NETOBSERV-2198: IPsec support

apis/flowcollector/v1beta1/flowcollector_types.go

@@ -155,7 +155,8 @@ type FlowCollectorIPFIX struct {
 // - `PacketTranslation`, to enrich flows with packets translation information. <br>
 // - `EbpfManager`, to enable using EBPF Manager to manage netobserv ebpf programs [Developer Preview].<br>
 // - `UDNMapping`, to enable interfaces mapping to udn [Developer Preview]. <br>
-// +kubebuilder:validation:Enum:="PacketDrop";"DNSTracking";"FlowRTT";"NetworkEvents";"PacketTranslation";"EbpfManager";"UDNMapping"
+// - `IPSec`, to track flows with IPsec encryption. <br>
+// +kubebuilder:validation:Enum:="PacketDrop";"DNSTracking";"FlowRTT";"NetworkEvents";"PacketTranslation";"EbpfManager";"UDNMapping";"IPSec"
 type AgentFeature string
 
 const (
@@ -166,6 +167,7 @@ const (
 	PacketTranslation AgentFeature = "PacketTranslation"
 	EbpfManager       AgentFeature = "EbpfManager"
 	UDNMapping        AgentFeature = "UDNMapping"
+	IPSec             AgentFeature = "IPSec"
 )
 
 // Name of an eBPF agent alert.
@@ -367,6 +369,7 @@ type FlowCollectorEBPF struct {
 	// - `PacketTranslation`: enable enriching flows with packet's translation information. <br>
 	// - `EbpfManager`: allow using eBPF manager to manage netobserv ebpf programs. <br>
 	// - `UDNMapping`, to enable interfaces mapping to udn. <br>
+	// - `IPSec`, to track flows with IPsec encryption. <br>
 	// +optional
 	Features []AgentFeature `json:"features,omitempty"`
 

apis/flowcollector/v1beta2/flowcollector_types.go

@@ -178,7 +178,8 @@ type FlowCollectorIPFIX struct {
 // - `PacketTranslation`, to enrich flows with packets translation information, such as Service NAT.<br>
 // - `EbpfManager`, to enable using eBPF Manager to manage NetObserv eBPF programs. [Unsupported (*)].<br>
 // - `UDNMapping`, to enable interfaces mapping to UDN. [Unsupported (*)].<br>
-// +kubebuilder:validation:Enum:="PacketDrop";"DNSTracking";"FlowRTT";"NetworkEvents";"PacketTranslation";"EbpfManager";"UDNMapping"
+// - `IPSec`, to track flows with IPsec encryption. <br>
+// +kubebuilder:validation:Enum:="PacketDrop";"DNSTracking";"FlowRTT";"NetworkEvents";"PacketTranslation";"EbpfManager";"UDNMapping";"IPSec"
 type AgentFeature string
 
 const (
@@ -189,6 +190,7 @@ const (
 	PacketTranslation AgentFeature = "PacketTranslation"
 	EbpfManager       AgentFeature = "EbpfManager"
 	UDNMapping        AgentFeature = "UDNMapping"
+	IPSec             AgentFeature = "IPSec"
 )
 
 // Name of an eBPF agent alert.
@@ -395,6 +397,7 @@ type FlowCollectorEBPF struct {
 	// - `UDNMapping`: [Unsupported (*)]. Enable interfaces mapping to User Defined Networks (UDN). <br>
 	// This feature requires mounting the kernel debug filesystem, so the eBPF agent pods must run as privileged.
 	// It requires using the OVN-Kubernetes network plugin with the Observability feature.
+	// - `IPSec`, to track flows with IPsec encryption. <br>
 	// +optional
 	Features []AgentFeature `json:"features,omitempty"`
 

bundle/manifests/flows.netobserv.io_flowcollectors.yaml

@@ -138,6 +138,7 @@ spec:
                           - `PacketTranslation`: enable enriching flows with packet's translation information. <br>
                           - `EbpfManager`: allow using eBPF manager to manage netobserv ebpf programs. <br>
                           - `UDNMapping`, to enable interfaces mapping to udn. <br>
+                          - `IPSec`, to track flows with IPsec encryption. <br>
                         items:
                           description: |-
                             Agent feature, can be one of:<br>
@@ -148,6 +149,7 @@ spec:
                             - `PacketTranslation`, to enrich flows with packets translation information. <br>
                             - `EbpfManager`, to enable using EBPF Manager to manage netobserv ebpf programs [Developer Preview].<br>
                             - `UDNMapping`, to enable interfaces mapping to udn [Developer Preview]. <br>
+                            - `IPSec`, to track flows with IPsec encryption. <br>
                           enum:
                           - PacketDrop
                           - DNSTracking
@@ -156,6 +158,7 @@ spec:
                           - PacketTranslation
                           - EbpfManager
                           - UDNMapping
+                          - IPSec
                           type: string
                         type: array
                       flowFilter:
@@ -3966,6 +3969,7 @@ spec:
                           - `UDNMapping`: [Unsupported (*)]. Enable interfaces mapping to User Defined Networks (UDN). <br>
                           This feature requires mounting the kernel debug filesystem, so the eBPF agent pods must run as privileged.
                           It requires using the OVN-Kubernetes network plugin with the Observability feature.
+                          - `IPSec`, to track flows with IPsec encryption. <br>
                         items:
                           description: |-
                             Agent feature, can be one of:<br>
@@ -3976,6 +3980,7 @@ spec:
                             - `PacketTranslation`, to enrich flows with packets translation information, such as Service NAT.<br>
                             - `EbpfManager`, to enable using eBPF Manager to manage NetObserv eBPF programs. [Unsupported (*)].<br>
                             - `UDNMapping`, to enable interfaces mapping to UDN. [Unsupported (*)].<br>
+                            - `IPSec`, to track flows with IPsec encryption. <br>
                           enum:
                           - PacketDrop
                           - DNSTracking
@@ -3984,6 +3989,7 @@ spec:
                           - PacketTranslation
                           - EbpfManager
                           - UDNMapping
+                          - IPSec
                           type: string
                         type: array
                       flowFilter:

config/crd/bases/flows.netobserv.io_flowcollectors.yaml

@@ -123,6 +123,7 @@ spec:
                             - `PacketTranslation`: enable enriching flows with packet's translation information. <br>
                             - `EbpfManager`: allow using eBPF manager to manage netobserv ebpf programs. <br>
                             - `UDNMapping`, to enable interfaces mapping to udn. <br>
+                            - `IPSec`, to track flows with IPsec encryption. <br>
                           items:
                             description: |-
                               Agent feature, can be one of:<br>
@@ -133,6 +134,7 @@ spec:
                               - `PacketTranslation`, to enrich flows with packets translation information. <br>
                               - `EbpfManager`, to enable using EBPF Manager to manage netobserv ebpf programs [Developer Preview].<br>
                               - `UDNMapping`, to enable interfaces mapping to udn [Developer Preview]. <br>
+                              - `IPSec`, to track flows with IPsec encryption. <br>
                             enum:
                               - PacketDrop
                               - DNSTracking
@@ -141,6 +143,7 @@ spec:
                               - PacketTranslation
                               - EbpfManager
                               - UDNMapping
+                              - IPSec
                             type: string
                           type: array
                         flowFilter:
@@ -3649,6 +3652,7 @@ spec:
                             - `UDNMapping`: [Unsupported (*)]. Enable interfaces mapping to User Defined Networks (UDN). <br>
                             This feature requires mounting the kernel debug filesystem, so the eBPF agent pods must run as privileged.
                             It requires using the OVN-Kubernetes network plugin with the Observability feature.
+                            - `IPSec`, to track flows with IPsec encryption. <br>
                           items:
                             description: |-
                               Agent feature, can be one of:<br>
@@ -3659,6 +3663,7 @@ spec:
                               - `PacketTranslation`, to enrich flows with packets translation information, such as Service NAT.<br>
                               - `EbpfManager`, to enable using eBPF Manager to manage NetObserv eBPF programs. [Unsupported (*)].<br>
                               - `UDNMapping`, to enable interfaces mapping to UDN. [Unsupported (*)].<br>
+                              - `IPSec`, to track flows with IPsec encryption. <br>
                             enum:
                               - PacketDrop
                               - DNSTracking
@@ -3667,6 +3672,7 @@ spec:
                               - PacketTranslation
                               - EbpfManager
                               - UDNMapping
+                              - IPSec
                             type: string
                           type: array
                         flowFilter:

config/samples/flows_v1beta2_flowcollector.yaml

@@ -26,6 +26,7 @@ spec:
       # - "PacketTranslation"
       # - "EbpfManager"
       # - "UDNMapping"
+      # - "IPSec"
       interfaces: []
       excludeInterfaces: ["lo"]
       kafkaBatchSize: 1048576

controllers/consoleplugin/config/static-frontend-config.yaml

@@ -657,6 +657,20 @@ columns:
     default: false
     width: 15
     feature: packetTranslation
+  - id: IPSec
+    name: Is IPSec operation successful?
+    field: IPSecSuccess
+    filter: ipsec_success
+    default: true
+    width: 10
+    feature: ipsec
+  - id: IPSecCode
+    name: IPSec Return Code
+    field: IPSecRetCode
+    filter: ipsec_retcode
+    default: true
+    width: 10
+    feature: ipsec
 filters:
   - id: cluster_name
     name: Cluster
@@ -1057,6 +1071,12 @@ filters:
     component: autocomplete
     category: destination
     hint: Specify a single port number or name.
+  - id: ipsec_success
+    name: IPSec processing succeeded ?
+    component: number
+  - id: ipsec_retcode
+    name: IPSec processing return code
+    component: number
 scopes:
   - id: cluster
     name: Cluster
@@ -1415,6 +1435,12 @@ fields:
   - name: K8S_ClusterName
     type: string
     description: Cluster name or identifier
+  - name: IPSecRetCode
+    type: number
+    description: IPSec operation return code
+  - name: IPSecSuccess
+    type: boolean
+    description: IPSec processing succeeded
   - name: _RecordType
     type: string
     description: "Type of record: `flowLog` for regular flow logs, or `newConnection`, `heartbeat`, `endConnection` for conversation tracking"

controllers/consoleplugin/consoleplugin_objects.go

@@ -465,6 +465,10 @@ func (b *builder) setFrontendConfig(fconf *cfg.FrontendConfig) error {
 		fconf.Features = append(fconf.Features, "udnMapping")
 	}
 
+	if helper.IsIPSecEnabled(&b.desired.Agent.EBPF) {
+		fconf.Features = append(fconf.Features, "ipsec")
+	}
+
 	if b.desired.Agent.EBPF.Advanced != nil {
 		if v, ok := b.desired.Agent.EBPF.Advanced.Env[ebpf.EnvDedupeJustMark]; ok {
 			dedupJustMark, err = strconv.ParseBool(v)

controllers/ebpf/agent_controller.go

@@ -70,6 +70,7 @@ const (
 	envEnablePacketTranslation    = "ENABLE_PKT_TRANSLATION"
 	envEnableEbpfMgr              = "EBPF_PROGRAM_MANAGER_MODE"
 	envEnableUDNMapping           = "ENABLE_UDN_MAPPING"
+	envEnableIPsec                = "ENABLE_IPSEC_TRACKING"
 	envListSeparator              = ","
 )
 
@@ -370,7 +371,8 @@ func (c *AgentController) desired(ctx context.Context, coll *flowslatest.FlowCol
 					Driver: "csi.bpfman.io",
 					VolumeAttributes: map[string]string{
 						"csi.bpfman.io/program": "netobserv",
-						"csi.bpfman.io/maps":    "aggregated_flows,additional_flow_metrics,direct_flows,dns_flows,filter_map,peer_filter_map,global_counters,packet_record",
+						"csi.bpfman.io/maps": "aggregated_flows,additional_flow_metrics,direct_flows," +
+							"dns_flows,filter_map,peer_filter_map,global_counters,packet_record,ipsec_ingress_map,ipsec_egress_map",
 					},
 				},
 			},
@@ -752,6 +754,13 @@ func (c *AgentController) setEnvConfig(coll *flowslatest.FlowCollector) []corev1
 		})
 	}
 
+	if helper.IsIPSecEnabled(&coll.Spec.Agent.EBPF) {
+		config = append(config, corev1.EnvVar{
+			Name:  envEnableIPsec,
+			Value: "true",
+		})
+	}
+
 	if helper.IsEBPFMetricsEnabled(&coll.Spec.Agent.EBPF) {
 		config = append(config, corev1.EnvVar{
 			Name:  envEnableMetrics,

controllers/ebpf/bpfmanager-controller.go

@@ -87,7 +87,7 @@ func (c *AgentController) bpfmanAttachNetobserv(ctx context.Context, fc *flowsla
 func prepareBpfApplication(bpfApp *bpfmaniov1alpha1.ClusterBpfApplication, fc *flowslatest.FlowCollector, netobservBCImage string) {
 	samplingValue := make([]byte, 4)
 	dnsPortValue := make([]byte, 2)
-	var enableDNSValue, enableRTTValue, enableFLowFilterValue, enableNetworkEvents, traceValue, networkEventsGroupIDValue, enablePktTranslation []byte
+	var enableDNSValue, enableRTTValue, enableFLowFilterValue, enableNetworkEvents, traceValue, networkEventsGroupIDValue, enablePktTranslation, enableIPSecValue []byte
 
 	binary.NativeEndian.PutUint32(samplingValue, uint32(*fc.Spec.Agent.EBPF.Sampling))
 
@@ -115,6 +115,10 @@ func prepareBpfApplication(bpfApp *bpfmaniov1alpha1.ClusterBpfApplication, fc *f
 		enablePktTranslation = append(enablePktTranslation, uint8(1))
 	}
 
+	if helper.IsIPSecEnabled(&fc.Spec.Agent.EBPF) {
+		enableIPSecValue = append(enableIPSecValue, uint8(1))
+	}
+
 	bpfApp.Labels = map[string]string{
 		"app": netobservApp,
 	}
@@ -145,6 +149,7 @@ func prepareBpfApplication(bpfApp *bpfmaniov1alpha1.ClusterBpfApplication, fc *f
 		"enable_network_events_monitoring":  enableNetworkEvents,
 		"network_events_monitoring_groupid": networkEventsGroupIDValue,
 		"enable_pkt_translation_tracking":   enablePktTranslation,
+		"enable_ipsec":                      enableIPSecValue,
 	}
 
 	bpfApp.Spec.BpfAppCommon.ByteCode = bpfmaniov1alpha1.ByteCodeSelector{
@@ -252,6 +257,61 @@ func prepareBpfApplication(bpfApp *bpfmaniov1alpha1.ClusterBpfApplication, fc *f
 			},
 		}...)
 	}
+
+	if helper.IsIPSecEnabled(&fc.Spec.Agent.EBPF) {
+		bpfApp.Spec.Programs = append(bpfApp.Spec.Programs, []bpfmaniov1alpha1.ClBpfApplicationProgram{
+			{
+				Name: "xfrm_input_kprobe",
+				Type: bpfmaniov1alpha1.ProgTypeKprobe,
+				KProbe: &bpfmaniov1alpha1.ClKprobeProgramInfo{
+					Links: []bpfmaniov1alpha1.ClKprobeAttachInfo{
+						{
+							Function: "xfrm_input",
+						},
+					},
+				},
+			},
+		}...)
+		bpfApp.Spec.Programs = append(bpfApp.Spec.Programs, []bpfmaniov1alpha1.ClBpfApplicationProgram{
+			{
+				Name: "xfrm_input_kretprobe",
+				Type: bpfmaniov1alpha1.ProgTypeKretprobe,
+				KRetProbe: &bpfmaniov1alpha1.ClKretprobeProgramInfo{
+					Links: []bpfmaniov1alpha1.ClKretprobeAttachInfo{
+						{
+							Function: "xfrm_input",
+						},
+					},
+				},
+			},
+		}...)
+		bpfApp.Spec.Programs = append(bpfApp.Spec.Programs, []bpfmaniov1alpha1.ClBpfApplicationProgram{
+			{
+				Name: "xfrm_output_kprobe",
+				Type: bpfmaniov1alpha1.ProgTypeKprobe,
+				KProbe: &bpfmaniov1alpha1.ClKprobeProgramInfo{
+					Links: []bpfmaniov1alpha1.ClKprobeAttachInfo{
+						{
+							Function: "xfrm_output",
+						},
+					},
+				},
+			},
+		}...)
+		bpfApp.Spec.Programs = append(bpfApp.Spec.Programs, []bpfmaniov1alpha1.ClBpfApplicationProgram{
+			{
+				Name: "xfrm_output_kretprobe",
+				Type: bpfmaniov1alpha1.ProgTypeKretprobe,
+				KRetProbe: &bpfmaniov1alpha1.ClKretprobeProgramInfo{
+					Links: []bpfmaniov1alpha1.ClKretprobeAttachInfo{
+						{
+							Function: "xfrm_output",
+						},
+					},
+				},
+			},
+		}...)
+	}
 }
 
 func (c *AgentController) deleteBpfApplication(ctx context.Context, bpfApp *bpfmaniov1alpha1.ClusterBpfApplication) error {

docs/FlowCollector.md

@@ -294,7 +294,8 @@ If the `spec.agent.ebpf.privileged` parameter is not set, an error is reported.<
 the kernel debug filesystem, so the eBPF pod has to run as privileged.
 - `PacketTranslation`: enable enriching flows with packet's translation information. <br>
 - `EbpfManager`: allow using eBPF manager to manage netobserv ebpf programs. <br>
-- `UDNMapping`, to enable interfaces mapping to udn. <br><br/>
+- `UDNMapping`, to enable interfaces mapping to udn. <br>
+- `IPSec`, to track flows with IPsec encryption. <br><br/>
         </td>
         <td>false</td>
       </tr><tr>
@@ -6286,7 +6287,8 @@ IMPORTANT: This feature is available as a Technology Preview.<br>
 - `EbpfManager`: [Unsupported (*)]. Use eBPF Manager to manage NetObserv eBPF programs. Pre-requisite: the eBPF Manager operator (or upstream bpfman operator) must be installed.<br>
 - `UDNMapping`: [Unsupported (*)]. Enable interfaces mapping to User Defined Networks (UDN). <br>
 This feature requires mounting the kernel debug filesystem, so the eBPF agent pods must run as privileged.
-It requires using the OVN-Kubernetes network plugin with the Observability feature.<br/>
+It requires using the OVN-Kubernetes network plugin with the Observability feature.
+- `IPSec`, to track flows with IPsec encryption. <br><br/>
         </td>
         <td>false</td>
       </tr><tr>