IPsec userspace to enable ipsec tracker

Signed-off-by: Mohamed Mahmoud <[email protected]>
netobserv · Jan 31, 2025 · f73f9d5 · f73f9d5
1 parent 1a6bb3f
commit f73f9d5
Show file tree

Hide file tree

Showing 8 changed files with 194 additions and 37 deletions.
diff --git a/pkg/agent/agent.go b/pkg/agent/agent.go
@@ -235,6 +235,7 @@ func FlowsAgent(cfg *Config) (*Flows, error) {
 		EnablePktTranslation:           cfg.EnablePktTranslationTracking,
 		UseEbpfManager:                 cfg.EbpfProgramManagerMode,
 		BpfManBpfFSPath:                cfg.BpfManBpfFSPath,
+		EnableIPsecTracker:             cfg.EnableIPsecTracking,
 		FilterConfig:                   filterRules,
 	}
 

diff --git a/pkg/agent/config.go b/pkg/agent/config.go
@@ -236,6 +236,8 @@ type Config struct {
 	BpfManBpfFSPath string `env:"BPFMAN_BPF_FS_PATH" envDefault:"/run/netobserv/maps"`
 	// EnableUDNMapping to allow mapping pod's interface to udn label
 	EnableUDNMapping bool `env:"ENABLE_UDN_MAPPING" envDefault:"false"`
+	// EnableIPsecTracking enable tracking IPsec flows encryption
+	EnableIPsecTracking bool `env:"ENABLE_IPSEC_TRACKING" envDefault:"false"`
 	/* Deprecated configs are listed below this line
 	 * See manageDeprecatedConfigs function for details
 	 */

diff --git a/pkg/decode/decode_protobuf.go b/pkg/decode/decode_protobuf.go
@@ -141,6 +141,9 @@ func RecordToMap(fr *model.Record) config.GenericMap {
 			out["XlatSrcAddr"] = model.IP(fr.Metrics.AdditionalMetrics.TranslatedFlow.Saddr).String()
 			out["XlatDstAddr"] = model.IP(fr.Metrics.AdditionalMetrics.TranslatedFlow.Daddr).String()
 		}
+		if fr.Metrics.AdditionalMetrics.FlowEncrypted {
+			out["EncryptedFlow"] = fr.Metrics.AdditionalMetrics.FlowEncrypted
+		}
 	}
 
 	if fr.TimeFlowRtt != 0 {

diff --git a/pkg/model/flow_content.go b/pkg/model/flow_content.go
@@ -116,6 +116,10 @@ func (p *BpfFlowContent) AccumulateAdditional(other *ebpf.BpfAdditionalMetrics)
 	if !AllZeroIP(IP(other.TranslatedFlow.Saddr)) && !AllZeroIP(IP(other.TranslatedFlow.Daddr)) {
 		p.AdditionalMetrics.TranslatedFlow = other.TranslatedFlow
 	}
+	// Encryption
+	if p.AdditionalMetrics.FlowEncrypted != other.FlowEncrypted {
+		p.AdditionalMetrics.FlowEncrypted = other.FlowEncrypted
+	}
 }
 
 func allZerosMac(s [6]uint8) bool {

diff --git a/pkg/pbflow/flow.pb.go b/pkg/pbflow/flow.pb.go
diff --git a/pkg/pbflow/proto.go b/pkg/pbflow/proto.go
@@ -84,6 +84,7 @@ func FlowToPB(fr *model.Record) *Record {
 			DstPort: uint32(fr.Metrics.AdditionalMetrics.TranslatedFlow.Dport),
 			ZoneId:  uint32(fr.Metrics.AdditionalMetrics.TranslatedFlow.ZoneId),
 		}
+		pbflowRecord.FlowEncrypted = fr.Metrics.AdditionalMetrics.FlowEncrypted
 	}
 	pbflowRecord.DupList = make([]*DupMapEntry, 0)
 	for _, intf := range fr.Interfaces {
@@ -166,6 +167,7 @@ func PBToFlow(pb *Record) *model.Record {
 					Dport:  uint16(pb.Xlat.GetDstPort()),
 					ZoneId: uint16(pb.Xlat.GetZoneId()),
 				},
+				FlowEncrypted: pb.FlowEncrypted,
 			},
 		},
 		TimeFlowStart: pb.TimeFlowStart.AsTime(),