NETOBSERV-1186: extract DNS flags rcode field and stringify it

Signed-off-by: msherif1234 <mmahmoud@redhat.com>
netobserv · Jul 12, 2023 · db148b4 · db148b4
1 parent ff26af2
commit db148b4
Show file tree

Hide file tree

Showing 4 changed files with 139 additions and 49 deletions.
diff --git a/pkg/config/generic_map.go b/pkg/config/generic_map.go
@@ -42,3 +42,18 @@ func (m GenericMap) IsDuplicate() bool {
 	}
 	return false
 }
+
+// Append will create new GenericMap that contains n and m GenericMaps
+func (m GenericMap) Append(n GenericMap) GenericMap {
+	result := make(GenericMap, len(m)+len(n))
+
+	for k, v := range m {
+		result[k] = v
+	}
+	for k, v := range n {
+		if _, ok := result[k]; !ok {
+			result[k] = v
+		}
+	}
+	return result
+}
diff --git a/pkg/pipeline/decode/decode_protobuf.go b/pkg/pipeline/decode/decode_protobuf.go
@@ -3,11 +3,14 @@ package decode
 import (
 	"fmt"
 	"net"
+	"syscall"
 	"time"
 
 	"github.com/netobserv/flowlogs-pipeline/pkg/config"
 	"github.com/netobserv/netobserv-ebpf-agent/pkg/pbflow"
+
 	log "github.com/sirupsen/logrus"
+	"golang.org/x/sys/unix"
 	"google.golang.org/protobuf/proto"
 )
 
@@ -37,36 +40,76 @@ func PBFlowToMap(flow *pbflow.Record) config.GenericMap {
 		return config.GenericMap{}
 	}
 	out := config.GenericMap{
-		"FlowDirection":          int(flow.Direction.Number()),
-		"Bytes":                  flow.Bytes,
-		"SrcAddr":                ipToStr(flow.Network.GetSrcAddr()),
-		"DstAddr":                ipToStr(flow.Network.GetDstAddr()),
-		"SrcMac":                 macToStr(flow.DataLink.GetSrcMac()),
-		"DstMac":                 macToStr(flow.DataLink.GetDstMac()),
-		"SrcPort":                flow.Transport.GetSrcPort(),
-		"DstPort":                flow.Transport.GetDstPort(),
-		"Etype":                  flow.EthProtocol,
-		"Packets":                flow.Packets,
-		"Duplicate":              flow.Duplicate,
-		"Proto":                  flow.Transport.GetProtocol(),
-		"TimeFlowStartMs":        flow.TimeFlowStart.AsTime().UnixMilli(),
-		"TimeFlowEndMs":          flow.TimeFlowEnd.AsTime().UnixMilli(),
-		"TimeReceived":           time.Now().Unix(),
-		"Interface":              flow.Interface,
-		"AgentIP":                ipToStr(flow.AgentIp),
-		"Flags":                  flow.Flags,
-		"IcmpType":               flow.GetIcmpType(),
-		"IcmpCode":               flow.GetIcmpCode(),
-		"TcpDropBytes":           flow.TcpDropBytes,
-		"TcpDropPackets":         flow.TcpDropPackets,
-		"TcpDropLatestFlags":     flow.GetTcpDropLatestFlags(),
-		"TcpDropLatestState":     tcpStateToStr(flow.GetTcpDropLatestState()),
-		"TcpDropLatestDropCause": tcpDropCauseToStr(flow.GetTcpDropLatestDropCause()),
-		"DnsRequestTimeMs":       flow.TimeDnsReq.AsTime().UnixMilli(),
-		"DnsResponseTimeMs":      flow.TimeDnsRsp.AsTime().UnixMilli(),
-		"DnsId":                  flow.GetDnsId(),
-		"DnsFlags":               flow.GetDnsFlags(),
-		"TimeFlowRttMs":          flow.TimeFlowRtt.AsDuration().Milliseconds(),
+		"FlowDirection":   int(flow.Direction.Number()),
+		"Bytes":           flow.Bytes,
+		"SrcAddr":         ipToStr(flow.Network.GetSrcAddr()),
+		"DstAddr":         ipToStr(flow.Network.GetDstAddr()),
+		"SrcMac":          macToStr(flow.DataLink.GetSrcMac()),
+		"DstMac":          macToStr(flow.DataLink.GetDstMac()),
+		"Etype":           flow.EthProtocol,
+		"Packets":         flow.Packets,
+		"Duplicate":       flow.Duplicate,
+		"Proto":           flow.Transport.GetProtocol(),
+		"TimeFlowStartMs": flow.TimeFlowStart.AsTime().UnixMilli(),
+		"TimeFlowEndMs":   flow.TimeFlowEnd.AsTime().UnixMilli(),
+		"TimeReceived":    time.Now().Unix(),
+		"Interface":       flow.Interface,
+		"AgentIP":         ipToStr(flow.AgentIp),
+	}
+
+	proto := flow.Transport.GetProtocol()
+	if proto == unix.IPPROTO_ICMP || proto == syscall.IPPROTO_ICMPV6 {
+		icmpOut := config.GenericMap{
+			"IcmpType": flow.GetIcmpType(),
+			"IcmpCode": flow.GetIcmpCode(),
+		}
+		out = out.Append(icmpOut)
+	}
+
+	if proto == syscall.IPPROTO_TCP || proto == syscall.IPPROTO_UDP || proto == syscall.IPPROTO_SCTP {
+		if proto == syscall.IPPROTO_TCP {
+			protoOut := config.GenericMap{
+				"SrcPort": flow.Transport.GetSrcPort(),
+				"DstPort": flow.Transport.GetDstPort(),
+				"Flags":   flow.Flags,
+			}
+			out = out.Append(protoOut)
+		} else {
+			protoOut := config.GenericMap{
+				"SrcPort": flow.Transport.GetSrcPort(),
+				"DstPort": flow.Transport.GetDstPort(),
+			}
+			out = out.Append(protoOut)
+		}
+	}
+
+	if flow.GetDnsId() != 0 {
+		dnsOut := config.GenericMap{
+			"DnsRequestTimeMs":     flow.TimeDnsReq.AsTime().UnixMilli(),
+			"DnsResponseTimeMs":    flow.TimeDnsRsp.AsTime().UnixMilli(),
+			"DnsId":                flow.GetDnsId(),
+			"DnsFlags":             flow.GetDnsFlags(),
+			"DnsFlagsResponseCode": dnsRcodeToStr(flow.GetDnsFlags() & 0xF),
+		}
+		out = out.Append(dnsOut)
+	}
+
+	if flow.GetTcpDropLatestDropCause() != 0 {
+		tcpDropOut := config.GenericMap{
+			"TcpDropBytes":           flow.TcpDropBytes,
+			"TcpDropPackets":         flow.TcpDropPackets,
+			"TcpDropLatestFlags":     flow.GetTcpDropLatestFlags(),
+			"TcpDropLatestState":     tcpStateToStr(flow.GetTcpDropLatestState()),
+			"TcpDropLatestDropCause": tcpDropCauseToStr(flow.GetTcpDropLatestDropCause()),
+		}
+		out = out.Append(tcpDropOut)
+	}
+
+	if flow.TimeFlowRtt.AsDuration().Milliseconds() != 0 {
+		rttOut := config.GenericMap{
+			"TimeFlowRttMs": flow.TimeFlowRtt.AsDuration().Milliseconds(),
+		}
+		out = out.Append(rttOut)
 	}
 	return out
 }
@@ -276,3 +319,45 @@ func tcpDropCauseToStr(dropCause uint32) string {
 	}
 	return "SKB_DROP_UNKNOWN_CAUSE"
 }
+
+// dnsRcodeToStr decode DNS flags response code bits and return a string
+// https://datatracker.ietf.org/doc/html/rfc2929#section-2.3
+func dnsRcodeToStr(rcode uint32) string {
+	switch rcode {
+	case 0:
+		return "NoError"
+	case 1:
+		return "FormErr"
+	case 2:
+		return "ServFail"
+	case 3:
+		return "NXDomain"
+	case 4:
+		return "NotImp"
+	case 5:
+		return "Refused"
+	case 6:
+		return "YXDomain"
+	case 7:
+		return "YXRRSet"
+	case 8:
+		return "NXRRSet"
+	case 9:
+		return "NotAuth"
+	case 10:
+		return "NotZone"
+	case 16:
+		return "BADVERS"
+	case 17:
+		return "BADKEY"
+	case 18:
+		return "BADTIME"
+	case 19:
+		return "BADMODE"
+	case 20:
+		return "BADNAME"
+	case 21:
+		return "BADALG"
+	}
+	return "UnDefined"
+}
diff --git a/pkg/pipeline/decode/decode_protobuf_test.go b/pkg/pipeline/decode/decode_protobuf_test.go
@@ -58,7 +58,7 @@ func TestDecodeProtobuf(t *testing.T) {
 		TimeDnsReq:             timestamppb.New(someTime),
 		TimeDnsRsp:             timestamppb.New(someTime),
 		DnsId:                  1,
-		DnsFlags:               0x80,
+		DnsFlags:               0x8001,
 		TimeFlowRtt:            durationpb.New(someDuration),
 	}
 	rawPB, err := proto.Marshal(&flow)
@@ -75,8 +75,6 @@ func TestDecodeProtobuf(t *testing.T) {
 		"DstAddr":                "5.6.7.8",
 		"DstMac":                 "11:22:33:44:55:66",
 		"SrcMac":                 "01:02:03:04:05:06",
-		"SrcPort":                uint32(23000),
-		"DstPort":                uint32(443),
 		"Duplicate":              false,
 		"Etype":                  uint32(2048),
 		"Packets":                uint64(123),
@@ -85,7 +83,6 @@ func TestDecodeProtobuf(t *testing.T) {
 		"TimeFlowEndMs":          someTime.UnixMilli(),
 		"Interface":              "eth0",
 		"AgentIP":                "10.9.8.7",
-		"Flags":                  uint32(0x100),
 		"IcmpType":               uint32(8),
 		"IcmpCode":               uint32(0),
 		"TcpDropBytes":           uint64(100),
@@ -96,7 +93,8 @@ func TestDecodeProtobuf(t *testing.T) {
 		"DnsRequestTimeMs":       someTime.UnixMilli(),
 		"DnsResponseTimeMs":      someTime.UnixMilli(),
 		"DnsId":                  uint32(1),
-		"DnsFlags":               uint32(0x80),
+		"DnsFlags":               uint32(0x8001),
+		"DnsFlagsResponseCode":   "FormErr",
 		"TimeFlowRttMs":          someDuration.Milliseconds(),
 	}, out)
 }
@@ -126,16 +124,14 @@ func TestPBFlowToMap(t *testing.T) {
 			SrcMac: 0x010203040506,
 		},
 		Transport: &pbflow.Transport{
-			Protocol: 1,
+			Protocol: 6,
 			SrcPort:  23000,
 			DstPort:  443,
 		},
 		AgentIp: &pbflow.IP{
 			IpFamily: &pbflow.IP_Ipv4{Ipv4: 0x0a090807},
 		},
 		Flags:                  0x100,
-		IcmpType:               10,
-		IcmpCode:               11,
 		TcpDropBytes:           200,
 		TcpDropPackets:         20,
 		TcpDropLatestFlags:     0x100,
@@ -163,14 +159,12 @@ func TestPBFlowToMap(t *testing.T) {
 		"Duplicate":              true,
 		"Etype":                  uint32(2048),
 		"Packets":                uint64(123),
-		"Proto":                  uint32(1),
+		"Proto":                  uint32(6),
 		"TimeFlowStartMs":        someTime.UnixMilli(),
 		"TimeFlowEndMs":          someTime.UnixMilli(),
 		"Interface":              "eth0",
 		"AgentIP":                "10.9.8.7",
 		"Flags":                  uint32(0x100),
-		"IcmpType":               uint32(10),
-		"IcmpCode":               uint32(11),
 		"TcpDropBytes":           uint64(200),
 		"TcpDropPackets":         uint64(20),
 		"TcpDropLatestFlags":     uint32(0x100),
@@ -180,6 +174,7 @@ func TestPBFlowToMap(t *testing.T) {
 		"DnsResponseTimeMs":      someTime.UnixMilli(),
 		"DnsId":                  uint32(1),
 		"DnsFlags":               uint32(0x80),
+		"DnsFlagsResponseCode":   "NoError",
 		"TimeFlowRttMs":          someDuration.Milliseconds(),
 	}, out)
 

diff --git a/pkg/pipeline/pipeline_test.go b/pkg/pipeline/pipeline_test.go
@@ -197,16 +197,13 @@ parameters:
 				SrcMac: 0x010203040506,
 			},
 			Transport: &pbflow.Transport{
-				Protocol: 1,
+				Protocol: 17,
 				SrcPort:  23000,
 				DstPort:  443,
 			},
 			AgentIp: &pbflow.IP{
 				IpFamily: &pbflow.IP_Ipv4{Ipv4: 0x0a0b0c0d},
 			},
-			Flags:                  0x100,
-			IcmpType:               10,
-			IcmpCode:               11,
 			TcpDropBytes:           100,
 			TcpDropPackets:         10,
 			TcpDropLatestFlags:     1,
@@ -241,14 +238,11 @@ parameters:
 		"Duplicate":              false,
 		"Etype":                  float64(2048),
 		"Packets":                float64(123),
-		"Proto":                  float64(1),
+		"Proto":                  float64(17),
 		"TimeFlowStartMs":        float64(startTime.UnixMilli()),
 		"TimeFlowEndMs":          float64(endTime.UnixMilli()),
 		"Interface":              "eth0",
 		"AgentIP":                "10.11.12.13",
-		"Flags":                  float64(0x100),
-		"IcmpType":               float64(10),
-		"IcmpCode":               float64(11),
 		"TcpDropBytes":           float64(100),
 		"TcpDropPackets":         float64(10),
 		"TcpDropLatestFlags":     float64(1),
@@ -258,6 +252,7 @@ parameters:
 		"DnsResponseTimeMs":      float64(endTime.UnixMilli()),
 		"DnsId":                  float64(1),
 		"DnsFlags":               float64(0x80),
+		"DnsFlagsResponseCode":   "NoError",
 		"TimeFlowRttMs":          float64(someDuration.Milliseconds()),
 	}, capturedRecord)
 }