From 6d34f7fe07846457af66d4e86b9fdf19f845d408 Mon Sep 17 00:00:00 2001 From: Paul Chaignon Date: Fri, 13 Oct 2023 21:27:35 +0200 Subject: [PATCH] cmd: Display decryption interfaces in encrypt status [ upstream commit 651705074e83fa0f234fb45d2dbb87a0e14d1d19 ] This commit adds a new line to cilium encrypt status, with the list of interfaces on which decryption can happen: $ ks exec ds/cilium -c cilium-agent -- cilium encrypt status Encryption: IPsec Decryption interface(s): eth0, eth1, eth2 Keys in use: 1 Max Seq. Number: 0x6e/0xffffffff Errors: 0 This can be useful to check that Cilium is attached to all the interfaces it should be attached to (all those that can receive remote pod traffic). Signed-off-by: Paul Chaignon Signed-off-by: Tobias Klauser --- .../gettingstarted/encryption-ipsec.rst | 5 ++- cilium/cmd/encrypt_status.go | 38 +++++++++++++++++++ 2 files changed, 42 insertions(+), 1 deletion(-) diff --git a/Documentation/gettingstarted/encryption-ipsec.rst b/Documentation/gettingstarted/encryption-ipsec.rst index 39b940ee82978..36625baceac9f 100644 --- a/Documentation/gettingstarted/encryption-ipsec.rst +++ b/Documentation/gettingstarted/encryption-ipsec.rst @@ -205,6 +205,7 @@ Troubleshooting $ cilium encrypt status Encryption: IPsec + Decryption interface(s): eth0, eth1, eth2 Keys in use: 1 Max Seq. Number: 0x1e3/0xffffffff Errors: 0 
@@ -212,7 +213,9 @@ Troubleshooting If the error counter is non-zero, additional information will be displayed with the specific errors the kernel encountered. If the sequence number reaches its maximum value, it will also result in errors. The number of - keys in use should be 2 during a key rotation and always 1 otherwise. + keys in use should be 2 during a key rotation and always 1 otherwise. The + list of decryption interfaces should have all native devices that may + receive pod traffic (for example, ENI interfaces). * All XFRM errors correspond to a packet drop in the kernel. Except for ``XfrmFwdHdrError`` and ``XfrmInError``, all XFRM errors indicate a bug in diff --git a/cilium/cmd/encrypt_status.go b/cilium/cmd/encrypt_status.go index 10688eaa80d6c..68eaf1c657306 100644 --- a/cilium/cmd/encrypt_status.go +++ b/cilium/cmd/encrypt_status.go 
@@ -123,6 +123,42 @@ func getEncryptionMode() {
 }
 }
+func isDecryptionInterface(link netlink.Link) (bool, error) {
+ filters, err := netlink.FilterList(link, tcFilterParentIngress)
+ if err != nil {
+ return false, err
+ }
+ for _, f := range filters {
+ if bpfFilter, ok := f.(*netlink.BpfFilter); ok {
+ // We consider the interface a decryption interface if it has the
+ // BPF program we use to mark ESP packets for decryption, that is
+ // the cil_from_network BPF program.
+ if strings.Contains(bpfFilter.Name, "cil_from_network") {
+ return true, nil
+ }
+ }
+ }
+ return false, nil
+}
+
+func getDecryptionInterfaces() []string {
+ decryptionIfaces := []string{}
+ links, err := netlink.LinkList()
+ if err != nil {
+ Fatalf("Failed to list interfaces: %s", err)
+ }
+ for _, link := range links {
+ itIs, err := isDecryptionInterface(link)
+ if err != nil {
+ Fatalf("Failed to list BPF programs for %s: %s", link.Attrs().Name, err)
+ }
+ if itIs {
+ decryptionIfaces = append(decryptionIfaces, link.Attrs().Name)
+ }
+ }
+ return decryptionIfaces
+}
+
 func dumpIPsecStatus() {
 xfrmStates, err := netlink.XfrmStateList(netlink.FAMILY_ALL)
 if err != nil {
@@ -130,6 +166,8 @@ func dumpIPsecStatus() {
 }
 keys := ipsec.CountUniqueIPsecKeys(xfrmStates)
 oseq := maxSequenceNumber()
+ interfaces := getDecryptionInterfaces()
+ fmt.Printf("Decryption interface(s): %s\n", strings.Join(interfaces, ", "))
 fmt.Printf("Keys in use: %-26d\n", keys)
 fmt.Printf("Max Seq. Number: %s\n", oseq)
 errCount, errMap := getXfrmStats("")
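Review bot: `getDecryptionInterfaces` turns a failure to list filters on any single link into `Fatalf`, so one unreadable or vanished interface (a link can disappear between `netlink.LinkList` and `netlink.FilterList`) aborts the whole `encrypt status` output, including the key count and XFRM error counters that `dumpIPsecStatus` prints afterwards. Skipping that link with a non-fatal warning (using whatever reporting helper this command already has) would keep the status usable, while the existing `Fatalf` for `LinkList` itself remains a reasonable hard failure. Both new functions are also undocumented; a one-liner such as `// getDecryptionInterfaces returns the names of the links whose ingress tc filter list contains the cil_from_network BPF program.` would help, and `itIs` is an awkward name for the boolean result. `decryptionIfaces := []string{}` can simply be `var decryptionIfaces []string`, since `strings.Join` handles a nil slice.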
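Review bot: When no interface carries the program, the added `fmt.Printf("Decryption interface(s): %s\n", ...)` prints a bare label with nothing after it, which is the very misconfiguration the commit message says this line is meant to surface, and it is easy to misread as truncated output. If nothing machine-parses this output, an explicit marker is clearer: `ifaces := strings.Join(interfaces, ", "); if ifaces == "" { ifaces = "none" }` before the Printf. The neighbouring lines use a padded width (`%-26d`), so the new line may also want matching alignment; `dumpIPsecStatus` continues past the end of the hunk.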