update

Signed-off-by: Hang Yan <yhang@vmware.com>

build/charts/antrea/templates/agent/clusterrole.yaml

@@ -39,14 +39,6 @@ rules:
       - pods/status
     verbs:
       - patch
-  - apiGroups:
-      - ""
-    resources:
-      - secrets
-    resourceNames:
-      - antrea-packetcapture-fileserver-auth
-    verbs:
-      - get
   - apiGroups:
       - ""
     resources:
@@ -263,6 +255,7 @@ rules:
       - secrets
     resourceNames:
       - antrea-bgp-passwords
+      - antrea-packetcapture-fileserver-auth
     verbs:
       - get
       - list

build/yamls/antrea-aks.yml

@@ -4554,14 +4554,6 @@ rules:
       - pods/status
     verbs:
       - patch
-  - apiGroups:
-      - ""
-    resources:
-      - secrets
-    resourceNames:
-      - antrea-packetcapture-fileserver-auth
-    verbs:
-      - get
   - apiGroups:
       - ""
     resources:
@@ -4778,6 +4770,7 @@ rules:
       - secrets
     resourceNames:
       - antrea-bgp-passwords
+      - antrea-packetcapture-fileserver-auth
     verbs:
       - get
       - list

build/yamls/antrea-eks.yml

@@ -4554,14 +4554,6 @@ rules:
       - pods/status
     verbs:
       - patch
-  - apiGroups:
-      - ""
-    resources:
-      - secrets
-    resourceNames:
-      - antrea-packetcapture-fileserver-auth
-    verbs:
-      - get
   - apiGroups:
       - ""
     resources:
@@ -4778,6 +4770,7 @@ rules:
       - secrets
     resourceNames:
       - antrea-bgp-passwords
+      - antrea-packetcapture-fileserver-auth
     verbs:
       - get
       - list

build/yamls/antrea-gke.yml

@@ -4554,14 +4554,6 @@ rules:
       - pods/status
     verbs:
       - patch
-  - apiGroups:
-      - ""
-    resources:
-      - secrets
-    resourceNames:
-      - antrea-packetcapture-fileserver-auth
-    verbs:
-      - get
   - apiGroups:
       - ""
     resources:
@@ -4778,6 +4770,7 @@ rules:
       - secrets
     resourceNames:
       - antrea-bgp-passwords
+      - antrea-packetcapture-fileserver-auth
     verbs:
       - get
       - list

build/yamls/antrea-ipsec.yml

@@ -4567,14 +4567,6 @@ rules:
       - pods/status
     verbs:
       - patch
-  - apiGroups:
-      - ""
-    resources:
-      - secrets
-    resourceNames:
-      - antrea-packetcapture-fileserver-auth
-    verbs:
-      - get
   - apiGroups:
       - ""
     resources:
@@ -4791,6 +4783,7 @@ rules:
       - secrets
     resourceNames:
       - antrea-bgp-passwords
+      - antrea-packetcapture-fileserver-auth
     verbs:
       - get
       - list

build/yamls/antrea.yml

@@ -4554,14 +4554,6 @@ rules:
       - pods/status
     verbs:
       - patch
-  - apiGroups:
-      - ""
-    resources:
-      - secrets
-    resourceNames:
-      - antrea-packetcapture-fileserver-auth
-    verbs:
-      - get
   - apiGroups:
       - ""
     resources:
@@ -4778,6 +4770,7 @@ rules:
       - secrets
     resourceNames:
       - antrea-bgp-passwords
+      - antrea-packetcapture-fileserver-auth
     verbs:
       - get
       - list

cmd/antrea-agent/agent.go

@@ -654,12 +654,15 @@ func run(o *Options) error {
 
 	var packetCaptureController *packetcapture.Controller
 	if features.DefaultFeatureGate.Enabled(features.PacketCapture) {
-		packetCaptureController = packetcapture.NewPacketCaptureController(
+		packetCaptureController, err = packetcapture.NewPacketCaptureController(
 			k8sClient,
 			crdClient,
 			packetCaptureInformer,
 			ifaceStore,
 		)
+		if err != nil {
+			return fmt.Errorf("error when creating PacketCapture controller: %v", err)
+		}
 	}
 
 	if err := antreaClientProvider.RunOnce(); err != nil {

docs/packetcapture-guide.md

@@ -33,17 +33,19 @@ the target traffic flow:
 * Transport protocol (TCP/UDP/ICMP)
 * Transport ports
 
-You can start a new packet capture by creating a `PacketCapture` CR. An optional `fileServer` field can be specified to
-store the generated packets file. Before that, a Secret named `antrea-packetcapture-fileserver-auth`
-located in the same Namespace where Antrea is deployed must exist and carry the authentication information for the target file server.
+You can start a new packet capture by creating a `PacketCapture` CR. An optional `fileServer`
+field can be specified to store the generated packets file. Before that,
+a Secret named `antrea-packetcapture-fileserver-auth` located in the same Namespace where
+Antrea is deployed must exist and carry the authentication information for the target file server.
 You can also create the Secret using the following `kubectl` command:
 
 ```bash
 kubectl create secret generic antrea-packetcapture-fileserver-auth -n kube-system --from-literal=username='<username>' --from-literal=password='<password>'
 ```
 
-If no `fileServer` field is present in the CR, the captured packets file will be saved in the antrea-agent Pod (the one on the same Node with the source or destination Pod in the CR).
-The default file path will be `/tmp/antrea/packetcapture/packets/<PacketCapture_CR_Name>.pcapng`.
+If no `fileServer` field is present in the CR, the captured packets file will be saved in the
+antrea-agent Pod (the one on the same Node with the source or destination Pod in the CR). The result
+path information will be available in `.status.FilePath`.
 
 And here is an example of `PacketCapture` CR:
 
@@ -70,7 +72,7 @@ spec:
       name: backend
   packet:
     ipFamily: IPv4
-    protocol: TCP # Numerical format is also supported. eg. TCP (6), UDP (17), ICMP (1).
+    protocol: TCP # support arbitrary number values and string values in [TCP,UDP,ICMP]
     transportHeader:
       tcp:
         dstPort: 8080 # Destination port needs to be set when the protocol is TCP/UDP.
@@ -79,7 +81,7 @@ spec:
 The CR above starts a new packet capture of TCP flows from a Pod named `frontend`
 to the port 8080 of a Pod named `backend` using TCP protocol. It will capture the first 5 packets
 that meet this criterion and upload them to the specified sftp server. Users can download the
-packet file from the sftp server (or from the local antrea-agent Pod) and analyze its content with network diagnose tools
-like Wireshark or tcpdump.
+packet file from the sftp server (or from the local antrea-agent Pod) and analyze its content
+with network diagnose tools like Wireshark or tcpdump.
 
 Note: This feature is not supported on Windows for now.

go.mod

@@ -23,9 +23,6 @@ require (
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc
 	github.com/fatih/color v1.18.0
 	github.com/fsnotify/fsnotify v1.8.0
-	github.com/emanic/gaia v14.272.0+incompatible
-	github.com/fatih/color v1.17.0
-	github.com/fsnotify/fsnotify v1.7.0
 	github.com/gammazero/deque v0.1.2
 	github.com/go-logr/logr v1.4.2
 	github.com/gogo/protobuf v1.3.2

go.sum

@@ -195,8 +195,6 @@ github.com/eapache/channels v1.1.0/go.mod h1:jMm2qB5Ubtg9zLd+inMZd2/NUvXgzmWXsDa
 github.com/eapache/queue v1.1.0 h1:YOEu7KNc61ntiQlcEeUIoDTJ2o8mQznoNvUhiigpIqc=
 github.com/eapache/queue v1.1.0/go.mod h1:6eCeP0CKFpHLu8blIFXhExK/dRa7WDZfr6jVFPTqq+I=
 github.com/elazarl/goproxy v0.0.0-20180725130230-947c36da3153/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc=
-github.com/emanic/gaia v14.272.0+incompatible h1:6oM0EepHreMxFjehI8RSarQYY4WrcqauEQ41HWgsgwY=
-github.com/emanic/gaia v14.272.0+incompatible/go.mod h1:iuig1GYCoYsLY4EVa1X0V2FgKVsRbcEM0kJYWHBxlB0=
 github.com/emicklei/go-restful v0.0.0-20170410110728-ff4f55a20633/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs=
 github.com/emicklei/go-restful v2.9.5+incompatible/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs=
 github.com/emicklei/go-restful/v3 v3.11.0 h1:rAQeMHw1c7zTmncogyy8VvRZwtkmkZ4FxERmMY4rD+g=

pkg/agent/packetcapture/bpf/parser.go → pkg/agent/packetcapture/capture/bpf.go

@@ -12,24 +12,69 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-package bpf
+package capture
 
 import (
 	"encoding/binary"
 	"net"
-	"strings"
 
-	"github.com/emanic/gaia/protocols"
 	"golang.org/x/net/bpf"
 	"k8s.io/apimachinery/pkg/util/intstr"
 
 	crdv1alpha1 "antrea.io/antrea/pkg/apis/crd/v1alpha1"
 )
 
-// CompilePacketFilter compile the CRD spec to bpf instructions. For now, we only focus on
+const (
+	lengthByte    int    = 1
+	lengthHalf    int    = 2
+	lengthWord    int    = 4
+	bitsPerWord   int    = 32
+	etherTypeIPv4 uint32 = 0x0800
+
+	jumpMask           uint32 = 0x1fff
+	ip4SourcePort      uint32 = 14
+	ip4DestinationPort uint32 = 16
+	ip4HeaderSize      uint32 = 14
+	ip4HeaderFlags     uint32 = 20
+)
+
+var (
+	returnDrop                 = bpf.RetConstant{Val: 0}
+	returnKeep                 = bpf.RetConstant{Val: 0x40000}
+	loadIPv4SourcePort         = bpf.LoadIndirect{Off: ip4SourcePort, Size: lengthHalf}
+	loadIPv4DestinationPort    = bpf.LoadIndirect{Off: ip4DestinationPort, Size: lengthHalf}
+	loadEtherKind              = bpf.LoadAbsolute{Off: 12, Size: lengthHalf}
+	loadIPv4SourceAddress      = bpf.LoadAbsolute{Off: 26, Size: lengthWord}
+	loadIPv4DestinationAddress = bpf.LoadAbsolute{Off: 30, Size: lengthWord}
+	loadIPv4Protocol           = bpf.LoadAbsolute{Off: 23, Size: lengthByte}
+)
+
+var ProtocolMap = map[string]uint32{
+	"UDP":  17,
+	"TCP":  6,
+	"ICMP": 1,
+}
+
+func loadIPv4HeaderOffset(skipTrue uint8) []bpf.Instruction {
+	return []bpf.Instruction{
+		bpf.LoadAbsolute{Off: ip4HeaderFlags, Size: lengthHalf},              // flags+fragment offset, since we need to calc where the src/dst port is
+		bpf.JumpIf{Cond: bpf.JumpBitsSet, Val: jumpMask, SkipTrue: skipTrue}, // check if there is a L4 header
+		bpf.LoadMemShift{Off: ip4HeaderSize},                                 // calculate the size of IP header
+	}
+}
+
+func compareProtocolIP4(skipTrue, skipFalse uint8) bpf.Instruction {
+	return bpf.JumpIf{Cond: bpf.JumpEqual, Val: etherTypeIPv4, SkipTrue: skipTrue, SkipFalse: skipFalse}
+}
+
+func compareProtocol(protocol uint32, skipTrue, skipFalse uint8) bpf.Instruction {
+	return bpf.JumpIf{Cond: bpf.JumpEqual, Val: protocol, SkipTrue: skipTrue, SkipFalse: skipFalse}
+}
+
+// compilePacketFilter compile the CRD spec to bpf instructions. For now, we only focus on
 // ipv4 traffic. Compare to the raw BPF filter supported by libpcap, we only need to support
 // limited user cases, so an expression parser is not needed.
-func CompilePacketFilter(packetSpec *crdv1alpha1.Packet, srcIP, dstIP net.IP) []bpf.Instruction {
+func compilePacketFilter(packetSpec *crdv1alpha1.Packet, srcIP, dstIP net.IP) []bpf.Instruction {
 	size := uint8(calInstructionsSize(packetSpec))
 
 	// ipv4 check
@@ -47,8 +92,9 @@ func CompilePacketFilter(packetSpec *crdv1alpha1.Packet, srcIP, dstIP net.IP) []
 			if packetSpec.Protocol.Type == intstr.Int {
 				proto = uint32(packetSpec.Protocol.IntVal)
 			} else {
-				proto = uint32(protocols.L4ProtocolNumberFromName(strings.ToUpper(packetSpec.Protocol.StrVal)))
+				proto = ProtocolMap[packetSpec.Protocol.StrVal]
 			}
+
 			inst = append(inst, loadIPv4Protocol)
 			inst = append(inst, compareProtocol(proto, 0, size-5))
 		}

pkg/agent/packetcapture/bpf/parser_test.go → pkg/agent/packetcapture/capture/bpf_test.go

@@ -12,7 +12,7 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-package bpf
+package capture
 
 import (
 	"net"
@@ -26,9 +26,8 @@ import (
 )
 
 var (
-	testTCPProtocol       = intstr.FromInt(6)
-	testUDPProtocol       = intstr.FromInt(17)
-	testUDPProtoStr       = intstr.FromString("UDP")
+	testTCPProtocol       = intstr.FromString("TCP")
+	testUDPProtocol       = intstr.FromString("UDP")
 	testSrcPort     int32 = 80
 	testDstPort     int32 = 80
 )
@@ -146,7 +145,7 @@ func TestPacketCaptureCompileBPF(t *testing.T) {
 			dstIP: net.ParseIP("127.0.0.2"),
 			spec: &crdv1alpha1.PacketCaptureSpec{
 				Packet: &crdv1alpha1.Packet{
-					Protocol: &testUDPProtoStr,
+					Protocol: &testUDPProtocol,
 					TransportHeader: crdv1alpha1.TransportHeader{
 						UDP: &crdv1alpha1.UDPHeader{
 							SrcPort: &testSrcPort,
@@ -178,7 +177,7 @@ func TestPacketCaptureCompileBPF(t *testing.T) {
 
 	for _, item := range tt {
 		t.Run(item.name, func(t *testing.T) {
-			result := CompilePacketFilter(item.spec.Packet, item.srcIP, item.dstIP)
+			result := compilePacketFilter(item.spec.Packet, item.srcIP, item.dstIP)
 			assert.Equal(t, item.inst, result)
 		})
 	}