adding drop bytes metric

aws · Oct 2, 2024 · 0d45ed5 · 0d45ed5
1 parent 01b330b
commit 0d45ed5
Show file tree

Hide file tree

Showing 4 changed files with 39 additions and 2 deletions.
diff --git a/pkg/ebpf/c/tc.v4egress.bpf.c b/pkg/ebpf/c/tc.v4egress.bpf.c
@@ -163,7 +163,8 @@ int handle_egress(struct __sk_buff *skb)
 		evt.dest_ip = flow_key.dest_ip;
 		evt.dest_port = flow_key.dest_port;
 		evt.protocol = flow_key.protocol;
-
+		evt.is_egress = 1;
+		evt.packet_sz = skb->len; 
 
 		//Check if it's an existing flow
 		flow_val = bpf_map_lookup_elem(&aws_conntrack_map, &flow_key);

diff --git a/pkg/ebpf/c/tc.v4ingress.bpf.c b/pkg/ebpf/c/tc.v4ingress.bpf.c
@@ -170,6 +170,8 @@ int handle_ingress(struct __sk_buff *skb)
 		evt.dest_ip = flow_key.dest_ip;
 		evt.dest_port = flow_key.dest_port;
 		evt.protocol = flow_key.protocol;
+		evt.packet_sz = skb->len
+		evt.is_egress = 0
 
 		//Check for the reverse flow entry in the conntrack table
 		reverse_flow_key.src_ip = ip->daddr;

diff --git a/pkg/ebpf/c/v4events.bpf.c b/pkg/ebpf/c/v4events.bpf.c
@@ -24,6 +24,8 @@ struct data_t {
     __u32  dest_port;
     __u32  protocol;
     __u32  verdict;
+    __64 packet_sz;
+    __u8 is_egress;
 };
 
 struct conntrack_key {

diff --git a/pkg/ebpf/events/events.go b/pkg/ebpf/events/events.go
@@ -11,6 +11,7 @@ import (
 	"github.com/aws/aws-network-policy-agent/pkg/aws"
 	"github.com/aws/aws-network-policy-agent/pkg/aws/services"
 	"github.com/aws/aws-network-policy-agent/pkg/utils"
+	"github.com/prometheus/client_golang/prometheus"
 
 	goebpfevents "github.com/aws/aws-ebpf-sdk-go/pkg/events"
 	awssdk "github.com/aws/aws-sdk-go/aws"
@@ -31,13 +32,37 @@ var (
 	NON_EKS_CW_PATH     = "/aws/"
 )
 
+var (
+	dropCountTotal = prometheus.NewCounterVec(
+		prometheus.CounterOpts{
+			Name: "network_policy_drop_count_total",
+			Help: "Total number of packets dropped by network policy agent",
+		},
+		[]string{"direction"},
+	)
+
+	dropBytesTotal = prometheus.NewCounterVec(
+		prometheus.CounterOpts{
+			Name: "network_policy_drop_bytes_total",
+			Help: "Total number of bytes dropped by network policy agent",
+		},
+		[]string{"direction"},
+	)
+)
+
+func init() {
+	prometheus.MustRegister(dropBytesTotal, dropCountTotal)
+}
+
 type ringBufferDataV4_t struct {
 	SourceIP   uint32
 	SourcePort uint32
 	DestIP     uint32
 	DestPort   uint32
 	Protocol   uint32
 	Verdict    uint32
+	PacketSz   uint64
+	IsEgress   uint8
 }
 
 type ringBufferDataV6_t struct {
@@ -189,7 +214,14 @@ func capturePolicyEvents(ringbufferdata <-chan []byte, log logr.Logger, enableCl
 				}
 				protocol := utils.GetProtocol(int(rb.Protocol))
 				verdict := getVerdict(int(rb.Verdict))
-
+				if rb.Verdict == uint32(0) {
+					direction := "egress"
+					if rb.IsEgress == 0 {
+						direction = "ingress"
+					}
+					dropCountTotal.WithLabelValues(direction).Add(float64(1))
+					dropBytesTotal.WithLabelValues(direction).Add(float64(rb.PacketSz))
+				}
 				log.Info("Flow Info:  ", "Src IP", utils.ConvByteArrayToIP(rb.SourceIP), "Src Port", rb.SourcePort,
 					"Dest IP", utils.ConvByteArrayToIP(rb.DestIP), "Dest Port", rb.DestPort,
 					"Proto", protocol, "Verdict", verdict)