connectivity: Check for unexpected packet drops #2151
Conversation
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
pchaigno
force-pushed
the
pr/pchaigno/check-unexpected-packet-drops
branch
from
fa92dcb
to
c314595
Compare
pchaigno
force-pushed
the
pr/pchaigno/check-unexpected-packet-drops
branch
from
c314595
to
85c4ab6
Compare
pchaigno
force-pushed
the
pr/pchaigno/check-unexpected-packet-drops
branch
from
85c4ab6
to
b3c77c7
Compare
pchaigno
force-pushed
the
pr/pchaigno/check-unexpected-packet-drops
branch
from
b3c77c7
to
6e5aa8b
Compare
pchaigno
force-pushed
the
pr/pchaigno/check-unexpected-packet-drops
branch
from
6e5aa8b
to
82d6282
Compare
pchaigno
requested review from
derailed,
thorn3r,
gentoo-root,
christarazi,
brb and
tklauser
and removed request for
derailed,
thorn3r,
gentoo-root and
christarazi
Convert the check for missed tail call packet drops into a more general check for any unexpected packets drops. Current expected packet drop reasons are Policy denied and Policy denied by denylist only. Others will be added in subsequent commits. Contrary to the Missed tail call check who only ran in the context of the conn-disrupt test, this new check is always run by default. Signed-off-by: Paul Chaignon <[email protected]>
pchaigno
force-pushed
the
pr/pchaigno/check-unexpected-packet-drops
branch
from
82d6282
to
e3a2e1f
Compare
|
Nice! Have you tried running |
No. But we have a flag to set the list of expected reasons, so we can adjust if specific tests need additional reasons. |
From my personal experience, I'd use it as a last resort. It's difficult to keep a mental map in a head of all options which need to be customized in each job X branches. Also, if you don't test it now, then it might become someone else's problem once a new CLI version is released, and cilium/cilium's CLI dependency is bumped. |
Agree. Either it's obvious (SRv6 drop in SRv6 workflow) or I'll update the default list.
I'm planning to update the CLI myself. I need this quickly. |
There was a problem hiding this comment.
I tried running the change myself in cilium/cilium#29718, and most of the red builds are due to this check failing.
If we merge it now (or w/o trying it out), then this change will block other changes (which will be released together) from being used in the cilium/cilium CI.
pchaigno
force-pushed
the
pr/pchaigno/check-unexpected-packet-drops
branch
from
e3a2e1f
to
ef13f45
Compare
pchaigno
force-pushed
the
pr/pchaigno/check-unexpected-packet-drops
branch
from
ef13f45
to
4c9aec4
Compare
This new flag can be used to customize the set of expected reasons for packet drops, for the new test that ensure we don't have any unexpected packet drops. Signed-off-by: Paul Chaignon <[email protected]>
We currently have many packet drops that are more or less expected. Some like "Authentication required" are expected for specific features and others like "Stale or unroutable IP" are known and understood even though we'd prefer to avoid them. Signed-off-by: Paul Chaignon <[email protected]>
pchaigno
force-pushed
the
pr/pchaigno/check-unexpected-packet-drops
branch
from
4c9aec4
to
0bca92f
Compare
I added those drop reasons.
That's FUD given we have a flag to add other drop reason exceptions. |
pchaigno
added
the
ready-to-merge
|
the kind failure is tracked in #2162. merging 🚀🙏 |
This pull requests ensures we fail the connectivity tests if we hit any unexpected packet drops. The first commit transforms the existing missed-tail-call drops check into a new check for unexpected packet drops. The second commit defines a new flag to set the list of expected packet drop reasons. The last commit adds a bunch of packet drop reasons.