Fix NetworkPolicy logging for IPv6 connections (antrea-io#1990)

* Fix NetworkPolicy logging for IPv6 connections The code in charge of parsing the PacketIn messages was only handling IPv4 packets and not filling-in any information for IPv6 packets, leading to logs with empty fields. Fixes antrea-io#1989 * Remove dependency on pkg/apis/ops/v1alpha1 for packetin handling And add support for the IPv6-ICMP protocol
antoninbas · Apr 30, 2021 · 4c20b0c · 4c20b0c
1 parent 908adfd
commit 4c20b0c
Show file tree

Hide file tree

Showing 4 changed files with 55 additions and 16 deletions.
diff --git a/pkg/agent/controller/networkpolicy/packetin.go b/pkg/agent/controller/networkpolicy/packetin.go
@@ -27,8 +27,8 @@ import (
 	"k8s.io/klog"
 
 	"github.com/vmware-tanzu/antrea/pkg/agent/openflow"
-	opsv1alpha1 "github.com/vmware-tanzu/antrea/pkg/apis/ops/v1alpha1"
 	binding "github.com/vmware-tanzu/antrea/pkg/ovs/openflow"
+	"github.com/vmware-tanzu/antrea/pkg/util/ip"
 )
 
 const (
@@ -154,7 +154,7 @@ func getNetworkPolicyInfo(pktIn *ofctrl.PacketIn, c *Controller, ob *logInfo) er
 	match = getMatchRegField(matchers, uint32(openflow.DispositionMarkReg))
 	info, err := getInfoInReg(match, openflow.APDispositionMarkRange.ToNXRange())
 	if err != nil {
-		return errors.New(fmt.Sprintf("received error while unloading disposition from reg: %v", err))
+		return fmt.Errorf("received error while unloading disposition from reg: %v", err)
 	}
 	ob.disposition = openflow.DispositionToString[info]
 
@@ -164,7 +164,7 @@ func getNetworkPolicyInfo(pktIn *ofctrl.PacketIn, c *Controller, ob *logInfo) er
 	// Get Network Policy full name and OF priority of the conjunction
 	info, err = getInfoInReg(match, nil)
 	if err != nil {
-		return errors.New(fmt.Sprintf("received error while unloading conjunction id from reg: %v", err))
+		return fmt.Errorf("received error while unloading conjunction id from reg: %v", err)
 	}
 	ob.npRef, ob.ofPriority = c.ofClient.GetPolicyInfoFromConjunction(info)
 
@@ -173,17 +173,23 @@ func getNetworkPolicyInfo(pktIn *ofctrl.PacketIn, c *Controller, ob *logInfo) er
 
 // getPacketInfo fills in srcIP, destIP, pktLength, protocol of logInfo ob.
 func getPacketInfo(pktIn *ofctrl.PacketIn, ob *logInfo) error {
-	// TODO: supprt IPv6 packet
-	if pktIn.Data.Ethertype == opsv1alpha1.EtherTypeIPv4 {
-		ipPacket, ok := pktIn.Data.Data.(*protocol.IPv4)
-		if !ok {
-			return errors.New("invalid IPv4 packet")
-		}
-		// Get source destination IP and protocol
-		ob.srcIP = ipPacket.NWSrc.String()
-		ob.destIP = ipPacket.NWDst.String()
-		ob.pktLength = ipPacket.Length
-		ob.protocolStr = opsv1alpha1.ProtocolsToString[int32(ipPacket.Protocol)]
+	var prot uint8
+	switch ipPkt := pktIn.Data.Data.(type) {
+	case *protocol.IPv4:
+		ob.srcIP = ipPkt.NWSrc.String()
+		ob.destIP = ipPkt.NWDst.String()
+		ob.pktLength = ipPkt.Length
+		prot = ipPkt.Protocol
+	case *protocol.IPv6:
+		ob.srcIP = ipPkt.NWSrc.String()
+		ob.destIP = ipPkt.NWDst.String()
+		ob.pktLength = ipPkt.Length
+		prot = ipPkt.NextHeader
+	default:
+		return errors.New("unsupported packet-in: should be a valid IPv4 or IPv6 packet")
 	}
+
+	ob.protocolStr = ip.IPProtocolNumberToString(prot, "UnknownProtocol")
+
 	return nil
 }
diff --git a/pkg/ovs/openflow/ofctrl_action.go b/pkg/ovs/openflow/ofctrl_action.go
@@ -434,13 +434,13 @@ func (a *ofLearnAction) MatchLearnedUDPv6DstPort() LearnAction {
 	return a.MatchTransportDst(ProtocolUDPv6)
 }
 
-// MatchLearnedSTCPDstPort specifies that the sctp_dst field in the learned flow
+// MatchLearnedSCTPDstPort specifies that the sctp_dst field in the learned flow
 // must match the sctp_dst of the packet currently being processed.
 func (a *ofLearnAction) MatchLearnedSCTPDstPort() LearnAction {
 	return a.MatchTransportDst(ProtocolSCTP)
 }
 
-// MatchLearnedSTCPv6DstPort specifies that the sctp_dst field in the learned flow
+// MatchLearnedSCTPv6DstPort specifies that the sctp_dst field in the learned flow
 // must match the sctp_dst of the packet currently being processed.
 func (a *ofLearnAction) MatchLearnedSCTPv6DstPort() LearnAction {
 	return a.MatchTransportDst(ProtocolSCTPv6)

diff --git a/pkg/util/ip/ip.go b/pkg/util/ip/ip.go
@@ -142,3 +142,30 @@ func IPNetToNetIPNet(ipNet *v1beta2.IPNet) *net.IPNet {
 	maskedIP := ip.Mask(mask)
 	return &net.IPNet{IP: maskedIP, Mask: mask}
 }
+
+const (
+	ICMPProtocol   = 1
+	TCPProtocol    = 6
+	UDPProtocol    = 17
+	ICMPv6Protocol = 58
+	SCTPProtocol   = 132
+)
+
+// IPProtocolNumberToString returns the string name of the IP protocol with number protocolNum. If
+// the number does not match a "known" protocol, we return the defaultValue string.
+func IPProtocolNumberToString(protocolNum uint8, defaultValue string) string {
+	switch protocolNum {
+	case ICMPProtocol:
+		return "ICMP"
+	case TCPProtocol:
+		return "TCP"
+	case UDPProtocol:
+		return "UDP"
+	case ICMPv6Protocol:
+		return "IPv6-ICMP"
+	case SCTPProtocol:
+		return "SCTP"
+	default:
+		return defaultValue
+	}
+}
diff --git a/pkg/util/ip/ip_test.go b/pkg/util/ip/ip_test.go
@@ -156,3 +156,9 @@ func TestIPNetToNetIPNet(t *testing.T) {
 		})
 	}
 }
+
+func TestIPProtocolNumberToString(t *testing.T) {
+	const defaultValue = "UnknownProtocol"
+	assert.Equal(t, "IPv6-ICMP", IPProtocolNumberToString(ICMPv6Protocol, defaultValue))
+	assert.Equal(t, defaultValue, IPProtocolNumberToString(44, defaultValue))
+}