OCPBUGS-76699: ebpf: consolidate packet event logs into single line

[rameshsahoo11]

Previously, firewall packet events were logged as three separate syslog messages (rule info, IP addresses, protocol details), making log parsing and analysis more difficult. This change consolidates all packet event information into a single log line for better observability.

Changes:

• Merge three separate eventsLogger.Info() calls into one
• Use pipe separators (|) to delimit log sections visually
• Change independent if statements to if-else if chains to ensure only one IP layer and one protocol layer is logged per packet
• Simplify log format: "src addr"/"dst addr" -> "src"/"dst"

Example output format:
Before (3 lines):

  2026-02-06 09:04:59 +0000 UTC worker1.example.com ruleId 10 action Drop len 74 if br1
  2026-02-06 09:04:59 +0000 UTC worker1.example.com     ipv4 src addr 192.XX.XX.149 dst addr 192.XX.XX.56
  2026-02-06 09:04:59 +0000 UTC worker1.example.com     tcp srcPort 56354 dstPort 22

After (1 line):
2026-02-06 09:04:59 +0000 UTC ruleId 10 action Drop len 74 if br1 | ipv4 src 192.xx.xx.149 dst 192.xx.xx.56 | tcp srcPort 56354 dstPort 22

This improves log grep-ability, parsing, and integration with log aggregation tools where single-line entries are preferred.

Test result from ovnkind cluster after appling the fix

$ kubectl logs -c events ingress-node-firewall-daemon-w756x
2026-04-02 08:58:19 +0000 UTC ovn-worker ruleId 10 action Drop len 74 if breth0 | ipv4 src 10.xx.0.1 dst 10.xx.0.16 | tcp srcPort 54600 dstPort 5000
2026-04-02 09:03:45 +0000 UTC ovn-worker ruleId 10 action Drop len 74 if breth0 | ipv4 src 10.xx.0.1 dst 10.xx.0.16 | tcp srcPort 37006 dstPort 5000

Summary by CodeRabbit

• Bug Fixes
  • Consolidated ingress firewall event logging so each packet event is emitted as a single, unified log message containing rule ID, action, packet length, interface, and protocol/transport details.
  • Improved error handling so failures for the consolidated log write are captured once with the full message.
  • Updated event parsing to match the new single-line, pipe-delimited log format for transport and ICMP events.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 022d8618-1683-44dc-ba72-bf6e997cc8fe

📥 Commits

Reviewing files that changed from the base of the PR and between afa2cce and 89ac802.

📒 Files selected for processing (2)

• pkg/ebpf/ingress_node_firewall_events.go
• test/e2e/events/events.go

✅ Files skipped from review due to trivial changes (1)

• test/e2e/events/events.go

---

Walkthrough

Consolidated ingress node firewall event logging: multiple per-field syslog calls replaced by constructing a single composite log message (ruleId, action, pktLen, interface, and one mutually-exclusive protocol detail branch for IPv4/IPv6 + transport/ICMP) and emitting it once.

Changes

Cohort / File(s)	Summary
Event Logging Consolidation pkg/ebpf/ingress_node_firewall_events.go	Replaced multiple sequential eventsLogger.Info calls and per-call error handling with a single strings.Builder-constructed logMsg; selects IPv4 vs IPv6 then a single transport/ICMP branch via if/else if, and emits one eventsLogger.Info(logMsg.String()).
Event Tests (regex updates) test/e2e/events/events.go	Updated transport and ICMP parsing regular expressions to expect a single-line, pipe-delimited log format that includes an inf token followed by `

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 11 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (11 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and specifically summarizes the main change: consolidating packet event logs into a single line format.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	The custom check for stable and deterministic Ginkgo test names is not applicable to this pull request. The PR only modifies pkg/ebpf/ingress_node_firewall_events.go and test/e2e/events/events.go, neither containing any Ginkgo test declarations.
Test Structure And Quality	✅ Passed	The modified file is a utility module containing event parsing helper functions with regex pattern updates, not Ginkgo test code with test blocks, lifecycle hooks, timeouts, or assertions.
Microshift Test Compatibility	✅ Passed	PR does not add new Ginkgo e2e tests; only updates regex patterns in helper utility function to support new consolidated log format.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	PR updates helper functions and regex patterns in event-parsing utility file to match new single-line log format; no new Ginkgo e2e tests are added.
Topology-Aware Scheduling Compatibility	✅ Passed	PR modifies only event logging consolidation and test regex patterns with no scheduling constraints or deployment manifest changes affecting topology assumptions.
Ote Binary Stdout Contract	✅ Passed	No process-level code (main, init, TestMain, BeforeSuite, etc.) found in modified files; logging uses structured logger not direct stdout writes.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	This PR modifies test/e2e/events/events.go, a helper utility module that provides event parsing functions for existing tests, not a test file itself. No new Ginkgo e2e tests are added. The regex patterns already support both IPv4 and IPv6 address families with no hardcoded IPv4-only assumptions or external connectivity requirements.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Review rate limit: 0/1 reviews remaining, refill in 60 minutes.}

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

Hi @rameshsahoo111. Thanks for your PR.

I'm waiting for a openshift member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[rameshsahoo11]

Internal Jira - https://redhat.atlassian.net/browse/OCPBUGS-76699

[meinali566]

/cc

[rameshsahoo11]

@Meina-rh thank you for your review. With the current code (using else if):  From a networking perspective, a single packet can ONLY be either IPv4 OR IPv6, never both. This is fundamental to how IP works:
  - An IPv4 packet has an IPv4 header
  - An IPv6 packet has an IPv6 header
  - A packet cannot have both IPv4 AND IPv6 headers simultaneously

  So the current code with else if correctly handles both:
  - If packet is IPv4 → logs IPv4, skips IPv6 check (because it's impossible to also be IPv6)
  - If packet is IPv6 → logs IPv6

  In a dual-stack cluster:
  - Some packets are IPv4 (logged as IPv4)
  - Some packets are IPv6 (logged as IPv6)
  - Each individual packet is one or the other

I confirmed that IPV6 logging is also correctly logged;

2026-04-02 10:56:22 +0000 UTC ovn-worker ruleId 10 action Drop len 94 if breth0 | ipv6 src fc00:f853:ccd:e793::1 dst fc00:f853:ccd:e793::10 | tcp srcPort 46692 dstPort 5000
2026-04-02 10:59:57 +0000 UTC ovn-worker ruleId 10 action Drop len 74 if breth0 | ipv4 src 10.89.0.1 dst 10.89.0.16 | tcp srcPort 33192 dstPort 5000
2026-04-02 11:00:10 +0000 UTC ovn-worker ruleId 10 action Drop len 94 if breth0 | ipv6 src fc00:f853:ccd:e793::1 dst fc00:f853:ccd:e793::10 | tcp srcPort 42782 dstPort 5000
2026-04-02 11:00:11 +0000 UTC ovn-worker ruleId 10 action Drop len 94 if breth0 | ipv6 src fc00:f853:ccd:e793::1 dst fc00:f853:ccd:e793::10 | tcp srcPort 42782 dstPort 5000

Requesting you to further review and my original change and update.

[meinali566]

@rameshsahoo111 thanks for your explaining, I forgot it's from packet.
LGTM

[meinali566]

/ok-to-test

[rameshsahoo11]

Unit test is failing because ./testbin/setup-envtest.sh is failing to download kubebuilder-tools. Requesting someone to fix CI failure.

# wget https://storage.googleapis.com/kubebuilder-tools/kubebuilder-tools-1.19.2-linux-amd64.tar.gz
HTTP ERROR response 403  [https://storage.googleapis.com/kubebuilder-tools/kubebuilder-tools-1.19.2-linux-amd64.tar.gz]
kubebuilder-tools-1. 100% [================================================================================================================================================================>]     298     --.-KB/s
                          [Files: 0  Bytes: 298  [414 B/s] Redirects: 0  Todo: 0  Errors: 1

[meinali566]

/retest-required

[rameshsahoo11]

Verified with all test cases and the below are the result. Requesting someone to fix the CI failure.

IngressNodeFirewall Rules

apiVersion: ingressnodefirewall.openshift.io/v1alpha1
kind: IngressNodeFirewall
metadata:
  name: ingressnodefirewall
spec:
  interfaces:
  - breth0
  nodeSelector:
    matchLabels:
      kubernetes.io/hostname: ovn-worker
  ingress:
  - sourceCIDRs:
      - 0.0.0.0/0
      - ::/0
    rules:
    - order: 10
      protocolConfig:
        protocol: TCP
        tcp:
          ports: "5000-5001"
      action: Deny
    - order: 11
      protocolConfig:
        protocol: UDP
        udp:
          ports: "5000-5001"
      action: Deny
    - order: 12
      protocolConfig:
        protocol: ICMP
        icmp:
          icmpType: 8 #ICMP Echo request
      action: Deny
    - order: 13
      protocolConfig:
        protocol: ICMPv6
        icmpv6:
          icmpType: 128 #ICMPV6 Echo request
      action: Deny
    - order: 14
      protocolConfig:
        protocol: SCTP
        sctp:
          ports: "6000-6001"
      action: Deny

Test Result

[SCTP TEST]

Server Listen;
 socat -v SCTP6-LISTEN:6000,fork,ipv6only=0 -

SCTP Client connect;
echo "Hello Ramesh"|socat - SCTP:10.89.0.16:6000
echo "Hello Ramesh"|socat - SCTP:[fc00:f853:ccd:e793::10]:6000

[TCP/UDP TEST]
nc -l 5000
curl --retry 0 --fail --max-time 1 -v telnet://10.89.0.16:5000 --connect-timeout 1
curl --retry 0 --fail --max-time 1 -v telnet://[fc00:f853:ccd:e793::10]:5000 --connect-timeout 1

nc -lu 5000 
nc -zu 10.89.0.16 5000
nc -6 -zu fc00:f853:ccd:e793::10 5000

[ICMP Test]
ping -c1 10.89.0.16
ping6 -c1 fc00:f853:ccd:e793::10

# oc logs -c events ingress-node-firewall-daemon-h44gk 
[TCP]
2026-04-03 10:53:58 +0000 UTC ovn-worker ruleId 10 action Drop len 74 if breth0 | ipv4 src 10.89.0.1 dst 10.89.0.16 | tcp srcPort 58444 dstPort 5000
2026-04-03 10:55:17 +0000 UTC ovn-worker ruleId 10 action Drop len 94 if breth0 | ipv6 src fc00:f853:ccd:e793::1 dst fc00:f853:ccd:e793::10 | tcp srcPort 40772 dstPort 5000

[UDP]
2026-04-03 10:56:18 +0000 UTC ovn-worker ruleId 11 action Drop len 43 if breth0 | ipv4 src 10.89.0.1 dst 10.89.0.16 | udp srcPort 52237 dstPort 5000
2026-04-03 10:56:44 +0000 UTC ovn-worker ruleId 11 action Drop len 63 if breth0 | ipv6 src fc00:f853:ccd:e793::1 dst fc00:f853:ccd:e793::10 | udp srcPort 50747 dstPort 5000

[SCTP]
2026-04-03 10:59:27 +0000 UTC ovn-worker ruleId 14 action Drop len 98 if breth0 | ipv4 src 10.89.0.1 dst 10.89.0.16 | sctp srcPort 58063 dstPort 6000
2026-04-03 10:59:30 +0000 UTC ovn-worker ruleId 14 action Drop len 98 if breth0 | ipv4 src 10.89.0.1 dst 10.89.0.16 | sctp srcPort 58063 dstPort 6000
2026-04-03 10:59:36 +0000 UTC ovn-worker ruleId 14 action Drop len 98 if breth0 | ipv4 src 10.89.0.1 dst 10.89.0.16 | sctp srcPort 58063 dstPort 6000
2026-04-03 11:00:20 +0000 UTC ovn-worker ruleId 14 action Drop len 102 if breth0 | ipv6 src fc00:f853:ccd:e793::1 dst fc00:f853:ccd:e793::10 | sctp srcPort 36912 dstPort 6000
2026-04-03 11:00:23 +0000 UTC ovn-worker ruleId 14 action Drop len 102 if breth0 | ipv6 src fc00:f853:ccd:e793::1 dst fc00:f853:ccd:e793::10 | sctp srcPort 36912 dstPort 6000
2026-04-03 11:00:30 +0000 UTC ovn-worker ruleId 14 action Drop len 102 if breth0 | ipv6 src fc00:f853:ccd:e793::1 dst fc00:f853:ccd:e793::10 | sctp srcPort 36912 dstPort 6000

[ICMP]
2026-04-03 11:00:58 +0000 UTC ovn-worker ruleId 12 action Drop len 98 if breth0 | ipv4 src 10.89.0.1 dst 10.89.0.16 | icmpv4 type 8 code 0
2026-04-03 11:01:20 +0000 UTC ovn-worker ruleId 13 action Drop len 118 if breth0 | ipv6 src fc00:f853:ccd:e793::1 dst fc00:f853:ccd:e793::10 | icmpv6 type 128 code 0

[openshift-ci-robot]

@rameshsahoo111: This pull request references Jira Issue OCPBUGS-76699, which is invalid:

• expected the bug to target the "4.22.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Previously, firewall packet events were logged as three separate syslog messages (rule info, IP addresses, protocol details), making log parsing and analysis more difficult. This change consolidates all packet event information into a single log line for better observability.

Changes:

• Merge three separate eventsLogger.Info() calls into one
• Use pipe separators (|) to delimit log sections visually
• Change independent if statements to if-else if chains to ensure only one IP layer and one protocol layer is logged per packet
• Simplify log format: "src addr"/"dst addr" -> "src"/"dst"

Example output format:
Before (3 lines):

 2026-02-06 09:04:59 +0000 UTC worker1.example.com ruleId 10 action Drop len 74 if br1
 2026-02-06 09:04:59 +0000 UTC worker1.example.com     ipv4 src addr 192.XX.XX.149 dst addr 192.XX.XX.56
 2026-02-06 09:04:59 +0000 UTC worker1.example.com     tcp srcPort 56354 dstPort 22

After (1 line):
2026-02-06 09:04:59 +0000 UTC ruleId 10 action Drop len 74 if br1 | ipv4 src 192.xx.xx.149 dst 192.xx.xx.56 | tcp srcPort 56354 dstPort 22

This improves log grep-ability, parsing, and integration with log aggregation tools where single-line entries are preferred.

Test result from ovnkind cluster after appling the fix

$ kubectl logs -c events ingress-node-firewall-daemon-w756x
2026-04-02 08:58:19 +0000 UTC ovn-worker ruleId 10 action Drop len 74 if breth0 | ipv4 src 10.xx.0.1 dst 10.xx.0.16 | tcp srcPort 54600 dstPort 5000
2026-04-02 09:03:45 +0000 UTC ovn-worker ruleId 10 action Drop len 74 if breth0 | ipv4 src 10.xx.0.1 dst 10.xx.0.16 | tcp srcPort 37006 dstPort 5000

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[rameshsahoo11]

/jira-refresh

[rameshsahoo11]

/jira refresh

[openshift-ci-robot]

@rameshsahoo111: This pull request references Jira Issue OCPBUGS-76699, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.22.0) matches configured target version for branch (4.22.0)
• bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @anuragthehatter

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[rameshsahoo11]

/retest-required

[meinali566]

/testwith openshift/ingress-node-firewall/master/unit-test #705

[meinali566]

/testwith openshift/ingress-node-firewall/master/ingress-node-firewall-e2e-metal-ipi #705

[meinali566]

@rameshsahoo11 we need to wait #705 PR merged which will resolve unit-test CI failures.
And according to e2e CI job failures, you should update e2e logs check. Here are the two regex changes needed in test/e2e/events/events.go:

1. Transport regex (line 65):

  Before:                                                                                                                                                                                                              
  ruleId\\s([0-9]+)\\saction\\s(?P<action>\\w+).*if\\s(?P<inf>\\w+)\n.*\\ssrc\\saddr\\s(?P<srcaddr>[0-9.:a-z]+)\\sdst\\saddr\\s(?P<dstaddr>[0-9.:a-z]+)\n.*(?P<proto>tcp|udp|sctp)\\ssrcPort\\s\\d+\\sdstPort\\s(?P<
  dstport>\\d+)                                                                                                                                                                                                     
                                                                                                                                                                                                                    
  After:                  
  ruleId\\s([0-9]+)\\saction\\s(?P<action>\\w+).*if\\s(?P<inf>\\w+)\\s*\\|\\s*(?:ipv4|ipv6)\\ssrc\\s(?P<srcaddr>[0-9.:a-z]+)\\sdst\\s(?P<dstaddr>[0-9.:a-z]+)\\s*\\|\\s*(?P<proto>tcp|udp|sctp)\\ssrcPort\\s\\d+\\sd
  stPort\\s(?P<dstport>\\d+)              

2. ICMP regex (line 97):

  Before:                                                            
  ruleId\\s([0-9]+)\\saction\\s(?P<action>\\w+).*if\\s(?P<inf>\\w+)\\n.*\\s(ipv4|ipv6)\\ssrc\\saddr\\s(?P<srcaddr>[0-9.:a-z]+)\\sdst\\saddr\\s(?P<dstaddr>[0-9.:a-z]+)\\n.*(?P<proto>icmpv4|icmpv6)\\stype\\s(?P<typ
  e>\\d+)\\scode\\s(?P<code>\\d+)                                                                                                                                                                                   
                                                                                                                                                                                                                    
  After:                                                                                                                                                                                                              
  ruleId\\s([0-9]+)\\saction\\s(?P<action>\\w+).*if\\s(?P<inf>\\w+)\\s*\\|\\s*(?:ipv4|ipv6)\\ssrc\\s(?P<srcaddr>[0-9.:a-z]+)\\sdst\\s(?P<dstaddr>[0-9.:a-z]+)\\s*\\|\\s*(?P<proto>icmpv4|icmpv6)\\stype\\s(?P<type>\
  \d+)\\scode\\s(?P<code>\\d+)  

[rameshsahoo11]

@Meina-rh thanks , I will fix e2e

[openshift-ci-robot]

@rameshsahoo11: This pull request references Jira Issue OCPBUGS-76699, which is invalid:

• expected the bug to target either version "5.0." or "openshift-5.0.", but it targets "4.22" instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

Details

In response to this:

Previously, firewall packet events were logged as three separate syslog messages (rule info, IP addresses, protocol details), making log parsing and analysis more difficult. This change consolidates all packet event information into a single log line for better observability.

Changes:

• Merge three separate eventsLogger.Info() calls into one
• Use pipe separators (|) to delimit log sections visually
• Change independent if statements to if-else if chains to ensure only one IP layer and one protocol layer is logged per packet
• Simplify log format: "src addr"/"dst addr" -> "src"/"dst"

Example output format:
Before (3 lines):

 2026-02-06 09:04:59 +0000 UTC worker1.example.com ruleId 10 action Drop len 74 if br1
 2026-02-06 09:04:59 +0000 UTC worker1.example.com     ipv4 src addr 192.XX.XX.149 dst addr 192.XX.XX.56
 2026-02-06 09:04:59 +0000 UTC worker1.example.com     tcp srcPort 56354 dstPort 22

After (1 line):
2026-02-06 09:04:59 +0000 UTC ruleId 10 action Drop len 74 if br1 | ipv4 src 192.xx.xx.149 dst 192.xx.xx.56 | tcp srcPort 56354 dstPort 22

This improves log grep-ability, parsing, and integration with log aggregation tools where single-line entries are preferred.

Test result from ovnkind cluster after appling the fix

$ kubectl logs -c events ingress-node-firewall-daemon-w756x
2026-04-02 08:58:19 +0000 UTC ovn-worker ruleId 10 action Drop len 74 if breth0 | ipv4 src 10.xx.0.1 dst 10.xx.0.16 | tcp srcPort 54600 dstPort 5000
2026-04-02 09:03:45 +0000 UTC ovn-worker ruleId 10 action Drop len 74 if breth0 | ipv4 src 10.xx.0.1 dst 10.xx.0.16 | tcp srcPort 37006 dstPort 5000

Summary by CodeRabbit

• Bug Fixes
• Restructured ingress firewall event logging to consolidate multiple log entries into single composite messages per event, containing rule ID, action, packet length, interface, and protocol details in a unified format.
• Updated event parsing patterns to match the new consolidated log format.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

🧹 Nitpick comments (1)

test/e2e/events/events.go (1)

62-97: Optional: switch to raw string literals for readability.

The double-escaped patterns (\\s, \\|, \\w, \\d) are hard to eyeball against the producer format. Go raw string literals remove one level of escaping and make the pipe delimiters explicit.

♻️ Proposed refactor

-	transportEventRE := "ruleId\\s([0-9]+)\\saction\\s(?P<action>\\w+).*if\\s(?P<inf>\\w+)\\s\\|\\s(?:ipv4|ipv6)\\ssrc\\s(?P<srcaddr>[0-9.:a-z]+)\\sdst\\s(?P<dstaddr>[0-9.:a-z]+)\\s\\|\\s(?P<proto>tcp|udp|sctp)\\ssrcPort\\s\\d+\\sdstPort\\s(?P<dstport>\\d+)"
+	transportEventRE := `ruleId\s([0-9]+)\saction\s(?P<action>\w+).*if\s(?P<inf>\w+)\s\|\s(?:ipv4|ipv6)\ssrc\s(?P<srcaddr>[0-9.:a-z]+)\sdst\s(?P<dstaddr>[0-9.:a-z]+)\s\|\s(?P<proto>tcp|udp|sctp)\ssrcPort\s\d+\sdstPort\s(?P<dstport>\d+)`
...
-	icmpEventRE := "ruleId\\s([0-9]+)\\saction\\s(?P<action>\\w+).*if\\s(?P<inf>\\w+)\\s\\|\\s(?:ipv4|ipv6)\\ssrc\\s(?P<srcaddr>[0-9.:a-z]+)\\sdst\\s(?P<dstaddr>[0-9.:a-z]+)\\s\\|\\s(?P<proto>icmpv4|icmpv6)\\stype\\s(?P<type>\\d+)\\scode\\s(?P<code>\\d+)"
+	icmpEventRE := `ruleId\s([0-9]+)\saction\s(?P<action>\w+).*if\s(?P<inf>\w+)\s\|\s(?:ipv4|ipv6)\ssrc\s(?P<srcaddr>[0-9.:a-z]+)\sdst\s(?P<dstaddr>[0-9.:a-z]+)\s\|\s(?P<proto>icmpv4|icmpv6)\stype\s(?P<type>\d+)\scode\s(?P<code>\d+)`

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@test/e2e/events/events.go` around lines 62 - 97, The transportEventRE and
icmpEventRE string literals are hard to read due to double-escaping; update both
(the variables transportEventRE and icmpEventRE) to use Go raw string literals
(back-quoted) so `\s`, `\|`, `\w`, `\d` appear as single-escaped sequences and
the pipe delimiters are explicit, then ensure regexp.MustCompile calls
(transportEventPattern) still compile the same patterns and run tests to confirm
behavior is unchanged.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@test/e2e/events/events.go`:
- Around line 62-97: The transportEventRE and icmpEventRE string literals are
hard to read due to double-escaping; update both (the variables transportEventRE
and icmpEventRE) to use Go raw string literals (back-quoted) so `\s`, `\|`,
`\w`, `\d` appear as single-escaped sequences and the pipe delimiters are
explicit, then ensure regexp.MustCompile calls (transportEventPattern) still
compile the same patterns and run tests to confirm behavior is unchanged.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 90ba4621-725a-4dad-9f46-b20bf996eee7

📥 Commits

Reviewing files that changed from the base of the PR and between 0900e10 and 83b1597.

📒 Files selected for processing (1)

• test/e2e/events/events.go

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: rameshsahoo11
Once this PR has been reviewed and has the lgtm label, please assign martinkennelly for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[rameshsahoo11]

/jira-refresh

[danwinship]

Basically looks good, but let's wait for the unit tests to get fixed. (Someone is going to redo #705.)

Do we know whether the change in logging format is going to affect any other components?

[danwinship]

use strings.Builder and fmt.Fprintf

[danwinship]

These ought to use backtick strings so you don't need double backslashes...

[rameshsahoo11]

Thank you for the feedback. I’ve incorporated your suggestions into the latest commit. Please let me know if you have any further thoughts.

[rameshsahoo11]

Thank you for the feedback. I’ve incorporated your suggestions into the latest commit. Please let me know if you have any further thoughts.

[danwinship]

please squash the fixes in with the original commits. Put the strings.Builder fix in the first commit and the backticks fix in the second commit

[rameshsahoo11]

@danwinship thank you for your helpful suggestions. I’ve incorporated them into the latest commit. Please take a look and let me know your feedback.

[openshift-ci]

@rameshsahoo11: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/unit-test	89ac802	link	true	/test unit-test

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.