fix: map network event pktType to direction in CEL rules engine #841

Merged
matthyx merged 1 commit into main from fix/network-event-direction
Jun 24, 2026

matthyx (Contributor) commented Jun 24, 2026

This PR fixes a bug where event.direction on a network event is always empty, causing rules evaluating event.direction == 'outbound' (such as R1077) to never trigger. It falls back to mapping Inspektor Gadget's pktType (OUTGOING vs others) to direction if e.Direction is empty.

Closes #840

Summary by CodeRabbit

  • Bug Fixes

    • Network events now automatically show the correct inbound or outbound direction when no direction is explicitly set.
    • Direction handling is more consistent across event types, including cases where packet type information is used to determine the result.
  • Tests

    • Expanded coverage for event direction behavior, including explicit directions and packet-type-based inference.

coderabbitai Bot commented Jun 24, 2026

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: de129af1-919b-4b99-8e20-4b4ae4785898

📥 Commits

Reviewing files that changed from the base of the PR and between 3d350fc and f1ffac6.

📒 Files selected for processing (4)
  • pkg/utils/datasource_event.go
  • pkg/utils/events.go
  • pkg/utils/events_test.go
  • pkg/utils/struct_event.go
📝 Walkthrough

GetDirection() is updated in both StructEvent and DatasourceEvent to infer consts.Outbound or consts.Inbound from GetPktType() (case-insensitive match to "OUTGOING") when Direction is empty and EventType is NetworkEventType. Tests are replaced with a table-driven suite validating this mapping and explicit-direction precedence.

Network Direction Inference

| Layer / File(s) | Summary |
|---|---|
| GetDirection() inference logic (pkg/utils/struct_event.go, pkg/utils/datasource_event.go) | Adds strings import to struct_event.go; both StructEvent.GetDirection() and DatasourceEvent.GetDirection() now check GetPktType() case-insensitively for "OUTGOING" and return consts.Outbound or consts.Inbound when Direction is empty and EventType is NetworkEventType. Explicit Direction values are still returned as-is. |
| Table-driven direction tests (pkg/utils/events_test.go) | Replaces prior mock helper structs with TestStructEventGetDirection, covering HTTP events with explicit directions, network events relying on pktType-based inference, and a precedence case where an explicit Direction overrides pktType. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Poem

🐇 Hop hop, the packets go left and right,
A pktType clue reveals the flight—
OUTGOING signals the outbound way,
HOST means inbound, hip-hooray!
No more empty direction to dismay. ✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title clearly describes the main fix: mapping packet type to direction for network events. |
| Linked Issues check | ✅ Passed | The changes implement the linked bug fix by falling back to pktType for network event direction in both utility types and cover it with tests. |
| Out of Scope Changes check | ✅ Passed | The PR stays focused on direction resolution and test coverage, with no unrelated code changes visible in the summary. |


matthyx (Contributor, Author) left a comment

Reviewed the fix end-to-end. The approach is sound and the chain works: for network events the production type is DatasourceEvent, whose GetPktType() reads the egress field (egress==1 -> OUTGOING, else HOST), so the new fallback yields outbound/inbound, and that value reaches CEL via the cel.go "direction" field getter (x.Raw.GetDirection()). I confirmed consts.Inbound=="inbound" / Outbound=="outbound", matching R1077's direction == 'outbound', and that the prefilter does not drop network events on direction (rule_manager.go only calls SetDirection for HTTP events, and prefilter line 254 short-circuits when e.Dir == DirNone). No hard blockers — but one test-coverage gap is worth fixing before merge, plus two minor nits inline.

Main concern (please address): the regression test does not cover the regressed code path. TestStructEventGetDirection only exercises StructEvent, but the production network path uses DatasourceEvent, and StructEvent.PktType is never populated for network events outside tests. So the identical block in datasource_event.go — the code that actually fixes #840 — and its real wiring through the egress field are untested. Consider a table test on DatasourceEvent.GetDirection() that sets egress in Data and asserts inbound/outbound.

Comment thread pkg/utils/datasource_event.go Outdated

func (e *DatasourceEvent) GetDirection() consts.NetworkDirection {
if e.Direction == "" && e.EventType == NetworkEventType {
if strings.EqualFold(e.GetPktType(), "OUTGOING") {
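
Review bot: In the `strings.EqualFold(e.GetPktType(), "OUTGOING")` check, every pktType other than OUTGOING is treated the same, so per the PR description (OUTGOING vs others) an empty or unrecognised pktType on a network event would be reported as inbound rather than left unset. Consider returning inbound only for the pktType values known to mean inbound and leaving the direction empty otherwise, or documenting the default on GetDirection() so rule authors know that a direction == 'inbound' condition also covers unknown packet types.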

Contributor Author

This is the block that actually fixes #840 in production (network events flow through DatasourceEvent), yet there's no test for it — the new test only covers StructEvent. Worth a DatasourceEvent.GetDirection() test that populates the egress field.

Nit: prefer the existing OutgoingPktType constant (events.go) over the "OUTGOING" string literal.

Comment thread pkg/utils/struct_event.go Outdated

func (e *StructEvent) GetDirection() consts.NetworkDirection {
if e.Direction == "" && e.EventType == NetworkEventType {
if strings.EqualFold(e.GetPktType(), "OUTGOING") {

Contributor Author

Nit: this block is duplicated verbatim in datasource_event.go; a shared helper (e.g. directionFromPktType(pktType)) would keep the two in sync. Also prefer the OutgoingPktType constant over the "OUTGOING" literal.

coderabbitai Bot left a comment

🧹 Nitpick comments (1)
pkg/utils/events_test.go (1)

27-35: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Add a mixed/lowercase pktType test case for the EqualFold contract.

Current cases validate mapping but not the case-insensitive requirement that GetDirection() implements. A lowercase (or mixed-case) outgoing case would prevent regressions.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/utils/events_test.go` around lines 27 - 35, Add a mixed/lowercase pktType
test to cover the case-insensitive behavior in GetDirection. Extend the existing
NetworkEventType cases in events_test.go by adding a StructEvent with pktType in
lowercase or mixed case (for example, outgoing) and assert it still maps to
consts.Outbound, so the EqualFold contract is explicitly verified and protected
from regressions.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: c9b599d3-bf50-467c-a565-aad303e799a4

📥 Commits

Reviewing files that changed from the base of the PR and between 80d87d1 and 3d350fc.

📒 Files selected for processing (3)
  • pkg/utils/datasource_event.go
  • pkg/utils/events_test.go
  • pkg/utils/struct_event.go
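
The fallback, the shared helper and the egress-based test discussed in the review comments above, as an added Go sketch that is not the project's code. `Event`, its `Egress` field, `directionFromPktType` and the `"network"` event-type value are assumptions standing in for `DatasourceEvent` and its `egress` datasource field.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed stand-ins for the project's types; NetworkEventType's value is assumed.
type NetworkDirection string
const (
	Inbound          NetworkDirection = "inbound"
	Outbound         NetworkDirection = "outbound"
	NetworkEventType                  = "network" // assumed value
	OutgoingPktType                   = "OUTGOING"
)

// Event models DatasourceEvent: pktType is OUTGOING when egress==1, else HOST.
type Event struct {
	EventType string
	Direction NetworkDirection
	Egress    uint8
}

func (e *Event) GetPktType() string {
	if e.Egress == 1 {
		return OutgoingPktType
	}
	return "HOST"
}

// directionFromPktType is the shared helper suggested in review (hypothetical).
func directionFromPktType(pktType string) NetworkDirection {
	if strings.EqualFold(pktType, OutgoingPktType) {
		return Outbound
	}
	return Inbound
}

// GetDirection keeps an explicit Direction; network events fall back to pktType.
func (e *Event) GetDirection() NetworkDirection {
	if e.Direction == "" && e.EventType == NetworkEventType {
		return directionFromPktType(e.GetPktType())
	}
	return e.Direction
}

func main() {
	fmt.Println((&Event{EventType: NetworkEventType, Egress: 1}).GetDirection())
}
```

A non-network event with an empty Direction stays empty here, so only network events gain an inferred direction.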

Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>
@matthyx matthyx force-pushed the fix/network-event-direction branch from 3d350fc to f1ffac6 Compare June 24, 2026 16:35
@github-actions

Performance Benchmark Results

Node-Agent Resource Usage

| Metric | BEFORE | AFTER | Delta |
|---|---|---|---|
| Avg CPU (cores) | 0.000 | 0.000 | N/A |
| Peak CPU (cores) | 0.000 | 0.000 | N/A |
| Avg Memory (MiB) | 0.000 | 0.000 | N/A |
| Peak Memory (MiB) | 0.000 | 0.000 | N/A |

Dedup Effectiveness

No data available.

@github-actions

Performance Benchmark Results

Node-Agent Resource Usage

| Metric | BEFORE | AFTER | Delta |
|---|---|---|---|
| Avg CPU (cores) | 0.235 | 0.236 | +0.7% |
| Peak CPU (cores) | 0.240 | 0.256 | +6.9% |
| Avg Memory (MiB) | 331.904 | 270.531 | -18.5% |
| Peak Memory (MiB) | 335.191 | 277.684 | -17.2% |

Dedup Effectiveness

No data available.

@matthyx matthyx added the release Create release label Jun 24, 2026
@matthyx matthyx merged commit 7db8f99 into main Jun 24, 2026
28 checks passed
@matthyx matthyx deleted the fix/network-event-direction branch June 24, 2026 19:13

Development

Successfully merging this pull request may close these issues.

bug: event.direction is empty for network events in CEL rules engine
