_url,omitempty"`
	// http_header is a list of key:value pairs to filter on the HTTP headers.
	HttpHeader []*HTTPHeader `protobuf:"bytes,32,rep,name=http_header,json=httpHeader,proto3" json:"http_header,omitempty"`
	// tcp_flags filters flows based on TCP header flags
	TcpFlags []*TCPFlags `protobuf:"bytes,23,rep,name=tcp_flags,json=tcpFlags,proto3" json:"tcp_flags,omitempty"`
	// node_name is a list of patterns to filter on the node name, e.g. "k8s*",
	// "test-cluster/*.domain.com", "cluster-name/" etc.
	NodeName []string `protobuf:"bytes,24,rep,name=node_name,json=nodeName,proto3" json:"node_name,omitempty"`
	// filter based on IP version (ipv4 or ipv6)
	IpVersion []IPVersion `protobuf:"varint,25,rep,packed,name=ip_version,json=ipVersion,proto3,enum=flow.IPVersion" json:"ip_version,omitempty"`
	// trace_id filters flows by trace ID
	TraceId []string `protobuf:"bytes,28,rep,name=trace_id,json=traceId,proto3" json:"trace_id,omitempty"`
	// experimental contains filters that are not stable yet. Support for
	// experimental features is always optional and subject to change.
	Experimental *FlowFilter_Experimental `protobuf:"bytes,999,opt,name=experimental,proto3" json:"experimental,omitempty"`
}
```
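
An added example (not part of the original issue, and not Cilium's code) modelling what a drop_reason_desc exclude filter would do: resolve the name to its numeric drop reason, fail on unknown names, and count what the filter suppresses from the export. The `Flow` type and the `Compile` and `Export` functions are hypothetical; 139 is the code quoted in the issue, while 133/POLICY_DENIED is an assumption added for contrast.

```go
package main

import "fmt"

// Drop reason names to codes. 139 is quoted in the issue; 133 is included
// for contrast and does not come from the page.
var dropReasons = map[string]uint32{"UNSUPPORTED_L3_PROTOCOL": 139, "POLICY_DENIED": 133}

// Flow is a hypothetical, reduced stand-in for a Hubble flow event.
type Flow struct {
	EventType  int32  // 1 = drop event, as in the issue's event_type filter
	DropReason uint32 // numeric drop reason, 0 if the flow was not dropped
}

// Compile resolves a list of drop_reason_desc names to codes. Unknown names are
// an error, so a typo fails at load time instead of silently excluding nothing.
func Compile(names []string) (map[uint32]bool, error) {
	set := make(map[uint32]bool, len(names))
	for _, n := range names {
		code, ok := dropReasons[n]
		if !ok {
			return nil, fmt.Errorf("drop_reason_desc: unknown name %q", n)
		}
		set[code] = true
	}
	return set, nil
}

// Export returns the flows that survive the exclude filter, plus a count of
// suppressed flows per drop reason so the operator can audit what is hidden.
func Export(flows []Flow, exclude map[uint32]bool) (kept []Flow, suppressed map[uint32]int) {
	suppressed = map[uint32]int{}
	for _, f := range flows {
		if f.EventType == 1 && exclude[f.DropReason] {
			suppressed[f.DropReason]++
			continue
		}
		kept = append(kept, f)
	}
	return kept, suppressed
}

func main() {
	// Constructed sample flows: two L3 drops, one policy drop, one non-drop event.
	flows := []Flow{{1, 139}, {1, 133}, {4, 0}, {1, 139}}
	exclude, err := Compile([]string{"UNSUPPORTED_L3_PROTOCOL"})
	kept, suppressed := Export(flows, exclude)
	fmt.Println(len(kept), suppressed, err) // 2 map[139:2] <nil>
}
```

The per-reason suppression count is the part worth keeping in a real pipeline: an exclude filter removes telemetry, and the count shows that only the intended drop reason is being hidden.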

@sathieu sathieu added the kind/feature This introduces new functionality. label Apr 18, 2024
@rolinh rolinh added the sig/hubble Impacts hubble server or relay label Apr 18, 2024
@chaunceyjiang
Member

I'm quite interested in this feature. Could you assign this issue to me?

chaunceyjiang added a commit to chaunceyjiang/cilium that referenced this issue Apr 23, 2024
Fixes: cilium#32051

Signed-off-by: chaunceyjiang <chaunceyjiang@gmail.com>
sathieu commented Apr 23, 2024

/assign @chaunceyjiang

chaunceyjiang added a commit to chaunceyjiang/cilium that referenced this issue Apr 25, 2024
Fixes: cilium#32051

Signed-off-by: chaunceyjiang <chaunceyjiang@gmail.com>
chaunceyjiang added a commit to chaunceyjiang/cilium that referenced this issue Apr 26, 2024
Fixes: cilium#32051

Signed-off-by: chaunceyjiang <chaunceyjiang@gmail.com>
github-merge-queue bot pushed a commit that referenced this issue Apr 26, 2024
Fixes: #32051

Signed-off-by: chaunceyjiang <chaunceyjiang@gmail.com>