bpf:hubble: update trace/drop notify for L2-less packets by smagnani96 · Pull Request #37097 · cilium/cilium

smagnani96 · 2025-01-20T17:36:35Z

Currently we're mistakenly parsing packets sent from an L3 device, as our decoders in Hubble/Monitors assume Ethernet as the first layers of the packet. Therefore, the output looks something like:

-> crypto flow 0x0 , identity 53498->unknown state unknown ifindex cilium_wg0 orig-ip 0.0.0.0: 40:00:3f:01:53:89 -> 45:00:00:54:cd:c8 UnknownEthernetType

Let's fix that by borrowing a bit in the trace/drop notify event to tell whether the packet comes from an L3 device or not:

if from L3 device (ex wireguard), then look at ctx->protocol to additionally tell whether IPv4/6 (we need these info to know which parser to use)
if from L2 device, then use the default parser (starting from Ethernet layer).

The output after this patch should look as follows:

# IPv4
## Cilium Monitor
<- crypto flow 0x0 , identity 37044->unknown state unknown ifindex cilium_wg0 orig-ip 0.0.0.0: 10.244.1.88 -> 10.244.2.35 EchoRequest
-> crypto flow 0x0 , identity 54684->unknown state unknown ifindex cilium_wg0 orig-ip 0.0.0.0: 10.244.2.35 -> 10.244.1.88 EchoReply
## Hubble Observe
Jan 31 14:34:38.876: cilium-test-1/client-7d44dd948b-cjh5k (ID:37044) <> cilium-test-1/echo-other-node-79787668d5-xwg9k (ID:54684) from-crypto FORWARDED (ICMPv4 EchoRequest)
Jan 31 14:34:38.877: cilium-test-1/echo-other-node-79787668d5-xwg9k (ID:54684) <> cilium-test-1/client-7d44dd948b-cjh5k (ID:37044) to-crypto FORWARDED (ICMPv4 EchoReply)

# IPv6
## Cilium Monitor
<- crypto flow 0x0 , identity 37044->unknown state unknown ifindex cilium_wg0 orig-ip ::: fd00:10:244:1::3c72 -> fd00:10:244:2::ca3f EchoRequest
-> crypto flow 0xc0318447 , identity 54684->unknown state unknown ifindex cilium_wg0 orig-ip ::: fd00:10:244:2::ca3f -> fd00:10:244:1::3c72 EchoReply
## Hubble Observe
Jan 31 14:26:26.430: cilium-test-1/client-7d44dd948b-cjh5k (ID:37044) <> cilium-test-1/echo-other-node-79787668d5-xwg9k (ID:54684) from-crypto FORWARDED (ICMPv6 EchoRequest)
Jan 31 14:26:26.430: cilium-test-1/echo-other-node-79787668d5-xwg9k (ID:54684) <> cilium-test-1/client-7d44dd948b-cjh5k (ID:37044) to-crypto FORWARDED (ICMPv6 EchoReply)

Fixes: #37095

smagnani96 · 2025-02-18T17:02:47Z

/test

jschwinger233

what about the update scenario? If hubble always upgrades before bpf loading, then it's fine.

bpf/lib/trace.h

pkg/monitor/datapath_trace.go

pkg/hubble/parser/threefour/parser.go

smagnani96 · 2025-03-12T08:45:30Z

/test

kaworu

Thanks @smagnani96 🙏

Some minor comments, the missing correct decoder selection for DropNotify in the Hubble parser, and a suggestion about drop notification versioning.

pkg/hubble/parser/threefour/parser.go

pkg/monitor/datapath_drop.go

pkg/monitor/dissect_test.go

pkg/hubble/parser/threefour/parser_test.go

pkg/hubble/parser/threefour/parser.go

pkg/monitor/datapath_drop.go

kaworu

Thanks @smagnani96 for the quick update, patch LGTM now 🎉

The logic duplication between the Hubble parser and monitor dissect is not ideal but still manageable. Long term we probably want to dedup it.

smagnani96 · 2025-03-19T16:11:02Z

/test

pkg/hubble/parser/threefour/parser_test.go

smagnani96 · 2025-03-20T16:56:37Z

/test

smagnani96 · 2025-03-20T17:13:55Z

/test

smagnani96 · 2025-03-21T10:03:59Z

/test

GetConnectionInfo is not referenced nor used in any of our sources. Public API should be `GetConnectionSummary`, which internally calls `getConnectionInfoFromCache`. Signed-off-by: Simone Magnani <[email protected]>

The packet decoder in our Cilium Monitor utility never checks for errors returned from the DecodeLayers function. In Hubble, we do have identical code, but with the additional checks on that returned error code. We should try to keep these tool utilities as aligned as possible to avoid misunderstanding: in case of a decode error, Cilium Monitor would still try to use the decoded info. Since v1.1.18, DecodeLayers returns a non-nil error for an empty packet. Skip decoding and truncate layers to avoid accidental re-use. See google/gopacket#846 Signed-off-by: Simone Magnani <[email protected]>

This patch enabled the correct decoding of trace notifications when emitted from an L3 device (ex. Wireguard). Prior to this patch, our Monitor/Hubble logic always attempted to decode the raw bytes starting from the Ethernet Layer. This of course doesn't hold true for L3 devices, where we never see the L2 layer. Since we already have a flag field in the trace notification with some unused padding, let's borrow a bit to indicate whether the packet is being logged from an L3 device or not. This could have been also achieved from Monitor/Hubble directly, since the notification even has the ifindex, but it would have required to add logic to keep ifindexes related to L3 interfaces up-to-date in Hubble/Monitor. IMHO, (1) this might not scale well, and (2) it is much clearer to have all info forwarded from the datapath. I'm not concerned about performance implication here since no new data is being forwarded in the trace event. Signed-off-by: Simone Magnani <[email protected]>

Similarly as the previous commit, this patch enabled the correct decoding of drop notifications when emitted from an L3 device (ex. Wireguard). Since we don't have a flag field or padding in drop notification struct, let's increment the version and add a `__u32` field to hold flags. For now, we use 1 bit to indicate IPv6 and 1 bit to indicate whether the packet is being dropped from a L3 Device. The other 30 bits are kept as padding the preserve the struct alignment. Signed-off-by: Simone Magnani <[email protected]>

smagnani96 · 2025-03-21T15:36:17Z

/test

julianwiedmann · 2025-05-08T18:23:41Z

bpf/lib/drop.h


+#if defined(ENABLE_WIREGUARD) && (defined(IS_BPF_HOST) || defined(IS_BPF_WIREGUARD))
+	if (THIS_INTERFACE_IFINDEX == WG_IFINDEX) {
+		l3_dev = true;


@smagnani96 just driving by - can we make this l3_dev = (ETH_HLEN == 0); instead? That would allow us to capture all types of L3 device, not just the wireguard interface.

smagnani96 added area/monitor Impacts monitoring, access logging, flow logging, visibility of datapath traffic. dont-merge/preview-only Only for preview or testing, don't merge it. labels Jan 20, 2025

maintainer-s-little-helper bot added the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Jan 20, 2025

smagnani96 added the release-note/misc This PR makes changes that have no direct user impact. label Jan 20, 2025

maintainer-s-little-helper bot removed the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Jan 20, 2025

smagnani96 force-pushed the pr/bpf-l3packet-tracing branch from e1bb0d2 to 8880c82 Compare January 31, 2025 15:02

smagnani96 force-pushed the pr/bpf-l3packet-tracing branch from 8880c82 to 934c2fd Compare February 18, 2025 10:05

smagnani96 removed the dont-merge/preview-only Only for preview or testing, don't merge it. label Feb 18, 2025

smagnani96 force-pushed the pr/bpf-l3packet-tracing branch from 934c2fd to a317f99 Compare February 18, 2025 10:20

smagnani96 marked this pull request as ready for review February 18, 2025 14:01

smagnani96 requested review from a team as code owners February 18, 2025 14:01

smagnani96 requested review from jschwinger233 and kaworu February 18, 2025 14:01

smagnani96 force-pushed the pr/bpf-l3packet-tracing branch from a317f99 to 01f79b3 Compare February 18, 2025 16:15

julianwiedmann added the area/datapath Impacts bpf/ or low-level forwarding details, including map management and monitor messages. label Feb 20, 2025

jschwinger233 reviewed Feb 21, 2025

View reviewed changes

bpf/lib/trace.h Show resolved Hide resolved

bpf/lib/trace.h Show resolved Hide resolved

pkg/monitor/datapath_trace.go Outdated Show resolved Hide resolved

pkg/hubble/parser/threefour/parser.go Outdated Show resolved Hide resolved

kaworu mentioned this pull request Mar 4, 2025

hubble: Decode Cilium encapsulated traffic in Hubble #37634

Merged

smagnani96 force-pushed the pr/bpf-l3packet-tracing branch from 01f79b3 to 4a2f8c0 Compare March 11, 2025 17:13

jschwinger233 approved these changes Mar 13, 2025

View reviewed changes

kaworu requested changes Mar 17, 2025

View reviewed changes

smagnani96 force-pushed the pr/bpf-l3packet-tracing branch 3 times, most recently from 67deeea to 536dfc0 Compare March 19, 2025 12:55

kaworu approved these changes Mar 19, 2025

View reviewed changes

smagnani96 force-pushed the pr/bpf-l3packet-tracing branch from 536dfc0 to f0e5fe0 Compare March 19, 2025 18:58

smagnani96 commented Mar 19, 2025

View reviewed changes

pkg/hubble/parser/threefour/parser_test.go Show resolved Hide resolved

smagnani96 force-pushed the pr/bpf-l3packet-tracing branch from f0e5fe0 to 1ad9f95 Compare March 20, 2025 16:18

smagnani96 force-pushed the pr/bpf-l3packet-tracing branch from 1ad9f95 to 0395191 Compare March 21, 2025 09:09

kaworu approved these changes Mar 21, 2025

View reviewed changes

smagnani96 added 4 commits March 21, 2025 15:24

monitor: remove unused GetConnectionInfo API

d614ffd

GetConnectionInfo is not referenced nor used in any of our sources. Public API should be `GetConnectionSummary`, which internally calls `getConnectionInfoFromCache`. Signed-off-by: Simone Magnani <[email protected]>

smagnani96 force-pushed the pr/bpf-l3packet-tracing branch from 0395191 to 58497fd Compare March 21, 2025 14:24

maintainer-s-little-helper bot added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Mar 22, 2025

joestringer added this pull request to the merge queue Mar 24, 2025

Merged via the queue into cilium:main with commit 05192c2 Mar 24, 2025
67 checks passed

julianwiedmann added backport/author The backport will be carried out by the author of the PR. needs-backport/1.17 This PR / issue needs backporting to the v1.17 branch labels Apr 30, 2025

smagnani96 mentioned this pull request Apr 30, 2025

[v1.17] bpf:hubble: update trace/drop notify for L2-less packets #39263

Merged

1 task

julianwiedmann reviewed May 8, 2025

View reviewed changes

github-actions bot added the backport-done/1.17 The backport for Cilium 1.17.x for this PR is done. label May 8, 2025

julianwiedmann removed the needs-backport/1.17 This PR / issue needs backporting to the v1.17 branch label May 10, 2025

smagnani96 deleted the pr/bpf-l3packet-tracing branch May 21, 2025 11:44

Conversation

smagnani96 commented Jan 20, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

smagnani96 commented Feb 18, 2025

Uh oh!

jschwinger233 left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

smagnani96 commented Mar 12, 2025

Uh oh!

kaworu left a comment • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

kaworu left a comment

Choose a reason for hiding this comment

Uh oh!

smagnani96 commented Mar 19, 2025

Uh oh!

Uh oh!

smagnani96 commented Mar 20, 2025

Uh oh!

smagnani96 commented Mar 20, 2025

Uh oh!

smagnani96 commented Mar 21, 2025

Uh oh!

smagnani96 commented Mar 21, 2025

Uh oh!

Uh oh!

julianwiedmann May 8, 2025

Choose a reason for hiding this comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

5 participants

smagnani96 commented Jan 20, 2025 •

edited

Loading

kaworu left a comment •

edited

Loading