NETOBSERV-1617: reuse flow filter capability with pcap feature (#359)

* NETOBSERV-1617: reuse flow filter capability with pcap feature

rename all flow filters to just filter to allow reuse the same configs
modify pca to use filter config
update userspace, examples and doc

Signed-off-by: Mohamed Mahmoud <mmahmoud@redhat.com>

* Allow sampling configs to be applied for PCA

Signed-off-by: Mohamed Mahmoud <mmahmoud@redhat.com>

---------

Signed-off-by: Mohamed Mahmoud <mmahmoud@redhat.com>

bpf/configs.h

@@ -6,8 +6,7 @@
 volatile const u32 sampling = 0;
 volatile const u8 trace_messages = 0;
 volatile const u8 enable_rtt = 0;
-volatile const u16 pca_port = 0;
-volatile const u8 pca_proto = 0;
+volatile const u8 enable_pca = 0;
 volatile const u8 enable_dns_tracking = 0;
 volatile const u8 enable_flows_filtering = 0;
 #endif //__CONFIGS_H__

bpf/pca.h

@@ -36,93 +36,72 @@ static int attach_packet_payload(void *data, void *data_end, struct __sk_buff *s
     return TC_ACT_UNSPEC;
 }
 
-static inline bool validate_pca_filter(u8 ipproto, void *ipheaderend, void *data_end) {
-    // If filters: pca_proto and pca_port are not specified, export packet
-    if (pca_proto == 0 && pca_port == 0)
-        return true;
-
-    //Only export packets with protocol set by ENV var PCA_FILTER
-    u16 sourcePort, destPort;
-    if (ipproto != pca_proto) {
-        return false;
-    }
+static inline bool validate_pca_filter(struct __sk_buff *skb, direction dir) {
+    pkt_info pkt;
+    __builtin_memset(&pkt, 0, sizeof(pkt));
+    flow_id id;
+    __builtin_memset(&id, 0, sizeof(id));
 
-    if (ipproto == IPPROTO_TCP) {
-        struct tcphdr *tcp_header = ipheaderend;
-        if ((void *)tcp_header + sizeof(*tcp_header) > data_end) {
-            return false;
-        }
-        sourcePort = tcp_header->source;
-        destPort = tcp_header->dest;
-    } else if (ipproto == IPPROTO_UDP) {
-        struct udphdr *udp_header = ipheaderend;
-        if ((void *)udp_header + sizeof(*udp_header) > data_end) {
-            return false;
-        }
-        sourcePort = udp_header->source;
-        destPort = udp_header->dest;
-    } else if (ipproto == IPPROTO_SCTP) {
-        struct sctphdr *sctp_header = ipheaderend;
-        if ((void *)sctp_header + sizeof(*sctp_header) > data_end) {
-            return false;
-        }
-        sourcePort = sctp_header->source;
-        destPort = sctp_header->dest;
-    } else {
-        return false;
-    }
-    u16 pca_port_end = bpf_htons(pca_port);
-    if (sourcePort == pca_port_end || destPort == pca_port_end) {
-        return true;
-    }
-    return false;
-}
+    pkt.id = &id;
 
-static inline int export_packet_payload(struct __sk_buff *skb) {
     void *data_end = (void *)(long)skb->data_end;
     void *data = (void *)(long)skb->data;
-    struct ethhdr *eth = data;
-    struct iphdr *ip;
+    struct ethhdr *eth = (struct ethhdr *)data;
 
-    if ((void *)eth + sizeof(*eth) > data_end) {
-        return TC_ACT_UNSPEC;
+    if (fill_ethhdr(eth, data_end, &pkt) == DISCARD) {
+        return false;
     }
 
-    // Only IPv4 and IPv6 packets captured
-    u16 ethType = bpf_ntohs(eth->h_proto);
-    if (ethType != ETH_P_IP && ethType != ETH_P_IPV6) {
-        return TC_ACT_UNSPEC;
+    //Set extra fields
+    id.if_index = skb->ifindex;
+    id.direction = dir;
+
+    // check if this packet need to be filtered if filtering feature is enabled
+    bool skip = check_and_do_flow_filtering(&id);
+    if (skip) {
+        return false;
     }
 
-    ip = data + sizeof(*eth);
-    if ((void *)ip + sizeof(*ip) > data_end) {
-        return TC_ACT_UNSPEC;
+    return true;
+}
+
+static inline int export_packet_payload(struct __sk_buff *skb, direction dir) {
+    // If sampling is defined, will only parse 1 out of "sampling" flows
+    if (sampling > 1 && (bpf_get_prandom_u32() % sampling) != 0) {
+        return 0;
     }
 
-    if (validate_pca_filter(ip->protocol, (void *)ip + sizeof(*ip), data_end)) {
+    void *data_end = (void *)(long)skb->data_end;
+    void *data = (void *)(long)skb->data;
+
+    if (validate_pca_filter(skb, dir)) {
         return attach_packet_payload(data, data_end, skb);
     }
-    return TC_ACT_UNSPEC;
+    return 0;
 }
 
 SEC("tc_pca_ingress")
 int tc_ingress_pca_parse(struct __sk_buff *skb) {
-    return export_packet_payload(skb);
+    export_packet_payload(skb, INGRESS);
+    return TC_ACT_OK;
 }
 
 SEC("tc_pca_egress")
 int tc_egress_pca_parse(struct __sk_buff *skb) {
-    return export_packet_payload(skb);
+    export_packet_payload(skb, EGRESS);
+    return TC_ACT_OK;
 }
 
 SEC("tcx_pca_ingress")
 int tcx_ingress_pca_parse(struct __sk_buff *skb) {
-    return export_packet_payload(skb);
+    export_packet_payload(skb, INGRESS);
+    return TCX_NEXT;
 }
 
 SEC("tcx_pca_egress")
 int tcx_egress_pca_parse(struct __sk_buff *skb) {
-    return export_packet_payload(skb);
+    export_packet_payload(skb, EGRESS);
+    return TCX_NEXT;
 }
 
 #endif /* __PCA_H__ */

bpf/types.h

@@ -177,9 +177,9 @@ typedef struct dns_flow_id_t {
 // Enum to define global counters keys and share it with userspace
 typedef enum global_counters_key_t {
     HASHMAP_FLOWS_DROPPED_KEY = 0,
-    FILTER_FLOWS_REJECT_KEY = 1,
-    FILTER_FLOWS_ACCEPT_KEY = 2,
-    FILTER_FLOWS_NOMATCH_KEY = 3,
+    FILTER_REJECT_KEY = 1,
+    FILTER_ACCEPT_KEY = 2,
+    FILTER_NOMATCH_KEY = 3,
     MAX_DROPPED_FLOWS_KEY = 4,
 } global_counters_key;
 

bpf/utils.h

@@ -284,14 +284,14 @@ static inline long pkt_drop_lookup_and_update_flow(struct sk_buff *skb, flow_id
  */
 static inline bool check_and_do_flow_filtering(flow_id *id) {
     // check if this packet need to be filtered if filtering feature is enabled
-    if (enable_flows_filtering) {
+    if (enable_flows_filtering || enable_pca) {
         filter_action action = ACCEPT;
         u32 *filter_counter_p = NULL;
         u32 initVal = 1, key = 0;
         if (is_flow_filtered(id, &action) != 0 && action != MAX_FILTER_ACTIONS) {
             // we have matching rules follow through the actions to decide if we should accept or reject the flow
             // and update global counter for both cases
-            u32 reject_key = FILTER_FLOWS_REJECT_KEY, accept_key = FILTER_FLOWS_ACCEPT_KEY;
+            u32 reject_key = FILTER_REJECT_KEY, accept_key = FILTER_ACCEPT_KEY;
             bool skip = false;
 
             switch (action) {
@@ -319,7 +319,7 @@ static inline bool check_and_do_flow_filtering(flow_id *id) {
             }
         } else {
             // we have no matching rules so we update global counter for flows that are not matched by any rule
-            key = FILTER_FLOWS_NOMATCH_KEY;
+            key = FILTER_NOMATCH_KEY;
             filter_counter_p = bpf_map_lookup_elem(&global_counters, &key);
             if (!filter_counter_p) {
                 bpf_map_update_elem(&global_counters, &key, &initVal, BPF_ANY);

cmd/netobserv-ebpf-agent.go

@@ -54,9 +54,6 @@ func main() {
 	logrus.WithField("configuration", fmt.Sprintf("%#v", config)).Debugf("configuration loaded")
 
 	if config.EnablePCA {
-		if config.PCAFilters == "" {
-			logrus.Info("[PCA] NetObserv eBPF Agent instantiated without filters to identify packets. All packets will be captured. This might cause reduced performance.")
-		}
 		packetsAgent, err := agent.PacketsAgent(&config)
 		if err != nil {
 			logrus.WithError(err).Fatal("[PCA] can't instantiate NetObserv eBPF Agent")

docs/flow_filtering.md

-# eBPF Flow Rule Based Filtering
+# eBPF Rule Based Filtering
 
 ## Introduction 
 
-Flow rule-base filtering is a method to control the flow of packets cached in the eBPF flows table based on certain configuration
+Rule-base filtering is a method to control the flow of packets cached in the eBPF flows table based on certain configuration
 
-## Flow filter rule configuration
+## Filter rule configuration
 
- The Flow filter rule consists of two parts mandatory and optional parameters.
+ The filter rule consists of two parts mandatory and optional parameters.
  
 ### Mandatory parameters
 
-- `FLOW_FILTER_IP_CIDR` - IP address and CIDR mask for the flow filter rule, supports IPv4 and IPv6 address format.
+- `FILTER_IP_CIDR` - IP address and CIDR mask for the flow filter rule, supports IPv4 and IPv6 address format.
   If wanted to match against any IP, user can use `0.0.0.0/0` or `::/0` for IPv4 and IPv6 respectively.
-- `FLOW_FILTER_ACTION` - Action to be taken for the flow filter rule. Possible values are `Accept` and `Reject`.
-  - For the matching rule with `Accept` action this flow will be allowed to be cached in eBPF table, with updated global metric `FlowFilterAcceptCounter`.
-  - For the matching rule with `Reject` action this flow will not be cached in eBPF table, with updated global metric `FlowFilterRejectCounter`.
+- `FILTER_ACTION` - Action to be taken for the flow filter rule. Possible values are `Accept` and `Reject`.
+  - For the matching rule with `Accept` action this flow will be allowed to be cached in eBPF table, with updated global metric `FilterAcceptCounter`.
+  - For the matching rule with `Reject` action this flow will not be cached in eBPF table, with updated global metric `FilterRejectCounter`.
   - If the rule is not matched, based on the configured action if its `Accept` the flow will not be cached in eBPF table, 
-   if the action is `Reject` then the flow will be cached in the eBPF table and a global metric `FlowFilterNoMatchCounter` will be updated.
+   if the action is `Reject` then the flow will be cached in the eBPF table and a global metric `FilterNoMatchCounter` will be updated.
 
 ### Optional parameters
 
-- `FLOW_FILTER_DIRECTION` - Direction of the flow filter rule. Possible values are `Ingress` and `Egress`.
-- `FLOW_FILTER_PROTOCOL` - Protocol of the flow filter rule. Possible values are `TCP`, `UDP`, `SCTP`, `ICMP`, `ICMPv6`.
-- `FLOW_FILTER_SOURCE_PORT` - Single Source port of the flow filter rule.
-- `FLOW_FILTER_SOURCE_PORT_RANGE` - Source port range of the flow filter rule. using "80-100" format.
-- `FLOW_FILTER_DESTINATION_PORT` - Single Destination port of the flow filter rule.
-- `FLOW_FILTER_DESTINATION_PORT_RANGE` - Destination port range of the flow filter rule. using "80-100" format.
-- `FLOW_FILTER_PORT` - Single L4 port of the flow filter rule, can be either source or destination port.
-- `FLOW_FILTER_PORT_RANGE` - L4 port range of the flow filter rule. using "80-100" format can be either source or destination ports range.
-- `FLOW_FILTER_ICMP_TYPE` - ICMP type of the flow filter rule.
-- `FLOW_FILTER_ICMP_CODE` - ICMP code of the flow filter rule.
-- `FLOW_FILTER_PEER_IP` - Specific Peer IP address of the flow filter rule.
+- `FILTER_DIRECTION` - Direction of the flow filter rule. Possible values are `Ingress` and `Egress`.
+- `FILTER_PROTOCOL` - Protocol of the flow filter rule. Possible values are `TCP`, `UDP`, `SCTP`, `ICMP`, `ICMPv6`.
+- `FILTER_SOURCE_PORT` - Single Source port of the flow filter rule.
+- `FILTER_SOURCE_PORT_RANGE` - Source port range of the flow filter rule. using "80-100" format.
+- `FILTER_DESTINATION_PORT` - Single Destination port of the flow filter rule.
+- `FILTER_DESTINATION_PORT_RANGE` - Destination port range of the flow filter rule. using "80-100" format.
+- `FILTER_PORT` - Single L4 port of the flow filter rule, can be either source or destination port.
+- `FILTER_PORT_RANGE` - L4 port range of the flow filter rule. using "80-100" format can be either source or destination ports range.
+- `FILTER_ICMP_TYPE` - ICMP type of the flow filter rule.
+- `FILTER_ICMP_CODE` - ICMP code of the flow filter rule.
+- `FILTER_PEER_IP` - Specific Peer IP address of the flow filter rule.
 
 Note: 
-- for L4 ports configuration you can use either single port config options or the range but not both.
-- use either specific src and/or dst ports or the generic port config that works for both direction.
+- for L4 ports configuration, you can use either single port config options or the range but not both.
+- use either specific src and/or dst ports or the generic port config that works for both directions.
 
 ## How does Flow Filtering work
 
-### Flow Filter and CIDR Matching
+### Filter and CIDR Matching
 
 The flow filter examines incoming or outgoing packets and attempts to match the source IP address or the destination IP address
-of each packet against a CIDR range specified in the `FLOW_FILTER_IP_CIDR` parameter. 
+of each packet against a CIDR range specified in the `FILTER_IP_CIDR` parameter. 
 If the packet's source or destination IP address falls within the specified CIDR range, the filter takes action based on the configured rules. 
 This action could involve allowing the packet to be cached in an eBPF flow table or blocking it.
 
-### Matching Specific Endpoints with `FLOW_FILTER_PEER_IP`
+### Matching Specific Endpoints with `FILTER_PEER_IP`
 
-The `FLOW_FILTER_PEER_IP` parameter specifies the IP address of a specific endpoint.
+The `FILTER_PEER_IP` parameter specifies the IP address of a specific endpoint.
 Depending on whether the traffic is ingress (incoming) or egress (outgoing), this IP address is used to further refine
 the filtering process:
-- In ingress traffic filtering, the `FLOW_FILTER_PEER_IP` is used to match against the destination IP address of the packet. 
+- In ingress traffic filtering, the `FILTER_PEER_IP` is used to match against the destination IP address of the packet. 
 After the initial CIDR matching, the filter then narrows down the scope to packets destined for a specific endpoint
 specified by `FLOW_FILTER_PEER_IP`.
-- In egress traffic filtering, the `FLOW_FILTER_PEER_IP` is used to match against the source IP address of the packet.
+- In egress traffic filtering, the `FILTER_PEER_IP` is used to match against the source IP address of the packet.
 After the initial CIDR matching, the filter narrows down the scope to packets originating from a specific endpoint
-specified by `FLOW_FILTER_PEER_IP`.
+specified by `FILTER_PEER_IP`.
 
-### How to fine tune the flow filter rule configuration?
+### How to fine-tune the flow filter rule configuration?
 
 We have many configuration options available for the flow filter rule configuration, but we can use them in combination to achieve the desired
-flow filter rule configuration. Let's use some examples to understand how to fine tune the flow filter rule configuration.
+flow filter rule configuration. Let's use some examples to understand how to fine-tune the flow filter rule configuration.
 
 #### Use-case 1:
 
 Filter k8s service traffic to specific POD IP endpoint.
-For example if we wanted to filter in incoming k8s service traffic coming from source `172.210.150.100` for `SCTP` protocol, 
-on specific dport range 80-100, and targeting specific POD IP endpoint at `10.10.10.10` we can use the following configuration:
+For example, if we wanted to filter in incoming k8s service traffic coming from source `172.210.150.100` for `SCTP` protocol, 
+on specific dport range 80–100, and targeting specific POD IP endpoint at `10.10.10.10` we can use the following configuration:
 
 ```shell
-    FLOW_FILTER_IP_CIDR=172.210.150.1/24
-    FLOW_FILTER_ACTION=Accept
-    FLOW_FILTER_PROTOCOL=SCTP
-    FLOW_FILTER_DIRECTION=Ingress
-    FLOW_FILTER_DESTINATION_PORT_RANGE=80-100
-    FLOW_FILTER_PEER_IP=10.10.10.10
+    FILTER_IP_CIDR=172.210.150.1/24
+    FILTER_ACTION=Accept
+    FILTER_PROTOCOL=SCTP
+    FILTER_DIRECTION=Ingress
+    FILTER_DESTINATION_PORT_RANGE=80-100
+    FILTER_PEER_IP=10.10.10.10
 ```
  
 #### Use-case 2:
@@ -83,12 +83,12 @@ Users wanted to see flows after EgressIP feature is configured with EgressIP `19
 to any cluster's outside addresses (destinations is unknown or don't care), so they can use the following configuration:
 
 ```shell
-    FLOW_FILTER_IP_CIDR=0.0.0.0/0
-    FLOW_FILTER_ACTION=Accept
-    FLOW_FILTER_PROTOCOL=TCP
-    FLOW_FILTER_DIRECTION=Egress
-    FLOW_FILTER_SOURCE_PORT=100
-    FLOW_FILTER_PEER_IP=192.168.127.12
+    FILTER_IP_CIDR=0.0.0.0/0
+    FILTER_ACTION=Accept
+    FILTER_PROTOCOL=TCP
+    FILTER_DIRECTION=Egress
+    FILTER_SOURCE_PORT=100
+    FILTER_PEER_IP=192.168.127.12
 ```
 
 #### Use-case 3:
@@ -97,22 +97,22 @@ OpenShift ovn kubernetes CNI uses `169.254.169.1-4` as masquerade addresses when
 I am not interested in capturing any those packets, so I can use the following configuration:
 
 ```shell
-    FLOW_FILTER_IP_CIDR=169.254.169.1/24
-    FLOW_FILTER_ACTION=Reject
-    FLOW_FILTER_DIRECTION=Ingress
+    FILTER_IP_CIDR=169.254.169.1/24
+    FILTER_ACTION=Reject
+    FILTER_DIRECTION=Ingress
 ```
 
 #### Use-case 4:
 
-We have case where ping traffic is going between PODA `1.1.1.10` to PODB in different node `1.2.1.10` for that we can use the following configuration:
+We have a case where ping traffic is going between PODA `1.1.1.10` to PODB in different node `1.2.1.10` for that we can use the following configuration:
 
 ```shell
-    FLOW_FILTER_IP_CIDR=1.1.1.10/32
-    FLOW_FILTER_ACTION=Accept
-    FLOW_FILTER_DIRECTION=Ingress
-    FLOW_FILTER_PROTOCOL=ICMP
-    FLOW_FILTER_PEER_IP=1.2.1.10
-    FLOW_FILTER_ICMP_TYPE=8
+    FILTER_IP_CIDR=1.1.1.10/32
+    FILTER_ACTION=Accept
+    FILTER_DIRECTION=Ingress
+    FILTER_PROTOCOL=ICMP
+    FILTER_PEER_IP=1.2.1.10
+    FILTER_ICMP_TYPE=8
 ```
 
 #### Use-case 5:
@@ -121,9 +121,9 @@ We wanted to filter in `curl` request and response for TCP flow going from PODA
 for that we can use the following configuration:
 
 ```shell
-    FLOW_FILTER_IP_CIDR=1.1.1.10/32
-    FLOW_FILTER_ACTION=Accept
-    FLOW_FILTER_PROTOCOL=TCP
-    FLOW_FILTER_PORT=80
-    FLOW_FILTER_PEER_IP=1.2.1.10
+    FILTER_IP_CIDR=1.1.1.10/32
+    FILTER_ACTION=Accept
+    FILTER_PROTOCOL=TCP
+    FILTER_PORT=80
+    FILTER_PEER_IP=1.2.1.10
 ```

examples/packetcapture-dump/README.md

@@ -19,7 +19,7 @@ Start the packetcapture-client using: (in a secondary shell)
 
 Start the agent using:
 ```bash
-sudo TARGET_HOST=localhost TARGET_PORT=9990 ENABLE_PCA=true PCA_FILTER=tcp,22 ./bin/netobserv-ebpf-agent
+sudo TARGET_HOST=localhost TARGET_PORT=9990 ENABLE_PCA="true" FILTER_IP_CIDR="0.0.0.0/0" FILTER_PROTOCOL="TCP" FILTER_PORT=22 FILTER_ACTION="Accept" ./bin/netobserv-ebpf-agent
 ```
 
 You should see output such as:

pkg/agent/agent.go

@@ -187,15 +187,15 @@ func FlowsAgent(cfg *Config) (*Flows, error) {
 		DNSTracker:       cfg.EnableDNSTracking,
 		EnableRTT:        cfg.EnableRTT,
 		EnableFlowFilter: cfg.EnableFlowFilter,
-		FlowFilterConfig: &ebpf.FlowFilterConfig{
-			FlowFilterAction:          cfg.FlowFilterAction,
-			FlowFilterDirection:       cfg.FlowFilterDirection,
-			FlowFilterIPCIDR:          cfg.FlowFilterIPCIDR,
-			FlowFilterProtocol:        cfg.FlowFilterProtocol,
-			FlowFilterPeerIP:          cfg.FlowFilterPeerIP,
-			FlowFilterDestinationPort: ebpf.ConvertFilterPortsToInstr(cfg.FlowFilterDestinationPort, cfg.FlowFilterDestinationPortRange),
-			FlowFilterSourcePort:      ebpf.ConvertFilterPortsToInstr(cfg.FlowFilterSourcePort, cfg.FlowFilterSourcePortRange),
-			FlowFilterPort:            ebpf.ConvertFilterPortsToInstr(cfg.FlowFilterPort, cfg.FlowFilterPortRange),
+		FilterConfig: &ebpf.FilterConfig{
+			FilterAction:          cfg.FilterAction,
+			FilterDirection:       cfg.FilterDirection,
+			FilterIPCIDR:          cfg.FilterIPCIDR,
+			FilterProtocol:        cfg.FilterProtocol,
+			FilterPeerIP:          cfg.FilterPeerIP,
+			FilterDestinationPort: ebpf.ConvertFilterPortsToInstr(cfg.FilterDestinationPort, cfg.FilterDestinationPortRange),
+			FilterSourcePort:      ebpf.ConvertFilterPortsToInstr(cfg.FilterSourcePort, cfg.FilterSourcePortRange),
+			FilterPort:            ebpf.ConvertFilterPortsToInstr(cfg.FilterPort, cfg.FilterPortRange),
 		},
 	}
 

pkg/agent/config.go

@@ -164,11 +164,8 @@ type Config struct {
 	// StaleEntriesEvictTimeout specifies the maximum duration that stale entries are kept
 	// before being deleted, default is 5 seconds.
 	StaleEntriesEvictTimeout time.Duration `env:"STALE_ENTRIES_EVICT_TIMEOUT" envDefault:"5s"`
-	// EnablePCA enables Packet Capture Agent (PCA). By default PCA is off.
+	// EnablePCA enables Packet Capture Agent (PCA). By default, PCA is off.
 	EnablePCA bool `env:"ENABLE_PCA" envDefault:"false"`
-	// PCAFilters set the filters to determine packets to filter using Packet Capture Agent (PCA). It is a comma separated set.
-	// The format is [protocol], [port number] Example: PCA_FILTER = "tcp,80". Currently, we support 'tcp','udp','sctp' for protocol.
-	PCAFilters string `env:"PCA_FILTER"`
 	// MetricsEnable enables http server to collect ebpf agent metrics, default is false.
 	MetricsEnable bool `env:"METRICS_ENABLE" envDefault:"false"`
 	// MetricsServerAddress is the address of the server that collects ebpf agent metrics.
@@ -184,40 +181,40 @@ type Config struct {
 
 	// EnableFlowFilter enables flow filter, default is false.
 	EnableFlowFilter bool `env:"ENABLE_FLOW_FILTER" envDefault:"false"`
-	// FlowFilterDirection is the direction of the flow filter.
+	// FilterDirection is the direction of the flow filter.
 	// Possible values are "Ingress" or "Egress".
-	FlowFilterDirection string `env:"FLOW_FILTER_DIRECTION"`
-	// FlowFilterIPCIDR is the IP CIDR to filter flows.
+	FilterDirection string `env:"FILTER_DIRECTION"`
+	// FilterIPCIDR is the IP CIDR to filter flows.
 	// Example: 10.10.10.0/24 or 100:100:100:100::/64
-	FlowFilterIPCIDR string `env:"FLOW_FILTER_IP_CIDR"`
-	// FlowFilterProtocol is the protocol to filter flows.
+	FilterIPCIDR string `env:"FILTER_IP_CIDR"`
+	// FilterProtocol is the protocol to filter flows.
 	// Example: TCP, UDP, SCTP, ICMP, ICMPv6
-	FlowFilterProtocol string `env:"FLOW_FILTER_PROTOCOL"`
-	// FlowFilterSourcePort is the source port to filter flows.
-	FlowFilterSourcePort int32 `env:"FLOW_FILTER_SOURCE_PORT"`
-	// FlowFilterDestinationPort is the destination port to filter flows.
-	FlowFilterDestinationPort int32 `env:"FLOW_FILTER_DESTINATION_PORT"`
-	// FlowFilterPort is the port to filter flows, can be use for either source or destination port.
-	FlowFilterPort int32 `env:"FLOW_FILTER_PORT"`
-	// FlowFilterSourcePortRange is the source port range to filter flows.
+	FilterProtocol string `env:"FILTER_PROTOCOL"`
+	// FilterSourcePort is the source port to filter flows.
+	FilterSourcePort int32 `env:"FILTER_SOURCE_PORT"`
+	// FilterDestinationPort is the destination port to filter flows.
+	FilterDestinationPort int32 `env:"FILTER_DESTINATION_PORT"`
+	// FilterPort is the port to filter flows, can be use for either source or destination port.
+	FilterPort int32 `env:"FILTER_PORT"`
+	// FilterSourcePortRange is the source port range to filter flows.
 	// Example: 8000-8010
-	FlowFilterSourcePortRange string `env:"FLOW_FILTER_SOURCE_PORT_RANGE"`
-	// FlowFilterDestinationPortRange is the destination port range to filter flows.
+	FilterSourcePortRange string `env:"FILTER_SOURCE_PORT_RANGE"`
+	// FilterDestinationPortRange is the destination port range to filter flows.
 	// Example: 8000-8010
-	FlowFilterDestinationPortRange string `env:"FLOW_FILTER_DESTINATION_PORT_RANGE"`
-	// FlowFilterPortRange is the port range to filter flows, can be used for either source or destination port.
+	FilterDestinationPortRange string `env:"FILTER_DESTINATION_PORT_RANGE"`
+	// FilterPortRange is the port range to filter flows, can be used for either source or destination port.
 	// Example: 8000-8010
-	FlowFilterPortRange string `env:"FLOW_FILTER_PORT_RANGE"`
-	// FlowFilterICMPType is the ICMP type to filter flows.
-	FlowFilterICMPType int `env:"FLOW_FILTER_ICMP_TYPE"`
-	// FlowFilterICMPCode is the ICMP code to filter flows.
-	FlowFilterICMPCode int `env:"FLOW_FILTER_ICMP_CODE"`
-	// FlowFilterPeerIP is the IP to filter flows.
+	FilterPortRange string `env:"FILTER_PORT_RANGE"`
+	// FilterICMPType is the ICMP type to filter flows.
+	FilterICMPType int `env:"FILTER_ICMP_TYPE"`
+	// FilterICMPCode is the ICMP code to filter flows.
+	FilterICMPCode int `env:"FILTER_ICMP_CODE"`
+	// FilterPeerIP is the IP to filter flows.
 	// Example: 10.10.10.10
-	FlowFilterPeerIP string `env:"FLOW_FILTER_PEER_IP"`
-	// FlowFilterAction is the action to filter flows.
+	FilterPeerIP string `env:"FILTER_PEER_IP"`
+	// FilterAction is the action to filter flows.
 	// Possible values are "Accept" or "Reject".
-	FlowFilterAction string `env:"FLOW_FILTER_ACTION"`
+	FilterAction string `env:"FILTER_ACTION"`
 
 	/* Deprecated configs are listed below this line
 	 * See manageDeprecatedConfigs function for details

pkg/agent/packets_agent.go

@@ -14,6 +14,7 @@ import (
 	"github.com/netobserv/netobserv-ebpf-agent/pkg/metrics"
 
 	"github.com/cilium/ebpf/perf"
+	"github.com/sirupsen/logrus"
 )
 
 // Packets reporting agent
@@ -68,8 +69,30 @@ func PacketsAgent(cfg *Config) (*Packets, error) {
 	}
 
 	ingress, egress := flowDirections(cfg)
+	debug := false
+	if cfg.LogLevel == logrus.TraceLevel.String() || cfg.LogLevel == logrus.DebugLevel.String() {
+		debug = true
+	}
+	ebpfConfig := &ebpf.FlowFetcherConfig{
+		EnableIngress: ingress,
+		EnableEgress:  egress,
+		Debug:         debug,
+		Sampling:      cfg.Sampling,
+		CacheMaxSize:  cfg.CacheMaxFlows,
+		EnablePCA:     cfg.EnablePCA,
+		FilterConfig: &ebpf.FilterConfig{
+			FilterAction:          cfg.FilterAction,
+			FilterDirection:       cfg.FilterDirection,
+			FilterIPCIDR:          cfg.FilterIPCIDR,
+			FilterProtocol:        cfg.FilterProtocol,
+			FilterPeerIP:          cfg.FilterPeerIP,
+			FilterDestinationPort: ebpf.ConvertFilterPortsToInstr(cfg.FilterDestinationPort, cfg.FilterDestinationPortRange),
+			FilterSourcePort:      ebpf.ConvertFilterPortsToInstr(cfg.FilterSourcePort, cfg.FilterSourcePortRange),
+			FilterPort:            ebpf.ConvertFilterPortsToInstr(cfg.FilterPort, cfg.FilterPortRange),
+		},
+	}
 
-	fetcher, err := ebpf.NewPacketFetcher(cfg.CacheMaxFlows, cfg.PCAFilters, ingress, egress)
+	fetcher, err := ebpf.NewPacketFetcher(ebpfConfig)
 	if err != nil {
 		return nil, err
 	}

pkg/ebpf/bpf_arm64_bpfel.go

@@ -105,9 +105,9 @@ type BpfGlobalCountersKeyT uint32
 
 const (
 	BpfGlobalCountersKeyTHASHMAP_FLOWS_DROPPED_KEY BpfGlobalCountersKeyT = 0
-	BpfGlobalCountersKeyTFILTER_FLOWS_REJECT_KEY   BpfGlobalCountersKeyT = 1
-	BpfGlobalCountersKeyTFILTER_FLOWS_ACCEPT_KEY   BpfGlobalCountersKeyT = 2
-	BpfGlobalCountersKeyTFILTER_FLOWS_NOMATCH_KEY  BpfGlobalCountersKeyT = 3
+	BpfGlobalCountersKeyTFILTER_REJECT_KEY         BpfGlobalCountersKeyT = 1
+	BpfGlobalCountersKeyTFILTER_ACCEPT_KEY         BpfGlobalCountersKeyT = 2
+	BpfGlobalCountersKeyTFILTER_NOMATCH_KEY        BpfGlobalCountersKeyT = 3
 	BpfGlobalCountersKeyTMAX_DROPPED_FLOWS_KEY     BpfGlobalCountersKeyT = 4
 )
 

pkg/ebpf/bpf_powerpc_bpfel.go

@@ -105,9 +105,9 @@ type BpfGlobalCountersKeyT uint32
 
 const (
 	BpfGlobalCountersKeyTHASHMAP_FLOWS_DROPPED_KEY BpfGlobalCountersKeyT = 0
-	BpfGlobalCountersKeyTFILTER_FLOWS_REJECT_KEY   BpfGlobalCountersKeyT = 1
-	BpfGlobalCountersKeyTFILTER_FLOWS_ACCEPT_KEY   BpfGlobalCountersKeyT = 2
-	BpfGlobalCountersKeyTFILTER_FLOWS_NOMATCH_KEY  BpfGlobalCountersKeyT = 3
+	BpfGlobalCountersKeyTFILTER_REJECT_KEY         BpfGlobalCountersKeyT = 1
+	BpfGlobalCountersKeyTFILTER_ACCEPT_KEY         BpfGlobalCountersKeyT = 2
+	BpfGlobalCountersKeyTFILTER_NOMATCH_KEY        BpfGlobalCountersKeyT = 3
 	BpfGlobalCountersKeyTMAX_DROPPED_FLOWS_KEY     BpfGlobalCountersKeyT = 4
 )
 

pkg/ebpf/bpf_s390_bpfeb.go

@@ -105,9 +105,9 @@ type BpfGlobalCountersKeyT uint32
 
 const (
 	BpfGlobalCountersKeyTHASHMAP_FLOWS_DROPPED_KEY BpfGlobalCountersKeyT = 0
-	BpfGlobalCountersKeyTFILTER_FLOWS_REJECT_KEY   BpfGlobalCountersKeyT = 1
-	BpfGlobalCountersKeyTFILTER_FLOWS_ACCEPT_KEY   BpfGlobalCountersKeyT = 2
-	BpfGlobalCountersKeyTFILTER_FLOWS_NOMATCH_KEY  BpfGlobalCountersKeyT = 3
+	BpfGlobalCountersKeyTFILTER_REJECT_KEY         BpfGlobalCountersKeyT = 1
+	BpfGlobalCountersKeyTFILTER_ACCEPT_KEY         BpfGlobalCountersKeyT = 2
+	BpfGlobalCountersKeyTFILTER_NOMATCH_KEY        BpfGlobalCountersKeyT = 3
 	BpfGlobalCountersKeyTMAX_DROPPED_FLOWS_KEY     BpfGlobalCountersKeyT = 4
 )
 

pkg/ebpf/bpf_x86_bpfel.go

@@ -105,9 +105,9 @@ type BpfGlobalCountersKeyT uint32
 
 const (
 	BpfGlobalCountersKeyTHASHMAP_FLOWS_DROPPED_KEY BpfGlobalCountersKeyT = 0
-	BpfGlobalCountersKeyTFILTER_FLOWS_REJECT_KEY   BpfGlobalCountersKeyT = 1
-	BpfGlobalCountersKeyTFILTER_FLOWS_ACCEPT_KEY   BpfGlobalCountersKeyT = 2
-	BpfGlobalCountersKeyTFILTER_FLOWS_NOMATCH_KEY  BpfGlobalCountersKeyT = 3
+	BpfGlobalCountersKeyTFILTER_REJECT_KEY         BpfGlobalCountersKeyT = 1
+	BpfGlobalCountersKeyTFILTER_ACCEPT_KEY         BpfGlobalCountersKeyT = 2
+	BpfGlobalCountersKeyTFILTER_NOMATCH_KEY        BpfGlobalCountersKeyT = 3
 	BpfGlobalCountersKeyTMAX_DROPPED_FLOWS_KEY     BpfGlobalCountersKeyT = 4
 )
 

pkg/ebpf/flow_filter.go

@@ -11,58 +11,58 @@ import (
 	"k8s.io/apimachinery/pkg/util/intstr"
 )
 
-type FlowFilterConfig struct {
-	FlowFilterDirection       string
-	FlowFilterIPCIDR          string
-	FlowFilterProtocol        string
-	FlowFilterSourcePort      intstr.IntOrString
-	FlowFilterDestinationPort intstr.IntOrString
-	FlowFilterPort            intstr.IntOrString
-	FlowFilterIcmpType        int
-	FlowFilterIcmpCode        int
-	FlowFilterPeerIP          string
-	FlowFilterAction          string
+type FilterConfig struct {
+	FilterDirection       string
+	FilterIPCIDR          string
+	FilterProtocol        string
+	FilterSourcePort      intstr.IntOrString
+	FilterDestinationPort intstr.IntOrString
+	FilterPort            intstr.IntOrString
+	FilterIcmpType        int
+	FilterIcmpCode        int
+	FilterPeerIP          string
+	FilterAction          string
 }
 
-type FlowFilter struct {
+type Filter struct {
 	// eBPF objs to create/update eBPF maps
 	objects *BpfObjects
-	config  *FlowFilterConfig
+	config  *FilterConfig
 }
 
-func NewFlowFilter(objects *BpfObjects, cfg *FlowFilterConfig) *FlowFilter {
-	return &FlowFilter{
+func NewFilter(objects *BpfObjects, cfg *FilterConfig) *Filter {
+	return &Filter{
 		objects: objects,
 		config:  cfg,
 	}
 }
 
-func (f *FlowFilter) ProgramFlowFilter() error {
+func (f *Filter) ProgramFilter() error {
 	log.Infof("Flow filter config: %v", f.config)
-	key, err := f.getFlowFilterKey(f.config)
+	key, err := f.getFilterKey(f.config)
 	if err != nil {
-		return fmt.Errorf("failed to get flow filter key: %w", err)
+		return fmt.Errorf("failed to get filter key: %w", err)
 	}
 
-	val, err := f.getFlowFilterValue(f.config)
+	val, err := f.getFilterValue(f.config)
 	if err != nil {
-		return fmt.Errorf("failed to get flow filter value: %w", err)
+		return fmt.Errorf("failed to get filter value: %w", err)
 	}
 
 	err = f.objects.FilterMap.Update(key, val, ebpf.UpdateAny)
 	if err != nil {
-		return fmt.Errorf("failed to update flow filter map: %w", err)
+		return fmt.Errorf("failed to update filter map: %w", err)
 	}
 
-	log.Infof("Programmed flow filter with key: %v, value: %v", key, val)
+	log.Infof("Programmed filter with key: %v, value: %v", key, val)
 
 	return nil
 }
 
-func (f *FlowFilter) getFlowFilterKey(config *FlowFilterConfig) (BpfFilterKeyT, error) {
+func (f *Filter) getFilterKey(config *FilterConfig) (BpfFilterKeyT, error) {
 	key := BpfFilterKeyT{}
 
-	ip, ipNet, err := net.ParseCIDR(config.FlowFilterIPCIDR)
+	ip, ipNet, err := net.ParseCIDR(config.FilterIPCIDR)
 	if err != nil {
 		return key, fmt.Errorf("failed to parse FlowFilterIPCIDR: %w", err)
 	}
@@ -77,10 +77,10 @@ func (f *FlowFilter) getFlowFilterKey(config *FlowFilterConfig) (BpfFilterKeyT,
 	return key, nil
 }
 
-func (f *FlowFilter) getFlowFilterValue(config *FlowFilterConfig) (BpfFilterValueT, error) {
+func (f *Filter) getFilterValue(config *FilterConfig) (BpfFilterValueT, error) {
 	val := BpfFilterValueT{}
 
-	switch config.FlowFilterDirection {
+	switch config.FilterDirection {
 	case "Ingress":
 		val.Direction = BpfDirectionTINGRESS
 	case "Egress":
@@ -89,7 +89,7 @@ func (f *FlowFilter) getFlowFilterValue(config *FlowFilterConfig) (BpfFilterValu
 		val.Direction = BpfDirectionTMAX_DIRECTION
 	}
 
-	switch config.FlowFilterAction {
+	switch config.FilterAction {
 	case "Reject":
 		val.Action = BpfFilterActionTREJECT
 	case "Accept":
@@ -98,7 +98,7 @@ func (f *FlowFilter) getFlowFilterValue(config *FlowFilterConfig) (BpfFilterValu
 		val.Action = BpfFilterActionTMAX_FILTER_ACTIONS
 	}
 
-	switch config.FlowFilterProtocol {
+	switch config.FilterProtocol {
 	case "TCP":
 		val.Protocol = syscall.IPPROTO_TCP
 		val.DstPortStart, val.DstPortEnd = getDstPorts(config)
@@ -116,16 +116,16 @@ func (f *FlowFilter) getFlowFilterValue(config *FlowFilterConfig) (BpfFilterValu
 		val.PortStart, val.PortEnd = getPorts(config)
 	case "ICMP":
 		val.Protocol = syscall.IPPROTO_ICMP
-		val.IcmpType = uint8(config.FlowFilterIcmpType)
-		val.IcmpCode = uint8(config.FlowFilterIcmpCode)
+		val.IcmpType = uint8(config.FilterIcmpType)
+		val.IcmpCode = uint8(config.FilterIcmpCode)
 	case "ICMPv6":
 		val.Protocol = syscall.IPPROTO_ICMPV6
-		val.IcmpType = uint8(config.FlowFilterIcmpType)
-		val.IcmpCode = uint8(config.FlowFilterIcmpCode)
+		val.IcmpType = uint8(config.FilterIcmpType)
+		val.IcmpCode = uint8(config.FilterIcmpCode)
 	}
 
-	if config.FlowFilterPeerIP != "" {
-		ip := net.ParseIP(config.FlowFilterPeerIP)
+	if config.FilterPeerIP != "" {
+		ip := net.ParseIP(config.FilterPeerIP)
 		if ip.To4() != nil {
 			copy(val.Ip[:], ip.To4())
 		} else {
@@ -135,33 +135,33 @@ func (f *FlowFilter) getFlowFilterValue(config *FlowFilterConfig) (BpfFilterValu
 	return val, nil
 }
 
-func getSrcPorts(config *FlowFilterConfig) (uint16, uint16) {
-	if config.FlowFilterSourcePort.Type == intstr.Int {
-		return uint16(config.FlowFilterSourcePort.IntVal), 0
+func getSrcPorts(config *FilterConfig) (uint16, uint16) {
+	if config.FilterSourcePort.Type == intstr.Int {
+		return uint16(config.FilterSourcePort.IntVal), 0
 	}
-	start, end, err := getPortsFromString(config.FlowFilterSourcePort.String())
+	start, end, err := getPortsFromString(config.FilterSourcePort.String())
 	if err != nil {
 		return 0, 0
 	}
 	return start, end
 }
 
-func getDstPorts(config *FlowFilterConfig) (uint16, uint16) {
-	if config.FlowFilterDestinationPort.Type == intstr.Int {
-		return uint16(config.FlowFilterDestinationPort.IntVal), 0
+func getDstPorts(config *FilterConfig) (uint16, uint16) {
+	if config.FilterDestinationPort.Type == intstr.Int {
+		return uint16(config.FilterDestinationPort.IntVal), 0
 	}
-	start, end, err := getPortsFromString(config.FlowFilterDestinationPort.String())
+	start, end, err := getPortsFromString(config.FilterDestinationPort.String())
 	if err != nil {
 		return 0, 0
 	}
 	return start, end
 }
 
-func getPorts(config *FlowFilterConfig) (uint16, uint16) {
-	if config.FlowFilterDestinationPort.Type == intstr.Int {
-		return uint16(config.FlowFilterPort.IntVal), 0
+func getPorts(config *FilterConfig) (uint16, uint16) {
+	if config.FilterDestinationPort.Type == intstr.Int {
+		return uint16(config.FilterPort.IntVal), 0
 	}
-	start, end, err := getPortsFromString(config.FlowFilterPort.String())
+	start, end, err := getPortsFromString(config.FilterPort.String())
 	if err != nil {
 		return 0, 0
 	}

pkg/ebpf/flow_filter_test.go

@@ -57,31 +57,31 @@ func TestGetPortsFromString(t *testing.T) {
 	}
 }
 
-func TestFlowFilter_getFlowFilterKey(t *testing.T) {
-	f := FlowFilter{}
-	config := &FlowFilterConfig{
-		FlowFilterIPCIDR: "192.168.1.0/24",
+func TestFilter_getFlowFilterKey(t *testing.T) {
+	f := Filter{}
+	config := &FilterConfig{
+		FilterIPCIDR: "192.168.1.0/24",
 	}
 	expectedIP := net.ParseIP("192.168.1.0").To4()
 	expectedPrefixLen := uint32(24)
 
-	key, err := f.getFlowFilterKey(config)
+	key, err := f.getFilterKey(config)
 
 	assert.Nil(t, err)
 	assert.Equal(t, []uint8(expectedIP), key.IpData[:4])
 	assert.Equal(t, expectedPrefixLen, key.PrefixLen)
 }
 
-func TestFlowFilter_getFlowFilterValue(t *testing.T) {
-	f := FlowFilter{}
-	config := &FlowFilterConfig{
-		FlowFilterDirection:       "Ingress",
-		FlowFilterProtocol:        "TCP",
-		FlowFilterSourcePort:      intstr.FromInt32(8080),
-		FlowFilterDestinationPort: intstr.FromString("8000-9000"),
+func TestFilter_getFlowFilterValue(t *testing.T) {
+	f := Filter{}
+	config := &FilterConfig{
+		FilterDirection:       "Ingress",
+		FilterProtocol:        "TCP",
+		FilterSourcePort:      intstr.FromInt32(8080),
+		FilterDestinationPort: intstr.FromString("8000-9000"),
 	}
 
-	value, err := f.getFlowFilterValue(config)
+	value, err := f.getFilterValue(config)
 
 	assert.Nil(t, err)
 	assert.Equal(t, BpfDirectionTINGRESS, value.Direction)
@@ -93,8 +93,8 @@ func TestFlowFilter_getFlowFilterValue(t *testing.T) {
 }
 
 func TestGetSrcPorts(t *testing.T) {
-	config := &FlowFilterConfig{
-		FlowFilterSourcePort: intstr.FromString("8000-9000"),
+	config := &FilterConfig{
+		FilterSourcePort: intstr.FromString("8000-9000"),
 	}
 	start, end := getSrcPorts(config)
 
@@ -103,8 +103,8 @@ func TestGetSrcPorts(t *testing.T) {
 }
 
 func TestGetDstPorts(t *testing.T) {
-	config := &FlowFilterConfig{
-		FlowFilterDestinationPort: intstr.FromInt32(8080),
+	config := &FilterConfig{
+		FilterDestinationPort: intstr.FromInt32(8080),
 	}
 	start, end := getDstPorts(config)