Introduce egress metrics to count invalid packets and bytes (#331)

* Introduce egress metrics to count invalid packets and bytes

Signed-off-by: terashima <tomoya-terashima@cybozu.co.jp>

* register metrics at initialization

Signed-off-by: Hiroki Hanada <hiroki-hanada@cybozu.co.jp>

* Add documents for added metrics

Signed-off-by: terashima <tomoya-terashima@cybozu.co.jp>
---------

Signed-off-by: terashima <tomoya-terashima@cybozu.co.jp>
Signed-off-by: Hiroki Hanada <hiroki-hanada@cybozu.co.jp>

Author: terassyi

docs/cmd-coil-egress.md

@@ -95,3 +95,26 @@ This value is from the result of `iptables -t nat -L POSTROUTING -vn`.
 | `namespace` | The egress resource namespace |
 | `egress`    | The egress resource name      |
 | `pod`       | The pod name                  |
+
+### `coil_egress_nftables_invalid_packets_total`
+
+This is the total number of packets dropped as invalid packets by iptables in a egress NAT pod.
+This value is from the result of `iptables -t filter -L -vn`.
+
+| Label       | Description                   |
+| ----------- | ----------------------------- |
+| `namespace` | The egress resource namespace |
+| `egress`    | The egress resource name      |
+| `pod`       | The pod name                  |
+
+### `coil_egress_nftables_invalid_bytes_total`
+
+This is the total bytes of packets dropped as invalid packets by iptables in a egress NAT pod.
+This value is from the result of `iptables -t filter -L -vn`.
+
+| Label       | Description                   |
+| ----------- | ----------------------------- |
+| `namespace` | The egress resource namespace |
+| `egress`    | The egress resource name      |
+| `pod`       | The pod name                  |
+

v2/cmd/coil-egress/sub/run.go

@@ -41,6 +41,8 @@ func init() {
 	metrics.Registry.MustRegister(egressMetrics.NfConnctackLimit)
 	metrics.Registry.MustRegister(egressMetrics.NfTableMasqueradeBytes)
 	metrics.Registry.MustRegister(egressMetrics.NfTableMasqueradePackets)
+	metrics.Registry.MustRegister(egressMetrics.NfTableInvalidBytes)
+	metrics.Registry.MustRegister(egressMetrics.NfTableInvalidPackets)
 }
 
 func subMain() error {

v2/pkg/metrics/collector.go

@@ -9,7 +9,7 @@ import (
 )
 
 type Collector interface {
-	Update() error
+	Update(ctx context.Context) error
 	Name() string
 }
 
@@ -44,7 +44,7 @@ func (r *Runner) collect(ctx context.Context) {
 	wg.Add(len(r.collectors))
 	for _, c := range r.collectors {
 		go func(c Collector) {
-			if err := c.Update(); err != nil {
+			if err := c.Update(ctx); err != nil {
 				logger.Error(err, "failed to collect metrics", "name", c.Name())
 			}
 			wg.Done()

v2/pkg/metrics/egress.go

@@ -1,6 +1,7 @@
 package metrics
 
 import (
+	"context"
 	"errors"
 	"os"
 	"strconv"
@@ -45,41 +46,61 @@ var (
 		Name:      "nftables_masqueraded_bytes_total",
 		Help:      "the number of bytes that are masqueraded by nftables",
 	}, []string{"namespace", "pod", "egress"})
+
+	NfTableInvalidPackets = prometheus.NewGaugeVec(prometheus.GaugeOpts{
+		Namespace: constants.MetricsNS,
+		Subsystem: "egress",
+		Name:      "nftables_invalid_packets_total",
+		Help:      "the number of packets that are dropped as invalid packets by nftables",
+	}, []string{"namespace", "pod", "egress"})
+
+	NfTableInvalidBytes = prometheus.NewGaugeVec(prometheus.GaugeOpts{
+		Namespace: constants.MetricsNS,
+		Subsystem: "egress",
+		Name:      "nftables_invalid_bytes_total",
+		Help:      "the number of bytes that are dropped as invalid packets by nftables",
+	}, []string{"namespace", "pod", "egress"})
 )
 
 type egressCollector struct {
-	conn             *nftables.Conn
-	nfConnctackCount prometheus.Gauge
-	nfConnctackLimit prometheus.Gauge
-	nfTablesPackets  prometheus.Gauge
-	nfTablesBytes    prometheus.Gauge
+	conn                   *nftables.Conn
+	nfConnctackCount       prometheus.Gauge
+	nfConnctackLimit       prometheus.Gauge
+	nfTablesNATPackets     prometheus.Gauge
+	nfTablesNATBytes       prometheus.Gauge
+	nfTablesInvalidPackets prometheus.Gauge
+	nfTablesInvalidBytes   prometheus.Gauge
 }
 
 func NewEgressCollector(ns, pod, egress string) (Collector, error) {
 	NfConnctackCount.Reset()
 	NfConnctackLimit.Reset()
 	NfTableMasqueradeBytes.Reset()
 	NfTableMasqueradePackets.Reset()
+	NfTableInvalidPackets.Reset()
+	NfTableInvalidBytes.Reset()
 
 	c, err := nftables.New()
 	if err != nil {
 		return nil, err
 	}
 
 	return &egressCollector{
-		conn:             c,
-		nfConnctackCount: NfConnctackCount.WithLabelValues(ns, pod, egress),
-		nfConnctackLimit: NfConnctackLimit.WithLabelValues(ns, pod, egress),
-		nfTablesPackets:  NfTableMasqueradePackets.WithLabelValues(ns, pod, egress),
-		nfTablesBytes:    NfTableMasqueradeBytes.WithLabelValues(ns, pod, egress),
+		conn:                   c,
+		nfConnctackCount:       NfConnctackCount.WithLabelValues(ns, pod, egress),
+		nfConnctackLimit:       NfConnctackLimit.WithLabelValues(ns, pod, egress),
+		nfTablesNATPackets:     NfTableMasqueradePackets.WithLabelValues(ns, pod, egress),
+		nfTablesNATBytes:       NfTableMasqueradeBytes.WithLabelValues(ns, pod, egress),
+		nfTablesInvalidPackets: NfTableInvalidPackets.WithLabelValues(ns, pod, egress),
+		nfTablesInvalidBytes:   NfTableInvalidBytes.WithLabelValues(ns, pod, egress),
 	}, nil
 }
 
 func (c *egressCollector) Name() string {
 	return "egress-collector"
 }
 
-func (c *egressCollector) Update() error {
+func (c *egressCollector) Update(ctx context.Context) error {
 
 	val, err := readUintFromFile(NF_CONNTRACK_COUNT_PATH)
 	if err != nil {
@@ -93,17 +114,24 @@ func (c *egressCollector) Update() error {
 	}
 	c.nfConnctackLimit.Set(float64(val))
 
-	packets, bytes, err := c.getNfTablesCounter()
+	natPackets, natBytes, err := c.getNfTablesNATCounter()
 	if err != nil {
-		return nil
+		return err
 	}
-	c.nfTablesPackets.Set(float64(packets))
-	c.nfTablesBytes.Set(float64(bytes))
+	c.nfTablesNATPackets.Set(float64(natPackets))
+	c.nfTablesNATBytes.Set(float64(natBytes))
+
+	invalidPackets, invalidBytes, err := c.getNfTablesInvalidCounter()
+	if err != nil {
+		return err
+	}
+	c.nfTablesInvalidPackets.Set(float64(invalidPackets))
+	c.nfTablesInvalidBytes.Set(float64(invalidBytes))
 
 	return nil
 }
 
-func (c *egressCollector) getNfTablesCounter() (uint64, uint64, error) {
+func (c *egressCollector) getNfTablesNATCounter() (uint64, uint64, error) {
 	table := &nftables.Table{Family: nftables.TableFamilyIPv4, Name: "nat"}
 	rules, err := c.conn.GetRules(table, &nftables.Chain{
 		Name:    "POSTROUTING",
@@ -125,6 +153,28 @@ func (c *egressCollector) getNfTablesCounter() (uint64, uint64, error) {
 	return 0, 0, errors.New("a masquerade rule is not found")
 }
 
+func (c *egressCollector) getNfTablesInvalidCounter() (uint64, uint64, error) {
+	table := &nftables.Table{Family: nftables.TableFamilyIPv4, Name: "filter"}
+	rules, err := c.conn.GetRules(table, &nftables.Chain{
+		Name:    "FORWARD",
+		Type:    nftables.ChainTypeFilter,
+		Table:   table,
+		Hooknum: nftables.ChainHookForward,
+	})
+	if err != nil {
+		return 0, 0, err
+	}
+	for _, rule := range rules {
+		for _, e := range rule.Exprs {
+			if counter, ok := e.(*expr.Counter); ok {
+				// A rule in the egress pod must be only one, so we can return by finding a first one.
+				return counter.Packets, counter.Bytes, nil
+			}
+		}
+	}
+	return 0, 0, errors.New("a rule for invalid packets is not found")
+}
+
 func readUintFromFile(path string) (uint64, error) {
 	data, err := os.ReadFile(path)
 	if err != nil {