adding an event on unexpected_k8s_nodeport_connection
#199
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: h4l0gen The full list of commands accepted by this bot can be found here.
    cmd := exec.Command("ip", "route", "show", "default")
    hostEth0IP, err := cmd.Output()
Question: are we sure there's no way to obtain this just using Go code (i.e. without using an external util, like ip)?
If yes, it would be preferable.
If not, ok to use ip
(unless @FedeDP has a better idea 😇 )
@leogr I made this change. I've added a new function getHostEth0IP(), which:
- uses the net package to find the host's eth0 IP address
- iterates through the network interfaces
- finds the "eth0" interface
- then iterates through its associated IP addresses to find the first non-loopback IPv4 address
Nice! Just left two comments.
    func getHostEth0IP() (string, error) {
        ifaces, err := net.Interfaces()
        if err != nil {
            return "", err
        }

        for _, iface := range ifaces {
            if iface.Name == "eth0" {
                addrs, err := iface.Addrs()
                if err != nil {
                    return "", err
                }

                for _, addr := range addrs {
                    ipnet, ok := addr.(*net.IPNet)
                    if ok && !ipnet.IP.IsLoopback() {
                        if ipnet.IP.To4() != nil {
                            return ipnet.IP.String(), nil
                        }
                    }
                }
            }
        }

        return "", errors.New("eth0 interface not found or has no valid IPv4 address")
    }
Could we move this function to another file (i.e. utils_net.go)? This will improve reusability.
Yes @leogr, I shifted the getHosteth0IP function to utils_net.go under events/syscall.
        return err
    }

    cmd := exec.Command("nc", hostIP, strconv.Itoa(port), "<", "/dev/null")
Could we check for nc existence before using it?
            Reason: "netcat utility not found in path",
        }
    }
    cmd := exec.Command(path, hostIP, strconv.Itoa(port), "<", "/dev/null")
Can the same result be achieved just using go code (without using an external tool)? 🤔
Sure @leogr, let me try.
I changed it to use a UDP connection from the go/net package instead of netcat. Please take a look.
Signed-off-by: h4l0gen <[email protected]>
adding an event on unexpected_k8s_nodeport_connection
Signed-off-by: h4l0gen <[email protected]>
final
Signed-off-by: h4l0gen <[email protected]>
SGTM. @FedeDP wdyt?
15a1ba1 to 0e969b6
    }

    for _, iface := range ifaces {
        if iface.Name == "eth0" {
Does this need to be eth0? Can't we just return the first actually connected interface?
Side note: systemd has implemented predictable network interface names for ages, and most of the time eth0 won't be present on a system.
See https://www.freedesktop.org/wiki/Software/systemd/PredictableNetworkInterfaceNames/.
Yes @FedeDP, according to the article this seems to be a problem. I will try to implement the suggested solution.
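The two review suggestions above (pick the first connected interface instead of hard-coding eth0, and replace the nc call with a UDP connection from go/net) combined in one added example. This is not code from the PR or from event-generator; the function names pickIPv4, hostIPv4 and sendUDPProbe are hypothetical, and the selection rule is split into a pure function so it can be exercised with constructed addresses.

```go
package main

import (
	"errors"
	"net"
	"strconv"
)

// pickIPv4 picks the first non-loopback IPv4 address of an interface that is up and not a loopback device.
func pickIPv4(flags net.Flags, addrs []net.Addr) (string, bool) {
	if flags&net.FlagUp == 0 || flags&net.FlagLoopback != 0 {
		return "", false
	}
	for _, a := range addrs {
		if ipnet, ok := a.(*net.IPNet); ok && !ipnet.IP.IsLoopback() {
			if ip4 := ipnet.IP.To4(); ip4 != nil {
				return ip4.String(), true
			}
		}
	}
	return "", false
}

// hostIPv4 returns the first usable IPv4 address on any interface, in kernel order, so predictable names (enp0s3, ens192) work too.
func hostIPv4() (string, error) {
	ifaces, err := net.Interfaces()
	if err != nil {
		return "", err
	}
	for _, iface := range ifaces {
		if addrs, err := iface.Addrs(); err == nil {
			if ip, ok := pickIPv4(iface.Flags, addrs); ok {
				return ip, nil
			}
		}
	}
	return "", errors.New("no connected interface with an IPv4 address")
}

// sendUDPProbe is a pure-Go stand-in for `nc host port < /dev/null`: it dials
// host:port over UDP and sends a single one-byte datagram (hypothetical helper).
func sendUDPProbe(host string, port int) error {
	conn, err := net.Dial("udp", net.JoinHostPort(host, strconv.Itoa(port)))
	if err != nil {
		return err
	}
	defer conn.Close()
	_, err = conn.Write([]byte{0})
	return err
}
```

hostIPv4 depends on the interfaces of the machine it runs on, so only pickIPv4 and sendUDPProbe are deterministic enough to assert on.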
Issues go stale after 90d of inactivity. Mark the issue as fresh with Stale issues rot after an additional 30d of inactivity and eventually close. If this issue is safe to close now please do so with Provide feedback via https://github.com/falcosecurity/community. /lifecycle stale
/remove-lifecycle stale
What type of PR is this?
/kind feature
Any specific area of the project related to this PR?
/area events
What this PR does / why we need it:
Which issue(s) this PR fixes:
Fixes #166
Special notes for your reviewer: