Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

conntrack: handle TCP flags #391

Merged
merged 24 commits into from
Mar 1, 2023
Merged

Conversation

ronensc
Copy link
Collaborator

@ronensc ronensc commented Feb 16, 2023

This PR adds the ability to read the TCP flags field and perform the following actions:

  • Ending a connection when the FIN_ACK flag is set and avoid waiting the EndConnectionTimeout.
  • Swapping source and destination when SYN_ACK is set on the first flowlog.

Each action can be enabled/disabled by a feature flag in the conntrack config:

conntrack:
  # ...
  tcpFlags:
    fieldName: "TCPFlags"
    detectEndConnection: true
    swapAB: true

An operational metric was added to track how many of these actions were performed:

conntrack_tcp_flags{action="detectEndConnection"} 1
conntrack_tcp_flags{action="swapAB"} 1

Additional changes:

  • Updated go.mod to 1.18 to be able to update netobserv-ebpf-agent
  • Updated netobserv-ebpf-agent dependency to get the Flags field in the flow protobuf
  • Added json tag to the conntrack API

Solves #299

@ronensc ronensc force-pushed the conntrack-tcp-flags branch from 0585d4c to 1a0fa34 Compare February 16, 2023 14:09
@ronensc ronensc marked this pull request as ready for review February 16, 2023 15:52
@ronensc ronensc added the enhancement New feature or request label Feb 16, 2023
@ronensc ronensc force-pushed the conntrack-tcp-flags branch from 4e2d06f to 60245a3 Compare February 20, 2023 08:46
@@ -34,7 +34,7 @@ func (m GenericMap) Copy() GenericMap {

func (m GenericMap) IsDuplicate() bool {
if duplicate, hasKey := m["Duplicate"]; hasKey {
if isDuplicate, err := utils.ConvertToBool(duplicate); err != nil {
if isDuplicate, err := utils.ConvertToBool(duplicate); err == nil {
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

While testing this PR I noticed I've made a mistake here 👼
Sorry about that

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the fix! I missed that too...

Comment on lines +242 to +243
detectEndConnection: detect end connections by FIN_ACK flag
swapAB: swap source and destination when the first flowlog contains the SYN_ACK flag
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I wonder if these two should be the default behavior as it's more reliable & convenient than the timeouts

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The swapAB feature isn't related to the timeouts.
The detectEndConnection feature is in addition to the timeouts. It can't replace the timeouts because it's not guaranteed that will receive a flowlog with FIN_ACK flag for every TCP connection (either because of sampling or because of SYN attack). But, it may allow us to increase the endConnectionTimeout for TCP.

KalmanMeth
KalmanMeth previously approved these changes Feb 21, 2023
OutputFields []OutputField `yaml:"outputFields,omitempty" json:"outputFields,omitempty" doc:"list of output fields"`
Scheduling []ConnTrackSchedulingGroup `yaml:"scheduling,omitempty" json:"scheduling,omitempty" doc:"list of timeouts and intervals to apply per selector"`
MaxConnectionsTracked int `yaml:"maxConnectionsTracked,omitempty" json:"maxConnectionsTracked,omitempty" doc:"maximum number of connections we keep in our cache (0 means no limit)"`
TCPFlags ConnTrackTCPFlags `yaml:"tcpFlags,omitempty" json:"tcpFlags" doc:"settings for handling TCP flags"`
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Missing ",omitempty" for json:

TCPFlags ConnTrackTCPFlags `yaml:"tcpFlags,omitempty" json:"tcpFlags,omitempty" doc:"settings for handling TCP flags"`

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks! good catch

@openshift-ci
Copy link

openshift-ci bot commented Feb 22, 2023

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please ask for approval from kalmanmeth. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@codecov-commenter
Copy link

Codecov Report

Merging #391 (3b48145) into main (8d5b93c) will increase coverage by 0.53%.
The diff coverage is 88.34%.

📣 This organization is not using Codecov’s GitHub App Integration. We recommend you install it so Codecov can continue to function properly for your repositories. Learn more

@@            Coverage Diff             @@
##             main     #391      +/-   ##
==========================================
+ Coverage   60.98%   61.51%   +0.53%     
==========================================
  Files          91       91              
  Lines        6297     6390      +93     
==========================================
+ Hits         3840     3931      +91     
  Misses       2223     2223              
- Partials      234      236       +2     
Flag Coverage Δ
unittests 61.51% <88.34%> (+0.53%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files Coverage Δ
pkg/pipeline/pipeline.go 91.42% <ø> (ø)
pkg/pipeline/extract/conntrack/store.go 80.64% <50.00%> (-3.53%) ⬇️
pkg/api/conntrack.go 88.81% <84.61%> (-0.87%) ⬇️
pkg/config/generic_map.go 100.00% <100.00%> (+23.07%) ⬆️
pkg/pipeline/decode/decode_protobuf.go 77.55% <100.00%> (+0.46%) ⬆️
pkg/pipeline/extract/conntrack/conn.go 78.15% <100.00%> (+2.45%) ⬆️
pkg/pipeline/extract/conntrack/conntrack.go 93.37% <100.00%> (+1.11%) ⬆️
pkg/pipeline/extract/conntrack/metrics.go 100.00% <100.00%> (ø)
pkg/pipeline/pipeline_builder.go 71.06% <100.00%> (ø)
pkg/pipeline/utils/multiorderedmap.go 100.00% <100.00%> (ø)
... and 2 more

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

@openshift-ci openshift-ci bot added the lgtm label Feb 27, 2023
@ronensc ronensc merged commit 9740aa3 into netobserv:main Mar 1, 2023
@ronensc ronensc deleted the conntrack-tcp-flags branch March 1, 2023 12:44
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature or request lgtm
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants