From 0359eabdeab9515311b636931f2df9b884ab4019 Mon Sep 17 00:00:00 2001
From: Sylvain Afchain
Date: Thu, 21 Nov 2024 12:54:48 +0100
Subject: [PATCH] fix raw packet support check
---
 pkg/security/ebpf/probes/rawpacket/pcap.go | 4 ++--
 .../ebpf/probes/rawpacket/pcap_unsupported.go | 4 ++--
 pkg/security/ebpf/tests/raw_packet_test.go | 2 +-
 pkg/security/probe/model_ebpf.go | 2 +-
 pkg/security/probe/probe_ebpf.go | 14 ++++++++++----
 5 files changed, 16 insertions(+), 10 deletions(-)
diff --git a/pkg/security/ebpf/probes/rawpacket/pcap.go b/pkg/security/ebpf/probes/rawpacket/pcap.go
index 324ee7b974eda1..c9a43565187212 100644
--- a/pkg/security/ebpf/probes/rawpacket/pcap.go
+++ b/pkg/security/ebpf/probes/rawpacket/pcap.go
@@ -163,8 +163,8 @@ func filtersToProgs(filters []Filter, opts ProgOpts, headerInsts, senderInsts as
 return progInsts, mErr
 }
 
-// TCFiltersToProgramSpecs returns list of program spec from raw packet filters definitions
-func TCFiltersToProgramSpecs(rawPacketEventMapFd, clsRouterMapFd int, filters []Filter, opts ProgOpts) ([]*ebpf.ProgramSpec, error) {
+// FiltersToProgramSpecs returns list of program spec from raw packet filters definitions
+func FiltersToProgramSpecs(rawPacketEventMapFd, clsRouterMapFd int, filters []Filter, opts ProgOpts) ([]*ebpf.ProgramSpec, error) {
 var mErr *multierror.Error
 
 const (
diff --git a/pkg/security/ebpf/probes/rawpacket/pcap_unsupported.go b/pkg/security/ebpf/probes/rawpacket/pcap_unsupported.go
index d109e15a5956d7..f2d8896930dea0 100644
--- a/pkg/security/ebpf/probes/rawpacket/pcap_unsupported.go
+++ b/pkg/security/ebpf/probes/rawpacket/pcap_unsupported.go
@@ -33,7 +33,7 @@ func BPFFilterToInsts(_ int, _ string, _ ProgOpts) (asm.Instructions, error) {
 return asm.Instructions{}, errors.New("not supported")
 }
 
-// TCFiltersToProgramSpecs returns list of program spec from raw packet filters definitions
-func TCFiltersToProgramSpecs(_, _ int, _ []Filter, _ ProgOpts) ([]*ebpf.ProgramSpec, error) {
+// FiltersToProgramSpecs returns list of program spec from raw packet filters definitions
+func FiltersToProgramSpecs(_, _ int, _ []Filter, _ ProgOpts) ([]*ebpf.ProgramSpec, error) {
 return nil, errors.New("not supported")
 }
diff --git a/pkg/security/ebpf/tests/raw_packet_test.go b/pkg/security/ebpf/tests/raw_packet_test.go
index 0a52273c3620ff..03db3d4bbdfb8b 100644
--- a/pkg/security/ebpf/tests/raw_packet_test.go
+++ b/pkg/security/ebpf/tests/raw_packet_test.go
@@ -32,7 +32,7 @@ func testRawPacketFilter(t *testing.T, filters []rawpacket.Filter, expectedRetCo
 t.Fatal("map not found")
 }
 
- progSpecs, err := rawpacket.TCFiltersToProgramSpecs(rawPacketEventMap.FD(), routerMap.FD(), filters, opts)
+ progSpecs, err := rawpacket.FiltersToProgramSpecs(rawPacketEventMap.FD(), routerMap.FD(), filters, opts)
 if err != nil {
 t.Fatal(err)
 }
diff --git a/pkg/security/probe/model_ebpf.go b/pkg/security/probe/model_ebpf.go
index c42d2bd569618e..c26e96a0b91f3f 100644
--- a/pkg/security/probe/model_ebpf.go
+++ b/pkg/security/probe/model_ebpf.go
@@ -33,7 +33,7 @@ func NewEBPFModel(probe *EBPFProbe) *model.Model {
 return fmt.Errorf("%s is not available on this kernel version", field)
 }
 case "packet.filter":
- if probe.isNetworkNotSupported() {
+ if probe.isRawPacketNotSupported() {
 return fmt.Errorf("%s is not available on this kernel version", field)
 }
 if _, err := rawpacket.BPFFilterToInsts(0, value.Value.(string), rawpacket.DefaultProgOpts); err != nil {
diff --git a/pkg/security/probe/probe_ebpf.go b/pkg/security/probe/probe_ebpf.go
index 1052586ed683be..cbf8b45c080bdd 100644
--- a/pkg/security/probe/probe_ebpf.go
+++ b/pkg/security/probe/probe_ebpf.go
@@ -200,7 +200,11 @@ func (p *EBPFProbe) selectFentryMode() {
 }
 
 func (p *EBPFProbe) isNetworkNotSupported() bool {
- return p.kernelVersion.IsRH7Kernel() || (p.kernelVersion.IsAmazonLinuxKernel() && p.kernelVersion.Code < kernel.Kernel4_15)
+ return p.kernelVersion.IsRH7Kernel()
+}
+
+func (p *EBPFProbe) isRawPacketNotSupported() bool {
+ return p.isNetworkNotSupported() || (p.kernelVersion.IsAmazonLinuxKernel() && p.kernelVersion.Code < kernel.Kernel4_15)
 }
 
 func (p *EBPFProbe) sanityChecks() error {
@@ -397,7 +401,7 @@ func (p *EBPFProbe) setupRawPacketProgs(rs *rules.RuleSet) error {
 seclog.Debugf("generate rawpacker filter programs with a limit of %d max instructions", opts.MaxProgSize)
 
 // compile the filters
- progSpecs, err := rawpacket.TCFiltersToProgramSpecs(rawPacketEventMap.FD(), routerMap.FD(), rawPacketFilters, opts)
+ progSpecs, err := rawpacket.FiltersToProgramSpecs(rawPacketEventMap.FD(), routerMap.FD(), rawPacketFilters, opts)
 if err != nil {
 return err
 }
@@ -2048,9 +2052,11 @@ func NewEBPFProbe(probe *Probe, config *config.Config, opts Opts, telemetry tele
 p.managerOptions.ExcludedFunctions = probes.AllBPFProbeWriteUserProgramFunctions()
 }
 
- if !config.Probe.NetworkEnabled {
- // prevent all TC classifiers from loading
+ // prevent some TC classifiers from loading
+ if p.config.Probe.NetworkEnabled && p.isNetworkNotSupported() {
 p.managerOptions.ExcludedFunctions = append(p.managerOptions.ExcludedFunctions, probes.GetAllTCProgramFunctions()...)
+ } else if p.config.Probe.NetworkRawPacketEnabled && p.isRawPacketNotSupported() {
+ p.managerOptions.ExcludedFunctions = append(p.managerOptions.ExcludedFunctions, probes.GetRawPacketTCProgramFunctions()...)
 }
 
 if p.useFentry {
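Review bot: Neither predicate in the `@@ -200,7 +200,11 @@` hunk has a doc comment, and the split silently narrows what `isNetworkNotSupported()` means: it is now true only for RH7 kernels, so any caller not shown in this diff will start treating Amazon Linux kernels older than 4.15 as network-capable. If that is the intent, record it next to the code, e.g. `// isNetworkNotSupported reports whether the network probes cannot run on this kernel (RH7 only).` and `// isRawPacketNotSupported additionally rules out Amazon Linux kernels older than 4.15.` The remaining callers of `isNetworkNotSupported()` are worth re-checking so that no network program ends up attached on a kernel it was previously kept off.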
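Review bot: The rewritten condition in the `NewEBPFProbe` hunk drops the config-disabled case: the removed `if !config.Probe.NetworkEnabled` was the visible guard that kept every TC classifier from loading when network monitoring is switched off, while the new branches exclude programs only when a feature is enabled and the kernel lacks support. Unless the exclusion is handled elsewhere in `NewEBPFProbe` (its body continues outside the hunk), a host with `NetworkEnabled` false would now load the classifiers the operator disabled, and the raw packet programs would stay loaded when `NetworkRawPacketEnabled` is false on a supported kernel. I would exclude on either reason: `if !p.config.Probe.NetworkEnabled || p.isNetworkNotSupported() {` and `} else if !p.config.Probe.NetworkRawPacketEnabled || p.isRawPacketNotSupported() {`.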