From c314595f844b60ade2b6c72723c1b2340cbea84e Mon Sep 17 00:00:00 2001 From: Paul Chaignon Date: Wed, 6 Dec 2023 15:14:49 +0100 Subject: [PATCH] connectivity: Add flag --expected-drop-reasons This new flag can be used to customize the set of expected reasons for packet drops, for the new test that ensure we don't have any unexpected packet drops. Signed-off-by: Paul Chaignon --- connectivity/check/check.go | 7 +++++-- connectivity/suite.go | 2 +- connectivity/tests/errors.go | 19 +++++++++++++++---- defaults/defaults.go | 6 ++++++ internal/cli/cmd/connectivity.go | 3 +++ 5 files changed, 30 insertions(+), 7 deletions(-) diff --git a/connectivity/check/check.go b/connectivity/check/check.go index 25bdefc66c..a05347bd26 100644 --- a/connectivity/check/check.go +++ b/connectivity/check/check.go @@ -74,8 +74,11 @@ type Parameters struct { ConnDisruptTestRestartsPath string ConnDisruptTestXfrmErrorsPath string ConnDisruptDispatchInterval time.Duration - FlushCT bool - SecondaryNetworkIface string + + ExpectedDropReasons []string + + FlushCT bool + SecondaryNetworkIface string K8sVersion string HelmChartDirectory string diff --git a/connectivity/suite.go b/connectivity/suite.go index 49234627e8..e32d7bfa23 100644 --- a/connectivity/suite.go +++ b/connectivity/suite.go @@ -261,7 +261,7 @@ func Run(ctx context.Context, ct *check.ConnectivityTest, addExtraTests func(*ch } } - ct.NewTest("no-unexpected-packet-drops").WithScenarios(tests.NoUnexpectedPacketDrops()) + ct.NewTest("no-unexpected-packet-drops").WithScenarios(tests.NoUnexpectedPacketDrops(ct.Params().ExpectedDropReasons)) // Run all tests without any policies in place. noPoliciesScenarios := []check.Scenario{ diff --git a/connectivity/tests/errors.go b/connectivity/tests/errors.go index 2933298fd1..ca5497e526 100644 --- a/connectivity/tests/errors.go +++ b/connectivity/tests/errors.go @@ -5,6 +5,7 @@ package tests import ( "context" + "fmt" "strings" "time" 
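Review bot: The new `ExpectedDropReasons` field in `Parameters` (connectivity/check/check.go) has no comment, and its contract is not obvious from the name. I would add `// ExpectedDropReasons lists the drop reasons the no-unexpected-packet-drops test ignores; entries are compared exactly against the metric's reason label.` above it. The struct starts and ends outside the hunk.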
@@ -76,11 +77,13 @@ func (n *noErrorsInLogs) Run(ctx context.Context, t *check.Test) { // NoUnexpectedPacketDrops checks whether there were no drops due to expected // packet drops. -func NoUnexpectedPacketDrops() check.Scenario { - return &noUnexpectedPacketDrops{} +func NoUnexpectedPacketDrops(expectedDrops []string) check.Scenario { + return &noUnexpectedPacketDrops{expectedDrops} } -type noUnexpectedPacketDrops struct{} +type noUnexpectedPacketDrops struct{ + expectedDrops []string +} func (n *noUnexpectedPacketDrops) Name() string { return "no-unexpected-packet-drops" @@ -88,9 +91,17 @@ func (n *noUnexpectedPacketDrops) Name() string { func (n *noUnexpectedPacketDrops) Run(ctx context.Context, t *check.Test) { ct := t.Context() + + filter := "" + if len(n.expectedDrops) > 0 { + filter = fmt.Sprintf("%q", n.expectedDrops[0]) + for _, reason := range n.expectedDrops[1:] { + filter = fmt.Sprintf("%s, %q", filter, reason) + } + } cmd := []string{ "/bin/sh", "-c", - "cilium metrics list -o json | jq '.[] | select((.name == \"cilium_drop_count_total\") and (.labels.reason | IN(\"Policy denied\", \"Policy denied by denylist\", \"Unsupported L3 protocol\") | not))'", + fmt.Sprintf("cilium metrics list -o json | jq '.[] | select((.name == \"cilium_drop_count_total\") and (.labels.reason | IN(%s) | not))'", filter), } for _, pod := range ct.CiliumPods() { diff --git a/defaults/defaults.go b/defaults/defaults.go index 10cde1bcb6..75748181eb 100644 --- a/defaults/defaults.go +++ b/defaults/defaults.go 
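Review bot: `type noUnexpectedPacketDrops struct{` is not gofmt-clean (gofmt writes `struct {`), and the constructor builds the value with an unkeyed literal. `return &noUnexpectedPacketDrops{expectedDrops: expectedDrops}` keeps compiling correctly if a field is added later. The doc comment above the constructor still reads "no drops due to expected packet drops"; now that the signature has changed it could be reworded to `// NoUnexpectedPacketDrops checks that no packets were dropped for a reason outside expectedDrops.`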
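Review bot: The drop reasons are formatted with `%q` and pasted into a jq program that sits inside a single-quoted `/bin/sh -c` argument, in the `filter` loop and the `fmt.Sprintf` that builds `cmd`. Go's `%q` leaves `'` unescaped, so a reason containing one ends the shell quoting and the remainder of the flag value is interpreted by the shell, apparently once per Cilium pod the loop visits; `%q` can also emit escapes such as `\x` or `\a` that jq does not accept. An empty list produces `IN()`, which jq will most likely reject, and how that failure is handled lies outside the hunk. Marshalling the slice as JSON and escaping `'` for the shell covers all three cases; it needs `encoding/json` in the import block. Run continues past the end of the hunk.

```go
ct := t.Context()

// Marshal the reasons as a JSON array: jq then sees valid string
// literals, and an empty list becomes `[]` instead of `IN()`.
reasons := n.expectedDrops
if reasons == nil {
	reasons = []string{}
}
list, _ := json.Marshal(reasons) // cannot fail for a []string
// The jq program sits inside a single-quoted shell word, so a quote in
// a reason has to be closed, escaped and reopened.
filter := strings.ReplaceAll(string(list), "'", `'\''`)
cmd := []string{
	"/bin/sh", "-c",
	fmt.Sprintf("cilium metrics list -o json | jq '.[] | select((.name == \"cilium_drop_count_total\") and (.labels.reason | IN(%s[]) | not))'", filter),
}
// … unchanged: loop over ct.CiliumPods() …
```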
@@ -190,4 +190,10 @@ var ( "authentication.mutual.spire.install.agent.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution.nodeSelectorTerms[0].matchExpressions[0].operator=NotIn", "authentication.mutual.spire.install.agent.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution.nodeSelectorTerms[0].matchExpressions[0].values[0]=true", } + + ExpectedDropReasons = []string{ + "Policy denied", + "Policy denied by denylist", + "Unsupported L3 protocol", + } ) diff --git a/internal/cli/cmd/connectivity.go b/internal/cli/cmd/connectivity.go index da5cea6a0a..53de3ce8d4 100644 --- a/internal/cli/cmd/connectivity.go +++ b/internal/cli/cmd/connectivity.go @@ -190,6 +190,9 @@ func newCmdConnectivityTest(hooks Hooks) *cobra.Command { cmd.Flags().StringVar(¶ms.ConnDisruptTestRestartsPath, "conn-disrupt-test-restarts-path", "/tmp/cilium-conn-disrupt-restarts", "Conn disrupt test temporary result file (used internally)") cmd.Flags().StringVar(¶ms.ConnDisruptTestXfrmErrorsPath, "conn-disrupt-test-xfrm-errors-path", "/tmp/cilium-conn-disrupt-xfrm-errors", "Conn disrupt test temporary result file (used internally)") cmd.Flags().DurationVar(¶ms.ConnDisruptDispatchInterval, "conn-disrupt-dispatch-interval", 10*time.Millisecond, "TCP packet dispatch interval") + + cmd.Flags().StringSliceVar(¶ms.ExpectedDropReasons, "expected-drop-reasons", defaults.ExpectedDropReasons, fmt.Sprintf("List of expected drop reasons")) + cmd.Flags().BoolVar(¶ms.FlushCT, "flush-ct", false, "Flush conntrack of Cilium on each node") cmd.Flags().MarkHidden("flush-ct") cmd.Flags().StringVar(¶ms.SecondaryNetworkIface, "secondary-network-iface", "", "Secondary network iface name (e.g., to test NodePort BPF on multiple networks)")
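Review bot: `ExpectedDropReasons` in defaults/defaults.go is added without a comment, and every entry is a drop reason the connectivity test will stop reporting. A comment such as `// ExpectedDropReasons is the default allowlist of drop reasons ignored by the no-unexpected-packet-drops test; keep it minimal.` records that for whoever extends the list. The `var (` block starts outside the hunk.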
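Review bot: `fmt.Sprintf("List of expected drop reasons")` in the `--expected-drop-reasons` registration has no format verbs, so the call only wraps a constant and staticcheck will flag it; a plain string literal is enough. The help text should also say that values given on the command line replace the default list rather than extend it, which is how a string-slice flag behaves the first time it is set, for example `"Comma-separated drop reasons to tolerate; replaces the default list"`. Because the list acts as an allowlist for the drop check, that distinction decides whether the default entries are still tolerated. newCmdConnectivityTest starts and ends outside the hunk.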