IPsec userspace to enable ipsec tracker

msherif1234 · msherif1234 · commit 539f3684decd · 2025-01-30T11:09:25.000-05:00
Signed-off-by: Mohamed Mahmoud &lt;mmahmoud@redhat.com&gt;
diff --git a/pkg/agent/agent.go b/pkg/agent/agent.go
@@ -235,6 +235,7 @@ func FlowsAgent(cfg *Config) (*Flows, error) {
 		EnablePktTranslation:           cfg.EnablePktTranslationTracking,
 		UseEbpfManager:                 cfg.EbpfProgramManagerMode,
 		BpfManBpfFSPath:                cfg.BpfManBpfFSPath,
+		EnableIPsecTracker:             cfg.EnableIPsecTracking,
 		FilterConfig:                   filterRules,
 	}
 
diff --git a/pkg/agent/config.go b/pkg/agent/config.go
@@ -236,6 +236,8 @@ type Config struct {
 	BpfManBpfFSPath string `env:"BPFMAN_BPF_FS_PATH" envDefault:"/run/netobserv/maps"`
 	// EnableUDNMapping to allow mapping pod's interface to udn label
 	EnableUDNMapping bool `env:"ENABLE_UDN_MAPPING" envDefault:"false"`
+	// EnableIPsecTracking enable tracking IPsec flows encryption
+	EnableIPsecTracking bool `env:"ENABLE_IPSEC_TRACKING" envDefault:"false"`
 	/* Deprecated configs are listed below this line
 	 * See manageDeprecatedConfigs function for details
 	 */
diff --git a/pkg/tracer/tracer.go b/pkg/tracer/tracer.go
@@ -62,6 +62,7 @@ const (
 	rhNetworkEventsMonitoringHook       = "rh_psample_sample_packet"
 	networkEventsMonitoringHook         = "psample_sample_packet"
 	defaultNetworkEventsGroupID         = 10
+	constEnableIPsec                    = "enable_ipsec"
 )
 
 var log = logrus.WithField("component", "ebpf.FlowFetcher")
@@ -87,6 +88,8 @@ type FlowFetcher struct {
 	ingressTCXLink              map[ifaces.Interface]link.Link
 	networkEventsMonitoringLink link.Link
 	nfNatManIPLink              link.Link
+	xfrmInputLink               link.Link
+	xfrmOutputLink              link.Link
 	lookupAndDeleteSupported    bool
 	useEbpfManager              bool
 	pinDir                      string
@@ -109,6 +112,7 @@ type FlowFetcherConfig struct {
 	EnablePktTranslation           bool
 	UseEbpfManager                 bool
 	BpfManBpfFSPath                string
+	EnableIPsecTracker             bool
 	FilterConfig                   []*FilterConfig
 }
 
@@ -120,7 +124,7 @@ type variablesMapping struct {
 // nolint:golint,cyclop
 func NewFlowFetcher(cfg *FlowFetcherConfig) (*FlowFetcher, error) {
 	var pktDropsLink, networkEventsMonitoringLink, rttFentryLink, rttKprobeLink link.Link
-	var nfNatManIPLink link.Link
+	var nfNatManIPLink, xfrmInputLink, xfrmOutputLink link.Link
 	var err error
 	objects := ebpf.BpfObjects{}
 	var pinDir string
@@ -243,6 +247,19 @@ func NewFlowFetcher(cfg *FlowFetcherConfig) (*FlowFetcher, error) {
 				return nil, fmt.Errorf("failed to attach the BPF program to nat_manip kprobe: %w", err)
 			}
 		}
+
+		if cfg.EnableIPsecTracker {
+			xfrmInputLink, err = link.Kretprobe("xfrm_input", objects.XfrmInputKprobe, nil)
+			if err != nil {
+				log.Warningf("failed to attach the BPF program to xfrm_input: %v", err)
+				return nil, fmt.Errorf("failed to attach the BPF program to xfrm_input: %w", err)
+			}
+			xfrmOutputLink, err = link.Kretprobe("xfrm_output", objects.XfrmOutputKprobe, nil)
+			if err != nil {
+				log.Warningf("failed to attach the BPF program to xfrm_output: %v", err)
+				return nil, fmt.Errorf("failed to attach the BPF program to xfrm_output: %w", err)
+			}
+		}
 	} else {
 		pinDir = cfg.BpfManBpfFSPath
 		opts := &cilium.LoadPinOptions{
@@ -325,6 +342,8 @@ func NewFlowFetcher(cfg *FlowFetcherConfig) (*FlowFetcher, error) {
 		rttFentryLink:               rttFentryLink,
 		rttKprobeLink:               rttKprobeLink,
 		nfNatManIPLink:              nfNatManIPLink,
+		xfrmInputLink:               xfrmInputLink,
+		xfrmOutputLink:              xfrmOutputLink,
 		egressTCXLink:               map[ifaces.Interface]link.Link{},
 		ingressTCXLink:              map[ifaces.Interface]link.Link{},
 		networkEventsMonitoringLink: networkEventsMonitoringLink,
@@ -703,6 +722,18 @@ func (m *FlowFetcher) Close() error {
 			errs = append(errs, err)
 		}
 	}
+
+	if m.xfrmInputLink != nil {
+		if err := m.xfrmInputLink.Close(); err != nil {
+			errs = append(errs, err)
+		}
+	}
+
+	if m.xfrmOutputLink != nil {
+		if err := m.xfrmOutputLink.Close(); err != nil {
+			errs = append(errs, err)
+		}
+	}
 	// m.ringbufReader.Read is a blocking operation, so we need to close the ring buffer
 	// from another goroutine to avoid the system not being able to exit if there
 	// isn't traffic in a given interface
@@ -1063,6 +1094,8 @@ func kernelSpecificLoadAndAssign(oldKernel, rtKernel, supportNetworkEvents bool,
 			TcxEgressPcaParse   *cilium.Program `ebpf:"tcx_egress_pca_parse"`
 			TcxIngressPcaParse  *cilium.Program `ebpf:"tcx_ingress_pca_parse"`
 			TrackNatManipPkt    *cilium.Program `ebpf:"track_nat_manip_pkt"`
+			XfrmInputKprobe     *cilium.Program `ebpf:"xfrm_input_kprobe"`
+			XfrmOutputKprobe    *cilium.Program `ebpf:"xfrm_output_kprobe"`
 		}
 		type newBpfObjects struct {
 			newBpfPrograms
@@ -1088,6 +1121,8 @@ func kernelSpecificLoadAndAssign(oldKernel, rtKernel, supportNetworkEvents bool,
 				TcxEgressPcaParse:         newObjects.TcxEgressPcaParse,
 				TcxIngressPcaParse:        newObjects.TcxIngressPcaParse,
 				TrackNatManipPkt:          newObjects.TrackNatManipPkt,
+				XfrmInputKprobe:           newObjects.XfrmInputKprobe,
+				XfrmOutputKprobe:          newObjects.XfrmOutputKprobe,
 				TcpRcvKprobe:              nil,
 				TcpRcvFentry:              nil,
 				KfreeSkb:                  nil,
@@ -1116,6 +1151,8 @@ func kernelSpecificLoadAndAssign(oldKernel, rtKernel, supportNetworkEvents bool,
 			TcxIngressPcaParse  *cilium.Program `ebpf:"tcx_ingress_pca_parse"`
 			TCPRcvKprobe        *cilium.Program `ebpf:"tcp_rcv_kprobe"`
 			TrackNatManipPkt    *cilium.Program `ebpf:"track_nat_manip_pkt"`
+			XfrmInputKprobe     *cilium.Program `ebpf:"xfrm_input_kprobe"`
+			XfrmOutputKprobe    *cilium.Program `ebpf:"xfrm_output_kprobe"`
 		}
 		type newBpfObjects struct {
 			newBpfPrograms
@@ -1141,6 +1178,8 @@ func kernelSpecificLoadAndAssign(oldKernel, rtKernel, supportNetworkEvents bool,
 				TcxIngressPcaParse:        newObjects.TcxIngressPcaParse,
 				TcpRcvKprobe:              newObjects.TCPRcvKprobe,
 				TrackNatManipPkt:          newObjects.TrackNatManipPkt,
+				XfrmInputKprobe:           newObjects.XfrmInputKprobe,
+				XfrmOutputKprobe:          newObjects.XfrmOutputKprobe,
 				TcpRcvFentry:              nil,
 				KfreeSkb:                  nil,
 				RhNetworkEventsMonitoring: nil,
@@ -1168,6 +1207,8 @@ func kernelSpecificLoadAndAssign(oldKernel, rtKernel, supportNetworkEvents bool,
 			TcxIngressPcaParse  *cilium.Program `ebpf:"tcx_ingress_pca_parse"`
 			TCPRcvFentry        *cilium.Program `ebpf:"tcp_rcv_fentry"`
 			TrackNatManipPkt    *cilium.Program `ebpf:"track_nat_manip_pkt"`
+			XfrmInputKprobe     *cilium.Program `ebpf:"xfrm_input_kprobe"`
+			XfrmOutputKprobe    *cilium.Program `ebpf:"xfrm_output_kprobe"`
 		}
 		type newBpfObjects struct {
 			newBpfPrograms
@@ -1193,6 +1234,8 @@ func kernelSpecificLoadAndAssign(oldKernel, rtKernel, supportNetworkEvents bool,
 				TcxIngressPcaParse:        newObjects.TcxIngressPcaParse,
 				TcpRcvFentry:              newObjects.TCPRcvFentry,
 				TrackNatManipPkt:          newObjects.TrackNatManipPkt,
+				XfrmInputKprobe:           newObjects.XfrmInputKprobe,
+				XfrmOutputKprobe:          newObjects.XfrmOutputKprobe,
 				TcpRcvKprobe:              nil,
 				KfreeSkb:                  nil,
 				RhNetworkEventsMonitoring: nil,
@@ -1222,6 +1265,8 @@ func kernelSpecificLoadAndAssign(oldKernel, rtKernel, supportNetworkEvents bool,
 			TCPRcvKprobe        *cilium.Program `ebpf:"tcp_rcv_kprobe"`
 			KfreeSkb            *cilium.Program `ebpf:"kfree_skb"`
 			TrackNatManipPkt    *cilium.Program `ebpf:"track_nat_manip_pkt"`
+			XfrmInputKprobe     *cilium.Program `ebpf:"xfrm_input_kprobe"`
+			XfrmOutputKprobe    *cilium.Program `ebpf:"xfrm_output_kprobe"`
 		}
 		type newBpfObjects struct {
 			newBpfPrograms
@@ -1248,6 +1293,8 @@ func kernelSpecificLoadAndAssign(oldKernel, rtKernel, supportNetworkEvents bool,
 				TcpRcvKprobe:              newObjects.TCPRcvKprobe,
 				KfreeSkb:                  newObjects.KfreeSkb,
 				TrackNatManipPkt:          newObjects.TrackNatManipPkt,
+				XfrmInputKprobe:           newObjects.XfrmInputKprobe,
+				XfrmOutputKprobe:          newObjects.XfrmOutputKprobe,
 				RhNetworkEventsMonitoring: nil,
 			},
 			BpfMaps: ebpf.BpfMaps{
@@ -1838,6 +1885,10 @@ func configureFlowSpecVariables(spec *cilium.CollectionSpec, cfg *FlowFetcherCon
 	if cfg.EnablePktTranslation {
 		enablePktTranslation = 1
 	}
+	enableIPsec := 0
+	if cfg.EnableIPsecTracker {
+		enableIPsec = 1
+	}
 	// When adding constants here, remember to delete them in NewPacketFetcher
 	variables := []variablesMapping{
 		{constSampling, uint32(cfg.Sampling)},
@@ -1850,6 +1901,7 @@ func configureFlowSpecVariables(spec *cilium.CollectionSpec, cfg *FlowFetcherCon
 		{constEnableNetworkEventsMonitoring, uint8(enableNetworkEventsMonitoring)},
 		{constNetworkEventsMonitoringGroupID, uint8(networkEventsMonitoringGroupID)},
 		{constEnablePktTranslation, uint8(enablePktTranslation)},
+		{constEnableIPsec, uint8(enableIPsec)},
 	}
 
 	for _, mapping := range variables {

Original file line number	Diff line number	Diff line change
`@@ -235,6 +235,7 @@ func FlowsAgent(cfg Config) (Flows, error) {`
`235`	`235`	`EnablePktTranslation: cfg.EnablePktTranslationTracking,`
`236`	`236`	`UseEbpfManager: cfg.EbpfProgramManagerMode,`
`237`	`237`	`BpfManBpfFSPath: cfg.BpfManBpfFSPath,`
	`238`	`+ EnableIPsecTracker: cfg.EnableIPsecTracking,`
`238`	`239`	`FilterConfig: filterRules,`
`239`	`240`	`}`
`240`	`241`