IPsec userspace to enable ipsec tracker

Signed-off-by: Mohamed Mahmoud <[email protected]>

Author: msherif1234

pkg/agent/agent.go

@@ -237,6 +237,7 @@ func FlowsAgent(cfg *Config) (*Flows, error) {
 		EnablePktTranslation:           cfg.EnablePktTranslationTracking,
 		UseEbpfManager:                 cfg.EbpfProgramManagerMode,
 		BpfManBpfFSPath:                cfg.BpfManBpfFSPath,
+		EnableIPsecTracker:             cfg.EnableIPsecTracking,
 		FilterConfig:                   filterRules,
 	}
 

pkg/agent/config.go

@@ -236,6 +236,8 @@ type Config struct {
 	BpfManBpfFSPath string `env:"BPFMAN_BPF_FS_PATH" envDefault:"/run/netobserv/maps"`
 	// EnableUDNMapping to allow mapping pod's interface to udn label
 	EnableUDNMapping bool `env:"ENABLE_UDN_MAPPING" envDefault:"false"`
+	// EnableIPsecTracking enable tracking IPsec flows encryption
+	EnableIPsecTracking bool `env:"ENABLE_IPSEC_TRACKING" envDefault:"false"`
 	/* Deprecated configs are listed below this line
 	 * See manageDeprecatedConfigs function for details
 	 */

pkg/decode/decode_protobuf.go

@@ -141,6 +141,10 @@ func RecordToMap(fr *model.Record) config.GenericMap {
 			out["XlatSrcAddr"] = model.IP(fr.Metrics.AdditionalMetrics.TranslatedFlow.Saddr).String()
 			out["XlatDstAddr"] = model.IP(fr.Metrics.AdditionalMetrics.TranslatedFlow.Daddr).String()
 		}
+		if fr.Metrics.AdditionalMetrics.FlowEncrypted || fr.Metrics.AdditionalMetrics.FlowEncryptedRet != 0 {
+			out["IPSecSuccess"] = fr.Metrics.AdditionalMetrics.FlowEncrypted
+			out["IPSecRetCode"] = fr.Metrics.AdditionalMetrics.FlowEncryptedRet
+		}
 	}
 
 	if fr.TimeFlowRtt != 0 {

pkg/decode/decode_protobuf_test.go

@@ -96,6 +96,8 @@ func TestPBFlowToMap(t *testing.T) {
 			DstPort: 2,
 			ZoneId:  100,
 		},
+		FlowEncrypted:    1,
+		FlowEncryptedRet: 0,
 	}
 
 	out := PBFlowToMap(flow)
@@ -146,10 +148,12 @@ func TestPBFlowToMap(t *testing.T) {
 				"Direction": "egress",
 			},
 		},
-		"XlatSrcAddr": "1.2.3.4",
-		"XlatDstAddr": "5.6.7.8",
-		"XlatSrcPort": uint16(1),
-		"XlatDstPort": uint16(2),
-		"ZoneId":      uint16(100),
+		"XlatSrcAddr":  "1.2.3.4",
+		"XlatDstAddr":  "5.6.7.8",
+		"XlatSrcPort":  uint16(1),
+		"XlatDstPort":  uint16(2),
+		"ZoneId":       uint16(100),
+		"IPSecSuccess": true,
+		"IPSecRetCode": uint8(0),
 	}, out)
 }

pkg/exporter/converters_test.go

@@ -53,6 +53,7 @@ func TestConversions(t *testing.T) {
 						DnsRecord: ebpf.BpfDnsRecordT{
 							Errno: 0,
 						},
+						FlowEncrypted: true,
 					},
 				},
 				Interfaces:    []model.IntfDirUdn{model.NewIntfDirUdn("eth0", model.DirectionEgress, nil)},
@@ -80,6 +81,8 @@ func TestConversions(t *testing.T) {
 				"Interfaces":      []string{"eth0"},
 				"Udns":            []string{""},
 				"AgentIP":         "10.11.12.13",
+				"IPSecSuccess":    true,
+				"IPSecRetCode":    0,
 			},
 		},
 		{
@@ -345,6 +348,7 @@ func TestConversions(t *testing.T) {
 							LatestState:     6,
 							LatestDropCause: 5,
 						},
+						FlowEncrypted: true,
 					},
 				},
 				Interfaces:    []model.IntfDirUdn{model.NewIntfDirUdn("eth0", model.DirectionEgress, nil)},
@@ -383,6 +387,8 @@ func TestConversions(t *testing.T) {
 				"DnsFlags":               0x8001,
 				"DnsFlagsResponseCode":   "FormErr",
 				"TimeFlowRttNs":          someDuration.Nanoseconds(),
+				"IPSecSuccess":           true,
+				"IPSecRetCode":           0,
 			},
 		},
 		{
@@ -409,6 +415,7 @@ func TestConversions(t *testing.T) {
 						DnsRecord: ebpf.BpfDnsRecordT{
 							Errno: 0,
 						},
+						FlowEncrypted: true,
 					},
 				},
 				Interfaces: []model.IntfDirUdn{
@@ -438,6 +445,8 @@ func TestConversions(t *testing.T) {
 				"Interfaces":      []string{"5e6e92caa1d51cf", "eth0"},
 				"Udns":            []string{"", ""},
 				"AgentIP":         "10.11.12.13",
+				"IPSecSuccess":    true,
+				"IPSecRetCode":    0,
 			},
 		},
 	}

pkg/model/flow_content.go

@@ -117,6 +117,13 @@ func (p *BpfFlowContent) AccumulateAdditional(other *ebpf.BpfAdditionalMetrics)
 	if !AllZeroIP(IP(other.TranslatedFlow.Saddr)) && !AllZeroIP(IP(other.TranslatedFlow.Daddr)) {
 		p.AdditionalMetrics.TranslatedFlow = other.TranslatedFlow
 	}
+	// IPSec
+	if other.FlowEncrypted && other.FlowEncryptedRet == 0 {
+		p.AdditionalMetrics.FlowEncrypted = other.FlowEncrypted
+	}
+	if p.AdditionalMetrics.FlowEncryptedRet != other.FlowEncryptedRet {
+		p.AdditionalMetrics.FlowEncryptedRet = other.FlowEncryptedRet
+	}
 }
 
 func allZerosMac(s [6]uint8) bool {

pkg/pbflow/flow.pb.go

@@ -84,6 +84,10 @@ func FlowToPB(fr *model.Record) *Record {
 			DstPort: uint32(fr.Metrics.AdditionalMetrics.TranslatedFlow.Dport),
 			ZoneId:  uint32(fr.Metrics.AdditionalMetrics.TranslatedFlow.ZoneId),
 		}
+		pbflowRecord.FlowEncryptedRet = uint32(fr.Metrics.AdditionalMetrics.FlowEncryptedRet)
+		if fr.Metrics.AdditionalMetrics.FlowEncrypted {
+			pbflowRecord.FlowEncrypted = uint32(1)
+		}
 	}
 	pbflowRecord.DupList = make([]*DupMapEntry, 0)
 	for _, intf := range fr.Interfaces {
@@ -166,6 +170,7 @@ func PBToFlow(pb *Record) *model.Record {
 					Dport:  uint16(pb.Xlat.GetDstPort()),
 					ZoneId: uint16(pb.Xlat.GetZoneId()),
 				},
+				FlowEncryptedRet: uint8(pb.FlowEncryptedRet),
 			},
 		},
 		TimeFlowStart: pb.TimeFlowStart.AsTime(),
@@ -174,7 +179,9 @@ func PBToFlow(pb *Record) *model.Record {
 		TimeFlowRtt:   pb.TimeFlowRtt.AsDuration(),
 		DNSLatency:    pb.DnsLatency.AsDuration(),
 	}
-
+	if pb.FlowEncrypted != 0 {
+		out.Metrics.AdditionalMetrics.FlowEncrypted = true
+	}
 	if len(pb.GetDupList()) != 0 {
 		for _, entry := range pb.GetDupList() {
 			out.Interfaces = append(out.Interfaces, model.IntfDirUdn{