Fix Issue #6976: Modified the logic to capture either source or destination traffic in PacketCapture CRD #6997
Conversation
| oneOf: | ||
| - properties: | ||
| source: | ||
| required: [pod] | ||
| required: [source] | ||
| - properties: | ||
| destination: | ||
| required: [pod] | ||
| required: [destination] |
There was a problem hiding this comment.
that doesn't seem right to me: if I define a PacketCapture with both .spec.source.pod and .spec.destination.pod, I believe validation will fail as both alternatives in the oneOf will match
I am also not sure I understand the rationale behind the change. I think the previous requirement (with the anyOf) as fine. What we are trying to ensure is that at least one one .spec.source.pod and .spec.destination.pod is provided. If at least one of them is provided, then of course at least one of .spec.source and .spec.destination is provided.
There was a problem hiding this comment.
Thanks, @antoninbas, for your feedback!
I've updated the Packet Capture CRD to capture packets in the following scenarios:
- Egress traffic – packets originating from a pod.
- Ingress traffic – packets destined for a pod.
- Pod-to-pod traffic – packets where at least one endpoint (source or destination) is a pod.
Let me know if any further improvements are needed!
|
|
||
| var sourceIP, destIP net.IP | ||
| // Parse only one IP either source or destination | ||
| podIP, isSource, err := c.parseOneIP(ctx, pc) |
There was a problem hiding this comment.
both IPs can still be provided, so returning a single IP here is incorrect
it seems to me that the existing implementation of parseIPs is correct actually, and compatible with what we are trying to achieve with this PR
There was a problem hiding this comment.
I've removed parseOneIP and kept the previous parseIPs logic.
Additionally, I made little changes in bpf.go to ensure that the instruction count
is correctly calculated based on the Pod CRD for all types of traffic.
… or dest pod traffic Signed-off-by: ifrah-ashraf <[email protected]>
…o-destination traffic Signed-off-by: ifrah-ashraf <[email protected]>
ifrah-ashraf
force-pushed
the
ifrah-fix-issue--6976
branch
from
088808c to
0710ce5
Compare
|
Hey @antoninbas, thanks for the feedback! I've made the necessary changes to ensure correct packet capture and verified Let me know if any further improvements are needed. Otherwise, I'll test it |
| required: [pod] | ||
| - properties: | ||
| destination: | ||
| required: [pod] |
There was a problem hiding this comment.
@ifrah-ashraf
what if both src and dst is provided? Then doesn't you think then both src and dst must be pod?
There was a problem hiding this comment.
Hey @devc007 , if both (source and dest) is specified then it will work as it was working before but either of them must be a pod as to store the pcapng file one pod must be specified and yeah if both source and destination are defined then by default it will store the file at source pod.
I hope it is clear now.
There was a problem hiding this comment.
Thanks for clarification @ifrah-ashraf but i am still trying to understand the things you have pointed out. And thanks to explain me why one of them must be a pod.
There was a problem hiding this comment.
I don't think I understand why we don't just have this:
required:
- captureConfig
anyOf:
- properties:
source:
required: [pod]
- properties:
destination:
required: [pod]
wouldn't that work?
| required: [pod] | ||
| - properties: | ||
| destination: | ||
| required: [pod] |
There was a problem hiding this comment.
I don't think I understand why we don't just have this:
required:
- captureConfig
anyOf:
- properties:
source:
required: [pod]
- properties:
destination:
required: [pod]
wouldn't that work?
| @@ -76,7 +76,16 @@ func compareProtocol(protocol uint32, skipTrue, skipFalse uint8) bpf.Instruction | |||
| // ipv4 traffic. Compared to the raw BPF filter supported by libpcap, we only need to support | |||
| // limited use cases, so an expression parser is not needed. | |||
| func compilePacketFilter(packetSpec *crdv1alpha1.Packet, srcIP, dstIP net.IP) []bpf.Instruction { | |||
| size := uint8(calculateInstructionsSize(packetSpec)) | |||
| //size := uint8(calculateInstructionsSize(packetSpec)) | |||
There was a problem hiding this comment.
please remove such commented out lines when you submit a PR for review
| @@ -212,8 +221,16 @@ func calculateInstructionsSize(packet *crdv1alpha1.Packet) int { | |||
| } | |||
| } | |||
| // src and dst ip | |||
| count += 4 | |||
| //count += 4 | |||
|
|
||
| // generate traffic for source pod (egress) |
There was a problem hiding this comment.
I don't understand the new comments here. What does "generate traffic" mean here?
| srcIP, dstIP, err := c.parseIPs(ctx, pc) | ||
| if err != nil { | ||
| return false, err | ||
| } | ||
|
|
||
| /* var sourceIP, destIP net.IP |
There was a problem hiding this comment.
again, remove all the commented out code that is not needed
| @@ -447,11 +447,26 @@ func (c *Controller) performCapture( | |||
| file afero.File, | |||
| device string, | |||
| ) (bool, error) { | |||
|
|
|||
| // here is the IP parsing when both source and destination pod is specified | |||
| @@ -447,11 +447,26 @@ func (c *Controller) performCapture( | |||
| file afero.File, | |||
| device string, | |||
| ) (bool, error) { | |||
|
|
|||
There was a problem hiding this comment.
don't add an empty line at the beginning of functions
Description
This PR fixes Issue #6976 by ensuring that PacketCapture CRD properly validates source and destination separately.
packetcapture.yamlschema to enforceoneOfvalidation.bpf.goto handle traffic capturing based on either source or destination.packetcapture_controller.gologic to correctly process packet captures for either source or destination.Source Pod traffic (egressing from a pod)
Destination Pod traffic (ingressing into a pod)
Note:
For destination pod traffic (ingress), I need to further verify whether externally sent traffic is properly captured at the destination. Initial tests with locally exposed pod service indicate that ingress traffic might be translated at the gateway, making it appear as if it's coming from another internal source pod. If any modifications are required in this regard, please let me know. Otherwise, I will update the e2e test suite accordingly to validate this scenario and share my findings.