Packetparser metrics missing when Cilium uses TCX (TC/TCX attachment conflict)

[aanchal22]

Describe the bug

Retina's packetparser plugin is unable to collect metrics (e.g., networkobservability_adv_forward_bytes) on clusters where Cilium has TCX enabled. The packetparser plugin relies on traditional TC (Traffic Control) with clsact qdiscs for BPF program attachment, which conflicts with Cilium's TCX-based attachment on the same network interfaces.

Retina was working correctly before TCX was enabled on the cluster. No explicit errors appear in the logs - the failure is silent.

To Reproduce

Steps to reproduce the behavior:

1. Deploy a Kubernetes cluster with kernel >= 6.6 (e.g., 6.8.0-1039-aws on Ubuntu 22.04)
2. Install Cilium 1.16.x (which uses TCX by default on supported kernels)
3. Install Retina 0.0.36 with packetparser plugin enabled
4. Query for packetparser metrics (e.g., networkobservability_adv_forward_bytes)
5. Observe that the metrics are not being collected/scraped

Expected behavior

Retina should successfully collect packetparser metrics (networkobservability_adv_forward_bytes, etc.) regardless of whether Cilium is using TC or TCX for its BPF programs.

Screenshots

N/A - No visual errors. The issue manifests as missing metrics in Prometheus/Grafana.

Platform (please complete the following information):

• OS: Ubuntu 22.04.5 LTS
• Kernel: 6.8.0-1039-aws
• Kubernetes Version: 1.32
• Host: AWS EKS
• Retina Version: 0.0.36
• Cilium Version: 1.16.10

Additional context

Root Cause Analysis:

• Cilium 1.16.x uses TCX (TC eXpress) by default for BPF program attachment on kernels >= 6.6
• Retina's packetparser currently only supports traditional TC with clsact qdiscs (pkg/plugin/packetparser/packetparser_linux.go)
• When Cilium attaches its BPF programs via TCX to network interfaces, Retina's TC-based attachment either fails silently or doesn't receive packet events due to some conflicts.
• Retina does not currently have TCX support to coexist with Cilium's TCX programs

Relevant Code:
The packetparser attaches BPF programs using TC clsact qdiscs at pkg/plugin/packetparser/packetparser_linux.go. It creates a clsact qdisc and attaches ingress/egress BPF filters, which may not work correctly when Cilium is using TCX on the same interfaces.

Suggested Fix:
Add TCX support to the packetparser plugin so it can properly coexist with Cilium's TCX-based BPF programs. This would involve:

• Detecting TCX support on the system
• Using link.AttachTCX() from cilium/ebpf library for BPF program attachment
• Proper handling of multi-program attachment and priority ordering

[anubhabMajumdar]

Packetparser doesn't bypass other TC programs, so it can run safely before Cilium TC programs.
One way to mitigate this issue could be to set --bpf-filter-priority=2 or higher while installing Cilium.
Ref: https://github.com/cilium/cilium/blob/8c9513595ef86420ccacb507327d68f057eab25c/pkg/option/config.go#L922

This would allow Packetparser to go before Cilium TC program, and you should see metrics.

[bugie]

At this time we have a fork with a working implementation of TCX support in the Packetparser plugin. With TCX support and a MetricsConfiguration CR, we are seeing metrics via /metrics in the agent and via Prometheus. We will continue our testing and will look for feedback on the implementation.