
Commit f1ce8aa

committed
filter localhost traffic
Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>
1 parent 101a48d commit f1ce8aa

2 files changed

Lines changed: 66 additions & 22 deletions


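--- a/checks/net_pod_correlation.go
+++ b/checks/net_pod_correlation.go
@@ -289,6 +289,11 @@ func (pi *podCorrelationInfo) exportOTELMetrics(conn *network.ConnectionStats, m
 // 5. ExternalIP -> Pod (INCOMING)
 srcPodInfo, dstPodInfo := pi.observer.ResolvePodsByIPs(conn.ConnectionTuple.Source, conn.ConnectionTuple.Dest, conn.Duration)
 
+// if we arrive here the connection is in a pod network ns so if we are not able to resolve the src ip it means it is not in a pod. This is true for both INCOMING and OUTGOING connections
+if srcPodInfo == nil {
+return
+}
+
 if conn.Direction == network.OUTGOING {
 // We try the resolution
 if dstPodInfo == nil && conn.IPTranslation != nil && conn.IPTranslation.ReplSrcIP.IsValid() {
@@ -299,13 +304,8 @@ func (pi *podCorrelationInfo) exportOTELMetrics(conn *network.ConnectionStats, m
 }
 }
 
-// we can do nothing
-if srcPodInfo == nil && dstPodInfo == nil {
-return
-}
-
 // if one of the 2 is nil we need to check if we want to export partial correlation
-if (dstPodInfo == nil || srcPodInfo == nil) && !pi.exportPartialCorrelation {
+if dstPodInfo == nil && !pi.exportPartialCorrelation {
 return
 }
 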
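Review bot: The new `if srcPodInfo == nil { return }` guard in the first hunk drops every connection whose source fails to resolve, which is wider than the localhost traffic named in the commit title, and nothing is logged or counted when it fires. A pod whose IP the observer does not hold for the queried interval (the lookup takes `conn.Duration`, so resolution may be time-dependent) would lose its flows from the exported metrics without any trace, and `exportPartialCorrelation` no longer rescues a nil source as it did before the second hunk's change. If only loopback is meant, test the address itself and leave the partial-correlation path alone; otherwise reword the comment to something like `// unresolved source: dropped even when exportPartialCorrelation is set` and count the drops so the visibility gap can be monitored. exportOTELMetrics starts and ends outside both hunks, so any netns filtering done before this point is not visible here.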

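--- a/checks/net_pod_correlation_test.go
+++ b/checks/net_pod_correlation_test.go
@@ -70,7 +70,10 @@ func TestPodCorrelation(t *testing.T) {
 postgresClientSentBytes = int64(222)
 
 // pod in hostNetwork will have this IP
-hostIP = util.AddressFromString("192.168.1.7")
+hostIP = util.AddressFromString("192.168.1.7")
+localhostIP = util.AddressFromString("127.0.0.1")
+randomLocalHostPort = uint16(46734)
+
 hostNs = uint32(1)
 )
 
@@ -269,23 +272,64 @@ func TestPodCorrelation(t *testing.T) {
 // before: postgres-client -> postgres-server
 // after: postgres-client -> hostIP
 conn := updateLocalIP(defaultPostgresIncomingConnection, hostIP)
+// this is now an incoming connection on the host network so we should also change the netns to 0.
+// since the connection is in the root netns we will filter it out
+conn.NetNS = 0
 pi.processConnections([]network.ConnectionStats{conn}, nil)
 require.NoError(t, pi.metrics.Reader.Collect(t.Context(), &rm))
-require.Len(t, rm.ScopeMetrics, 1)
-require.Len(t, rm.ScopeMetrics[0].Metrics, 2)
-metrics := rm.ScopeMetrics[0].Metrics
-sortOTELMetricsByName(metrics)
-
-attrs := pi.getMetricAttributes(&conn, nil, &postgresClientPodInfo)
-assertInt64Metric(t, metrics[0], telemetry.ReceivedMetricName, metricdata.DataPoint[int64]{
-// The connection is incoming so they recv/sent are inverted.
-Value: 222,
-Attributes: attribute.NewSet(attrs...),
-})
-assertInt64Metric(t, metrics[1], telemetry.SentMetricName, metricdata.DataPoint[int64]{
-Value: 111,
-Attributes: attribute.NewSet(attrs...),
-})
+require.Len(t, rm.ScopeMetrics, 0)
+require.Len(t, pi.storedConnections, 0)
+},
+},
+{
+name: "localhost outgoing",
+exportProtocolMetrics: false,
+exportPartialCorrelation: true,
+testBody: func(t *testing.T, pi *podCorrelationInfo) {
+// this is an outgoing connection inside the pod (localhost -> localhost)
+conn := network.ConnectionStats{
+ConnectionTuple: network.ConnectionTuple{
+Type: network.TCP,
+Direction: network.OUTGOING,
+// Outgoing connection so fields are not inverted
+Source: localhostIP,
+SPort: randomLocalHostPort,
+Dest: localhostIP,
+DPort: randomLocalHostPort,
+// we suppose this is in the server pod netns
+NetNS: postgresServerNs,
+},
+Duration: 10 * time.Second,
+}
+pi.processConnections([]network.ConnectionStats{conn}, nil)
+require.NoError(t, pi.metrics.Reader.Collect(t.Context(), &rm))
+require.Len(t, rm.ScopeMetrics, 0)
+require.Len(t, pi.storedConnections, 0)
+},
+},
+{
+name: "localhost incoming",
+exportProtocolMetrics: false,
+exportPartialCorrelation: true,
+testBody: func(t *testing.T, pi *podCorrelationInfo) {
+// this is an incoming connection inside the pod (localhost -> localhost)
+conn := network.ConnectionStats{
+ConnectionTuple: network.ConnectionTuple{
+Type: network.TCP,
+Direction: network.INCOMING,
+Source: localhostIP,
+SPort: randomLocalHostPort,
+Dest: localhostIP,
+DPort: randomLocalHostPort,
+// we suppose this is in the server pod netns
+NetNS: postgresServerNs,
+},
+Duration: 10 * time.Second,
+}
+pi.processConnections([]network.ConnectionStats{conn}, nil)
+require.NoError(t, pi.metrics.Reader.Collect(t.Context(), &rm))
+require.Len(t, rm.ScopeMetrics, 0)
+require.Len(t, pi.storedConnections, 0)
 },
 },
 }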
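Review bot: The host-network case in the second hunk now sets `conn.NetNS = 0`, so by its own comment it is rejected by the root-netns filter and no longer reaches the new `srcPodInfo == nil` guard; only the two loopback cases do. A connection in a pod netns whose source is unresolved but not loopback, with `exportPartialCorrelation: true` and a resolvable destination, was exported before this commit (the removed assertions used `getMetricAttributes(&conn, nil, &postgresClientPodInfo)`) and is now untested, so a case asserting the intended outcome for it is missing. The literal `0` also sits beside the fixture's `hostNs = uint32(1)`; if `hostNs` is meant to be the root namespace, `conn.NetNS = hostNs` or a short comment explaining why 0 is used would make clear which filter this case exercises. TestPodCorrelation starts and ends outside both hunks.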
