IPsec userspace to enable ipsec tracker

Signed-off-by: Mohamed Mahmoud <[email protected]>

.mk/bc.mk

@@ -37,8 +37,8 @@ define MAPS
 	"global_counters":"per_cpu_array",
 	"filter_map":"lpm_trie",
 	"peer_filter_map":"lpm_trie",
-	"sk_buffs_ingress_map":"hash",
-	"sk_buffs_egress_map":"hash"
+	"ipsec_ingress_map":"hash",
+	"ipsec_egress_map":"hash"
 }
 endef
 

pkg/agent/agent.go

@@ -237,6 +237,7 @@ func FlowsAgent(cfg *Config) (*Flows, error) {
 		EnablePktTranslation:           cfg.EnablePktTranslationTracking,
 		UseEbpfManager:                 cfg.EbpfProgramManagerMode,
 		BpfManBpfFSPath:                cfg.BpfManBpfFSPath,
+		EnableIPsecTracker:             cfg.EnableIPsecTracking,
 		FilterConfig:                   filterRules,
 	}
 

pkg/agent/config.go

@@ -236,6 +236,8 @@ type Config struct {
 	BpfManBpfFSPath string `env:"BPFMAN_BPF_FS_PATH" envDefault:"/run/netobserv/maps"`
 	// EnableUDNMapping to allow mapping pod's interface to udn label
 	EnableUDNMapping bool `env:"ENABLE_UDN_MAPPING" envDefault:"false"`
+	// EnableIPsecTracking enable tracking IPsec flows encryption
+	EnableIPsecTracking bool `env:"ENABLE_IPSEC_TRACKING" envDefault:"false"`
 	/* Deprecated configs are listed below this line
 	 * See manageDeprecatedConfigs function for details
 	 */

pkg/decode/decode_protobuf.go

@@ -141,6 +141,10 @@ func RecordToMap(fr *model.Record) config.GenericMap {
 			out["XlatSrcAddr"] = model.IP(fr.Metrics.AdditionalMetrics.TranslatedFlow.Saddr).String()
 			out["XlatDstAddr"] = model.IP(fr.Metrics.AdditionalMetrics.TranslatedFlow.Daddr).String()
 		}
+		if fr.Metrics.AdditionalMetrics.FlowEncrypted || fr.Metrics.AdditionalMetrics.FlowEncryptedRet != 0 {
+			out["EncryptedFlow"] = fr.Metrics.AdditionalMetrics.FlowEncrypted
+			out["EncryptedFlowRet"] = fr.Metrics.AdditionalMetrics.FlowEncryptedRet
+		}
 	}
 
 	if fr.TimeFlowRtt != 0 {

pkg/decode/decode_protobuf_test.go

@@ -96,6 +96,8 @@ func TestPBFlowToMap(t *testing.T) {
 			DstPort: 2,
 			ZoneId:  100,
 		},
+		FlowEncrypted:    1,
+		FlowEncryptedRet: 0,
 	}
 
 	out := PBFlowToMap(flow)
@@ -146,10 +148,12 @@ func TestPBFlowToMap(t *testing.T) {
 				"Direction": "egress",
 			},
 		},
-		"XlatSrcAddr": "1.2.3.4",
-		"XlatDstAddr": "5.6.7.8",
-		"XlatSrcPort": uint16(1),
-		"XlatDstPort": uint16(2),
-		"ZoneId":      uint16(100),
+		"XlatSrcAddr":      "1.2.3.4",
+		"XlatDstAddr":      "5.6.7.8",
+		"XlatSrcPort":      uint16(1),
+		"XlatDstPort":      uint16(2),
+		"ZoneId":           uint16(100),
+		"EncryptedFlow":    true,
+		"EncryptedFlowRet": uint8(0),
 	}, out)
 }

pkg/exporter/converters_test.go

@@ -53,6 +53,7 @@ func TestConversions(t *testing.T) {
 						DnsRecord: ebpf.BpfDnsRecordT{
 							Errno: 0,
 						},
+						FlowEncrypted: true,
 					},
 				},
 				Interfaces:    []model.IntfDirUdn{model.NewIntfDirUdn("eth0", model.DirectionEgress, nil)},
@@ -61,25 +62,27 @@ func TestConversions(t *testing.T) {
 				AgentIP:       net.IPv4(0x0a, 0x0b, 0x0c, 0x0d),
 			},
 			expected: &config.GenericMap{
-				"IfDirections":    []int{1},
-				"Bytes":           456,
-				"SrcAddr":         "6.7.8.9",
-				"DstAddr":         "10.11.12.13",
-				"Dscp":            64,
-				"DstMac":          "0A:0B:0C:0D:0E:0F",
-				"SrcMac":          "04:05:06:07:08:09",
-				"Etype":           2048,
-				"Packets":         123,
-				"Proto":           6,
-				"SrcPort":         23000,
-				"DstPort":         443,
-				"Flags":           0x100,
-				"Sampling":        1,
-				"TimeFlowStartMs": someTime.UnixMilli(),
-				"TimeFlowEndMs":   someTime.UnixMilli(),
-				"Interfaces":      []string{"eth0"},
-				"Udns":            []string{""},
-				"AgentIP":         "10.11.12.13",
+				"IfDirections":     []int{1},
+				"Bytes":            456,
+				"SrcAddr":          "6.7.8.9",
+				"DstAddr":          "10.11.12.13",
+				"Dscp":             64,
+				"DstMac":           "0A:0B:0C:0D:0E:0F",
+				"SrcMac":           "04:05:06:07:08:09",
+				"Etype":            2048,
+				"Packets":          123,
+				"Proto":            6,
+				"SrcPort":          23000,
+				"DstPort":          443,
+				"Flags":            0x100,
+				"Sampling":         1,
+				"TimeFlowStartMs":  someTime.UnixMilli(),
+				"TimeFlowEndMs":    someTime.UnixMilli(),
+				"Interfaces":       []string{"eth0"},
+				"Udns":             []string{""},
+				"AgentIP":          "10.11.12.13",
+				"EncryptedFlow":    true,
+				"EncryptedFlowRet": 0,
 			},
 		},
 		{
@@ -345,6 +348,7 @@ func TestConversions(t *testing.T) {
 							LatestState:     6,
 							LatestDropCause: 5,
 						},
+						FlowEncrypted: true,
 					},
 				},
 				Interfaces:    []model.IntfDirUdn{model.NewIntfDirUdn("eth0", model.DirectionEgress, nil)},
@@ -383,6 +387,8 @@ func TestConversions(t *testing.T) {
 				"DnsFlags":               0x8001,
 				"DnsFlagsResponseCode":   "FormErr",
 				"TimeFlowRttNs":          someDuration.Nanoseconds(),
+				"EncryptedFlow":          true,
+				"EncryptedFlowRet":       0,
 			},
 		},
 		{
@@ -409,6 +415,7 @@ func TestConversions(t *testing.T) {
 						DnsRecord: ebpf.BpfDnsRecordT{
 							Errno: 0,
 						},
+						FlowEncrypted: true,
 					},
 				},
 				Interfaces: []model.IntfDirUdn{
@@ -420,24 +427,26 @@ func TestConversions(t *testing.T) {
 				AgentIP:       net.IPv4(0x0a, 0x0b, 0x0c, 0x0d),
 			},
 			expected: &config.GenericMap{
-				"IfDirections":    []int{0, 1},
-				"Bytes":           64,
-				"SrcAddr":         "6.7.8.9",
-				"DstAddr":         "10.11.12.13",
-				"Dscp":            64,
-				"DstMac":          "0A:0B:0C:0D:0E:0F",
-				"SrcMac":          "04:05:06:07:08:09",
-				"Etype":           2048,
-				"Packets":         1,
-				"Proto":           6,
-				"SrcPort":         23000,
-				"DstPort":         443,
-				"Flags":           0x100,
-				"TimeFlowStartMs": someTime.UnixMilli(),
-				"TimeFlowEndMs":   someTime.UnixMilli(),
-				"Interfaces":      []string{"5e6e92caa1d51cf", "eth0"},
-				"Udns":            []string{"", ""},
-				"AgentIP":         "10.11.12.13",
+				"IfDirections":     []int{0, 1},
+				"Bytes":            64,
+				"SrcAddr":          "6.7.8.9",
+				"DstAddr":          "10.11.12.13",
+				"Dscp":             64,
+				"DstMac":           "0A:0B:0C:0D:0E:0F",
+				"SrcMac":           "04:05:06:07:08:09",
+				"Etype":            2048,
+				"Packets":          1,
+				"Proto":            6,
+				"SrcPort":          23000,
+				"DstPort":          443,
+				"Flags":            0x100,
+				"TimeFlowStartMs":  someTime.UnixMilli(),
+				"TimeFlowEndMs":    someTime.UnixMilli(),
+				"Interfaces":       []string{"5e6e92caa1d51cf", "eth0"},
+				"Udns":             []string{"", ""},
+				"AgentIP":          "10.11.12.13",
+				"EncryptedFlow":    true,
+				"EncryptedFlowRet": 0,
 			},
 		},
 	}

pkg/model/flow_content.go

@@ -117,6 +117,13 @@ func (p *BpfFlowContent) AccumulateAdditional(other *ebpf.BpfAdditionalMetrics)
 	if !AllZeroIP(IP(other.TranslatedFlow.Saddr)) && !AllZeroIP(IP(other.TranslatedFlow.Daddr)) {
 		p.AdditionalMetrics.TranslatedFlow = other.TranslatedFlow
 	}
+	// Encryption
+	if other.FlowEncrypted {
+		p.AdditionalMetrics.FlowEncrypted = other.FlowEncrypted
+	}
+	if p.AdditionalMetrics.FlowEncryptedRet != other.FlowEncryptedRet {
+		p.AdditionalMetrics.FlowEncryptedRet = other.FlowEncryptedRet
+	}
 }
 
 func allZerosMac(s [6]uint8) bool {

pkg/pbflow/proto.go

@@ -84,6 +84,10 @@ func FlowToPB(fr *model.Record) *Record {
 			DstPort: uint32(fr.Metrics.AdditionalMetrics.TranslatedFlow.Dport),
 			ZoneId:  uint32(fr.Metrics.AdditionalMetrics.TranslatedFlow.ZoneId),
 		}
+		pbflowRecord.FlowEncryptedRet = uint32(fr.Metrics.AdditionalMetrics.FlowEncryptedRet)
+		if fr.Metrics.AdditionalMetrics.FlowEncrypted {
+			pbflowRecord.FlowEncrypted = uint32(1)
+		}
 	}
 	pbflowRecord.DupList = make([]*DupMapEntry, 0)
 	for _, intf := range fr.Interfaces {
@@ -166,6 +170,7 @@ func PBToFlow(pb *Record) *model.Record {
 					Dport:  uint16(pb.Xlat.GetDstPort()),
 					ZoneId: uint16(pb.Xlat.GetZoneId()),
 				},
+				FlowEncryptedRet: uint8(pb.FlowEncryptedRet),
 			},
 		},
 		TimeFlowStart: pb.TimeFlowStart.AsTime(),
@@ -174,7 +179,9 @@ func PBToFlow(pb *Record) *model.Record {
 		TimeFlowRtt:   pb.TimeFlowRtt.AsDuration(),
 		DNSLatency:    pb.DnsLatency.AsDuration(),
 	}
-
+	if pb.FlowEncrypted != 0 {
+		out.Metrics.AdditionalMetrics.FlowEncrypted = true
+	}
 	if len(pb.GetDupList()) != 0 {
 		for _, entry := range pb.GetDupList() {
 			out.Interfaces = append(out.Interfaces, model.IntfDirUdn{