[v1.16] check-encryption-leak:features: backport 2025-04-04 by smagnani96 · Pull Request #38741 · cilium/cilium
[v1.16] check-encryption-leak:features: backport 2025-04-04 #38741

Conversation

smagnani96
Contributor

@maintainer-s-little-helper maintainer-s-little-helper bot added backport/1.16 This PR represents a backport for Cilium 1.16.x of a PR that was merged to main. kind/backports This PR provides functionality previously merged into master. labels Apr 4, 2025
@smagnani96 smagnani96 force-pushed the pr/smagnani96/check-encryption-leak-features-backport-v1.16 branch from 319ef91 to 1824d91 Compare April 7, 2025 14:37
@smagnani96
Contributor Author

/test

@smagnani96 smagnani96 marked this pull request as ready for review April 8, 2025 09:24
@smagnani96 smagnani96 requested review from a team as code owners April 8, 2025 09:24
@smagnani96 smagnani96 requested a review from brlbil April 8, 2025 09:24
@julianwiedmann julianwiedmann enabled auto-merge April 9, 2025 06:29
[ upstream commit fe5329c ]

This commit adds to the leakage report the $skb pointer, which has
two main advantages:

1. for the bpftrace script itself, subsequent prints reporting the
   type of the packet (ex. "Detected DNS") will now use the same timestamp
   and $skb pointer as the previous print. This makes it much easier to
   correlate the output.
2. when used in combination with other packet tracers such as `pwru`,
   while the timestamp might slightly vary, the $skb pointer will point
   to the same packet, simplifying the correlation between the two outputs.

Signed-off-by: Simone Magnani <simone.magnani@isovalent.com>
[ upstream commit 022d5e9 ]

This commit extends comments in the code to cover all functions/probes
and explanations of our assumptions to execute the script.
In addition, it refactors the current macros CIDR4 and CIDR6 to use the
provided IPv4/6 addresses for CIDR computation. We always assume a /8,
but with this improvement the script can be tested even in env where
PodCIDRs are different than 10.0.0.0/8 or fd00::/8.

Signed-off-by: Simone Magnani <simone.magnani@isovalent.com>
[ upstream commit 4037d59 ]

This commit adds the BEGIN probe to the bpftrace script to check the
number and correctness of its arguments.

Signed-off-by: Simone Magnani <simone.magnani@isovalent.com>
[ upstream commit d1ffac0 ]

This commit extends the set of information displayed upon reporting the
leak of an ICMP packet. As well as for DNS (and upcoming TCP), we make use
of the ICMP header to print additional information concerning the packet, in
particular the Type and Code, and the status of fragmentation.

Signed-off-by: Simone Magnani <simone.magnani@isovalent.com>
[ upstream commit eb377e0 ]

This commit extends our leak detection script to output also whether
a connection being tracked by the proxy has been source masqueraded or not.
Prior to this, we just update or insert a new entry in case the proxy
is already tracking that specific skb. Let's be more specific then while
outputting the leak detected, to also specify whether a connection has
been source masqueraded or not.

The logic to detect this is as follows. The value in @trace_ip4/@trace_ip6
maps for a given flow traced by the proxy is:

1. first set to 1 in `tcp_connect/udp_sendmsg`
2. then incremented by 1 in `__dev_queue_xmit`.

Therefore, when checking the leak in br_forward, we should observe the
value == 2. However, when the packet is being source masqueraded, the map
entry created in (1) would differ from the entry incremented in (2) due
to the different IP address. In that case, the value in br_forward should
be == 1.

Signed-off-by: Simone Magnani <simone.magnani@isovalent.com>
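The counter logic described in the commit message above, as an added model that is not Cilium's bpftrace script: each kernel probe becomes a call to `LeakTracer.probe()` and the `@trace_ip4` map becomes a dict keyed by the flow 4-tuple. It assumes the map is keyed on (saddr, daddr, sport, dport) and that the connect/xmit probes are gated on the proxy's process name (`PROXY_COMM` is a placeholder, not the real script's filter); the skb pointers and flows are constructed sample data.

```python
from dataclasses import dataclass

PROXY_COMM = "proxy"  # placeholder: stands in for however the real script selects proxy traffic
VERDICT = {1: "leak, source masqueraded", 2: "leak"}  # meaning of the map value at br_forward


@dataclass(frozen=True)
class Flow:
    saddr: str
    daddr: str
    sport: int
    dport: int


class LeakTracer:
    def __init__(self, proxy_comm=PROXY_COMM):
        self.proxy_comm = proxy_comm
        self.trace_ip4 = {}  # model of bpftrace's @trace_ip4 map (missing key reads as 0)
        self.reports = []    # (skb pointer, flow, verdict) lines the script would print

    def probe(self, name, comm, flow, skb=0):
        """Feed one probe hit; returns the map value seen at br_forward, else None."""
        if name in ("tcp_connect", "udp_sendmsg"):
            if comm == self.proxy_comm:  # step 1: proxy opens the connection -> value 1
                self.trace_ip4[flow] = 1
        elif name == "__dev_queue_xmit":
            if comm == self.proxy_comm:  # step 2: ++ ; a SNAT'd key is new, so it lands at 1
                self.trace_ip4[flow] = self.trace_ip4.get(flow, 0) + 1
        elif name == "br_forward":
            value = self.trace_ip4.get(flow, 0)  # 2 = proxy flow, 1 = masqueraded, 0 = unrelated
            if value in VERDICT:
                self.reports.append((skb, flow, VERDICT[value]))
            return value
        return None


def run_sample():
    """Constructed stream: a plain proxied packet, a masqueraded one, an unrelated one."""
    pod = Flow("10.0.1.5", "10.0.2.9", 40000, 53)
    masq = Flow("192.0.2.10", "10.0.2.9", 40000, 53)  # same flow after SNAT to the node IP
    other = Flow("10.0.3.7", "10.0.2.9", 50000, 53)
    tracer = LeakTracer()
    events = [
        ("udp_sendmsg", PROXY_COMM, pod, 0xA1), ("__dev_queue_xmit", PROXY_COMM, pod, 0xA1),
        ("br_forward", "ksoftirqd/0", pod, 0xA1),
        ("udp_sendmsg", PROXY_COMM, pod, 0xB2), ("__dev_queue_xmit", PROXY_COMM, masq, 0xB2),
        ("br_forward", "ksoftirqd/0", masq, 0xB2),
        ("__dev_queue_xmit", "curl", other, 0xC3), ("br_forward", "ksoftirqd/0", other, 0xC3),
    ]
    for event in events:
        tracer.probe(*event)
    return tracer.reports  # -> [(0xA1, pod, "leak"), (0xB2, masq, "leak, source masqueraded")]
```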
[ upstream commit 19417a7 ]

This commit adds additional info to the leak report, in particular:

1. the length of the IPv4/IPv6 packet
2. the status of source/destination IPs, whether they're Pods and/or
   special CiliumInternalIPs

Signed-off-by: Simone Magnani <simone.magnani@isovalent.com>
[ upstream commit 2a3575c ]

This commit splits the TCP-related output from the previous one, similarly
to what we do for DNS packets. This way, we have more room to report values
from TCP header such as sequence and ack numbers.
Trace logs are correlated via (1) timestamp and (2) skb pointer value.

Signed-off-by: Simone Magnani <simone.magnani@isovalent.com>
@smagnani96 smagnani96 force-pushed the pr/smagnani96/check-encryption-leak-features-backport-v1.16 branch from 1824d91 to d0c3ef0 Compare April 9, 2025 08:12
@smagnani96
Contributor Author

Just rebased to see if CI's now happy (hit 🔴 on ci-eks 4 times).

@smagnani96
Contributor Author

/test

@julianwiedmann julianwiedmann added this pull request to the merge queue Apr 9, 2025
Merged via the queue into v1.16 with commit 40526b4 Apr 9, 2025
268 of 271 checks passed
@julianwiedmann julianwiedmann deleted the pr/smagnani96/check-encryption-leak-features-backport-v1.16 branch April 9, 2025 13:56
@maintainer-s-little-helper maintainer-s-little-helper bot added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Apr 9, 2025