Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support outputting and filtering by vxlan/geneve tunnel data #494

Open
wants to merge 3 commits into
base: main
Choose a base branch
from
Open

Support outputting and filtering by vxlan/geneve tunnel data #494

wants to merge 3 commits into from
+227 −23

Conversation

tommyp1ckles
Copy link

@tommyp1ckles tommyp1ckles commented Jan 28, 2025
edited
Loading

If the flag is enabled, packets that appear to be vxlan encapsulated will have the filtering function applied. Note: Therefore, to avoid getting non-vxlan traffic you will want to apply a general pcap filter on the vxlan udp ports.

As well, the flag --output-tunnel will result in output of vxlan header data (i.e. flag/vin) as well as inner address tuple.

Example Output

sudo ./pwru --output-tuple  --filter-func=udp_queue_rcv_skb  'port 8472' --output-tunnel --filter-tunnel-pcap-l3 'port 8080'  --output-tcp-flags
2025/01/27 16:35:45 Attaching kprobes (via kprobe)...
1 / 1 [-----------------------------------------------------------------------------------------------------------------------------------------------------------] 100.00% ? p/s
2025/01/27 16:35:45 Attached (ignored 0)
2025/01/27 16:35:45 Listening for events..
SKB                CPU PROCESS          NETNS      MARK/x        IFACE       PROTO  MTU   LEN   TUPLE FUNC TUNNEL
0xffff0000ea5d7ce8 7   <empty>:2287425  4026532458 0            eth0:353     0x0800 65536 90    172.18.0.5:54806->172.18.0.2:8472(udp) udp_queue_rcv_skb 52:2e:36:8d:11:23 -> ba:44:d8:6c:66:5a 10.244.1.205:36739->10.244.3.122:8080(tcp:SYN)
0xffff00011e41e900 7   <empty>:2287425  4026532646 0            eth0:359     0x0800 65536 90    172.18.0.2:53786->172.18.0.5:8472(udp) udp_queue_rcv_skb 92:53:8f:3a:e7:ef -> 7e:16:77:14:df:0d 10.244.3.122:8080->10.244.1.205:36739(tcp:SYN|ACK)
0xffff00011e41ef00 7   <empty>:2287425  4026532458 0            eth0:353     0x0800 65536 82    172.18.0.5:54806->172.18.0.2:8472(udp) udp_queue_rcv_skb 52:2e:36:8d:11:23 -> ba:44:d8:6c:66:5a 10.244.1.205:36739->10.244.3.122:8080(tcp:ACK)
0xffff0000ea5d7ce8 7   <empty>:2287425  4026532458 0            eth0:353     0x0800 65536 82    172.18.0.5:54806->172.18.0.2:8472(udp) udp_queue_rcv_skb 52:2e:36:8d:11:23 -> ba:44:d8:6c:66:5a 10.244.1.205:36739->10.244.3.122:8080(tcp:FIN|ACK)
0xffff0000e9b75ce8 6   node:2108761     4026532646 0            eth0:359     0x0800 65536 82    172.18.0.2:53786->172.18.0.5:8472(udp) udp_queue_rcv_skb 92:53:8f:3a:e7:ef -> 7e:16:77:14:df:0d 10.244.3.122:8080->10.244.1.205:36739(tcp:FIN|ACK)

Follow up work

  • Add support for Geneve
  • Add support for ip encap ip

@tommyp1ckles tommyp1ckles mentioned this pull request Jan 28, 2025
Open
3 tasks
@tommyp1ckles tommyp1ckles changed the title Add tunnel l2 pcap flag for optiona vxlan pcap. Add tunnel l2 pcap flag for optiona vxlan filtering Jan 28, 2025
@tommyp1ckles tommyp1ckles changed the title Add tunnel l2 pcap flag for optiona vxlan filtering Support outputting and filtering by vxlan tunnel data Jan 28, 2025
@tommyp1ckles tommyp1ckles force-pushed the pr/tp/tunnel-l2-pcap branch 2 times, most recently from 0fe178f to e757528 Compare February 14, 2025 04:19
@tommyp1ckles
Add tunnel l2 pcap flag for optiona vxlan pcap.
a54bcbe 
If the flag is enabled, packets that appear to be vxlan
encapsulated will have the filtering function applied.
Note: Therefore, to avoid getting non-vxlan traffic you
will want to apply a general pcap filter on the vxlan udp
ports.

As well, the flag --output-tunnel will result in output
of vxlan header data (i.e. flag/vin) as well as inner
address tuple.

Signed-off-by: Tom Hadlaw <[email protected]>
@tommyp1ckles
add support for geneve tunnel type.
698e31d 
When reading optional tunnel data, look at ports to try to determine
the tunnel type. We now use this to get a header length based on the
expected tunnel header type allowing us to read into the tunnel l{2,3}
data.

Signed-off-by: Tom Hadlaw <[email protected]>
@tommyp1ckles
use seperate pcap flags for tunnel.
d03f7ea 
Trying to use a l2 based expression such as
'host ether xx-xx-xx-xx-xx-xx' results in a error
as it is not a valid l3 expression (thus compilation fails)
however, in order to be able to have both l2&l3 expressions
we need to seperate out the flags and pass them seperately.

Signed-off-by: Tom Hadlaw <[email protected]>
@tommyp1ckles tommyp1ckles changed the title Support outputting and filtering by vxlan tunnel data Support outputting and filtering by vxlan/geneve tunnel data Feb 14, 2025
@tommyp1ckles tommyp1ckles marked this pull request as ready for review February 14, 2025 23:47
@tommyp1ckles tommyp1ckles requested a review from a team as a code owner February 14, 2025 23:47
@tommyp1ckles tommyp1ckles requested review from smagnani96 and removed request for a team February 14, 2025 23:47
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@smagnani96 smagnani96 Awaiting requested review from smagnani96 smagnani96 is a code owner automatically assigned from cilium/pwru

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@tommyp1ckles