aws
diff --git a/‎main.go‎
Lines changed: 1 addition & 1 deletion b/‎main.go‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎pkg/config/controller_config.go‎
Lines changed: 6 additions & 1 deletion b/‎pkg/config/controller_config.go‎
Lines changed: 6 additions & 1 deletion
diff --git a/‎pkg/ebpf/bpf_client.go‎
Lines changed: 56 additions & 9 deletions b/‎pkg/ebpf/bpf_client.go‎
Lines changed: 56 additions & 9 deletions
diff --git a/‎pkg/ebpf/c/tc.v4egress.bpf.c‎
Lines changed: 21 additions & 8 deletions b/‎pkg/ebpf/c/tc.v4egress.bpf.c‎
Lines changed: 21 additions & 8 deletions
diff --git a/‎pkg/ebpf/c/tc.v4ingress.bpf.c‎
Lines changed: 23 additions & 10 deletions b/‎pkg/ebpf/c/tc.v4ingress.bpf.c‎
Lines changed: 23 additions & 10 deletions
@@ -114,7 +114,7 @@ func main() {
 
 		npMode, isMultiNICEnabled := lo.Must2(getNetworkPolicyConfigsFromIpamd(log))
 
-		ebpfClient := lo.Must1(ebpf.NewBpfClient(nodeIP, ctrlConfig.EnablePolicyEventLogs, ctrlConfig.EnableCloudWatchLogs,
+		ebpfClient := lo.Must1(ebpf.NewBpfClient(nodeIP, ctrlConfig.EnablePolicyEventLogs, ctrlConfig.PolicyEventLogsScope, ctrlConfig.EnableCloudWatchLogs,
 			ctrlConfig.EnableIPv6, ctrlConfig.ConntrackCacheCleanupPeriod, ctrlConfig.ConntrackCacheTableSize, npMode, isMultiNICEnabled))
 		ebpfClient.ReAttachEbpfProbes()
 
 
@@ -21,7 +21,9 @@ const (
 	defaultMaxConcurrentReconciles     = 3
 	defaultConntrackCacheCleanupPeriod = 300
 	defaultConntrackCacheTableSize     = 512 * 1024
+	defaultPolicyEventLogsScope        = "ACCEPT"
 	flagEnablePolicyEventLogs          = "enable-policy-event-logs"
+	flagPolicyEventLogsScope           = "policy-event-logs-scope"
 	flagEnableCloudWatchLogs           = "enable-cloudwatch-logs"
 	flagEnableIPv6                     = "enable-ipv6"
 	flagEnableNetworkPolicy            = "enable-network-policy"
@@ -58,6 +60,8 @@ type ControllerConfig struct {
 	RuntimeConfig RuntimeConfig
 	// Configuration for enabling profiling
 	EnableProfiling bool
+	// Policy event logs scope
+	PolicyEventLogsScope string
 }
 
 func (cfg *ControllerConfig) BindFlags(fs *pflag.FlagSet) {
@@ -80,7 +84,8 @@ func (cfg *ControllerConfig) BindFlags(fs *pflag.FlagSet) {
 		"Cleanup interval for network policy agent conntrack cache")
 	fs.IntVar(&cfg.ConntrackCacheTableSize, flagConntrackCacheTableSize, defaultConntrackCacheTableSize, ""+
 		"Table size for network policy agent conntrack cache")
-
+	fs.StringVar(&cfg.PolicyEventLogsScope, flagPolicyEventLogsScope, defaultPolicyEventLogsScope, ""+
+		"Set the policy event logs scope, if set to ACCEPT both ACCEPT and DENY events are generated, if set to DENY only DENY events are generated - ACCEPT, DENY")
 	cfg.RuntimeConfig.BindFlags(fs)
 }
 
 
@@ -44,19 +44,22 @@ var (
 	TC_EGRESS_POD_STATE_MAP                    = "egress_pod_state_map"
 	AWS_CONNTRACK_MAP                          = "aws_conntrack_map"
 	AWS_EVENTS_MAP                             = "policy_events"
+	AWS_EVENTS_SCOPE_MAP                       = "policy_events_scope"
 	EKS_CLI_BINARY                             = "aws-eks-na-cli"
 	EKS_V6_CLI_BINARY                          = "aws-eks-na-cli-v6"
 	hostBinaryPath                             = "/host/opt/cni/bin/"
 	IPv4_HOST_MASK                             = "/32"
 	IPv6_HOST_MASK                             = "/128"
 	CONNTRACK_MAP_PIN_PATH                     = "/sys/fs/bpf/globals/aws/maps/global_aws_conntrack_map"
 	POLICY_EVENTS_MAP_PIN_PATH                 = "/sys/fs/bpf/globals/aws/maps/global_policy_events"
+	POLICY_EVENTS_SCOPE_MAP_PIN_PATH           = "/sys/fs/bpf/globals/aws/maps/global_policy_events_scope"
 	CATCH_ALL_PROTOCOL         corev1.Protocol = "ANY_IP_PROTOCOL"
 	POD_VETH_PREFIX                            = "eni"
 	POLICIES_APPLIED                           = 0
 	DEFAULT_ALLOW                              = 1
 	DEFAULT_DENY                               = 2
 	POD_STATE_MAP_KEY                          = 0
+	POLICY_EVENTS_SCOPE_MAP_KEY                = 0
 	BRANCH_ENI_VETH_PREFIX                     = "vlan"
 	INTERFACE_COUNT_UNKNOWN                    = -1 // Used when caller doesn't know interface count
 	INTERFACE_COUNT_DEFAULT                    = 1  // Default single interface
@@ -90,6 +93,10 @@ type pod_state struct {
 	state uint8
 }
 
+type policy_scope struct {
+	scope uint8
+}
+
 func msSince(start time.Time) float64 {
 	return float64(time.Since(start) / time.Millisecond)
 }
@@ -118,9 +125,10 @@ type BPFContext struct {
 	conntrackMapInfo goebpfmaps.BpfMap
 }
 
-func NewBpfClient(nodeIP string, enablePolicyEventLogs, enableCloudWatchLogs bool,
+func NewBpfClient(nodeIP string, enablePolicyEventLogs bool, policyEventsLogsScope string, enableCloudWatchLogs bool,
 	enableIPv6 bool, conntrackTTL int, conntrackTableSize int, networkPolicyMode string, isMultiNICEnabled bool) (*bpfClient, error) {
 	var conntrackMap goebpfmaps.BpfMap
+	var policyEventsScopeMap goebpfmaps.BpfMap
 
 	ebpfClient := &bpfClient{
 		// Maps PolicyEndpoint resource to it's eBPF context
@@ -147,7 +155,7 @@ func NewBpfClient(nodeIP string, enablePolicyEventLogs, enableCloudWatchLogs boo
 		ebpfClient.hostMask = ingressBinary, egressBinary, hostMask
 
 	bpfBinaries := []string{eventsBinary, ingressBinary, egressBinary, cliBinary}
-	isConntrackMapPresent, isPolicyEventsMapPresent := false, false
+	isConntrackMapPresent, isPolicyEventsMapPresent, isPolicyEventsScopeMapPresent := false, false, false
 	var err error
 
 	ebpfClient.bpfSDKClient = goelf.New()
@@ -182,7 +190,7 @@ func NewBpfClient(nodeIP string, enablePolicyEventLogs, enableCloudWatchLogs boo
 	var interfaceNametoIngressPinPath map[string]string
 	var interfaceNametoEgressPinPath map[string]string
 	eventBufferFD := 0
-	isConntrackMapPresent, isPolicyEventsMapPresent, eventBufferFD, interfaceNametoIngressPinPath, interfaceNametoEgressPinPath, err = ebpfClient.recoverBPFState(ebpfClient.bpfTCClient, ebpfClient.bpfSDKClient, ebpfClient.policyEndpointeBPFContext,
+	isConntrackMapPresent, isPolicyEventsMapPresent, isPolicyEventsScopeMapPresent, eventBufferFD, interfaceNametoIngressPinPath, interfaceNametoEgressPinPath, err = ebpfClient.recoverBPFState(ebpfClient.bpfTCClient, ebpfClient.bpfSDKClient, ebpfClient.policyEndpointeBPFContext,
 		ebpfClient.globalMaps, ingressUpdateRequired, egressUpdateRequired, eventsUpdateRequired)
 	if err != nil {
 		//Log the error and move on
@@ -197,7 +205,7 @@ func NewBpfClient(nodeIP string, enablePolicyEventLogs, enableCloudWatchLogs boo
 	// - Current events binary packaged with network policy agent is different than the one installed
 	//   during the previous installation (or)
 	// - Either Conntrack Map (or) Events Map is currently missing on the node
-	if eventsUpdateRequired || (!isConntrackMapPresent || !isPolicyEventsMapPresent) {
+	if eventsUpdateRequired || (!isConntrackMapPresent || !isPolicyEventsMapPresent || !isPolicyEventsScopeMapPresent) {
 		log().Info("Install the default global maps")
 		eventsProbe := EVENTS_BINARY
 		if enableIPv6 {
@@ -227,6 +235,10 @@ func NewBpfClient(nodeIP string, enablePolicyEventLogs, enableCloudWatchLogs boo
 			if mapName == AWS_EVENTS_MAP {
 				eventBufferFD = int(mapInfo.MapFD)
 			}
+			if mapName == AWS_EVENTS_SCOPE_MAP {
+				policyEventsScopeMap = mapInfo
+				isPolicyEventsScopeMapPresent = true
+			}
 		}
 	}
 
@@ -245,6 +257,36 @@ func NewBpfClient(nodeIP string, enablePolicyEventLogs, enableCloudWatchLogs boo
 	ebpfClient.conntrackClient = conntrack.NewConntrackClient(conntrackMap, enableIPv6)
 	log().Info("Initialized Conntrack client")
 
+	//if present update the PolicyEventsScope Map
+	if isPolicyEventsScopeMapPresent {
+		recoveredPolicyEventsScopeMap, ok := ebpfClient.globalMaps.Load(POLICY_EVENTS_SCOPE_MAP_PIN_PATH)
+		if ok {
+			policyEventsScopeMap = recoveredPolicyEventsScopeMap.(goebpfmaps.BpfMap)
+			log().Info("Derived existing policyEventsScopeMap identifier")
+		} else {
+			log().Errorf("Unable to get policyEventsScopeMap post recovery..error: %v", err)
+			sdkAPIErr.WithLabelValues("RecoveryFailed").Inc()
+			return nil, err
+		}
+
+		key := uint32(POLICY_EVENTS_SCOPE_MAP_KEY)
+		scope := uint8(utils.ACCEPT.Index())
+
+		if policyEventsLogsScope == "DENY" {
+			scope = uint8(utils.DENY.Index())
+		}
+		
+		value := policy_scope{scope: scope}
+		log().Infof("Will update Policy Events Scope Map: key=%d value=%v", key, value)
+		err := policyEventsScopeMap.CreateUpdateMapEntry(uintptr(unsafe.Pointer(&key)), uintptr(unsafe.Pointer(&value)), 0)
+
+		if err != nil {
+			log().Errorf("Policy Events Scope Map update failed: %v", err)
+			sdkAPIErr.WithLabelValues("updateEbpfMap-policy-events-scope").Inc()
+		}
+		log().Infof("Updated Policy Events Scope Map: key=%d value=%v", key, value)
+	}
+
 	if enablePolicyEventLogs {
 		err = events.ConfigurePolicyEventsLogging(enableCloudWatchLogs, eventBufferFD, enableIPv6)
 		if err != nil {
@@ -376,8 +418,8 @@ func checkAndUpdateBPFBinaries(bpfTCClient tc.BpfTc, bpfBinaries []string, hostB
 }
 
 func (l *bpfClient) recoverBPFState(bpfTCClient tc.BpfTc, eBPFSDKClient goelf.BpfSDKClient, policyEndpointeBPFContext *sync.Map, globalMaps *sync.Map, updateIngressProbe,
-	updateEgressProbe, updateEventsProbe bool) (bool, bool, int, map[string]string, map[string]string, error) {
-	isConntrackMapPresent, isPolicyEventsMapPresent := false, false
+	updateEgressProbe, updateEventsProbe bool) (bool, bool, bool, int, map[string]string, map[string]string, error) {
+	isConntrackMapPresent, isPolicyEventsMapPresent, isPolicyEventsScopeMapPresent := false, false, false
 	eventsMapFD := 0
 	var interfaceNametoIngressPinPath = make(map[string]string)
 	var interfaceNametoEgressPinPath = make(map[string]string)
@@ -389,7 +431,7 @@ func (l *bpfClient) recoverBPFState(bpfTCClient tc.BpfTc, eBPFSDKClient goelf.Bp
 		if err != nil {
 			log().Errorf("failed to recover global maps %v", err)
 			sdkAPIErr.WithLabelValues("RecoverGlobalMaps").Inc()
-			return isConntrackMapPresent, isPolicyEventsMapPresent, eventsMapFD, interfaceNametoIngressPinPath, interfaceNametoEgressPinPath, nil
+			return isConntrackMapPresent, isPolicyEventsMapPresent, isPolicyEventsScopeMapPresent, eventsMapFD, interfaceNametoIngressPinPath, interfaceNametoEgressPinPath, nil
 		}
 		log().Infof("Total no of  global maps recovered count: %d", len(recoveredGlobalMaps))
 		for globalMapName, globalMap := range recoveredGlobalMaps {
@@ -404,6 +446,11 @@ func (l *bpfClient) recoverBPFState(bpfTCClient tc.BpfTc, eBPFSDKClient goelf.Bp
 				eventsMapFD = int(globalMap.MapFD)
 				log().Infof("Policy event Map is already present on the node Recovered FD: %d", eventsMapFD)
 			}
+			if globalMapName == POLICY_EVENTS_SCOPE_MAP_PIN_PATH {
+				log().Info("Policy event scope Map is already present on the node")
+				isPolicyEventsScopeMapPresent = true
+				globalMaps.Store(globalMapName, globalMap)
+			}
 		}
 	}
 
@@ -472,7 +519,7 @@ func (l *bpfClient) recoverBPFState(bpfTCClient tc.BpfTc, eBPFSDKClient goelf.Bp
 		if err != nil {
 			log().Errorf("GetAllBpfProgramsAndMaps failed %v", err)
 			sdkAPIErr.WithLabelValues("GetAllBpfProgramsAndMaps").Inc()
-			return isConntrackMapPresent, isPolicyEventsMapPresent, eventsMapFD, interfaceNametoIngressPinPath, interfaceNametoEgressPinPath, err
+			return isConntrackMapPresent, isPolicyEventsMapPresent, isPolicyEventsScopeMapPresent, eventsMapFD, interfaceNametoIngressPinPath, interfaceNametoEgressPinPath, err
 		}
 		log().Infof("GetAllBpfProgramsAndMaps returned %d", len(bpfState))
 		progIdToPinPath := make(map[int]string)
@@ -510,7 +557,7 @@ func (l *bpfClient) recoverBPFState(bpfTCClient tc.BpfTc, eBPFSDKClient goelf.Bp
 		log().Info("Collected all data for reattaching probes")
 	}
 
-	return isConntrackMapPresent, isPolicyEventsMapPresent, eventsMapFD, interfaceNametoIngressPinPath, interfaceNametoEgressPinPath, nil
+	return isConntrackMapPresent, isPolicyEventsMapPresent, isPolicyEventsScopeMapPresent, eventsMapFD, interfaceNametoIngressPinPath, interfaceNametoEgressPinPath, nil
 }
 
 func (l *bpfClient) ReAttachEbpfProbes() error {
 
@@ -83,6 +83,10 @@ struct pod_state {
     __u8 state; // 0 => POLICIES_APPLIED, 1 => DEFAULT_ALLOW, 2 => DEFAULT_DENY
 };
 
+struct policy_scope {
+   __u8 scope;
+};
+
 struct bpf_map_def_pvt SEC("maps") egress_pod_state_map = {
     .type        = BPF_MAP_TYPE_HASH,
     .key_size    = sizeof(__u32), // default key = 0. We are storing a single state per pod identifier
@@ -94,20 +98,29 @@ struct bpf_map_def_pvt SEC("maps") egress_pod_state_map = {
 
 struct bpf_map_def_pvt aws_conntrack_map;
 struct bpf_map_def_pvt policy_events;
+struct bpf_map_def_pvt policy_events_scope;
+
+static void publishPolicyEvent(struct data_t evt) {	
+	__u32 plsc_key = 0;
+	struct policy_scope *plsc = bpf_map_lookup_elem(&policy_events_scope, &plsc_key);
+	if (plsc == NULL || plsc->scope >= evt.verdict) {
+		bpf_ringbuf_output(&policy_events, &evt, sizeof(evt), 0);
+	}
+}
 
 static __always_inline int evaluateByLookUp(struct keystruct trie_key, struct conntrack_key flow_key, struct pod_state *pst, struct data_t evt) {	
 	//Check if it's in the allowed list
 	struct lpm_trie_val *trie_val = bpf_map_lookup_elem(&egress_map, &trie_key);
 	if (trie_val == NULL) {
 		evt.verdict = 0;
-		bpf_ringbuf_output(&policy_events, &evt, sizeof(evt), 0);
+		publishPolicyEvent(evt);
 		return BPF_DROP;
 	}
 
 	for (int i = 0; i < MAX_PORT_PROTOCOL; i++, trie_val++){
 		if (trie_val->protocol == RESERVED_IP_PROTOCOL) {
 			evt.verdict = 0;
-			bpf_ringbuf_output(&policy_events, &evt, sizeof(evt), 0);
+			publishPolicyEvent(evt);
 			return BPF_DROP;
 		}
 
@@ -137,12 +150,12 @@ static __always_inline int evaluateByLookUp(struct keystruct trie_key, struct co
 			}
 			bpf_map_update_elem(&aws_conntrack_map, &flow_key, &new_flow_val, 0); // 0 - BPF_ANY
 			evt.verdict = 1;
-			bpf_ringbuf_output(&policy_events, &evt, sizeof(evt), 0);
+			publishPolicyEvent(evt);
 			return BPF_OK;
 		}
 	}
 	evt.verdict = 0;
-	bpf_ringbuf_output(&policy_events, &evt, sizeof(evt), 0);
+	publishPolicyEvent(evt);
 	return BPF_DROP;
 }
 
@@ -164,7 +177,6 @@ int handle_egress(struct __sk_buff *skb)
 	__builtin_memset(&src_ip, 0, sizeof(src_ip));
 	__builtin_memset(&reverse_flow_key, 0, sizeof(reverse_flow_key));
 
-
 	struct ethhdr *ether = data;
 	if (data + sizeof(*ether) > data_end) {
 		return BPF_OK;
@@ -240,13 +252,13 @@ int handle_egress(struct __sk_buff *skb)
 		// There should always be an entry in pod_state_map. pst returned in above line should never be null.
 		if (pst == NULL) {
 			evt.verdict = 0;
-			bpf_ringbuf_output(&policy_events, &evt, sizeof(evt), 0);
+			publishPolicyEvent(evt);
 			return BPF_DROP;
 		}
 
 		if (pst->state == DEFAULT_DENY) {
 			evt.verdict = 0;
-			bpf_ringbuf_output(&policy_events, &evt, sizeof(evt), 0);
+			publishPolicyEvent(evt);
 			return BPF_DROP;
 		}
 
@@ -288,6 +300,7 @@ int handle_egress(struct __sk_buff *skb)
 		reverse_flow_val = bpf_map_lookup_elem(&aws_conntrack_map, &reverse_flow_key);
 
 		if (reverse_flow_val != NULL) { 
+			publishPolicyEvent(evt);
 			return BPF_OK;
 		}
 
@@ -296,7 +309,7 @@ int handle_egress(struct __sk_buff *skb)
 			new_flow_val.val = CT_VAL_DEFAULT_ALLOW;
 			bpf_map_update_elem(&aws_conntrack_map, &flow_key, &new_flow_val, 0); // 0 - BPF_ANY
 			evt.verdict = 1;
-			bpf_ringbuf_output(&policy_events, &evt, sizeof(evt), 0);
+			publishPolicyEvent(evt);
 			return BPF_OK;
 		}
 
 
@@ -83,6 +83,10 @@ struct pod_state {
     __u8 state; // 0 => POLICIES_APPLIED, 1 => DEFAULT_ALLOW, 2 => DEFAULT_DENY
 };
 
+struct policy_scope {
+   __u8 scope;
+};
+
 struct bpf_map_def_pvt SEC("maps") ingress_pod_state_map = {
     .type        = BPF_MAP_TYPE_HASH,
     .key_size    = sizeof(__u32), // default key = 0. We are storing a single state per pod identifier
@@ -94,20 +98,29 @@ struct bpf_map_def_pvt SEC("maps") ingress_pod_state_map = {
 
 struct bpf_map_def_pvt aws_conntrack_map;
 struct bpf_map_def_pvt policy_events;
+struct bpf_map_def_pvt policy_events_scope;
+
+static void publishPolicyEvent(struct data_t evt) {	
+	__u32 plsc_key = 0;
+	struct policy_scope *plsc = bpf_map_lookup_elem(&policy_events_scope, &plsc_key);
+	if (plsc == NULL || plsc->scope >= evt.verdict) {
+		bpf_ringbuf_output(&policy_events, &evt, sizeof(evt), 0);
+	}
+}
 
 static __always_inline int evaluateByLookUp(struct keystruct trie_key, struct conntrack_key flow_key, struct pod_state *pst, struct data_t evt) {	
 	//Check if it's in the allowed list
 	struct lpm_trie_val *trie_val = bpf_map_lookup_elem(&ingress_map, &trie_key);
 	if (trie_val == NULL) {
-		evt.verdict = 0;		    
-		bpf_ringbuf_output(&policy_events, &evt, sizeof(evt), 0);
+		evt.verdict = 0;
+		publishPolicyEvent(evt);
 		return BPF_DROP;
 	}
 
 	for (int i = 0; i < MAX_PORT_PROTOCOL; i++, trie_val++){
 		if (trie_val->protocol == RESERVED_IP_PROTOCOL) {
-			evt.verdict = 0;	
-			bpf_ringbuf_output(&policy_events, &evt, sizeof(evt), 0);
+			evt.verdict = 0;
+			publishPolicyEvent(evt);
 			return BPF_DROP;
 		}
 
@@ -136,12 +149,12 @@ static __always_inline int evaluateByLookUp(struct keystruct trie_key, struct co
 			}
 			bpf_map_update_elem(&aws_conntrack_map, &flow_key, &new_flow_val, 0); // 0 - BPF_ANY
 			evt.verdict = 1;
-			bpf_ringbuf_output(&policy_events, &evt, sizeof(evt), 0);
+			publishPolicyEvent(evt);
 			return BPF_OK;
 		}
 	}
-	evt.verdict = 0;		    
-	bpf_ringbuf_output(&policy_events, &evt, sizeof(evt), 0);
+	evt.verdict = 0;
+	publishPolicyEvent(evt);
 	return BPF_DROP;
 }
 
@@ -239,13 +252,13 @@ int handle_ingress(struct __sk_buff *skb)
 		// There should always be an entry in pod_state_map. pst returned in above line should never be null.
 		if (pst == NULL) {
 			evt.verdict = 0;
-			bpf_ringbuf_output(&policy_events, &evt, sizeof(evt), 0);
+			publishPolicyEvent(evt);
 			return BPF_DROP;
 		}
 
 		if (pst->state == DEFAULT_DENY) {
 			evt.verdict = 0;
-			bpf_ringbuf_output(&policy_events, &evt, sizeof(evt), 0);
+			publishPolicyEvent(evt);
 			return BPF_DROP;
 		}
 
@@ -295,7 +308,7 @@ int handle_ingress(struct __sk_buff *skb)
 			new_flow_val.val = CT_VAL_DEFAULT_ALLOW;
 			bpf_map_update_elem(&aws_conntrack_map, &flow_key, &new_flow_val, 0); // 0 - BPF_ANY
 			evt.verdict = 1;
-			bpf_ringbuf_output(&policy_events, &evt, sizeof(evt), 0);
+			publishPolicyEvent(evt);
 			return BPF_OK;
 		}