microsoft · princepereira · Aug 17, 2023
diff --git a/scripts/networkhealth/README.md b/scripts/networkhealth/README.md
@@ -35,4 +35,30 @@ If the `-OutputMode` is set to `Event` or `All`, the script will register a new
     Example:
     kubectl logs -l name=networkhealth --all-containers=true >> networkhealth.txt
     Provide the generated networkhealth.txt
+```
+## Command to run startNetworkDiagnostics
+```
+Normal Execution: .\startNetworkDiagnostics.ps1 -TimeIntervalInSeconds 30 -PrintMatchedRules $true -PodNamePrefixes tcp-server,tcp-client
+
+Execution with DNS Packet Capture: .\startNetworkDiagnostics.ps1 -DnsPktCap $true
+
+Execution with DualStack Test: .\startNetworkDiagnostics.ps1 -DualStack $true
+
+Execution with Vfp Rule Counter Dump for Pods : .\startNetworkDiagnostics.ps1 -PodNamePrefixes tcp-client,tcp-server
+
+Execution with printing matched rule counter : .\startNetworkDiagnostics.ps1 -PodNamePrefixes tcp-client,tcp-server -PrintMatchedRules $true
+
+Execution with validate loadbalancer rules for Service IPS : .\startNetworkDiagnostics.ps1 -ServiceIPS "10.0.0.1,10.0.0.2"
+
+```
+
+## Command to run vfpDropCounterMetrics
+```
+.\vfpDropCounterMetrics.ps1 -TimeIntervalInSeconds 30 -PrintMatchedRules $true -PodNamePrefixes tcp-server,tcp-client
+```
+
+## DNS Health Check
+```
+Invoke-WebRequest https://raw.githubusercontent.com/microsoft/wcnscripts/2ea829ebaaf523cf58ef8e64120e54849eb4bd51/scripts/networkhealth/startNetworkDiagnostics.ps1 -OutFile startNetworkDiagnostics.ps1
+.\startNetworkDiagnostics.ps1
 ```
diff --git a/scripts/networkhealth/RuleDump.ps1 b/scripts/networkhealth/RuleDump.ps1
@@ -0,0 +1,158 @@
+
+param (
+    [Parameter(Mandatory=$false, HelpMessage="Rule for Pod")][string]$podIp = "10.224.0.53",
+    [Parameter(Mandatory=$false, HelpMessage="Rule for Pod")][string]$ipFamily = "IPV4",
+    [Parameter(Mandatory=$false, HelpMessage="Rule for Pod")][string]$protoFamily = "TCP",
+    [Parameter(Mandatory=$false, HelpMessage="Rule for Pod")][bool]$PrintMatchedRules = $true
+)
+
+
+$podMac = (Get-HnsEndpoint | Where-Object IPAddress -Eq $podIp).MacAddress
+$podMacShortened = $podMac.Replace("-", "")
+$PodPortId = ((vfpctrl /list-vmswitch-port /format 1 | ConvertFrom-Json).Ports | Where-Object MacAddress -EQ $podMacShortened).Name
+$ExtPortId = ((vfpctrl /list-vmswitch-port /format 1 | ConvertFrom-Json).Ports | Where-Object Id -EQ "ExternalPort").Name
+$HostPortId = ((vfpctrl /list-vmswitch-port /format 1 | ConvertFrom-Json).Ports | Where-Object Id -Like "Container NIC*").Name
+
+$podLayers = ((vfpctrl /port $PodPortId /list-layer /format 1 | ConvertFrom-Json).Layers | Sort-Object -Property Priority).Name
+$extPortLayers = ((vfpctrl /port $ExtPortId /list-layer /format 1 | ConvertFrom-Json).Layers | Sort-Object -Property Priority).Name
+$hostPortLayers = ((vfpctrl /port $HostPortId /list-layer /format 1 | ConvertFrom-Json).Layers | Sort-Object -Property Priority).Name
+
+function RemoveNoise() {
+    param (
+        [Parameter(Mandatory=$true)][System.Object]$Rule
+    )
+    $Rule.PSObject.Properties.Remove('$type')
+    $Rule.PSObject.Properties.Remove('Type')
+    $Rule.PSObject.Properties.Remove('SubType')
+    $Rule.PSObject.Properties.Remove('MssDelta')
+    $Rule.PSObject.Properties.Remove('ReverseMssDelta')
+    $Rule.PSObject.Properties.Remove('RuleFlags')
+    $Rule.PSObject.Properties.Remove('PaRouteRuleFlags')
+    $Rule.PSObject.Properties.Remove('CachePruningThreshold')
+    $Rule.PSObject.Properties.Remove('InformationArray')
+    $Rule.PSObject.Properties.Remove('NumHeaders')
+    $Rule.PSObject.Properties.Remove('PartialRewriteTypes')
+    return $Rule
+}
+
+function LogVfpCounter {
+    param (
+        [parameter(Mandatory=$false)][string] $value = "",
+        [parameter(Mandatory=$false)][bool] $error = $false
+    )
+    # Add-Content -Path $VfpRuleFile -Value $value
+    if ($error -eq $true) {
+        Write-Host $value -ForegroundColor Red
+    }
+    else {
+        Write-Host $value
+    }
+
+}
+
+function NewLine {
+    param (
+        [parameter(Mandatory=$false)][int] $NoOfLines = 1
+    )
+    for ($i = 1; $i -le $NoOfLines; $i++) {
+        LogVfpCounter ""
+    }
+}
+
+function PrintRules {
+    param (
+        [Parameter(Mandatory=$true)][string[]]$Layers,
+        [Parameter(Mandatory=$true)][string]$PortId,
+        [Parameter(Mandatory=$false)][string]$Dir="OUT"
+    )
+
+    $ruleCounterMap = @{}
+
+    foreach($layer in $Layers) {
+        $groups = ((vfpctrl /port $PortId /layer $layer /list-group /format 1 | ConvertFrom-Json).Groups | Sort-Object -Property Priority).Name
+        foreach($group in $groups) {
+            if($group.Contains("_$DIR") -ne $true) {
+                continue
+            }
+            if(($group.Contains("IPV4") -eq $true) -or ($group.Contains("IPV6") -eq $true)) {
+                if($group.Contains($ipFamily) -ne $true) {
+                    continue
+                }
+            }
+            if(($group.Contains("TCP") -eq $true) -or ($group.Contains("UDP") -eq $true) -or ($group.Contains("ICMP") -eq $true)) {
+                if($group.Contains($protoFamily) -ne $true) {
+                    continue
+                }
+            }
+            $rules = (vfpctrl /port $PortId /layer $layer /group $group /get-rule-counter /format 1 | ConvertFrom-Json | Sort-Object -Property Priority).Rules
+            foreach ($rule in $rules) {
+
+                $ruleId = $rule.Name
+                if (($rule.Id).Length -gt 0) {
+                    $ruleId = $rule.Id
+                }
+
+                $ruleKey = "$portId-$layer-$group-$ruleId"
+
+                $informationArray = $rule.InformationArray
+
+                $rule = RemoveNoise -Rule $rule
+
+                if ($informationArray.Count -gt 0) {
+                    $rule | Add-Member -MemberType NoteProperty -Name RuleCounters -Value $informationArray[0].RuleCounters
+                }
+
+                $ruleJson = $rule | ConvertTo-Json -Depth 10
+
+                if ($informationArray.Count -gt 0) {
+
+                    $ruleCounters = $informationArray[0].RuleCounters
+                    $matchedPackets = $ruleCounters.MatchedPackets
+                    $droppedPackets = $ruleCounters.DroppedPackets
+                    $pendingPackets = $ruleCounters.PendingPackets
+                    $droppedFlows = $ruleCounters.DroppedFlows
+
+                    if (($droppedPackets -gt 0) -or ($pendingPackets -gt 0) -or ($droppedFlows -gt 0)) { 
+                        LogVfpCounter "  Dropped Rule : " -error $true
+                        LogVfpCounter "  ================ " -error $true
+                        NewLine 1
+                        LogVfpCounter "  Layer : $layer , Group : $group , Id : $ruleId " -error $true
+                        NewLine 1
+                        LogVfpCounter "  $ruleJson " -error $true                                    
+                        NewLine 2
+                    }
+                    elseif (($PrintMatchedRules -eq $true) -and ($matchedPackets -gt 0)) {   
+                        LogVfpCounter "  Matched Rule : "
+                        LogVfpCounter "  ================ "
+                        NewLine 1
+                        LogVfpCounter "  Layer : $layer , Group : $group , Id : $ruleId "
+                        NewLine 1
+                        LogVfpCounter "  $ruleJson "
+
+                        NewLine 2
+                    }
+
+                    $ruleCounterMap[$ruleKey] = $rule
+                }
+            }
+        }
+    }
+
+    return $ruleCounterMap
+}
+
+Write-Host "#===================== Pod VFP Port Rules in Outbound Direction ================#"
+NewLine 2
+$podPortRulesOutbound = PrintRules -Layers $podLayers -portId $PodPortId -Dir "OUT"
+NewLine 2
+Write-Host "#===================== External VFP Port Rules in Outbound Direction ================#"
+NewLine 2
+$extPortRulesOutbound = PrintRules -Layers $extPortLayers -portId $ExtPortId -Dir "OUT"
+NewLine 2
+Write-Host "#===================== External VFP Port Rules in Inbound Direction ================#"
+NewLine 2
+$extPortRulesIntbound = PrintRules -Layers $extPortLayers -portId $ExtPortId -Dir "IN"
+NewLine 2
+Write-Host "#===================== Pod VFP Port Rules in Inbound Direction ================#"
+NewLine 2
+$podPortRulesIutbound = PrintRules -Layers $podLayers -portId $PodPortId -Dir "IN"
diff --git a/scripts/networkhealth/checkDupLbDsrRules.ps1 b/scripts/networkhealth/checkDupLbDsrRules.ps1
@@ -0,0 +1,152 @@
+$LogDirPrefix = "C:\k\debug\NetworkHealth\Log-"
+$timeNowInUtc = Get-Date -Format u
+$LogDirSuffix = $timeNowInUtc.Replace(" ", "-").Replace(":", "-")
+$LogsDir = $LogDirPrefix + $LogDirSuffix
+$Logfile = "$LogsDir\health.log"
+
+mkdir $LogsDir -ErrorAction Ignore
+
+function LogError {
+    param (
+        [parameter(Mandatory=$true)][string] $message
+    )
+    Write-Host $message -ForegroundColor Red
+    Add-content $Logfile -value "[FAILED] $message"
+}
+
+function LogSuccess {
+    param (
+        [parameter(Mandatory=$true)][string] $message
+    )
+    Write-Host $message -ForegroundColor Green
+    Add-content $Logfile -value "[SUCCESS] $message"
+}
+
+function readVfpPortIdList() {
+    $vfpPortIds = ((vfpctrl /list-vmswitch-port /format 1 | ConvertFrom-Json).Ports).Name
+    return $vfpPortIds
+}
+
+function getDuplicateLbDsrVfpRules() {
+    param (
+        [parameter(Mandatory=$true)][string] $portId,
+        [parameter(Mandatory=$true)][string] $groupId
+    )
+
+    $vfpRules = ((vfpctrl /port $portId /layer LB_DSR /group $groupId /get-rule-counter /format 1 | ConvertFrom-Json).Rules) | Select-Object ID, Name, Conditions
+
+    $vfpRuleMap = @{}
+
+    foreach($rule in $vfpRules) {
+        $conditions = $rule.Conditions
+        $protocolList = ""
+        $ipList = ""
+        $portList = ""
+        foreach($condition in $conditions) {
+            $type = $condition.ConditionType
+            if($type -eq 1) {
+                # Protocol List
+                $protocols = $condition.ProtocolList
+                foreach($protocol in $protocols) {
+                    $protocolList += "$protocol" + "-"
+                }
+            }
+            if($type -eq 11) {
+                # IPV4 Range List
+                $ips = $condition.DestinationIPv4RangeList
+                foreach($ip in $ips) {
+                    if($null -ne $ip) {
+                        if($ip.L -eq $ip.H) {
+                            $ipList += $ip.L + "-"
+                        } else {
+                            $ipList += $ip.L + "-" + $ip.H + "-"
+                        }
+                    }
+                }
+            }
+            if($type -eq 13) {
+                # IPV6 Range List
+                $ips = $condition.DestinationIPv6RangeList
+                foreach($ip in $ips) {
+                    if($null -ne $ip) {
+                        if($ip.L -eq $ip.H) {
+                            $ipList += $ip.L + "-"
+                        } else {
+                            $ipList += $ip.L + "-" + $ip.H + "-"
+                        }
+                    }
+                }
+            }
+            if($type -eq 5) {
+                # Port Range List
+                $ports = $condition.DestinationPortList
+                foreach($port in $ports) {
+                    $portList += "$port" + "-"
+                }
+            }
+        }
+
+        $key = $ipList + $portList + $protocolList
+        if($key.Length -gt 5) {
+            $key = $key.Substring(0, $key.Length-1)
+        }
+
+        $ruleId = $rule.ID
+        if(($null -eq $ruleId) -OR ("" -EQ $ruleId) -or ($ruleId.Length -lt 5)) {
+            $ruleId = $rule.Name
+        }
+
+        $existingList = $vfpRuleMap[$key]
+        if($null -eq $existingList) {
+            $existingList = @($ruleId)
+        } else {
+            $existingList += $ruleId
+        }
+
+        $vfpRuleMap[$key] = $existingList
+    }
+
+    $refinedDuplicateIds = @{}
+
+    foreach($e in $vfpRuleMap.GetEnumerator()) {
+        if(($e.Value).Count -gt 1) {
+            $refinedDuplicateIds["Condition-" + $e.Key] = $e.Value
+        }
+    }
+
+    return $refinedDuplicateIds
+}
+
+function CheckDuplicate_LB_DSR_VfpRules {
+
+    Write-Host "Checking Duplicate LB DSR VFP Rules"
+
+    $vfpPortIds = readVfpPortIdList
+    $duplicateIdAndPorts = @{}
+
+    foreach($portId in $vfpPortIds) {
+
+        $v4DuplicateIds = getDuplicateLbDsrVfpRules -portId $portId -groupId "LB_DSR_IPv4_OUT"
+        $v6DuplicateIds = getDuplicateLbDsrVfpRules -portId $portId -groupId "LB_DSR_IPv6_OUT"
+
+        $duplicateIds = $v4DuplicateIds + $v6DuplicateIds
+
+        if($duplicateIds.Count -gt 0) {
+            $duplicateIdAndPorts["Port-" + $portId] = $duplicateIds
+        }
+
+    }
+
+    if($duplicateIdAndPorts.Count -gt 0){
+        LogError "Duplicate LB DSR VFP Rules Present. "
+        $jsonOutput = $duplicateIdAndPorts | ConvertTo-Json -Depth 10
+        LogError "Info: $jsonOutput "
+        LogError "Mitigation : Restart-Service -f hns ; Restart-Service -f kubeproxy "
+        return $true
+    }
+
+    LogSuccess "There is no Duplicate LB DSR VFP Rules."
+    return $false
+}
+
+CheckDuplicate_LB_DSR_VfpRules