Feat/improve bpf logging

[Aaravanand00]

Summary

Improved BPF logging clarity and consistency across multiple eBPF programs.

Changes

• Normalized log levels:

  • INFO for key state transitions (policy match, DNAT, routing decisions)
  • DEBUG for detailed tracing
  • ERR for failure cases

• Standardized log format:

  • src=[%s:%u], dst=[%s:%u]
  • Replaced inconsistent keys (e.g., dest= → dst=)

• Reduced log noise:

  • Removed logging from XDP hot path (should_shutdown)
  • Kept logs only at decision points

• Improved logging safety:

  • Adjusted per-CPU buffer usage to support multiple IP-to-string conversions in a single log statement

• Fixed issues:

  • Corrected pointer dereferences (info.iph.version → info->iph->version)
  • Removed redundant debug logs

Notes

• No functional/datapath changes
• Logging changes are limited to observability improvements
• bpf_map_delete_elem logic (Q2) was intentionally not modified

[kmesh-bot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign hzxuzhonghu for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances the observability of eBPF programs by refining their logging mechanisms. The changes focus on improving clarity, consistency, and safety of log messages, making it easier to diagnose and understand the flow of network traffic and policy enforcement. By standardizing log formats, normalizing log levels, and reducing noise in critical paths, the update provides more actionable insights without altering any functional or datapath behavior.

Highlights

• Normalized Log Levels: Log levels have been standardized across eBPF programs: INFO for key state transitions (e.g., policy matches, DNAT, routing decisions), DEBUG for detailed tracing, and ERR for failure cases.
• Standardized Log Format: A consistent log format, src=[%s:%u], dst=[%s:%u], has been adopted, replacing inconsistent keys and improving readability.
• Reduced Log Noise: Verbose logging has been removed from performance-critical paths, such as the XDP hot path (should_shutdown), to minimize unnecessary log output and retain logs only at decision points.
• Improved Logging Safety: The per-CPU buffer usage has been adjusted to support multiple IP-to-string conversions within a single log statement, preventing potential data corruption when logging both source and destination IPs.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

---

In eBPF's realm, where packets fly, Logs now shine clear, beneath the sky. No longer vague, but sharp and bright, Guiding the way, through day and night.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request significantly improves BPF logging by standardizing formats, normalizing log levels, and enhancing context in log messages. The changes to support multiple IP-to-string conversions in a single log statement are well-implemented. I have one suggestion to further improve observability by including the policy action in the policy match log message, which is crucial for debugging now that logs have been removed from the should_shutdown hot path.

[Copilot]

Pull request overview

This PR focuses on improving observability across the workload eBPF programs by standardizing log levels and formats, reducing hot-path log noise, and enhancing IP-to-string logging safety.

Changes:

• Normalize log levels (INFO/DEBUG/ERR) and standardize src=[%s:%u], dst=[%s:%u] formatting across programs.
• Reduce XDP hot-path logging noise and keep logs at key decision points.
• Extend the per-CPU temp buffer approach (ip2str_idx) to support multiple IP conversions within a single log statement.

Reviewed changes

Copilot reviewed 9 out of 9 changed files in this pull request and generated 11 comments.

Show a summary per file

File	Description
bpf/kmesh/workload/xdp.c	Removes hot-path auth-deny logs; improves frontend lookup/update failure logging.
bpf/kmesh/workload/sockops.c	Adds richer error logs with src/dst tuple context.
bpf/kmesh/workload/sendmsg.c	Adds dst context to encoding debug logs.
bpf/kmesh/workload/include/service.h	Promotes key service decision logs to INFO and adds dst context.
bpf/kmesh/workload/include/frontend.h	Promotes waypoint decision logs to INFO and standardizes dst formatting.
bpf/kmesh/workload/include/backend.h	Standardizes dst formatting and promotes key routing/DNAT logs to INFO.
bpf/kmesh/workload/include/authz.h	Adds src/dst context to policy/port matching logs; promotes “policy matched” to INFO.
bpf/kmesh/workload/cgroup_sock.c	Adds dst context to cgroup connect/TC logs and error cases.
bpf/include/common.h	Adds ip2str_idx() and increases tmp per-CPU buffers to allow multiple conversions per log statement.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 9 out of 9 changed files in this pull request and generated 5 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

This log always reads skops->local_ip4/remote_ip4, even when skops->family == AF_INET6. Besides producing incorrect addresses for IPv6, this unconditional field access can also be rejected by the verifier on some kernels. Prefer selecting local_ip4/remote_ip4 vs local_ip6/remote_ip6 based on skops->family (or build a bpf_sock_tuple via extract_skops_to_tuple and log from that).

[Copilot]

This error log prints src=[%s:%u] using tuple_key.ipv4.sport regardless of IP version. For IPv6 tuples, ipv4.sport does not alias ipv6.sport, so the port logged will be incorrect. Use info.iph->version to select ipv4 vs ipv6 fields (and consider using ip2str_idx with separate buffers if you ever log both src/dst in the same statement).

[Copilot]

In this INFO log, src/dst ports are taken from tuple_key.ipv4.{sport,dport} even when processing IPv6 packets; those fields don’t overlap the IPv6 port offsets, so ports will be wrong. Also, for IPv6 dst, using &tuple_key.ipv4.daddr does not point at tuple_key.ipv6.daddr, so the destination address string will be wrong. Please branch on info.iph->version and use tuple_key.ipv6.{saddr,daddr,sport,dport} for IPv6.

[Copilot]

This delete-failure log prints src=[%s:%u] using tuple_key.ipv4.sport regardless of IP version. For IPv6 packets, ipv4.sport does not alias ipv6.sport, so the logged port will be incorrect. Use info.iph->version to choose the correct port/address fields before logging.

[Copilot]

This map update failure log prints src=[%s:%u] using tuple_key.ipv4.sport regardless of IP version. For IPv6 packets, ipv4.sport does not alias ipv6.sport, so the logged port will be incorrect. Use info.iph->version to select ipv4 vs ipv6 fields (ports and addresses) for accurate logging.