From 40b7b3e6dad008f8d195f7e8198e48366bf1c43f Mon Sep 17 00:00:00 2001 From: Tomas Hruby Date: Tue, 10 Dec 2024 14:09:01 -0800 Subject: [PATCH 1/6] [BPF] counters to detect source port collisions --- felix/bpf-gpl/conntrack.h | 2 ++ felix/bpf-gpl/counters.h | 4 ++-- felix/bpf-gpl/reasons.h | 3 +++ felix/bpf-gpl/tc.c | 3 ++- felix/bpf/counters/counters.go | 17 ++++++++++++++++- felix/bpf/counters/map.go | 2 +- felix/cmd/calico-bpf/commands/conntrack.go | 4 ++-- 7 files changed, 28 insertions(+), 7 deletions(-) diff --git a/felix/bpf-gpl/conntrack.h b/felix/bpf-gpl/conntrack.h index b00c5dac943..b80b9626f2e 100644 --- a/felix/bpf-gpl/conntrack.h +++ b/felix/bpf-gpl/conntrack.h @@ -233,6 +233,7 @@ static CALI_BPF_INLINE int calico_ct_v4_create_tracking(struct cali_tc_ctx *ctx, int i; CALI_DEBUG("Source collision for " IP_FMT ":%d", debug_ip(ct_ctx->src), sport); + counter_inc(ctx, CALI_REASON_SOURCE_COLLISION); ct_value.orig_sport = sport; @@ -258,6 +259,7 @@ static CALI_BPF_INLINE int calico_ct_v4_create_tracking(struct cali_tc_ctx *ctx, CALI_INFO("Source collision unresolved " IP_FMT ":%d", debug_ip(ct_ctx->src), ct_value.orig_sport); err = -17; /* EEXIST */ + counter_inc(ctx, CALI_REASON_SOURCE_COLLISION_FAILED); } } diff --git a/felix/bpf-gpl/counters.h b/felix/bpf-gpl/counters.h index 484ed45fe30..6f2132feb86 100644 --- a/felix/bpf-gpl/counters.h +++ b/felix/bpf-gpl/counters.h @@ -7,7 +7,7 @@ #include "bpf.h" -#define MAX_COUNTERS_SIZE 14 +#define MAX_COUNTERS_SIZE 17 typedef __u64 counters_t[MAX_COUNTERS_SIZE]; @@ -20,7 +20,7 @@ struct counters_key { #define COUNTERS_TC_EGRESS 1 #define COUNTERS_XDP 2 -CALI_MAP(cali_counters, 2, +CALI_MAP(cali_counters, 3, BPF_MAP_TYPE_PERCPU_HASH, struct counters_key, counters_t, 20000, 0) diff --git a/felix/bpf-gpl/reasons.h b/felix/bpf-gpl/reasons.h index bd6dc2201c3..b66578a8515 100644 --- a/felix/bpf-gpl/reasons.h +++ b/felix/bpf-gpl/reasons.h 
@@ -23,6 +23,9 @@ enum calico_reason { CALI_REASON_UNAUTH_SOURCE, CALI_REASON_RT_UNKNOWN, CALI_REASON_BLACK_HOLE, + CALI_REASON_SOURCE_COLLISION, + CALI_REASON_SOURCE_COLLISION_FAILED, + CALI_REASON_CT_CREATE_FAILED, CALI_REASON_ACCEPTED_BY_XDP, // Not used by counters map CALI_REASON_WEP_NOT_READY, CALI_REASON_NATIFACE, diff --git a/felix/bpf-gpl/tc.c b/felix/bpf-gpl/tc.c index 734577ace03..2043ad053f3 100644 --- a/felix/bpf-gpl/tc.c +++ b/felix/bpf-gpl/tc.c @@ -806,6 +806,7 @@ static CALI_BPF_INLINE enum do_nat_res do_nat(struct cali_tc_ctx *ctx, int err; if ((err = conntrack_create(ctx, ct_ctx_nat))) { CALI_DEBUG("Creating NAT conntrack failed with %d", err); + deny_reason(ctx, CALI_REASON_CT_CREATE_FAILED); goto deny; } STATE->ct_result.nat_sip = ct_ctx_nat->src; @@ -1399,7 +1400,7 @@ int calico_tc_skb_new_flow_entrypoint(struct __sk_buff *skb) CALI_DEBUG("Allowing local host traffic without CT"); goto allow; } - + deny_reason(ctx, CALI_REASON_CT_CREATE_FAILED); goto deny; } goto allow; diff --git a/felix/bpf/counters/counters.go b/felix/bpf/counters/counters.go index 1247e8de4f3..7d3248caac5 100644 --- a/felix/bpf/counters/counters.go +++ b/felix/bpf/counters/counters.go @@ -27,7 +27,7 @@ import ( ) const ( - MaxCounterNumber int = 14 + MaxCounterNumber int = 17 counterMapKeySize int = 8 counterMapValueSize int = 8 ) @@ -73,6 +73,9 @@ const ( DroppedUnauthSource DroppedUnknownRoute DroppedBlackholeRoute + SourceCollision + SourceCollisionFailed + ConntrackCreateFailed ) type Description struct { 
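Review bot: `MaxCounterNumber int = 17` in felix/bpf/counters/counters.go has to stay equal to `MAX_COUNTERS_SIZE` in felix/bpf-gpl/counters.h (bumped to 17 in the same patch), since that macro sizes the `counters_t` array the BPF programs write into, but nothing on the Go side records the coupling. A comment on the constant would make the next bump safer: `// MaxCounterNumber must equal MAX_COUNTERS_SIZE in bpf-gpl/counters.h (the counters_t length); bump MapParameters.Version in map.go whenever it changes.` The sibling const block adding `SourceCollision`, `SourceCollisionFailed` and `ConntrackCreateFailed` mirrors the `enum calico_reason` insertions in reasons.h by position; a one-line comment there saying the order must match the enum would be worth adding too.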
@@ -155,6 +158,18 @@ var descriptions DescList = DescList{ Counter: DroppedBlackholeRoute, Category: "Dropped", Caption: "packets hitting blackhole route", }, + { + Counter: SourceCollision, + Category: "Other", Caption: "packets hitting NAT source collision", + }, + { + Counter: ConntrackCreateFailed, + Category: "Dropped", Caption: "failed to create conntrack", + }, + { + Counter: SourceCollisionFailed, + Category: "Dropped", Caption: "packets hitting NAT source collision failed", + }, } func Descriptions() DescList { diff --git a/felix/bpf/counters/map.go b/felix/bpf/counters/map.go index 07d68b50e7d..77113308463 100644 --- a/felix/bpf/counters/map.go +++ b/felix/bpf/counters/map.go @@ -29,7 +29,7 @@ var MapParameters = maps.MapParameters{ ValueSize: counterMapValueSize * MaxCounterNumber, MaxEntries: 20000, Name: "cali_counters", - Version: 2, + Version: 3, } func Map() maps.Map { diff --git a/felix/cmd/calico-bpf/commands/conntrack.go b/felix/cmd/calico-bpf/commands/conntrack.go index 9b6eb901f37..01c4c26c976 100644 --- a/felix/cmd/calico-bpf/commands/conntrack.go +++ b/felix/cmd/calico-bpf/commands/conntrack.go @@ -216,8 +216,8 @@ func (cmd *conntrackDumpCmd) prettyDump(k conntrack.KeyInterface, v conntrack.Va } now := bpf.KTimeNanos() - cmd.Printf(" Age: %s Active ago %s", - time.Duration(now-v.Created()), time.Duration(now-v.LastSeen())) + cmd.Printf(" Age: %s Active ago %s Duration %s", + time.Duration(now-v.Created()), time.Duration(now-v.LastSeen()), time.Duration(v.LastSeen()-v.Created())) if k.Proto() == 6 { if (v.IsForwardDSR() && d.FINsSeenDSR()) || d.FINsSeen() || d.RSTSeen() { From 856827b0abcfda8bcf480a43113700e000780f5c Mon Sep 17 00:00:00 2001 
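Review bot: The three new `descriptions` entries are not listed in the order of the constants they describe: the const block declares `SourceCollision, SourceCollisionFailed, ConntrackCreateFailed`, while the list here is `SourceCollision`, `ConntrackCreateFailed`, `SourceCollisionFailed`. I cannot see from this hunk how `DescList` is consumed, but if anything walks it sequentially and expects counter order, the two `Dropped` rows come out swapped; keeping the list in constant order avoids the question either way. The `ConntrackCreateFailed` caption `"failed to create conntrack"` also drops the `"packets ..."` phrasing its neighbours use, so the rendered table reads inconsistently.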
From: Tomas Hruby Date: Wed, 11 Dec 2024 16:00:48 -0800 Subject: [PATCH 2/6] [BPF] add conntrack stats command to calico-bpf Prints some stats without the need to use grep or other tools onthe dump output. Total connections: 36 Total entries: 48 NAT connections: 12 TCP : 32 UDP : 4 Others : 0 TCP Established: 16 TCP Closed: 16 TCP Reset: 0 TCP Syn-sent: 0 --- felix/cmd/calico-bpf/commands/conntrack.go | 112 ++++++++++++++++++++- node/Makefile | 4 +- 2 files changed, 112 insertions(+), 4 deletions(-) diff --git a/felix/cmd/calico-bpf/commands/conntrack.go b/felix/cmd/calico-bpf/commands/conntrack.go index 01c4c26c976..c62b9fb9e8b 100644 --- a/felix/cmd/calico-bpf/commands/conntrack.go +++ b/felix/cmd/calico-bpf/commands/conntrack.go @@ -46,6 +46,7 @@ func init() { conntrackCmd.AddCommand(newConntrackWriteCmd()) conntrackCmd.AddCommand(newConntrackFillCmd()) conntrackCmd.AddCommand(newConntrackCreateCmd()) + conntrackCmd.AddCommand(newConntrackStatsCmd()) rootCmd.AddCommand(conntrackCmd) } @@ -220,8 +221,10 @@ func (cmd *conntrackDumpCmd) prettyDump(k conntrack.KeyInterface, v conntrack.Va time.Duration(now-v.Created()), time.Duration(now-v.LastSeen()), time.Duration(v.LastSeen()-v.Created())) if k.Proto() == 6 { - if (v.IsForwardDSR() && d.FINsSeenDSR()) || d.FINsSeen() || d.RSTSeen() { + if (v.IsForwardDSR() && d.FINsSeenDSR()) || d.FINsSeen() { cmd.Printf(" CLOSED") + } else if d.RSTSeen() { + cmd.Printf(" RESET") } else if d.Established() { cmd.Printf(" ESTABLISHED") } else { @@ -248,11 +251,16 @@ func dumpExtrav2(k v2.Key, v v2.Value) { data := v.Data() - if (v.IsForwardDSR() && data.FINsSeenDSR()) || data.FINsSeen() || data.RSTSeen() { + if (v.IsForwardDSR() && data.FINsSeenDSR()) || data.FINsSeen() { fmt.Printf(" CLOSED") return } + if data.RSTSeen() { + fmt.Printf(" RESET") + return + } + if data.Established() { fmt.Printf(" ESTABLISHED") return 
@@ -282,6 +290,11 @@ func dumpExtra(k conntrack.KeyInterface, v conntrack.ValueInterface) { return } + if data.RSTSeen() { + fmt.Printf(" RESET") + return + } + if data.Established() { fmt.Printf(" ESTABLISHED") return 
@@ -611,3 +624,98 @@ func (cmd *conntrackFillCmd) Run(c *cobra.Command, _ []string) { } } } + +type conntrackStatsCmd struct { + *cobra.Command + ipv6 bool + + established int + reset int + closed int + synSent int + total int + nat int + + protos map[int]int +} + +func newConntrackStatsCmd() *cobra.Command { + cmd := &conntrackStatsCmd{ + Command: &cobra.Command{ + Use: "stats", + Short: "Print conntrack statistics", + }, + protos: make(map[int]int), + } + cmd.Command.Run = cmd.Run + + return cmd.Command +} + +func (cmd *conntrackStatsCmd) Run(c *cobra.Command, _ []string) { + var ctMap maps.Map + + cmd.ipv6 = ipv6 != nil && *ipv6 + + if cmd.ipv6 { + ctMap = conntrack.MapV6() + } else { + ctMap = conntrack.Map() + } + + if err := ctMap.Open(); err != nil { + log.WithError(err).Fatal("Failed to access ConntrackMap") + } + + keyFromBytes := conntrack.KeyFromBytes + valFromBytes := conntrack.ValueFromBytes + if cmd.ipv6 { + keyFromBytes = conntrack.KeyV6FromBytes + valFromBytes = conntrack.ValueV6FromBytes + } + + err := ctMap.Iter(func(k, v []byte) maps.IteratorAction { + ctKey := keyFromBytes(k) + ctVal := valFromBytes(v) + d := ctVal.Data() + + if ctVal.Type() == conntrack.TypeNATForward { + cmd.nat++ + return maps.IterNone + } + + if ctKey.Proto() == 6 { + if (ctVal.IsForwardDSR() && d.FINsSeenDSR()) || d.FINsSeen() { + cmd.closed++ + } else if d.RSTSeen() { + cmd.reset++ + } else if d.Established() { + cmd.established++ + } else { + cmd.synSent++ + } + } + + cmd.total++ + cmd.protos[int(ctKey.Proto())]++ + + return maps.IterNone + }) + + cmd.Printf("Total connections: %d\n", cmd.total) + cmd.Printf("Total entries: %d\n", cmd.total+cmd.nat) + cmd.Printf("NAT connections: %d\n\n", cmd.nat) + + cmd.Printf("TCP : %d\n", cmd.protos[6]) + cmd.Printf("UDP : %d\n", cmd.protos[17]) + cmd.Printf("Others : %d\n\n", cmd.total-cmd.protos[6]-cmd.protos[17]) + + cmd.Printf("TCP Established: %d\n", cmd.established) + cmd.Printf("TCP Closed: %d\n", cmd.closed) + cmd.Printf("TCP 
Reset: %d\n", cmd.reset) + cmd.Printf("TCP Syn-sent: %d\n", cmd.synSent) + + if err != nil { + log.WithError(err).Fatal("Failed to iterate over conntrack entries") + } +} diff --git a/node/Makefile b/node/Makefile index ea9bf587022..9d53e861c80 100644 --- a/node/Makefile +++ b/node/Makefile @@ -265,12 +265,12 @@ sub-image-fips-%: image $(NODE_IMAGE): register $(NODE_CONTAINER_MARKER) $(NODE_CONTAINER_CREATED): $(REMOTE_DEPS) ./Dockerfile.$(ARCH) $(NODE_CONTAINER_BINARY) $(INCLUDED_SOURCE) $(NODE_CONTAINER_FILES) $(TOOLS_MOUNTNS_BINARY) - $(DOCKER_BUILD) --build-arg BIN_DIR=$(NODE_CONTAINER_BIN_DIR) --build-arg BIRD_IMAGE=$(BIRD_IMAGE) --build-arg GIT_VERSION=$(GIT_VERSION) -t $(NODE_IMAGE):latest-$(ARCH) -f ./Dockerfile.$(ARCH) . + $(DOCKER_BUILD) --network=host --build-arg BIN_DIR=$(NODE_CONTAINER_BIN_DIR) --build-arg BIRD_IMAGE=$(BIRD_IMAGE) --build-arg GIT_VERSION=$(GIT_VERSION) -t $(NODE_IMAGE):latest-$(ARCH) -f ./Dockerfile.$(ARCH) . $(MAKE) retag-build-images-with-registries VALIDARCHES=$(ARCH) IMAGETAG=latest touch $@ $(NODE_CONTAINER_FIPS_CREATED): $(REMOTE_DEPS) ./Dockerfile.$(ARCH) $(NODE_CONTAINER_BINARY) $(INCLUDED_SOURCE) $(NODE_CONTAINER_FILES) $(TOOLS_MOUNTNS_BINARY) - $(DOCKER_BUILD) --build-arg BIN_DIR=$(NODE_CONTAINER_BIN_DIR) --build-arg BIRD_IMAGE=$(BIRD_IMAGE) --build-arg GIT_VERSION=$(GIT_VERSION) -t $(NODE_IMAGE):latest-fips-$(ARCH) -f ./Dockerfile.$(ARCH) . + $(DOCKER_BUILD) --network=host --build-arg BIN_DIR=$(NODE_CONTAINER_BIN_DIR) --build-arg BIRD_IMAGE=$(BIRD_IMAGE) --build-arg GIT_VERSION=$(GIT_VERSION) -t $(NODE_IMAGE):latest-fips-$(ARCH) -f ./Dockerfile.$(ARCH) . $(MAKE) retag-build-images-with-registries VALIDARCHES=$(ARCH) IMAGETAG=latest-fips LATEST_IMAGE_TAG=latest-fips touch $@ From 24967a98e9b70149ac637b10546f777b90a03293 Mon Sep 17 00:00:00 2001 
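Review bot: In `conntrackStatsCmd.Run` the error returned by `ctMap.Iter` is only inspected after every total has been printed, so an iteration that fails part-way prints partial counts as if they were complete and only then exits through `log.Fatal`. Move the check to directly after the `Iter` call, `if err != nil { log.WithError(err).Fatal("Failed to iterate over conntrack entries") }`, and drop the trailing block. Separately, the TCP state ladder in the closure (`FINsSeenDSR`/`FINsSeen` → closed, `RSTSeen` → reset, `Established` → established, otherwise syn-sent) is now the fourth copy of the same logic in this file alongside `prettyDump`, `dumpExtrav2` and `dumpExtra`; a small helper returning the state would keep the four from drifting apart. The map opened with `ctMap.Open()` is never closed here; if `maps.Map` offers a close method, a `defer` after the Open check would be appropriate, though I cannot see how the other commands in this file handle it.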
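Review bot: The `--network=host` added to both `$(DOCKER_BUILD)` invocations in node/Makefile is not mentioned in the commit message, which describes a calico-bpf stats command, and the same flag is added to felix/Makefile in patch 4 ("remove counters ut") with the same silence. Building with the host network namespace removes the isolation the default build network gives and makes the image build depend on the builder host's network configuration. If the flag is needed (for example to reach something only reachable from the host), a comment above the rule stating why is warranted, and the change belongs in its own commit rather than riding along with unrelated work.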
From: Tomas Hruby Date: Thu, 12 Dec 2024 14:10:47 -0800 Subject: [PATCH 3/6] [BPF] add source collision counters UT and improve naming --- felix/bpf/conntrack/timeouts.go | 2 +- felix/bpf/counters/counters.go | 10 +++++----- felix/bpf/counters/counters_test.go | 3 --- felix/bpf/ut/nat_test.go | 11 +++++++++++ 4 files changed, 17 insertions(+), 9 deletions(-) diff --git a/felix/bpf/conntrack/timeouts.go b/felix/bpf/conntrack/timeouts.go index e440bcc44af..11eeb24d8b7 100644 --- a/felix/bpf/conntrack/timeouts.go +++ b/felix/bpf/conntrack/timeouts.go @@ -92,7 +92,7 @@ func DefaultTimeouts() Timeouts { CreationGracePeriod: 10 * time.Second, TCPPreEstablished: 20 * time.Second, TCPEstablished: time.Hour, - TCPFinsSeen: 30 * time.Second, + TCPFinsSeen: 90 * time.Second, TCPResetSeen: 40 * time.Second, UDPLastSeen: 60 * time.Second, GenericIPLastSeen: 600 * time.Second, diff --git a/felix/bpf/counters/counters.go b/felix/bpf/counters/counters.go index 7d3248caac5..0aa82b4dafe 100644 --- a/felix/bpf/counters/counters.go +++ b/felix/bpf/counters/counters.go @@ -73,8 +73,8 @@ const ( DroppedUnauthSource DroppedUnknownRoute DroppedBlackholeRoute - SourceCollision - SourceCollisionFailed + SourceCollisionHit + SourceCollisionResolutionFailed ConntrackCreateFailed ) @@ -159,7 +159,7 @@ var descriptions DescList = DescList{ Category: "Dropped", Caption: "packets hitting blackhole route", }, { - Counter: SourceCollision, + Counter: SourceCollisionHit, Category: "Other", Caption: "packets hitting NAT source collision", }, { @@ -167,8 +167,8 @@ var descriptions DescList = DescList{ Category: "Dropped", Caption: "failed to create conntrack", }, { - Counter: SourceCollisionFailed, - Category: "Dropped", Caption: "packets hitting NAT source collision failed", + Counter: SourceCollisionResolutionFailed, + Category: "Dropped", Caption: "NAT source collision resolution failed", }, } 
diff --git a/felix/bpf/counters/counters_test.go b/felix/bpf/counters/counters_test.go index 44df4a406b4..730d6bbbc6d 100644 --- a/felix/bpf/counters/counters_test.go +++ b/felix/bpf/counters/counters_test.go @@ -23,9 +23,6 @@ import ( func TestCounterMapSize(t *testing.T) { RegisterTestingT(t) - // Entries in the counter map should be aligned - Expect(MaxCounterNumber%2 == 0).To(BeTrue()) - noOfDescriptions := len(Descriptions()) Expect(MaxCounterNumber).Should(Equal(noOfDescriptions + noOfDescriptions%2)) } diff --git a/felix/bpf/ut/nat_test.go b/felix/bpf/ut/nat_test.go index 21837e89976..cdbd6adc49a 100644 --- a/felix/bpf/ut/nat_test.go +++ b/felix/bpf/ut/nat_test.go @@ -27,6 +27,7 @@ import ( "github.com/projectcalico/calico/felix/bpf/conntrack" conntrack3 "github.com/projectcalico/calico/felix/bpf/conntrack/v3" v3 "github.com/projectcalico/calico/felix/bpf/conntrack/v3" + "github.com/projectcalico/calico/felix/bpf/counters" "github.com/projectcalico/calico/felix/bpf/nat" "github.com/projectcalico/calico/felix/bpf/polprog" "github.com/projectcalico/calico/felix/bpf/routes" @@ -2388,6 +2389,7 @@ func TestNATSourceCollision(t *testing.T) { bpfIfaceName = "SPRT" defer func() { bpfIfaceName = "" }() resetCTMap(ctMap) + resetCTMap(countersMap) // Setup node2 with backend pod such that conntrack has an active TCP // connection with which we will collide the next SYN. @@ -2605,6 +2607,11 @@ func TestNATSourceCollision(t *testing.T) { tcp := tcpL.(*layers.TCP) Expect(uint16(tcp.SrcPort)).To(Equal(newSPort)) + bpfCounters, err := counters.Read(countersMap, 1, 0) + Expect(err).NotTo(HaveOccurred()) + Expect(int(bpfCounters[counters.SourceCollisionHit])).To(Equal(1)) + Expect(int(bpfCounters[counters.SourceCollisionResolutionFailed])).To(Equal(0)) + recvPkt = res.dataOut }) expectMark(tcdefs.MarkSeen) 
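Review bot: Removing the evenness assertion in `TestCounterMapSize` does not make the remaining one pass: `Expect(MaxCounterNumber).Should(Equal(noOfDescriptions + noOfDescriptions%2))` rounds the description count up to an even number, so it can never equal the odd `MaxCounterNumber` of 17 introduced in patch 1, whatever the exact count is, which is presumably why patch 4 deletes the file outright. That test was the only visible guard that `MaxCounterNumber` (and with it `MAX_COUNTERS_SIZE` in counters.h) tracks the number of descriptions. If the original comment `Entries in the counter map should be aligned` reflected a real requirement, the right fix is 18 on both sides; if not, keep the test and change the assertion to `Expect(MaxCounterNumber).To(Equal(noOfDescriptions))` rather than deleting it.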
@@ -2651,6 +2658,10 @@ func TestNATSourceCollision(t *testing.T) { res, err := bpfrun(pktBytes) Expect(err).NotTo(HaveOccurred()) Expect(res.Retval).To(Equal(resTC_ACT_SHOT)) + bpfCounters, err := counters.Read(countersMap, 1, 0) + Expect(err).NotTo(HaveOccurred()) + Expect(int(bpfCounters[counters.SourceCollisionHit])).To(Equal(2)) + Expect(int(bpfCounters[counters.SourceCollisionResolutionFailed])).To(Equal(1)) }, withPSNATPorts(22222, 22222)) // It should eventually succeed if we keep retransmitting and it is possible to pick From 940b00f8f3536eb5d7d894e0aeb90f241089147c Mon Sep 17 00:00:00 2001 From: Tomas Hruby Date: Fri, 13 Dec 2024 13:10:24 -0800 Subject: [PATCH 4/6] [BPF] remove counters ut --- felix/Makefile | 2 +- felix/bpf/counters/counters_test.go | 28 ---------------------------- 2 files changed, 1 insertion(+), 29 deletions(-) delete mode 100644 felix/bpf/counters/counters_test.go diff --git a/felix/Makefile b/felix/Makefile index a5460d76ab4..7a8784c1ada 100644 --- a/felix/Makefile +++ b/felix/Makefile @@ -278,7 +278,7 @@ $(FELIX_CONTAINER_CREATED): register \ docker-image/felix.cfg \ docker-image/Dockerfile \ $(shell test "$(FELIX_IMAGE_ID)" || echo force-rebuild) - $(DOCKER_BUILD) -t $(FELIX_IMAGE_WITH_TAG) -f ./docker-image/Dockerfile docker-image + $(DOCKER_BUILD) --network=host -t $(FELIX_IMAGE_WITH_TAG) -f ./docker-image/Dockerfile docker-image $(MAKE) retag-build-images-with-registries VALIDARCHES=$(ARCH) IMAGETAG=latest touch $(FELIX_CONTAINER_CREATED) diff --git a/felix/bpf/counters/counters_test.go b/felix/bpf/counters/counters_test.go deleted file mode 100644 index 730d6bbbc6d..00000000000 --- a/felix/bpf/counters/counters_test.go +++ /dev/null 
@@ -1,28 +0,0 @@ -// Copyright (c) 2022 Tigera, Inc. All rights reserved. -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -package counters - -import ( - "testing" - - . "github.com/onsi/gomega" -) - -func TestCounterMapSize(t *testing.T) { - RegisterTestingT(t) - - noOfDescriptions := len(Descriptions()) - Expect(MaxCounterNumber).Should(Equal(noOfDescriptions + noOfDescriptions%2)) -} From 564367b7e5519e9e7c9efa1a6d9eba3a75550f46 Mon Sep 17 00:00:00 2001 From: Tomas Hruby Date: Fri, 13 Dec 2024 13:17:57 -0800 Subject: [PATCH 5/6] FIX --- felix/bpf/conntrack/timeouts.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/felix/bpf/conntrack/timeouts.go b/felix/bpf/conntrack/timeouts.go index 11eeb24d8b7..e440bcc44af 100644 --- a/felix/bpf/conntrack/timeouts.go +++ b/felix/bpf/conntrack/timeouts.go @@ -92,7 +92,7 @@ func DefaultTimeouts() Timeouts { CreationGracePeriod: 10 * time.Second, TCPPreEstablished: 20 * time.Second, TCPEstablished: time.Hour, - TCPFinsSeen: 90 * time.Second, + TCPFinsSeen: 30 * time.Second, TCPResetSeen: 40 * time.Second, UDPLastSeen: 60 * time.Second, GenericIPLastSeen: 600 * time.Second, From 7f98481d989a0b5bc29280e78f705df91971e739 Mon Sep 17 00:00:00 2001 From: Tomas Hruby Date: Wed, 18 Dec 2024 12:00:47 -0800 Subject: [PATCH 6/6] fix bpf counters fv test --- felix/fv/bpf_counters_test.go | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) 
diff --git a/felix/fv/bpf_counters_test.go b/felix/fv/bpf_counters_test.go index c2c54cae538..be1890e6a08 100644 --- a/felix/fv/bpf_counters_test.go +++ b/felix/fv/bpf_counters_test.go @@ -265,16 +265,21 @@ func checkDroppedByPolicyCounters(g Gomega, felix *infrastructure.Felix, ifName xCounter string ) + dropped := false + for _, line := range strOut { fields := strings.FieldsFunc(line, f) if len(fields) < 5 { continue } + if strings.TrimSpace(strings.ToLower(fields[0])) == "dropped" { + dropped = true + } + // "Dropped by policy" is the description of DroppedByPolicy counter // defined in felix/bpf/counters/counters.go. - if strings.TrimSpace(strings.ToLower(fields[0])) == "dropped" && - strings.TrimSpace(strings.ToLower(fields[1])) == "by policy" { + if dropped && strings.TrimSpace(strings.ToLower(fields[1])) == "by policy" { iCounter, _ = strconv.Atoi(strings.TrimSpace(strings.ToLower(fields[2]))) eCounter, _ = strconv.Atoi(strings.TrimSpace(strings.ToLower(fields[3]))) xCounter = strings.TrimSpace(strings.ToLower(fields[4]))
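Review bot: `dropped` is set when a line's first field reads `dropped` but is never cleared, so once the `Dropped` category has been seen, every later line whose second field is `by policy` is matched regardless of the category it belongs to. Resetting the flag whenever a non-empty category label appears keeps the match scoped to that category: `if cat := strings.TrimSpace(strings.ToLower(fields[0])); cat != "" { dropped = cat == "dropped" }` in place of the three-line `if`. A short comment explaining that the category label is only present on the first row of a group (which appears to be why the flag exists, though the output format is not visible here) would help the next reader. `checkDroppedByPolicyCounters` starts above this hunk and the loop body continues below it.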