cilium · YutaroHayakawa · Mar 3, 2023 · Mar 1, 2023 · Mar 1, 2023
diff --git a/Documentation/security/policy-creation.rst b/Documentation/security/policy-creation.rst
@@ -26,7 +26,7 @@ Scale down the deathstar Deployment
 ===================================
 
 In this guide we're going to scale down the deathstar Deployment in order to
-next steps:
+simplify the next steps:
 
 .. code-block:: shell-session
 

diff --git a/api/v1/flow/README.md b/api/v1/flow/README.md
@@ -322,6 +322,7 @@ multiple fields are set, then all fields must match for the filter to match.
 | destination_label | [string](#string) | repeated | destination_label filters on a list of destination label selectors |
 | destination_service | [string](#string) | repeated | destination_service filters on a list of destination service names |
 | destination_workload | [Workload](#flow-Workload) | repeated | destination_workload filters by a list of destination workload. |
+| traffic_direction | [TrafficDirection](#flow-TrafficDirection) | repeated | traffic_direction filters flow by direction of the connection, e.g. ingress or egress. |
 | verdict | [Verdict](#flow-Verdict) | repeated | only return Flows that were classified with a particular verdict. |
 | event_type | [EventTypeFilter](#flow-EventTypeFilter) | repeated | event_type is the list of event types to filter on |
 | http_status_code | [string](#string) | repeated | http_status_code is a list of string prefixes (e.g. &#34;4&#43;&#34;, &#34;404&#34;, &#34;5&#43;&#34;) to filter on the HTTP status code |

diff --git a/api/v1/flow/flow.pb.go b/api/v1/flow/flow.pb.go
diff --git a/api/v1/flow/flow.proto b/api/v1/flow/flow.proto
@@ -464,6 +464,10 @@ message FlowFilter {
     // destination_workload filters by a list of destination workload.
     repeated Workload destination_workload = 27;
 
+    // traffic_direction filters flow by direction of the connection, e.g.
+    // ingress or egress.
+    repeated TrafficDirection traffic_direction = 30;
+
     // only return Flows that were classified with a particular verdict.
     repeated Verdict verdict = 5;
     // event_type is the list of event types to filter on

diff --git a/pkg/hubble/filters/filters.go b/pkg/hubble/filters/filters.go
@@ -142,4 +142,5 @@ var DefaultFilters = []OnBuildFilter{
 	&NodeNameFilter{},
 	&IPVersionFilter{},
 	&TraceIDFilter{},
+	&TrafficDirectionFilter{},
 }
diff --git a/pkg/hubble/filters/traffic_direction.go b/pkg/hubble/filters/traffic_direction.go
@@ -0,0 +1,41 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright Authors of Hubble
+
+package filters
+
+import (
+	"context"
+
+	flowpb "github.com/cilium/cilium/api/v1/flow"
+	v1 "github.com/cilium/cilium/pkg/hubble/api/v1"
+)
+
+func filterByTrafficDirection(directions []flowpb.TrafficDirection) FilterFunc {
+	return func(ev *v1.Event) bool {
+		flow := ev.GetFlow()
+		if flow == nil {
+			return false
+		}
+		for _, d := range directions {
+			if d == flow.GetTrafficDirection() {
+				return true
+			}
+		}
+		return false
+	}
+}
+
+// TrafficDirectionFilter implements filtering based on flow traffic direction
+// (e.g. ingress or egress).
+type TrafficDirectionFilter struct{}
+
+// OnBuildFilter builds a a flow traffic direction filter.
+func (e *TrafficDirectionFilter) OnBuildFilter(ctx context.Context, ff *flowpb.FlowFilter) ([]FilterFunc, error) {
+	var fs []FilterFunc
+
+	if directions := ff.GetTrafficDirection(); len(directions) > 0 {
+		fs = append(fs, filterByTrafficDirection(directions))
+	}
+
+	return fs, nil
+}
diff --git a/pkg/hubble/filters/traffic_direction_test.go b/pkg/hubble/filters/traffic_direction_test.go
@@ -0,0 +1,75 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright Authors of Hubble
+
+package filters
+
+import (
+	"context"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+
+	flowpb "github.com/cilium/cilium/api/v1/flow"
+	v1 "github.com/cilium/cilium/pkg/hubble/api/v1"
+)
+
+func TestTrafficDirectionFilter(t *testing.T) {
+	type args struct {
+		f  []*flowpb.FlowFilter
+		ev *v1.Event
+	}
+	tests := []struct {
+		name string
+		args args
+		want bool
+	}{
+		{
+			name: "nil",
+			args: args{
+				f: []*flowpb.FlowFilter{{
+					TrafficDirection: []flowpb.TrafficDirection{
+						flowpb.TrafficDirection_INGRESS,
+					},
+				}},
+				ev: nil,
+			},
+			want: false,
+		},
+		{
+			name: "match",
+			args: args{
+				f: []*flowpb.FlowFilter{{
+					TrafficDirection: []flowpb.TrafficDirection{
+						flowpb.TrafficDirection_INGRESS,
+					},
+				}},
+				ev: &v1.Event{Event: &flowpb.Flow{
+					TrafficDirection: flowpb.TrafficDirection_INGRESS,
+				}},
+			},
+			want: true,
+		},
+		{
+			name: "no-match",
+			args: args{
+				f: []*flowpb.FlowFilter{{
+					TrafficDirection: []flowpb.TrafficDirection{
+						flowpb.TrafficDirection_INGRESS,
+					},
+				}},
+				ev: &v1.Event{Event: &flowpb.Flow{
+					TrafficDirection: flowpb.TrafficDirection_TRAFFIC_DIRECTION_UNKNOWN,
+				}},
+			},
+			want: false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			fl, err := BuildFilterList(context.Background(), tt.args.f, []OnBuildFilter{&TrafficDirectionFilter{}})
+			assert.NoError(t, err)
+			assert.Equal(t, tt.want, fl.MatchOne(tt.args.ev))
+		})
+	}
+}