Dump policies without the assembly and replace with more condensed ru…

…le counters output (#7954)

felix/cmd/calico-bpf/commands/policy_debug.go

@@ -22,14 +22,14 @@ import (
 	"strconv"
 	"strings"
 
+	log "github.com/sirupsen/logrus"
+	"github.com/spf13/cobra"
+
 	"github.com/projectcalico/calico/felix/bpf"
 	"github.com/projectcalico/calico/felix/bpf/asm"
 	"github.com/projectcalico/calico/felix/bpf/counters"
 	"github.com/projectcalico/calico/felix/bpf/hook"
 	"github.com/projectcalico/calico/felix/proto"
-
-	log "github.com/sirupsen/logrus"
-	"github.com/spf13/cobra"
 )
 
 // policyCmd represents the counters command
@@ -40,8 +40,8 @@ var policyCmd = &cobra.Command{
 
 func init() {
 	policyCmd.AddCommand(policyDumpCmd)
+	policyDumpCmd.Flags().BoolP("asm", "a", false, "Includes eBPF assembler code of the policy program")
 	rootCmd.AddCommand(policyCmd)
-
 }
 
 var policyDumpCmd = &cobra.Command{
@@ -83,11 +83,13 @@ var policyDumpCmd = &cobra.Command{
 }
 
 func parseArgs(args []string) (string, string, error) {
-	if len(args) != 2 {
-		return "", "", fmt.Errorf("Insufficient arguments")
+	lenArgs := len(args)
+	if lenArgs != 2 {
+		return "", "", fmt.Errorf("Invalid number of arguments: %d", lenArgs)
 	}
-	if hook.StringToHook(args[1]) == hook.Bad && args[1] != "all" {
-		return "", "", fmt.Errorf("Invalid argument")
+	hookArg := args[1]
+	if hook.StringToHook(hookArg) == hook.Bad && hookArg != "all" {
+		return "", "", fmt.Errorf("Invalid argument: '%s'", hookArg)
 	}
 	return args[0], args[1], nil
 }
@@ -115,6 +117,9 @@ func getRuleMatchID(comment string) uint64 {
 }
 
 func dumpPolicyInfo(cmd *cobra.Command, iface string, h hook.Hook, m counters.PolicyMapMem) error {
+	verboseFlag := cmd.Flag("asm").Value.String()
+	verboseFlagSet, _ := strconv.ParseBool(verboseFlag)
+
 	var policyDbg bpf.PolicyDebugInfo
 	filename := bpf.PolicyDebugJSONFileName(iface, h.String(), proto.IPVersion_IPV4)
 	_, err := os.Stat(filename)
@@ -138,19 +143,24 @@ func dumpPolicyInfo(cmd *cobra.Command, iface string, h hook.Hook, m counters.Po
 	cmd.Printf("Hook: %s\n", policyDbg.Hook)
 	cmd.Printf("Error: %s\n", policyDbg.Error)
 	cmd.Println("Policy Info:")
+
 	for _, insn := range policyDbg.PolicyInfo {
 		for _, comment := range insn.Comments {
 			if strings.Contains(comment, "Rule MatchID") {
 				matchId := getRuleMatchID(comment)
 				cmd.Printf("// count = %d\n", m[matchId])
-			} else {
+			} else if verboseFlagSet || strings.Contains(comment, "Start of policy") || strings.Contains(comment, "Start of rule") {
 				cmd.Printf("// %s\n", comment)
 			}
 		}
 		for _, label := range insn.Labels {
-			cmd.Printf("%s:\n", label)
+			if verboseFlagSet {
+				cmd.Printf("%s:\n", label)
+			}
+		}
+		if verboseFlagSet {
+			printInsn(cmd, insn)
 		}
-		printInsn(cmd, insn)
 	}
 	return nil
 }

felix/fv/bpf_counters_test.go

@@ -237,7 +237,7 @@ func dumpRuleCounterMap(felix *infrastructure.Felix) counters.PolicyMapMem {
 }
 
 func checkRuleCounters(felix *infrastructure.Felix, ifName, hook, polName string, count int) {
-	out, err := felix.ExecOutput("calico-bpf", "policy", "dump", ifName, hook)
+	out, err := felix.ExecOutput("calico-bpf", "policy", "dump", ifName, hook, "--asm")
 	Expect(err).NotTo(HaveOccurred())
 	strOut := strings.Split(out, "\n")
 

felix/fv/bpf_policy_dump_test.go

@@ -112,9 +112,9 @@ var _ = infrastructure.DatastoreDescribe("_BPF-SAFE_ Felix bpf test policy dump"
 		pol = createPolicy(pol)
 		out := ""
 		ifaceStr := fmt.Sprintf("IfaceName: %s", w[0].InterfaceName)
-		// check ingress policy dump
+		// check ingress policy dump with eBPF assembler code
 		Eventually(func() string {
-			out, err = tc.Felixes[0].ExecOutput("calico-bpf", "policy", "dump", w[0].InterfaceName, "ingress")
+			out, err = tc.Felixes[0].ExecOutput("calico-bpf", "policy", "dump", w[0].InterfaceName, "ingress", "-a")
 			Expect(err).NotTo(HaveOccurred())
 			return out
 		}, "5s", "200ms").Should(ContainSubstring("Start of tier default"))
@@ -129,10 +129,10 @@ var _ = infrastructure.DatastoreDescribe("_BPF-SAFE_ Felix bpf test policy dump"
 		Expect(string(out)).To(ContainSubstring("If source port is not within any of {8055,100-105}, skip to next rule"))
 		Expect(string(out)).To(ContainSubstring("If dest port is not within any of {9055,200-205}, skip to next rule"))
 
-		// check egress policy dump
+		// check egress policy dump with eBPF assembler code
 		out = ""
 		Eventually(func() string {
-			out, err = tc.Felixes[0].ExecOutput("calico-bpf", "policy", "dump", w[0].InterfaceName, "egress")
+			out, err = tc.Felixes[0].ExecOutput("calico-bpf", "policy", "dump", w[0].InterfaceName, "egress", "-a")
 			Expect(err).NotTo(HaveOccurred())
 			return out
 		}, "5s", "200ms").Should(ContainSubstring("Start of tier default"))
@@ -147,10 +147,10 @@ var _ = infrastructure.DatastoreDescribe("_BPF-SAFE_ Felix bpf test policy dump"
 		Expect(string(out)).To(ContainSubstring("If source port is within any of {8055,100-105}, skip to next rule"))
 		Expect(string(out)).To(ContainSubstring("If dest port is within any of {9055,200-205}, skip to next rule"))
 
-		// Test calico-bpf policy dump all
+		// Test calico-bpf policy dump all with eBPF assembler code
 		out = ""
 		Eventually(func() string {
-			out, err = tc.Felixes[0].ExecOutput("calico-bpf", "policy", "dump", w[0].InterfaceName, "all")
+			out, err = tc.Felixes[0].ExecOutput("calico-bpf", "policy", "dump", w[0].InterfaceName, "all", "-a")
 			Expect(err).NotTo(HaveOccurred())
 			return out
 		}, "5s", "200ms").Should(ContainSubstring("Start of tier default"))
@@ -189,9 +189,9 @@ var _ = infrastructure.DatastoreDescribe("_BPF-SAFE_ Felix bpf test policy dump"
 		pol = createPolicy(pol)
 		out := ""
 		ifaceStr := fmt.Sprintf("IfaceName: %s", w[1].InterfaceName)
-		// check ingress policy dump
+		// check ingress policy dump with eBPF assembler code
 		Eventually(func() string {
-			out, err = tc.Felixes[0].ExecOutput("calico-bpf", "policy", "dump", w[1].InterfaceName, "ingress")
+			out, err = tc.Felixes[0].ExecOutput("calico-bpf", "policy", "dump", w[1].InterfaceName, "ingress", "-a")
 			Expect(err).NotTo(HaveOccurred())
 			return out
 		}, "5s", "200ms").Should(ContainSubstring("Start of tier default"))
@@ -205,10 +205,10 @@ var _ = infrastructure.DatastoreDescribe("_BPF-SAFE_ Felix bpf test policy dump"
 		Expect(string(out)).To(ContainSubstring("If source not in {11.0.0.8/32,10.0.0.8/32}, skip to next rule"))
 		Expect(string(out)).To(ContainSubstring("If dest not in {12.0.0.8/32,13.0.0.8/32}, skip to next rule"))
 
-		// check egress policy dump
+		// check egress policy dump with eBPF assembler code
 		out = ""
 		Eventually(func() string {
-			out, err = tc.Felixes[0].ExecOutput("calico-bpf", "policy", "dump", w[1].InterfaceName, "egress")
+			out, err = tc.Felixes[0].ExecOutput("calico-bpf", "policy", "dump", w[1].InterfaceName, "egress", "-a")
 			Expect(err).NotTo(HaveOccurred())
 			return out
 		}, "5s", "200ms").Should(ContainSubstring("Start of tier default"))

felix/fv/bpf_test.go

@@ -4337,7 +4337,7 @@ func bpfCheckIfPolicyProgrammed(felix *infrastructure.Felix, iface, hook, polNam
 }
 
 func bpfDumpPolicy(felix *infrastructure.Felix, iface, hook string) string {
-	out, err := felix.ExecOutput("calico-bpf", "policy", "dump", iface, hook)
+	out, err := felix.ExecOutput("calico-bpf", "policy", "dump", iface, hook, "--asm")
 	Expect(err).NotTo(HaveOccurred())
 	return out
 }

felix/fv/donottrack_test.go

@@ -85,7 +85,7 @@ var _ = infrastructure.DatastoreDescribe("_BPF-SAFE_ do-not-track policy tests;
 			for _, felix := range tc.Felixes {
 				felix.Exec("iptables-save", "-c")
 				felix.Exec("ip", "r")
-				felix.Exec("calico-bpf", "policy", "dump", "eth0", "all")
+				felix.Exec("calico-bpf", "policy", "dump", "eth0", "all", "--asm")
 			}
 		}
 	})

felix/fv/ipip_test.go

@@ -110,7 +110,7 @@ var _ = infrastructure.DatastoreDescribe("_BPF-SAFE_ IPIP topology before adding
 				felix.Exec("ip", "r")
 				felix.Exec("ip", "a")
 				if BPFMode() {
-					felix.Exec("calico-bpf", "policy", "dump", "eth0", "all")
+					felix.Exec("calico-bpf", "policy", "dump", "eth0", "all", "--asm")
 				}
 			}
 		}