Add send/recv and RFC 1918 handling to in/out macro.

[shane-lawrence]

What type of PR is this?

/kind cleanup

/kind rule-update

Any specific area of the project related to this PR?

/area rules

What this PR does / why we need it:
Updates the combined inbound/outbound rule to reflect changes that were made to the separate inbound or outbound rules from 6ce17d6 and #470

Which issue(s) this PR fixes:
Fixes #820

Special notes for your reviewer:

Does this PR introduce a user-facing change?:
Yes.

combined inbound_outbound now behaves like separate in/out macros

[poiana]

Welcome @shane-lawrence! It looks like this is your first PR to falcosecurity/falco 🎉

[shane-lawrence]

/assign @Kaizhe

[leodido]

Thanks for your first contribution! It's amazing :)

BTW there is a compilation error for the macro you kindly contributed.

3:14:56 DEBUG| [stderr] Wed Sep 11 03:14:56 2019: Falco initialized with configuration file /source/falco/test/../falco.yaml
03:14:56 DEBUG| [stderr] Wed Sep 11 03:14:56 2019: Loading rules from file /source/falco/test/../rules/falco_rules.yaml:
03:14:56 DEBUG| [stderr] Wed Sep 11 03:14:56 2019: Runtime error: Compilation error when compiling "(((evt.type in (accept,listen,connect) and evt.dir=<) or
03:14:56 DEBUG| [stderr]   (evt.type in (recvfrom,recvmsg,sendto,sendmsg) and evt.dir=< and
03:14:56 DEBUG| [stderr]    fd.l4proto != tcp and fd.connected=false and fd.name_changed=true)) and
03:14:56 DEBUG| [stderr]  (fd.typechar = 4 or fd.typechar = 6) and
03:14:56 DEBUG| [stderr]  (fd.ip != "0.0.0.0" and fd.net != "127.0.0.0/8" and (not fd.snet in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")) and
03:14:56 DEBUG| [stderr]  (evt.rawres >= 0 or evt.res = EINPROGRESS))
03:14:56 DEBUG| [stderr] ": 411: syntax error, unexpected 'EOF', expecting ')', 'or', 'and'
03:14:56 DEBUG| [stderr] ---
03:14:56 DEBUG| [stderr] - macro: inbound_outbound
03:14:56 DEBUG| [stderr]   condition: >
03:14:56 DEBUG| [stderr]     (((evt.type in (accept,listen,connect) and evt.dir=<) or
03:14:56 DEBUG| [stderr]       (evt.type in (recvfrom,recvmsg,sendto,sendmsg) and evt.dir=< and
03:14:56 DEBUG| [stderr]        fd.l4proto != tcp and fd.connected=false and fd.name_changed=true)) and
03:14:56 DEBUG| [stderr]      (fd.typechar = 4 or fd.typechar = 6) and
03:14:56 DEBUG| [stderr]      (fd.ip != "0.0.0.0" and fd.net != "127.0.0.0/8" and (not fd.snet in (rfc_1918_addresses)) and
03:14:56 DEBUG| [stderr]      (evt.rawres >= 0 or evt.res = EINPROGRESS))
03:14:56 DEBUG| [stderr] ---. Exiting.

[poiana]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
To fully approve this pull request, please assign additional approvers.
We suggest the following additional approver: kaizhe

If they are not already assigned, you can assign the PR to them by writing /assign @kaizhe in a comment when ready.

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• rules/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[shane-lawrence]

Thanks, I corrected my syntax error but some tests are failing now. The change has suppressed some alerts from network rules. This might be expected if test events used private IP ranges to trigger rules that rely on inbound_outbound.

[Kaizhe]

Shouldn't the part that deals with outbound network traffic include recvfrom or recvmsg?

[shane-lawrence]

I think the outbound traffic should have sendto and sendmsg, and the inbound traffic should have recvfrom and recvmsg.

[leodido]

/cc fntlnz

[shane-lawrence]

I overlooked that traffic with fd.snet in (rfc_1918_addresses) should still trigger the inbound portion. I'll fix it!

[shane-lawrence]

I was hoping it would work if the remote IP was filtered instead of server IP, but it didn't. I can't run the regression tests locally (looks like the same symptoms as #798) so I pushed a commit with the changes to let CI run. I'll edit this to have the same logic as inbound or outbound and make sure the tests pass, and then look at making it more efficient.

[shane-lawrence]

@Kaizhe the tests are still failing. I think inbound_outbound should be equivalent to inbound or outbound, but modified to improve efficiency. Could you please confirm that I haven't misunderstood that before I troubleshoot?

[Kaizhe]

I think this might related to our test, we may just test outbound with rfc 1918 addresses. Will confirm that.

[Kaizhe]

need @mstemm 's input here, the inbound_outbound test we ran, we test as an internal env right? Not real outbound I mean

[fntlnz]

What's the state of this @shane-lawrence @Kaizhe ?
Needs a review or are we waiting on some other work to unblock this?

[Kaizhe]

I think this might related to the tests.

[shane-lawrence]

I wasn't able to run the tests in my environment due to an unrelated issue, so instead of sending blind changes to Travis CI to see what happens, I was waiting for @Kaizhe or @mstemm to confirm the expected behaviour of the tests. I'll give it another try this week.

[fntlnz]

Ok thanks @shane-lawrence - I’m not very familiar with that part either but if this goes far I’ll happily dig with you into this.

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.