fix raw packet support check

pkg/security/ebpf/probes/rawpacket/pcap.go

@@ -163,8 +163,8 @@ func filtersToProgs(filters []Filter, opts ProgOpts, headerInsts, senderInsts as
 	return progInsts, mErr
 }
 
-// TCFiltersToProgramSpecs returns list of program spec from raw packet filters definitions
-func TCFiltersToProgramSpecs(rawPacketEventMapFd, clsRouterMapFd int, filters []Filter, opts ProgOpts) ([]*ebpf.ProgramSpec, error) {
+// FiltersToProgramSpecs returns list of program spec from raw packet filters definitions
+func FiltersToProgramSpecs(rawPacketEventMapFd, clsRouterMapFd int, filters []Filter, opts ProgOpts) ([]*ebpf.ProgramSpec, error) {
 	var mErr *multierror.Error
 
 	const (

pkg/security/ebpf/probes/rawpacket/pcap_unsupported.go

@@ -33,7 +33,7 @@ func BPFFilterToInsts(_ int, _ string, _ ProgOpts) (asm.Instructions, error) {
 	return asm.Instructions{}, errors.New("not supported")
 }
 
-// TCFiltersToProgramSpecs returns list of program spec from raw packet filters definitions
-func TCFiltersToProgramSpecs(_, _ int, _ []Filter, _ ProgOpts) ([]*ebpf.ProgramSpec, error) {
+// FiltersToProgramSpecs returns list of program spec from raw packet filters definitions
+func FiltersToProgramSpecs(_, _ int, _ []Filter, _ ProgOpts) ([]*ebpf.ProgramSpec, error) {
 	return nil, errors.New("not supported")
 }

pkg/security/ebpf/tests/raw_packet_test.go

@@ -32,7 +32,7 @@ func testRawPacketFilter(t *testing.T, filters []rawpacket.Filter, expectedRetCo
 		t.Fatal("map not found")
 	}
 
-	progSpecs, err := rawpacket.TCFiltersToProgramSpecs(rawPacketEventMap.FD(), routerMap.FD(), filters, opts)
+	progSpecs, err := rawpacket.FiltersToProgramSpecs(rawPacketEventMap.FD(), routerMap.FD(), filters, opts)
 	if err != nil {
 		t.Fatal(err)
 	}

pkg/security/probe/model_ebpf.go

@@ -33,7 +33,7 @@ func NewEBPFModel(probe *EBPFProbe) *model.Model {
 					return fmt.Errorf("%s is not available on this kernel version", field)
 				}
 			case "packet.filter":
-				if probe.isNetworkNotSupported() {
+				if probe.isRawPacketNotSupported() {
 					return fmt.Errorf("%s is not available on this kernel version", field)
 				}
 				if _, err := rawpacket.BPFFilterToInsts(0, value.Value.(string), rawpacket.DefaultProgOpts); err != nil {

pkg/security/probe/probe_ebpf.go

@@ -200,7 +200,11 @@ func (p *EBPFProbe) selectFentryMode() {
 }
 
 func (p *EBPFProbe) isNetworkNotSupported() bool {
-	return p.kernelVersion.IsRH7Kernel() || (p.kernelVersion.IsAmazonLinuxKernel() && p.kernelVersion.Code < kernel.Kernel4_15)
+	return p.kernelVersion.IsRH7Kernel()
+}
+
+func (p *EBPFProbe) isRawPacketNotSupported() bool {
+	return p.isNetworkNotSupported() || (p.kernelVersion.IsAmazonLinuxKernel() && p.kernelVersion.Code < kernel.Kernel4_15)
 }
 
 func (p *EBPFProbe) sanityChecks() error {
@@ -397,7 +401,7 @@ func (p *EBPFProbe) setupRawPacketProgs(rs *rules.RuleSet) error {
 	seclog.Debugf("generate rawpacker filter programs with a limit of %d max instructions", opts.MaxProgSize)
 
 	// compile the filters
-	progSpecs, err := rawpacket.TCFiltersToProgramSpecs(rawPacketEventMap.FD(), routerMap.FD(), rawPacketFilters, opts)
+	progSpecs, err := rawpacket.FiltersToProgramSpecs(rawPacketEventMap.FD(), routerMap.FD(), rawPacketFilters, opts)
 	if err != nil {
 		return err
 	}
@@ -2048,9 +2052,11 @@ func NewEBPFProbe(probe *Probe, config *config.Config, opts Opts, telemetry tele
 		p.managerOptions.ExcludedFunctions = probes.AllBPFProbeWriteUserProgramFunctions()
 	}
 
-	if !config.Probe.NetworkEnabled {
-		// prevent all TC classifiers from loading
+	// prevent some TC classifiers from loading
+	if p.config.Probe.NetworkEnabled && p.isNetworkNotSupported() {
 		p.managerOptions.ExcludedFunctions = append(p.managerOptions.ExcludedFunctions, probes.GetAllTCProgramFunctions()...)
+	} else if p.config.Probe.NetworkRawPacketEnabled && p.isRawPacketNotSupported() {
+		p.managerOptions.ExcludedFunctions = append(p.managerOptions.ExcludedFunctions, probes.GetRawPacketTCProgramFunctions()...)
 	}
 
 	if p.useFentry {