Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add L7 Network Policy Logs for Allowed HTTP #6014

Merged
merged 1 commit into from
Feb 27, 2024
Merged

Add L7 Network Policy Logs for Allowed HTTP #6014

merged 1 commit into from
Feb 27, 2024

Conversation

qiyueyao
Copy link
Contributor

@qiyueyao qiyueyao commented Feb 21, 2024
edited
Loading

For allowed http traffic, log in "eve-YYYY-MM-DD.json" shows event_type: http

{"timestamp":"2024-02-22T21:26:07.074791+0000","flow_id":757085628206447,"in_iface":"antrea-l7-tap0","event_type":"http","vlan":[1],"src_ip":"10.10.1.8","src_port":44132,"dest_ip":"10.10.1.7","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"10.10.1.7","url":"/public/main.html","http_user_agent":"Wget/1.21.1","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":404,"length":153}}

For dropped packets, event_type: alert and event_type: packet are stilled logged as before.

{"timestamp":"2024-02-22T21:26:26.141099+0000","flow_id":647971985302376,"in_iface":"antrea-l7-tap0","event_type":"alert","vlan":[1],"src_ip":"10.10.1.8","src_port":58174,"dest_ip":"10.10.1.7","dest_port":80,"proto":"TCP","alert":{"action":"blocked","gid":1,"signature_id":1,"rev":0,"signature":"Reject by AntreaClusterNetworkPolicy:test-l7-ingress","category":"","severity":3,"tenant_id":1},"http":{"hostname":"10.10.1.7","url":"/private/test.html","http_user_agent":"Wget/1.21.1","http_method":"GET","protocol":"HTTP/1.1","length":0},"app_proto":"http","flow":{"pkts_toserver":3,"pkts_toclient":1,"bytes_toserver":347,"bytes_toclient":74,"start":"2024-02-22T21:26:26.140136+0000"}}
{"timestamp":"2024-02-22T21:26:26.145548+0000","flow_id":647971985302376,"in_iface":"antrea-l7-tap0","event_type":"packet","vlan":[1],"src_ip":"10.10.1.7","src_port":80,"dest_ip":"10.10.1.8","dest_port":58174,"proto":"TCP","packet":"csSAgSaXRkVL3D/tCABFAAAomhoAAEAGypMKCgEHCgoBCABQ4z5/g/HZ99gCJ1AUAftIxwAA","packet_info":{"linktype":1}}

Fixes #5982

tnqn
tnqn reviewed Feb 22, 2024
View reviewed changes
Copy link
Member

@tnqn tnqn left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could you add an example of the new log in the PR description?

@qiyueyao
Copy link
Contributor Author

qiyueyao commented Feb 22, 2024
edited
Loading

Could you add an example of the new log in the PR description?

Done, and updated the antrea-l7-network-policy.md doc with http example. Also added the DNS and TLS types, as I noticed that they are supported.
Added fix comment in PR. Is this enough for fixing and closing 5982 issue?

antoninbas
antoninbas reviewed Feb 23, 2024
View reviewed changes
docs/antrea-l7-network-policy.md Outdated Show resolved Hide resolved
docs/antrea-l7-network-policy.md Outdated Show resolved Hide resolved
pkg/agent/controller/networkpolicy/l7engine/reconciler.go
@@ -76,6 +76,12 @@ outputs:
types:
- alert:
tagged-packets: yes
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

does that determine the generation of packet events for rejected connections when logging is enabled?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, it determines event_type: packet log for rejected connections if enableLogging: true.

pkg/agent/controller/networkpolicy/l7engine/reconciler.go Outdated Show resolved Hide resolved
docs/antrea-l7-network-policy.md Outdated Show resolved Hide resolved
tnqn
tnqn reviewed Feb 23, 2024
View reviewed changes
Copy link
Member

@tnqn tnqn left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this enough for fixing and closing 5982 issue?

I think yes.

pkg/agent/controller/networkpolicy/l7engine/reconciler.go Outdated Show resolved Hide resolved
@qiyueyao
Add logs for allowed traffic in L7 NetworkPolicy
b84f589 
The solution adds logs with event type http for allowed
traffic in L7 NetworkPolicy. It also adds log support for
TLS as it was later supported by L7NP.

Fixes antrea-io#5982

Signed-off-by: Qiyue Yao <yaoq@vmware.com>
tnqn
tnqn approved these changes Feb 27, 2024
View reviewed changes
Copy link
Member

@tnqn tnqn left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@antoninbas
Copy link
Contributor

/skip-all

I don't think we have an e2e test to validate logging for L7NP?

@antoninbas antoninbas merged commit b8a51dc into antrea-io:main Feb 27, 2024
52 of 55 checks passed
@qiyueyao
Copy link
Contributor Author

/skip-all

I don't think we have an e2e test to validate logging for L7NP?

No, there hasn't been e2e for L7NP logging. I can try to open another PR for this.

@qiyueyao qiyueyao deleted the l7np-log branch February 27, 2024 21:22
@qiyueyao qiyueyao mentioned this pull request Apr 29, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tnqn tnqn tnqn approved these changes

@antoninbas antoninbas antoninbas approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

L7 Network Policy logs for allowed network policy rules
3 participants
@qiyueyao @antoninbas @tnqn