NETOBSERV-1275: Introduce new "INNER" direction for inner-node traffic (#483)

jotak · web-flow · commit 058bc4ea0f04 · 2023-09-08T15:19:54.000+02:00
* Introduce new "INNER" direction for inner-node traffic

The flows (and duplicates) generated for inner-node traffic differs
compared to node-to-node traffic, and reinterpret direction isn't able
to decide between ingress or egress. This is causing discrepancies with
the dedup mechanism that filters out flows where Duplicate=true and also
favors ingress over egress.

To fix that, the proposed solution is to create this new INNER direction
specifically for this kind of traffic. Deduping this INNER traffic can
then rely solely on the Duplicate flag, since that flag was set from a
single Agent (single node) there will always be only one
Duplicate=false.

* update doc

* Enable reinterpret on conversations
diff --git a/docs/api.md b/docs/api.md
@@ -158,7 +158,7 @@ Following is the supported API format for network transformations:
                      add_location: add output location fields from input
                      add_service: add output network service field from input port and parameters protocol field
                      add_kubernetes: add output kubernetes fields from input
-                     reinterpret_direction: reinterpret flow direction at a higher level than the interface
+                     reinterpret_direction: reinterpret flow direction at the node level (instead of net interface), to ease the deduplication process
                      add_ip_category: categorize IPs based on known subnets configuration
                  parameters: parameters specific to type
                  assignee: value needs to assign to output field
diff --git a/pkg/api/transform_network.go b/pkg/api/transform_network.go
@@ -52,7 +52,7 @@ type TransformNetworkOperationEnum struct {
 	AddLocation          string `yaml:"add_location" json:"add_location" doc:"add output location fields from input"`
 	AddService           string `yaml:"add_service" json:"add_service" doc:"add output network service field from input port and parameters protocol field"`
 	AddKubernetes        string `yaml:"add_kubernetes" json:"add_kubernetes" doc:"add output kubernetes fields from input"`
-	ReinterpretDirection string `yaml:"reinterpret_direction" json:"reinterpret_direction" doc:"reinterpret flow direction at a higher level than the interface"`
+	ReinterpretDirection string `yaml:"reinterpret_direction" json:"reinterpret_direction" doc:"reinterpret flow direction at the node level (instead of net interface), to ease the deduplication process"`
 	AddIPCategory        string `yaml:"add_ip_category" json:"add_ip_category" doc:"categorize IPs based on known subnets configuration"`
 }
 
diff --git a/pkg/pipeline/transform/transform_network.go b/pkg/pipeline/transform/transform_network.go
@@ -124,10 +124,7 @@ func (n *Network) Transform(inputEntry config.GenericMap) (config.GenericMap, bo
 				}
 			}
 		case api.OpReinterpretDirection:
-			// only reinterpret direction on flowlogs
-			if rt, ok := outputEntry["_RecordType"]; !ok || rt == "flowLog" {
-				reinterpretDirection(outputEntry, &n.DirectionInfo)
-			}
+			reinterpretDirection(outputEntry, &n.DirectionInfo)
 		case api.OpAddIPCategory:
 			if strIP, ok := outputEntry[rule.Input].(string); ok {
 				cat, ok := n.ipCatCache.GetCacheEntry(strIP)
diff --git a/pkg/pipeline/transform/transform_network_direction.go b/pkg/pipeline/transform/transform_network_direction.go
@@ -10,6 +10,7 @@ import (
 const (
 	ingress = 0
 	egress  = 1
+	inner   = 2
 )
 
 func validateReinterpretDirectionConfig(info *api.NetworkTransformDirectionInfo) error {
@@ -57,5 +58,7 @@ func reinterpretDirection(output config.GenericMap, info *api.NetworkTransformDi
 		} else if dstNode == reporter {
 			output[info.FlowDirectionField] = ingress
 		}
+	} else if srcNode != "" {
+		output[info.FlowDirectionField] = inner
 	}
 }
diff --git a/pkg/pipeline/transform/transform_network_test.go b/pkg/pipeline/transform/transform_network_test.go
@@ -370,6 +370,22 @@ func Test_ReinterpretDirection(t *testing.T) {
 		"FlowDirection": 0,
 	}, output)
 
+	output, ok = tr.Transform(config.GenericMap{
+		"ReporterIP":    "10.1.2.3",
+		"SrcHostIP":     "10.1.2.3",
+		"DstHostIP":     "10.1.2.3",
+		"FlowDirection": "whatever",
+	})
+	require.True(t, ok)
+	// Inner node => inner (2)
+	require.Equal(t, config.GenericMap{
+		"ReporterIP":    "10.1.2.3",
+		"SrcHostIP":     "10.1.2.3",
+		"DstHostIP":     "10.1.2.3",
+		"IfDirection":   "whatever",
+		"FlowDirection": 2,
+	}, output)
+
 	output, ok = tr.Transform(config.GenericMap{
 		"ReporterIP":    "10.1.2.100",
 		"SrcHostIP":     "10.1.2.3",

Original file line number	Diff line number	Diff line change
`@@ -52,7 +52,7 @@ type TransformNetworkOperationEnum struct {`
`52`	`52`	AddLocation string `yaml:"add_location" json:"add_location" doc:"add output location fields from input"`
`53`	`53`	AddService string `yaml:"add_service" json:"add_service" doc:"add output network service field from input port and parameters protocol field"`
`54`	`54`	AddKubernetes string `yaml:"add_kubernetes" json:"add_kubernetes" doc:"add output kubernetes fields from input"`
`55`		- ReinterpretDirection string `yaml:"reinterpret_direction" json:"reinterpret_direction" doc:"reinterpret flow direction at a higher level than the interface"`
	`55`	+ ReinterpretDirection string `yaml:"reinterpret_direction" json:"reinterpret_direction" doc:"reinterpret flow direction at the node level (instead of net interface), to ease the deduplication process"`
`56`	`56`	AddIPCategory string `yaml:"add_ip_category" json:"add_ip_category" doc:"categorize IPs based on known subnets configuration"`
`57`	`57`	`}`
`58`	`58`
Original file line number	Diff line number	Diff line change
`@@ -124,10 +124,7 @@ func (n *Network) Transform(inputEntry config.GenericMap) (config.GenericMap, bo`
`124`	`124`	`}`
`125`	`125`	`}`
`126`	`126`	`case api.OpReinterpretDirection:`
`127`		`- // only reinterpret direction on flowlogs`
`128`		`- if rt, ok := outputEntry["_RecordType"]; !ok \|\| rt == "flowLog" {`
`129`		`- reinterpretDirection(outputEntry, &n.DirectionInfo)`
`130`		`- }`
	`127`	`+ reinterpretDirection(outputEntry, &n.DirectionInfo)`
`131`	`128`	`case api.OpAddIPCategory:`
`132`	`129`	`if strIP, ok := outputEntry[rule.Input].(string); ok {`
`133`	`130`	`cat, ok := n.ipCatCache.GetCacheEntry(strIP)`
Original file line number	Diff line number	Diff line change
`@@ -10,6 +10,7 @@ import (`
`10`	`10`	`const (`
`11`	`11`	`ingress = 0`
`12`	`12`	`egress = 1`
	`13`	`+ inner = 2`
`13`	`14`	`)`
`14`	`15`
`15`	`16`	`func validateReinterpretDirectionConfig(info *api.NetworkTransformDirectionInfo) error {`
`@@ -57,5 +58,7 @@ func reinterpretDirection(output config.GenericMap, info *api.NetworkTransformDi`
`57`	`58`	`} else if dstNode == reporter {`
`58`	`59`	`output[info.FlowDirectionField] = ingress`
`59`	`60`	`}`
	`61`	`+ } else if srcNode != "" {`
	`62`	`+ output[info.FlowDirectionField] = inner`
`60`	`63`	`}`
`61`	`64`	`}`