add --reply flag #1283

Open
michi-covalent opened this issue Nov 3, 2023 · 6 comments
Labels
👍 good-first-issue Good starting point for new developers, which requires minimal understanding of Hubble.

Comments

@michi-covalent
Collaborator

because why not

@michi-covalent michi-covalent added the 👍 good-first-issue Good starting point for new developers, which requires minimal understanding of Hubble. label Nov 3, 2023
@ttarczynski

What would --reply mean for different protocols?

@michi-covalent
Collaborator Author

> What would --reply mean for different protocols?

yeah that's a really good question. from hubble client's perspective it's just filtering on is_reply field here https://github.com/cilium/cilium/blob/a48bce8448d0f4c01b35a98ac8fbd011f0df42e4/api/v1/flow/flow.proto#L84-L87 but i don't know how exactly the field is set for some protocols. let me write down what i know, and i'll let other folks chime in (maybe @gandro ?)

  • TCP: is_reply = false for packets sent from client to server. is_reply = true for packets sent from server to client. i think there are some exceptions where hubble doesn't know the direction 💭
  • UDP: is_reply = false for packets sent from client to server. is_reply = true for packets sent from server to client. i think there are some exceptions where hubble doesn't know the direction 💭
  • ICMPv4: i don't know how is_reply field is set.
  • ICMPv6: i don't know how is_reply field is set.
  • SCTP: i don't know how is_reply field is set.
  • DNS: dns request => is_reply = false. dns response => is_reply = true.
  • HTTP: http request => is_reply = false. http response => is_reply = true.
  • Kafka: i don't know for sure but given kafka protocol is client/server request/response kind of thing, i'm guessing request => is_reply = false. response => is_reply = true.

@gandro
Member

gandro commented Nov 6, 2023

is_reply these days is a tri-state flag: It can be true/false/unknown.

For trace events, we determine the true or false value based on the connection tracking table. Not all trace points access the connection tracking table, so it's "unknown" for trace points such as "from-container" for example.

The condition in the datapath that declares something as a reply packet is here:
https://github.com/cilium/cilium/blob/f26c056dc279279ee80b417c16d315e593601e03/bpf/lib/conntrack.h#L570

The way it seems to work is that it flips the source and destination address/port pair and if it finds a connection in the reverse direction, then it considers the current packet a reply packet. That means that a UDP "connection" is defined via the usual five-tuple logic.

As for supported protocols, the cases are listed here. It seems that ICMP and SCTP are supported, though ICMP only for echo/reply, and not for things like "destination unreachable"
https://github.com/cilium/cilium/blob/f26c056dc279279ee80b417c16d315e593601e03/bpf/lib/conntrack.h#L709

One question for the flag is: How do we treat unknown values as a filter flag? In particular, if the viper flag is only a boolean that can be set or not set, then one can probably only query for is_reply=true flows, but not is_reply=false flows (as an unset reply flag should return everything).

@michi-covalent
Collaborator Author

> One question for the flag is: How do we treat unknown values as a filter flag?

hmm yeah so maybe the flag cannot be a boolean 💭
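
The filter question raised in the two comments above, as an added example that is not part of the original thread and not Hubble's code: a flag that distinguishes unset, true and false, applied to flows whose is_reply may be unknown. It uses Go's standard `flag` package; the `Flow` type, `filterFlows` and the sample data are hypothetical, and dropping unknown flows whenever the flag is set is a choice made for this example.

```go
package main

import (
	"flag"
	"fmt"
	"strconv"
)

// Flow stands in for the Hubble flow message (hypothetical type for this
// example); a nil IsReply models the "unknown" state of is_reply.
type Flow struct {
	Summary string
	IsReply *bool
}

// replyFlag records whether --reply was given at all, and with which value.
type replyFlag struct{ set, want bool }
func (r *replyFlag) String() string   { return strconv.FormatBool(r.want) }
func (r *replyFlag) IsBoolFlag() bool { return true } // bare --reply means --reply=true
func (r *replyFlag) Set(s string) (err error) {
	r.want, err = strconv.ParseBool(s)
	r.set = err == nil
	return err
}

// filterFlows parses args and returns the summaries of the matching flows.
func filterFlows(args []string, flows []Flow) (out []string, err error) {
	var r replyFlag
	fs := flag.NewFlagSet("observe", flag.ContinueOnError)
	fs.Var(&r, "reply", "filter on is_reply (true or false); unset returns all flows")
	if err = fs.Parse(args); err != nil {
		return nil, err
	}
	for _, f := range flows {
		// Unset keeps all; set keeps only known, equal values (this example's choice).
		if !r.set || (f.IsReply != nil && *f.IsReply == r.want) {
			out = append(out, f.Summary)
		}
	}
	return out, nil
}

// Constructed sample data, not real Hubble output.
var yes, no = true, false
var sampleFlows = []Flow{{"tcp request", &no}, {"tcp response", &yes}, {"from-container trace", nil}}

func main() {
	fmt.Println(filterFlows([]string{"--reply=false"}, sampleFlows))
}
```

Because the flag is boolean-style, the value has to be attached with `=` (`--reply=false`); a space-separated `--reply false` is parsed as a bare `--reply` followed by a positional argument.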

@sadath-12

assign me

@sadath-12 sadath-12 removed their assignment Jan 7, 2024
@sadath-12

dropping this as there were some priority issues assigned to me at tetragon repo
