[BPF] counters to detect source port collisions
tomastigera committed Dec 20, 2024
1 parent fb7ee21 commit cfd824f
Showing 7 changed files with 28 additions and 7 deletions.
2 changes: 2 additions & 0 deletions felix/bpf-gpl/conntrack.h
Expand Up @@ -233,6 +233,7 @@ static CALI_BPF_INLINE int calico_ct_v4_create_tracking(struct cali_tc_ctx *ctx,
int i;

CALI_DEBUG("Source collision for " IP_FMT ":%d", debug_ip(ct_ctx->src), sport);
counter_inc(ctx, CALI_REASON_SOURCE_COLLISION);

ct_value.orig_sport = sport;

Expand All @@ -258,6 +259,7 @@ static CALI_BPF_INLINE int calico_ct_v4_create_tracking(struct cali_tc_ctx *ctx,
CALI_INFO("Source collision unresolved " IP_FMT ":%d",
debug_ip(ct_ctx->src), ct_value.orig_sport);
err = -17; /* EEXIST */
counter_inc(ctx, CALI_REASON_SOURCE_COLLISION_FAILED);
}
}

4 changes: 2 additions & 2 deletions felix/bpf-gpl/counters.h
Expand Up @@ -7,7 +7,7 @@

#include "bpf.h"

#define MAX_COUNTERS_SIZE 14
#define MAX_COUNTERS_SIZE 17

typedef __u64 counters_t[MAX_COUNTERS_SIZE];

Expand All @@ -20,7 +20,7 @@ struct counters_key {
#define COUNTERS_TC_EGRESS 1
#define COUNTERS_XDP 2

CALI_MAP(cali_counters, 2,
CALI_MAP(cali_counters, 3,
BPF_MAP_TYPE_PERCPU_HASH,
struct counters_key, counters_t, 20000,
0)
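Review bot: `MAX_COUNTERS_SIZE 17` here and `MaxCounterNumber int = 17` in felix/bpf/counters/counters.go are the same value maintained by hand in two places, and this commit bumps both without any pointer from one to the other. A trailing comment on the define, `/* must match MaxCounterNumber in felix/bpf/counters/counters.go */`, would make the next counter addition less likely to drift. The bump of the CALI_MAP version to 3 is consistent with the value size changing (counters_t grows with the count) and is mirrored in felix/bpf/counters/map.go.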
3 changes: 3 additions & 0 deletions felix/bpf-gpl/reasons.h
Expand Up @@ -23,6 +23,9 @@ enum calico_reason {
CALI_REASON_UNAUTH_SOURCE,
CALI_REASON_RT_UNKNOWN,
CALI_REASON_BLACK_HOLE,
CALI_REASON_SOURCE_COLLISION,
CALI_REASON_SOURCE_COLLISION_FAILED,
CALI_REASON_CT_CREATE_FAILED,
CALI_REASON_ACCEPTED_BY_XDP, // Not used by counters map
CALI_REASON_WEP_NOT_READY,
CALI_REASON_NATIFACE,
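Review bot: Inserting CALI_REASON_SOURCE_COLLISION, CALI_REASON_SOURCE_COLLISION_FAILED and CALI_REASON_CT_CREATE_FAILED after CALI_REASON_BLACK_HOLE renumbers every enumerator that follows (CALI_REASON_ACCEPTED_BY_XDP, CALI_REASON_WEP_NOT_READY, CALI_REASON_NATIFACE and whatever else sits after the hunk). The counters map itself is covered by the version bump, but anything that records or compares the raw numeric reason (log or trace output, a userspace decoder) would silently change meaning across an upgrade, which is worth confirming. The position is evidently chosen to line up with the iota block in felix/bpf/counters/counters.go; a comment above the enum, `/* keep in sync with the counter list in felix/bpf/counters/counters.go */`, would record that constraint for the next person who adds a reason.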
3 changes: 2 additions & 1 deletion felix/bpf-gpl/tc.c
Expand Up @@ -806,6 +806,7 @@ static CALI_BPF_INLINE enum do_nat_res do_nat(struct cali_tc_ctx *ctx,
int err;
if ((err = conntrack_create(ctx, ct_ctx_nat))) {
CALI_DEBUG("Creating NAT conntrack failed with %d", err);
deny_reason(ctx, CALI_REASON_CT_CREATE_FAILED);
goto deny;
}
STATE->ct_result.nat_sip = ct_ctx_nat->src;
Expand Down Expand Up @@ -1399,7 +1400,7 @@ int calico_tc_skb_new_flow_entrypoint(struct __sk_buff *skb)
CALI_DEBUG("Allowing local host traffic without CT");
goto allow;
}

deny_reason(ctx, CALI_REASON_CT_CREATE_FAILED);
goto deny;
}
goto allow;
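Review bot: In do_nat, `deny_reason(ctx, CALI_REASON_CT_CREATE_FAILED)` now runs on every conntrack_create failure, including the -17 path in conntrack.h that already calls counter_inc(ctx, CALI_REASON_SOURCE_COLLISION_FAILED); if deny_reason also increments the counters map (its definition is outside the hunk), one dropped packet lands in two entries that counters.go both files under "Dropped", so a per-category sum overcounts. Either document that SourceCollisionFailed is a subset of ConntrackCreateFailed, or skip the generic reason for that case, e.g. `if (err != -17) deny_reason(ctx, CALI_REASON_CT_CREATE_FAILED);`. The second hunk adds the same call in calico_tc_skb_new_flow_entrypoint, where the enclosing block starts outside the hunk; if that goto deny is also reached from a conntrack_create failure, the same consideration applies there.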
17 changes: 16 additions & 1 deletion felix/bpf/counters/counters.go
Expand Up @@ -27,7 +27,7 @@ import (
)

const (
MaxCounterNumber int = 14
MaxCounterNumber int = 17
counterMapKeySize int = 8
counterMapValueSize int = 8
)
Expand Down Expand Up @@ -73,6 +73,9 @@ const (
DroppedUnauthSource
DroppedUnknownRoute
DroppedBlackholeRoute
SourceCollision
SourceCollisionFailed
ConntrackCreateFailed
)

type Description struct {
Expand Down Expand Up @@ -155,6 +158,18 @@ var descriptions DescList = DescList{
Counter: DroppedBlackholeRoute,
Category: "Dropped", Caption: "packets hitting blackhole route",
},
{
Counter: SourceCollision,
Category: "Other", Caption: "packets hitting NAT source collision",
},
{
Counter: ConntrackCreateFailed,
Category: "Dropped", Caption: "failed to create conntrack",
},
{
Counter: SourceCollisionFailed,
Category: "Dropped", Caption: "packets hitting NAT source collision failed",
},
}

func Descriptions() DescList {
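Review bot: The three new description entries are listed in a different order from the const block (ConntrackCreateFailed before SourceCollisionFailed), and their captions are inconsistent with the existing entries: `failed to create conntrack` is the only caption that does not start with `packets`, and `packets hitting NAT source collision failed` reads as if the packets failed rather than the collision resolution. Suggest reordering the entries to match the iota order and using `Caption: "packets dropped because conntrack creation failed"` and `Caption: "packets dropped after an unresolved NAT source collision"`. The enclosing descriptions literal starts outside the hunk.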
2 changes: 1 addition & 1 deletion felix/bpf/counters/map.go
Expand Up @@ -29,7 +29,7 @@ var MapParameters = maps.MapParameters{
ValueSize: counterMapValueSize * MaxCounterNumber,
MaxEntries: 20000,
Name: "cali_counters",
Version: 2,
Version: 3,
}

func Map() maps.Map {
4 changes: 2 additions & 2 deletions felix/cmd/calico-bpf/commands/conntrack.go
Expand Up @@ -216,8 +216,8 @@ func (cmd *conntrackDumpCmd) prettyDump(k conntrack.KeyInterface, v conntrack.Va
}

now := bpf.KTimeNanos()
cmd.Printf(" Age: %s Active ago %s",
time.Duration(now-v.Created()), time.Duration(now-v.LastSeen()))
cmd.Printf(" Age: %s Active ago %s Duration %s",
time.Duration(now-v.Created()), time.Duration(now-v.LastSeen()), time.Duration(v.LastSeen()-v.Created()))

if k.Proto() == 6 {
if (v.IsForwardDSR() && d.FINsSeenDSR()) || d.FINsSeen() || d.RSTSeen() {
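Review bot: The new `Duration %s` column prints v.LastSeen()-v.Created(), i.e. how long the entry was active, which is ambiguous next to `Age` (time since creation); a label such as `Active for %s` would say what the number is. If those accessors return unsigned nanoseconds (not visible in the hunk), a LastSeen earlier than Created would wrap to a very large duration, though the existing `now-...` terms already share that property. prettyDump starts outside the hunk.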