Hubble: fix traffic direction and is reply when IPSec is enabled #31211
Before this patch, Hubble would wrongly report known traffic direction and reply status when IPSec was enabled.

Signed-off-by: Alexandre Perrin <alex@isovalent.com>

c32237f to e76fce6
After closer inspection: while it's clear that in the datapath Lines 1093 to 1094 in 7e4ad4a
cc @learnitall to confirm this; it's related to #29616 and the coccinelle script assumes no masking of If correct, and with the masking logic in mind,
Consequently, while this patch fixes the monitor helper functions, the behaviour should be unchanged by the patch. So I'm unsure whether it is correct to qualify the PR as either a bug fix or as needing a backport. Since it doesn't fix any actual bug it could be misleading to report it as a bug fix in the release notes, and while the backport should be very low risk, IMHO it's not worth the effort (we could close this PR and the fix will land in
Datapath logic here looks good. Not sure if we're going far enough on fixing up usage of the encrypted trace mask, but that doesn't have to be addressed here.
/test
/ci-ginkgo
/ci-runtime
/ci-ginkgo
Backport note: this patch won't apply cleanly on top of v1.13 which doesn't have the SRV6 encap/decap trace reasons, in v1.13 we only need the `TraceReasonIsKnown()` change in `datapath_trace.go` and the couple of `TRACE_FROM_LXC` test cases added in `parser_test.go`.

Before this patch, Hubble would wrongly report known traffic direction and reply status when IPSec was enabled.

The Cilium datapath uses `trace_reason` to convey both the trace reason and encryption status of trace notifications. The trace reason is decoded as-is by userspace in the `TraceNotify.Reason` field, and users of the `Reason` field must carefully check the encrypt bit (see for example here or here). Unfortunately, `TraceReasonIsKnown`, `TraceReasonIsEncap`, and `TraceReasonIsDecap` didn't take the encrypt bit into account and thus returned wrong results when the encrypt bit was set.

One proper fix would be to refactor the monitor code to provide enough helpers for users so that they would not need to directly access the `Reason` field. This will be implemented in a separate PR in order to avoid backporting refactoring commits.

Related to #31202