Proposal: introduce --filter-trace-tunnel-type and --filter-trace-tunnel-pcap

Question

Proposal: introduce --filter-trace-tunnel-type and --filter-trace-tunnel-pcap

Opened this issue 2 months ago · 5 comments

As for VxLAN env, it'll be really convenient to trace skb with filtering inner-VxLAN packet info with pcap-filter, as pcap-filter does not support filtering inner-VxLAN packet info directly.

To achieve it, let me introduce --filter-trace-tunnel-type and --filter-trace-tunnel-pcap options to accept a pcap-filter expr to filter inner-VxLAN packet info.

$ sudo pwru --filter-trace-tunnel-type vxlan --filter-trace-tunnel-pcap 'host 1.1.1.1 and icmp' host 1.1.1.1 and icmp

Then, pwru is able to trace skb before decapsulating VxLAN and after encapsulating VxLAN.

And --filter-track-skb does not work well before decapsulating VxLAN.

Furthermore, --filter-trace-tunnel-type should support geneve, ipip and so on.

TODOs:

Introduce --filter-trace-tunnel-type vxlan
Introduce --filter-trace-tunnel-type geneve
Introduce --filter-trace-tunnel-type ipip

Answer 1 · 2024-11-07T08:27:41.000Z

I like this, thank you!

Just to be clear, --filter-trace-tunnel-pcap 'host 1.1.1.1 and icmp' host 1.1.1.1 and icmp in your proposal, will match nothing, right? My understanding is

--filter-trace-tunnel-pcap 'host 1.1.1.1 and icmp' host 1.1.1.1 and icmp
                            ---------------------  ---------------------
                                      ①                      ②

① filters inner packet, from skb->data + sizeof(outer)
② filters outer packet, from skb->data

Since a vxlan can't have an outer icmp, no traffic will be captured.

Answer 2 · 2024-11-07T09:00:00.000Z

Oh, what are we missing here?

It's the bool logic between ① and ②. It should be "① or ②" by default. And use --filter-trace-tunnel-both, or any option, to indicate "① and ②" instead.

Answer 3 · 2024-11-07T09:06:01.000Z

What is the use case of "or"? I think "and" is more useful to catch "out ip 172.1.1.1 and vxlan and inner ip 10.1.1.1"

Answer 4 · 2024-11-07T09:13:46.000Z

"out ip 172.1.1.1 and vxlan and inner ip 10.1.1.1"

This seems better for me.

Why not use "and vxlan", "or vxlan" instead of --filter-trace-tunnel-XXX options? The pcap-filter expr before them filters vxlan outer packet. The one after them filters vxlan inner packet. "and" and "or" in them indicate the bool logic.

Same for geneve and ipip.

Answer 5 · 2024-11-07T12:28:06.000Z

Was thinking about this. I have an ambiguous feeling of cool and dangerous about what we are doing here: extend pcap filter.