Fix L7NP enable logging wrong packet

Current logs by Suricata when enableLogging is set, logs the wrong packet of RST instead of the original TCP packet. This solution modifies the Suricata tagging configuration to track packets for host instead of for session, so that the original TCP packet is also logged. Fixes #6636. Signed-off-by: Qiyue Yao <yaoq@vmware.com>
antrea-io · Sep 4, 2024 · 92fc79c · 92fc79c
1 parent b9f67f4
commit 92fc79c
Show file tree

Hide file tree

Showing 2 changed files with 29 additions and 28 deletions.
diff --git a/docs/antrea-l7-network-policy.md b/docs/antrea-l7-network-policy.md
@@ -329,24 +329,24 @@ Allow ingress from client (10.10.1.9) to web (10.10.1.10/public/*).
 }
 ```
 
-Deny ingress from client (10.10.1.9) to web (10.10.1.10/admin/*)
+Deny ingress from client (10.10.1.4) to web (10.10.1.3/admin/*).
 
 ```json
 {
-  "timestamp": "2024-08-26T22:38:26.019956+0000",
-  "flow_id": 642636870504569,
+  "timestamp": "2024-09-04T21:00:09.613227+0000",
+  "flow_id": 1179717331488573,
   "in_iface": "antrea-l7-tap0",
   "event_type": "alert",
   "vlan": [
-    2
+    1
   ],
-  "src_ip": "10.10.1.9",
-  "src_port": 37892,
-  "dest_ip": "10.10.1.10",
+  "src_ip": "10.10.1.4",
+  "src_port": 35396,
+  "dest_ip": "10.10.1.3",
   "dest_port": 80,
   "proto": "TCP",
-  "pkt_src": "wire/pcap",
-  "tenant_id": 2,
+  "pkt_src": "stream (flow timeout)",
+  "tenant_id": 1,
   "alert": {
     "action": "blocked",
     "gid": 1,
@@ -355,43 +355,44 @@ Deny ingress from client (10.10.1.9) to web (10.10.1.10/admin/*)
     "signature": "Reject by AntreaNetworkPolicy:default/allow-privileged-url-to-admin-role",
     "category": "",
     "severity": 3,
-    "tenant_id": 2
+    "tenant_id": 1
   },
   "app_proto": "http",
   "direction": "to_server",
   "flow": {
     "pkts_toserver": 3,
-    "pkts_toclient": 1,
-    "bytes_toserver": 308,
-    "bytes_toclient": 78,
-    "start": "2024-08-26T22:38:26.018553+0000",
-    "src_ip": "10.10.1.9",
-    "dest_ip": "10.10.1.10",
-    "src_port": 37892,
+    "pkts_toclient": 2,
+    "bytes_toserver": 307,
+    "bytes_toclient": 136,
+    "start": "2024-09-04T20:59:08.864498+0000",
+    "src_ip": "10.10.1.4",
+    "dest_ip": "10.10.1.3",
+    "src_port": 35396,
     "dest_port": 80
   }
 }
 ```
 
-Additional packet log when `enableLogging` is set
+Additional packet logs are available when `enableLogging` is set, including the
+original packet that triggered the alert.
 
 ```json
 {
-  "timestamp": "2024-08-26T22:38:26.025742+0000",
-  "flow_id": 642636870504569,
+  "timestamp": "2024-09-04T20:59:32.353696+0000",
+  "flow_id": 1232822280696552,
   "in_iface": "antrea-l7-tap0",
   "event_type": "packet",
   "vlan": [
-    2
+    1
   ],
-  "src_ip": "10.10.1.10",
-  "src_port": 80,
-  "dest_ip": "10.10.1.9",
-  "dest_port": 37892,
+  "src_ip": "10.10.1.4",
+  "src_port": 35154,
+  "dest_ip": "10.10.1.3",
+  "dest_port": 80,
   "proto": "TCP",
   "pkt_src": "wire/pcap",
-  "tenant_id": 2,
-  "packet": "/hYGSsKknh8fnhcggQAAAggARQAAKN7MAABABoXdCgoBCgoKAQkAUJQE0EfjHLfFVXZQFAH7QroAAA==",
+  "tenant_id": 1,
+  "packet": "dtwWezuaHlOhfWpNgQAAAQgARQAAjbT0QABABm9cCgoBBAoKAQOJUgBQa2w1WZlax6yAGAH7nAIAAAEBCAorcsv8RSTwQkdFVCAvYWRtaW4vaW5kZXguaHRtbCBIVFRQLzEuMQ0KSG9zdDogMTAuMTAuMS4zDQpVc2VyLUFnZW50OiBjdXJsLzcuNzQuMA0KQWNjZXB0OiAqLyoNCg0K",
   "packet_info": {
     "linktype": 1
   }

diff --git a/pkg/agent/controller/networkpolicy/l7engine/reconciler.go b/pkg/agent/controller/networkpolicy/l7engine/reconciler.go
@@ -178,7 +178,7 @@ func generateTenantRulesData(policyName string, protoKeywords map[string]sets.Se
 	// Refer to Suricata detect engine in codebase for detailed tag keyword configuration.
 	var tagKeyword string
 	if enableLogging {
-		tagKeyword = " tag: session, 30, seconds;"
+		tagKeyword = " tag:host;"
 	}
 
 	// Generate default reject rule.