netobserv · openshift-merge-bot · Jan 24, 2025 · Jan 15, 2025 · Jan 16, 2025 · Jan 21, 2025
diff --git a/bpf/flows.c b/bpf/flows.c
@@ -6,13 +6,10 @@
     to/from an interface.
 
     Logic:
-        1) Store flow information in a per-cpu hash map.
-        2) Upon flow completion (tcp->fin event), evict the entry from map, and
-           send to userspace through ringbuffer.
-           Eviction for non-tcp flows need to done by userspace
-        3) When the map is full, we send the new flow entry to userspace via ringbuffer,
+        1) Store flow information in a hash map.
+        2) Periodically evict the entry from map from userspace.
+        3) When the map is full/busy, we send the new flow entry to userspace via ringbuffer,
             until an entry is available.
-        4) When hash collision is detected, we send the new entry to userpace via ringbuffer.
 */
 #include <vmlinux.h>
 #include <bpf_helpers.h>
@@ -55,16 +52,59 @@
  */
 #include "pkt_translation.h"
 
-static inline void update_existing_flow(flow_metrics *aggregate_flow, pkt_info *pkt, u64 len,
-                                        u32 sampling) {
+// return 0 on success, 1 if capacity reached
+static __always_inline int add_observed_intf(flow_metrics *value, pkt_info *pkt, u32 if_index,
+                                             u8 direction) {
+    if (value->nb_observed_intf >= MAX_OBSERVED_INTERFACES) {
+        return 1;
+    }
+    for (u8 i = 0; i < value->nb_observed_intf; i++) {
+        if (value->observed_intf[i] == if_index) {
+            if (value->observed_direction[i] != direction &&
+                value->observed_direction[i] != OBSERVED_DIRECTION_BOTH) {
+                // Same interface seen on a different direction => mark as both directions
+                value->observed_direction[i] = OBSERVED_DIRECTION_BOTH;
+            }
+            // Interface already seen -> skip
+            return 0;
+        }
+    }
+    value->observed_intf[value->nb_observed_intf] = if_index;
+    value->observed_direction[value->nb_observed_intf] = direction;
+    value->nb_observed_intf++;
+    return 0;
+}
+
+static __always_inline void update_existing_flow(flow_metrics *aggregate_flow, pkt_info *pkt,
+                                                 u64 len, u32 sampling, u32 if_index,
+                                                 u8 direction) {
+    // Count only packets seen from the same interface as previously to avoid duplicate counts
+    int maxReached = 0;
     bpf_spin_lock(&aggregate_flow->lock);
-    aggregate_flow->packets += 1;
-    aggregate_flow->bytes += len;
-    aggregate_flow->end_mono_time_ts = pkt->current_ts;
-    aggregate_flow->flags |= pkt->flags;
-    aggregate_flow->dscp = pkt->dscp;
-    aggregate_flow->sampling = sampling;
+    if (aggregate_flow->if_index_first_seen == if_index) {
+        aggregate_flow->packets += 1;
+        aggregate_flow->bytes += len;
+        aggregate_flow->end_mono_time_ts = pkt->current_ts;
+        aggregate_flow->flags |= pkt->flags;
+        aggregate_flow->dscp = pkt->dscp;
+        aggregate_flow->sampling = sampling;
+    } else if (if_index != 0) {
+        // Only add info that we've seen this interface (we can also update end time & flags)
+        aggregate_flow->end_mono_time_ts = pkt->current_ts;
+        aggregate_flow->flags |= pkt->flags;
+        maxReached = add_observed_intf(aggregate_flow, pkt, if_index, direction);
+    }
     bpf_spin_unlock(&aggregate_flow->lock);
+    if (maxReached > 0) {
+        BPF_PRINTK("observed interface missed (array capacity reached); ifindex=%d, eth_type=%d, "
+                   "proto=%d, sport=%d, dport=%d\n",
+                   if_index, aggregate_flow->eth_protocol, pkt->id->transport_protocol,
+                   pkt->id->src_port, pkt->id->dst_port);
+        if (pkt->id->transport_protocol != 0) {
+            // Only raise counter on non-zero proto; zero proto traffic is very likely to have its interface max count reached
+            increase_counter(OBSERVED_INTF_MISSED);
+        }
+    }
 }
 
 static inline void update_dns(additional_metrics *extra_metrics, pkt_info *pkt, int dns_errno) {
@@ -79,23 +119,6 @@ static inline void update_dns(additional_metrics *extra_metrics, pkt_info *pkt,
     }
 }
 
-static inline void add_observed_intf(additional_metrics *value, u32 if_index, u8 direction) {
-    if (value->nb_observed_intf < MAX_OBSERVED_INTERFACES) {
-        for (u8 i = 0; i < value->nb_observed_intf; i++) {
-            if (value->observed_intf[i].if_index == if_index &&
-                value->observed_intf[i].direction == direction) {
-                return;
-            }
-        }
-        value->observed_intf[value->nb_observed_intf].if_index = if_index;
-        value->observed_intf[value->nb_observed_intf].direction = direction;
-        value->nb_observed_intf++;
-    } else {
-        increase_counter(OBSERVED_INTF_MISSED);
-        BPF_PRINTK("observed interface missed (array capacity reached) for ifindex %d\n", if_index);
-    }
-}
-
 static inline int flow_monitor(struct __sk_buff *skb, u8 direction) {
     if (!has_filter_sampling) {
         // When no filter sampling is defined, run the sampling check at the earliest for better performances
@@ -151,34 +174,7 @@ static inline int flow_monitor(struct __sk_buff *skb, u8 direction) {
     }
     flow_metrics *aggregate_flow = (flow_metrics *)bpf_map_lookup_elem(&aggregated_flows, &id);
     if (aggregate_flow != NULL) {
-        if (aggregate_flow->if_index_first_seen == skb->ifindex) {
-            update_existing_flow(aggregate_flow, &pkt, len, filter_sampling);
-        } else if (skb->ifindex != 0) {
-            // Only add info that we've seen this interface
-            additional_metrics *extra_metrics =
-                (additional_metrics *)bpf_map_lookup_elem(&additional_flow_metrics, &id);
-            if (extra_metrics != NULL) {
-                add_observed_intf(extra_metrics, skb->ifindex, direction);
-            } else {
-                additional_metrics new_metrics = {
-                    .eth_protocol = eth_protocol,
-                    .start_mono_time_ts = pkt.current_ts,
-                    .end_mono_time_ts = pkt.current_ts,
-                };
-                add_observed_intf(&new_metrics, skb->ifindex, direction);
-                long ret =
-                    bpf_map_update_elem(&additional_flow_metrics, &id, &new_metrics, BPF_NOEXIST);
-                if (ret == -EEXIST) {
-                    extra_metrics =
-                        (additional_metrics *)bpf_map_lookup_elem(&additional_flow_metrics, &id);
-                    if (extra_metrics != NULL) {
-                        add_observed_intf(extra_metrics, skb->ifindex, direction);
-                    }
-                } else if (ret != 0 && trace_messages) {
-                    bpf_printk("error creating new observed_intf: %d\n", ret);
-                }
-            }
-        }
+        update_existing_flow(aggregate_flow, &pkt, len, filter_sampling, skb->ifindex, direction);
     } else {
         // Key does not exist in the map, and will need to create a new entry.
         flow_metrics new_flow;
@@ -205,7 +201,8 @@ static inline int flow_monitor(struct __sk_buff *skb, u8 direction) {
                 flow_metrics *aggregate_flow =
                     (flow_metrics *)bpf_map_lookup_elem(&aggregated_flows, &id);
                 if (aggregate_flow != NULL) {
-                    update_existing_flow(aggregate_flow, &pkt, len, filter_sampling);
+                    update_existing_flow(aggregate_flow, &pkt, len, filter_sampling, skb->ifindex,
+                                         direction);
                 } else {
                     if (trace_messages) {
                         bpf_printk("failed to update an exising flow\n");

diff --git a/bpf/types.h b/bpf/types.h
@@ -66,7 +66,8 @@ typedef __u64 u64;
 #define MAX_FILTER_ENTRIES 16
 #define MAX_EVENT_MD 8
 #define MAX_NETWORK_EVENTS 4
-#define MAX_OBSERVED_INTERFACES 4
+#define MAX_OBSERVED_INTERFACES 6
+#define OBSERVED_DIRECTION_BOTH 3
 
 // according to field 61 in https://www.iana.org/assignments/ipfix/ipfix.xhtml
 typedef enum direction_t {
@@ -104,6 +105,9 @@ typedef struct flow_metrics_t {
     // https://chromium.googlesource.com/chromiumos/docs/+/master/constants/errnos.md
     u8 errno;
     u8 dscp;
+    u8 nb_observed_intf;
+    u8 observed_direction[MAX_OBSERVED_INTERFACES];
+    u32 observed_intf[MAX_OBSERVED_INTERFACES];
 } flow_metrics;
 
 // Force emitting enums/structs into the ELF
@@ -134,13 +138,8 @@ typedef struct additional_metrics_t {
         u16 dport;
         u16 zone_id;
     } translated_flow;
-    struct observed_intf_t {
-        u8 direction;
-        u32 if_index;
-    } observed_intf[MAX_OBSERVED_INTERFACES];
     u16 eth_protocol;
     u8 network_events_idx;
-    u8 nb_observed_intf;
 } additional_metrics;
 
 // Force emitting enums/structs into the ELF

diff --git a/bpf/utils.h b/bpf/utils.h
@@ -153,7 +153,6 @@ static inline int fill_ethhdr(struct ethhdr *eth, void *data_end, pkt_info *pkt,
     if ((void *)eth + sizeof(*eth) > data_end) {
         return DISCARD;
     }
-    flow_id *id = pkt->id;
     *eth_protocol = bpf_ntohs(eth->h_proto);
 
     if (*eth_protocol == ETH_P_IP) {
@@ -162,16 +161,9 @@ static inline int fill_ethhdr(struct ethhdr *eth, void *data_end, pkt_info *pkt,
     } else if (*eth_protocol == ETH_P_IPV6) {
         struct ipv6hdr *ip6 = (void *)eth + sizeof(*eth);
         return fill_ip6hdr(ip6, data_end, pkt);
-    } else {
-        // TODO : Need to implement other specific ethertypes if needed
-        // For now other parts of flow id remain zero
-        __builtin_memset(&(id->src_ip), 0, sizeof(struct in6_addr));
-        __builtin_memset(&(id->dst_ip), 0, sizeof(struct in6_addr));
-        id->transport_protocol = 0;
-        id->src_port = 0;
-        id->dst_port = 0;
     }
-    return SUBMIT;
+    // Only IP-based flows are managed
+    return DISCARD;
 }
 
 static inline bool is_filter_enabled() {

diff --git a/pkg/agent/agent_test.go b/pkg/agent/agent_test.go
@@ -65,18 +65,18 @@ func TestFlowsAgent_Decoration(t *testing.T) {
 		BpfFlowMetrics: &ebpf.BpfFlowMetrics{Packets: 3, Bytes: 44, StartMonoTimeTs: now + 1000, EndMonoTimeTs: now + 1_000_000_000,
 			IfIndexFirstSeen:   1,
 			DirectionFirstSeen: 1,
-		},
-		AdditionalMetrics: &ebpf.BpfAdditionalMetrics{NbObservedIntf: 1,
-			ObservedIntf: [model.MaxObservedInterfaces]ebpf.BpfObservedIntfT{{IfIndex: 3, Direction: 0}},
+			NbObservedIntf:     1,
+			ObservedIntf:       [model.MaxObservedInterfaces]uint32{3},
+			ObservedDirection:  [model.MaxObservedInterfaces]uint8{0},
 		},
 	}
 	metrics2 := model.BpfFlowContent{
 		BpfFlowMetrics: &ebpf.BpfFlowMetrics{Packets: 7, Bytes: 33, StartMonoTimeTs: now, EndMonoTimeTs: now + 2_000_000_000,
 			IfIndexFirstSeen:   4,
 			DirectionFirstSeen: 0,
-		},
-		AdditionalMetrics: &ebpf.BpfAdditionalMetrics{NbObservedIntf: 2,
-			ObservedIntf: [model.MaxObservedInterfaces]ebpf.BpfObservedIntfT{{IfIndex: 1, Direction: 1}, {IfIndex: 99, Direction: 1}},
+			NbObservedIntf:     2,
+			ObservedIntf:       [model.MaxObservedInterfaces]uint32{1, 99},
+			ObservedDirection:  [model.MaxObservedInterfaces]uint8{1, 1},
 		},
 	}
 	flows := map[ebpf.BpfFlowId]model.BpfFlowContent{

diff --git a/pkg/ebpf/bpf_arm64_bpfel.go b/pkg/ebpf/bpf_arm64_bpfel.go
diff --git a/pkg/ebpf/bpf_arm64_bpfel.o b/pkg/ebpf/bpf_arm64_bpfel.o
diff --git a/pkg/ebpf/bpf_powerpc_bpfel.go b/pkg/ebpf/bpf_powerpc_bpfel.go
diff --git a/pkg/ebpf/bpf_powerpc_bpfel.o b/pkg/ebpf/bpf_powerpc_bpfel.o
diff --git a/pkg/ebpf/bpf_s390_bpfeb.go b/pkg/ebpf/bpf_s390_bpfeb.go
diff --git a/pkg/ebpf/bpf_s390_bpfeb.o b/pkg/ebpf/bpf_s390_bpfeb.o