printer: Add support for SockLB events

This adds support for Trace SockLB events. These events are similar to L3/L4 trace events, but are traced on the socket level. This means they have a few differences to regular trace events: - There are events for pre- and post-translation. This means that we now get visibility into the service load balancing, meaning that source/destination service is populated before NAT/after rev-NAT. - These events do not contain the source port or packet related details (such as TCP flags, Ethernet headers etc). - Because the events are emitted on a socket level, there is no meaningful traffic direction or reply status. The reply status and traffic direction of the trace sock events is unknown. - These events have two verdicts: TRACED and TRANSLATED. The former is used when ever the SockLB BPF hook is executed, the latter is additionally emitted if NAT or reverse NAT has been applied. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com>
cilium · Nov 21, 2022 · d580ee4 · d580ee4
1 parent 8b29eeb
commit d580ee4
Show file tree

Hide file tree

Showing 5 changed files with 56 additions and 4 deletions.
diff --git a/cmd/observe/flows.go b/cmd/observe/flows.go
@@ -54,6 +54,8 @@ var verdicts = []string{
 	flowpb.Verdict_AUDIT.String(),
 	flowpb.Verdict_REDIRECTED.String(),
 	flowpb.Verdict_ERROR.String(),
+	flowpb.Verdict_TRACED.String(),
+	flowpb.Verdict_TRANSLATED.String(),
 }
 
 // flowEventTypes are the valid event types supported by observe. This corresponds
@@ -67,6 +69,7 @@ var flowEventTypes = []string{
 	monitorAPI.MessageTypeNameL7,
 	monitorAPI.MessageTypeNamePolicyVerdict,
 	monitorAPI.MessageTypeNameTrace,
+	monitorAPI.MessageTypeNameTraceSock,
 }
 
 // flowEventTypeSubtypes is a map message types and all their subtypes.
@@ -89,6 +92,7 @@ var flowEventTypeSubtypes = map[string][]string{
 	},
 	monitorAPI.MessageTypeNameL7:            nil,
 	monitorAPI.MessageTypeNamePolicyVerdict: nil,
+	monitorAPI.MessageTypeNameTraceSock:     nil,
 }
 
 const (

diff --git a/cmd/observe/flows_test.go b/cmd/observe/flows_test.go
@@ -22,17 +22,15 @@ import (
 func TestEventTypes(t *testing.T) {
 	// Make sure to keep event type slices in sync. Agent events, debug
 	// events and recorder captures have separate subcommands and are not
-	// supported in observe, and trace-sock events aren't supported in the API
-	// yet, thus the 4. See flowEventTypes godoc for details.
-	require.Len(t, flowEventTypes, len(monitorAPI.MessageTypeNames)-4)
+	// supported in observe, thus the 3. See flowEventTypes godoc for details.
+	require.Len(t, flowEventTypes, len(monitorAPI.MessageTypeNames)-3)
 	for _, v := range flowEventTypes {
 		require.Contains(t, monitorAPI.MessageTypeNames, v)
 	}
 	for k := range monitorAPI.MessageTypeNames {
 		switch k {
 		case monitorAPI.MessageTypeNameAgent,
 			monitorAPI.MessageTypeNameDebug,
-			monitorAPI.MessageTypeNameTraceSock,
 			monitorAPI.MessageTypeNameRecCapture:
 			continue
 		}

diff --git a/pkg/printer/color.go b/pkg/printer/color.go
@@ -100,3 +100,11 @@ func (c colorer) verdictDropped(a interface{}) string {
 func (c colorer) verdictAudit(a interface{}) string {
 	return c.yellow.Sprint(a)
 }
+
+func (c colorer) verdictTraced(a interface{}) string {
+	return c.yellow.Sprint(a)
+}
+
+func (c colorer) verdictTranslated(a interface{}) string {
+	return c.yellow.Sprint(a)
+}
diff --git a/pkg/printer/printer.go b/pkg/printer/printer.go
@@ -222,6 +222,18 @@ func GetFlowType(f *pb.Flow) string {
 
 	case api.MessageTypeCapture:
 		return f.GetDebugCapturePoint().String()
+	case api.MessageTypeTraceSock:
+		switch f.GetSockXlatePoint() {
+		case pb.SocketTranslationPoint_SOCK_XLATE_POINT_POST_DIRECTION_FWD:
+			return "post-xlate-fwd"
+		case pb.SocketTranslationPoint_SOCK_XLATE_POINT_POST_DIRECTION_REV:
+			return "post-xlate-rev"
+		case pb.SocketTranslationPoint_SOCK_XLATE_POINT_PRE_DIRECTION_FWD:
+			return "pre-xlate-fwd"
+		case pb.SocketTranslationPoint_SOCK_XLATE_POINT_PRE_DIRECTION_REV:
+			return "pre-xlate-rev"
+		}
+		return f.GetSockXlatePoint().String()
 	}
 
 	return "UNKNOWN"
@@ -246,6 +258,10 @@ func (p Printer) getVerdict(f *pb.Flow) string {
 			msg = "AUDITED"
 		}
 		return p.color.verdictAudit(msg)
+	case pb.Verdict_TRACED:
+		return p.color.verdictTraced(msg)
+	case pb.Verdict_TRANSLATED:
+		return p.color.verdictTranslated(msg)
 	default:
 		return msg
 	}

diff --git a/pkg/printer/printer_test.go b/pkg/printer/printer_test.go
@@ -661,6 +661,32 @@ func Test_getFlowType(t *testing.T) {
 			},
 			want: "policy-verdict:none INGRESS",
 		},
+		{
+			name: "SockLB pre-translate",
+			args: args{
+				f: &pb.Flow{
+					Verdict: pb.Verdict_TRACED,
+					EventType: &pb.CiliumEventType{
+						Type: monitorAPI.MessageTypeTraceSock,
+					},
+					SockXlatePoint: pb.SocketTranslationPoint_SOCK_XLATE_POINT_PRE_DIRECTION_FWD,
+				},
+			},
+			want: "pre-xlate-fwd",
+		},
+		{
+			name: "SockLB post-translate",
+			args: args{
+				f: &pb.Flow{
+					Verdict: pb.Verdict_TRANSLATED,
+					EventType: &pb.CiliumEventType{
+						Type: monitorAPI.MessageTypeTraceSock,
+					},
+					SockXlatePoint: pb.SocketTranslationPoint_SOCK_XLATE_POINT_POST_DIRECTION_FWD,
+				},
+			},
+			want: "post-xlate-fwd",
+		},
 		{
 			name: "Debug Capture",
 			args: args{