make container filter checks earlier
kenanfarukcakir committed May 27, 2024
1 parent 36a6783 commit c347e9a
Showing 5 changed files with 89 additions and 105 deletions.
Binary file modified ebpf/c/bpf_bpfeb.o
Binary file not shown.
Binary file modified ebpf/c/bpf_bpfel.o
Binary file not shown.
162 changes: 73 additions & 89 deletions ebpf/c/l7.c
Expand Up @@ -167,6 +167,16 @@ int process_enter_of_syscalls_write_sendto(void* ctx, __u64 fd, __u8 is_tls, cha
__u64 timestamp = bpf_ktime_get_ns();
unsigned char func_name[] = "process_enter_of_syscalls_write_sendto";
__u64 id = bpf_get_current_pid_tgid();
__u32 pid = id >> 32;

#ifdef FILTER_OUT_NON_CONTAINER
__u8 *val = bpf_map_lookup_elem(&container_pids, &pid);
if (!val)
{
return 0; // not a container process, ignore
}
#endif

__u32 tid = id & 0xFFFFFFFF;
__u32 seq = process_for_dist_trace_write(ctx,fd);

Expand Down Expand Up @@ -250,15 +260,6 @@ int process_enter_of_syscalls_write_sendto(void* ctx, __u64 fd, __u8 is_tls, cha
e->payload_read_complete = 1;
}

#ifdef FILTER_OUT_NON_CONTAINER
__u8 *val = bpf_map_lookup_elem(&container_pids, &(e->pid));
if (!val)
{
// unsigned char log_msg[] = "filter out l7 event -- pid|fd|psize";
// log_to_userspace(ctx, DEBUG, func_name, log_msg, e->pid, e->fd, 0);
return 0; // not a container process, ignore
}
#endif

long r = bpf_perf_event_output(ctx, &l7_events, BPF_F_CURRENT_CPU, e, sizeof(*e));
if (r < 0) {
Expand Down Expand Up @@ -306,8 +307,18 @@ int process_enter_of_syscalls_write_sendto(void* ctx, __u64 fd, __u8 is_tls, cha
static __always_inline
int process_enter_of_syscalls_read_recvfrom(void *ctx, struct read_enter_args * params) {
unsigned char func_name[] = "process_enter_of_syscalls_read_recvfrom";
// __u64 id = bpf_get_current_pid_tgid();

__u64 id = bpf_get_current_pid_tgid();
__u32 pid = id >> 32;
#ifdef FILTER_OUT_NON_CONTAINER
__u8 *val = bpf_map_lookup_elem(&container_pids, &pid);
if (!val)
{
// unsigned char func_name[] = "process_enter_of_syscalls_read_recvfrom";
// unsigned char log_msg[] = "filter out l7 event -- pid|fd|psize";
// log_to_userspace(ctx, DEBUG, func_name, log_msg, e->pid, e->fd, 0);
return 0; // not a container process, ignore
}
#endif
// struct socket_key k = {};
// k.pid = pid;
// k.fd = fd;
Expand Down Expand Up @@ -340,12 +351,21 @@ int process_enter_of_syscalls_read_recvfrom(void *ctx, struct read_enter_args *
return 0;
}


static __always_inline
int process_exit_of_syscalls_write_sendto(void* ctx, __s64 ret){
__u64 timestamp = bpf_ktime_get_ns();
__u64 id = bpf_get_current_pid_tgid();

__u32 pid = id >> 32;
#ifdef FILTER_OUT_NON_CONTAINER
__u8 *val = bpf_map_lookup_elem(&container_pids, &pid);
if (!val)
{
// unsigned char func_name[] = "process_exit_of_syscalls_write_sendto";
// unsigned char log_msg[] = "filter out l7 event -- pid|fd|psize";
// log_to_userspace(ctx, DEBUG, func_name, log_msg, e->pid, e->fd, 0);
return 0; // not a container process, ignore
}
#endif
// we only used this func for amqp, others will only be in active_l7_requests
// used active_writes for cases that only depends on writes, like amqp publish
// + postgres statement close, terminate
Expand Down Expand Up @@ -373,6 +393,7 @@ int process_exit_of_syscalls_write_sendto(void* ctx, __s64 ret){
struct l7_event *e = bpf_map_lookup_elem(&l7_event_heap, &zero);
if (!e) {
bpf_map_delete_elem(&active_writes, &id);
bpf_map_delete_elem(&active_l7_requests, &k);
return 0;
}

Expand Down Expand Up @@ -404,17 +425,6 @@ int process_exit_of_syscalls_write_sendto(void* ctx, __s64 ret){
e->seq = active_req->seq;
e->tid = active_req->tid;

#ifdef FILTER_OUT_NON_CONTAINER
__u8 *val = bpf_map_lookup_elem(&container_pids, &(e->pid));
if (!val)
{
// unsigned char func_name[] = "process_exit_of_syscalls_write_sendto";
// unsigned char log_msg[] = "filter out l7 event -- pid|fd|psize";
// log_to_userspace(ctx, DEBUG, func_name, log_msg, e->pid, e->fd, 0);
return 0; // not a container process, ignore
}
#endif

bpf_perf_event_output(ctx, &l7_events, BPF_F_CURRENT_CPU, e, sizeof(*e));
}else{
// write failed
Expand All @@ -428,6 +438,17 @@ static __always_inline
int process_exit_of_syscalls_read_recvfrom(void* ctx, __u64 id, __u32 pid, __s64 ret, __u8 is_tls) {
__u64 timestamp = bpf_ktime_get_ns();
unsigned char func_name[] = "process_exit_of_syscalls_read_recvfrom";
#ifdef FILTER_OUT_NON_CONTAINER
__u8 *val = bpf_map_lookup_elem(&container_pids, &pid);
if (!val)
{
// unsigned char log_msg[] = "filter out l7 event -- pid|fd|psize";
// log_to_userspace(ctx, DEBUG, func_name, log_msg, e->pid, e->fd, 0);
bpf_map_delete_elem(&active_reads, &id);
return 0; // not a container process, ignore
}
#endif

if (ret < 0) { // read failed
// -ERRNO
// __u64 id = bpf_get_current_pid_tgid();
Expand Down Expand Up @@ -459,8 +480,6 @@ int process_exit_of_syscalls_read_recvfrom(void* ctx, __u64 id, __u32 pid, __s64
}




// __u64 id = bpf_get_current_pid_tgid();
struct read_args *read_info = bpf_map_lookup_elem(&active_reads, &id);
if (!read_info) {
Expand All @@ -476,6 +495,7 @@ int process_exit_of_syscalls_read_recvfrom(void* ctx, __u64 id, __u32 pid, __s64
int zero = 0;
struct l7_event *e = bpf_map_lookup_elem(&l7_event_heap, &zero);
if (!e) {
bpf_map_delete_elem(&active_l7_requests, &k);
bpf_map_delete_elem(&active_reads, &id);
return 0;
}
Expand Down Expand Up @@ -507,16 +527,6 @@ int process_exit_of_syscalls_read_recvfrom(void* ctx, __u64 id, __u32 pid, __s64

bpf_map_delete_elem(&active_reads, &id);

#ifdef FILTER_OUT_NON_CONTAINER
__u8 *val = bpf_map_lookup_elem(&container_pids, &(e->pid));
if (!val)
{
// unsigned char log_msg[] = "filter out l7 event -- pid|fd|psize";
// log_to_userspace(ctx, DEBUG, func_name, log_msg, e->pid, e->fd, 0);
return 0; // not a container process, ignore
}
#endif

bpf_perf_event_output(ctx, &l7_events, BPF_F_CURRENT_CPU, e, sizeof(*e));
return 0;
}
Expand Down Expand Up @@ -544,23 +554,12 @@ int process_exit_of_syscalls_read_recvfrom(void* ctx, __u64 id, __u32 pid, __s64
e->payload_read_complete = 1;
}

#ifdef FILTER_OUT_NON_CONTAINER
__u8 *val = bpf_map_lookup_elem(&container_pids, &(e->pid));
if (!val)
{
// unsigned char log_msg[] = "filter out l7 event -- pid|fd|psize";
// log_to_userspace(ctx, DEBUG, func_name, log_msg, e->pid, e->fd, 0);

return 0; // not a container process, ignore
}
#endif

long r = bpf_perf_event_output(ctx, &l7_events, BPF_F_CURRENT_CPU, e, sizeof(*e));
if (r < 0) {
unsigned char log_msg[] = "failed write to l7_events h2 -- res|fd|psize";
log_to_userspace(ctx, WARN, func_name, log_msg, r, e->fd, e->payload_size);
}
bpf_map_delete_elem(&go_active_reads, &k);
bpf_map_delete_elem(&active_reads, &id);
return 0;
}

Expand Down Expand Up @@ -600,6 +599,7 @@ int process_exit_of_syscalls_read_recvfrom(void* ctx, __u64 id, __u32 pid, __s64

if (r < 0) {
bpf_map_delete_elem(&active_reads, &id);
bpf_map_delete_elem(&active_l7_requests, &k); // TODO: check this line, should we delete the request here?
return 0;
}

Expand Down Expand Up @@ -635,15 +635,6 @@ int process_exit_of_syscalls_read_recvfrom(void* ctx, __u64 id, __u32 pid, __s64
bpf_map_delete_elem(&active_reads, &id);
bpf_map_delete_elem(&active_l7_requests, &k);

#ifdef FILTER_OUT_NON_CONTAINER
__u8 *val = bpf_map_lookup_elem(&container_pids, &(e->pid));
if (!val)
{
// unsigned char log_msg[] = "filter out l7 event -- pid|fd|psize";
// log_to_userspace(ctx, DEBUG, func_name, log_msg, e->pid, e->fd, 0);
return 0; // not a container process, ignore
}
#endif

long r = bpf_perf_event_output(ctx, &l7_events, BPF_F_CURRENT_CPU, e, sizeof(*e));
if (r < 0) {
Expand Down Expand Up @@ -980,6 +971,17 @@ int process_enter_of_go_conn_write(void *ctx, __u32 pid, __u32 fd, char *buf_ptr
__u64 timestamp = bpf_ktime_get_ns();
unsigned char func_name[] = "process_enter_of_go_conn_write";
// parse and write to go_active_l7_req map
#ifdef FILTER_OUT_NON_CONTAINER
__u8 *val = bpf_map_lookup_elem(&container_pids, &pid);
if (!val)
{
// unsigned char log_msg[] = "filter out l7 event -- pid|fd|psize";
// log_to_userspace(ctx, DEBUG, func_name, log_msg, e->pid, e->fd, 0);

return 0; // not a container process, ignore
}
#endif

struct go_req_key k = {};
k.pid = pid;
k.fd = fd;
Expand Down Expand Up @@ -1032,16 +1034,6 @@ int process_enter_of_go_conn_write(void *ctx, __u32 pid, __u32 fd, char *buf_ptr
e->payload_read_complete = 1;
}

#ifdef FILTER_OUT_NON_CONTAINER
__u8 *val = bpf_map_lookup_elem(&container_pids, &(e->pid));
if (!val)
{
// unsigned char log_msg[] = "filter out l7 event -- pid|fd|psize";
// log_to_userspace(ctx, DEBUG, func_name, log_msg, e->pid, e->fd, 0);

return 0; // not a container process, ignore
}
#endif
long r = bpf_perf_event_output(ctx, &l7_events, BPF_F_CURRENT_CPU, e, sizeof(*e));
if (r < 0) {
unsigned char log_msg[] = "failed write to l7_events -- res|fd|psize";
Expand Down Expand Up @@ -1165,6 +1157,20 @@ int BPF_UPROBE(go_tls_conn_read_exit) {
unsigned char func_name[] = "go_tls_conn_read_exit";
// can't access to register we've access on read_enter here,
// registers are changed.
__u64 id = bpf_get_current_pid_tgid();
__u32 pid = id >> 32;

#ifdef FILTER_OUT_NON_CONTAINER
__u8 *val = bpf_map_lookup_elem(&container_pids, &pid);
if (!val)
{
// unsigned char log_msg[] = "filter out l7 event -- pid|fd|psize";
// log_to_userspace(ctx, DEBUG, func_name, log_msg, e->pid, e->fd, 0);

return 0; // not a container process, ignore
}
#endif

long int ret = GO_PARAM1(ctx);

struct go_read_key k = {};
Expand Down Expand Up @@ -1206,17 +1212,6 @@ int BPF_UPROBE(go_tls_conn_read_exit) {
e->payload_size = ret;
e->payload_read_complete = 1;
}

#ifdef FILTER_OUT_NON_CONTAINER
__u8 *val = bpf_map_lookup_elem(&container_pids, &(e->pid));
if (!val)
{
// unsigned char log_msg[] = "filter out l7 event -- pid|fd|psize";
// log_to_userspace(ctx, DEBUG, func_name, log_msg, e->pid, e->fd, 0);

return 0; // not a container process, ignore
}
#endif

long r = bpf_perf_event_output(ctx, &l7_events, BPF_F_CURRENT_CPU, e, sizeof(*e));
if (r < 0) {
Expand Down Expand Up @@ -1309,17 +1304,6 @@ int BPF_UPROBE(go_tls_conn_read_exit) {
bpf_map_delete_elem(&go_active_reads, &k);
bpf_map_delete_elem(&go_active_l7_requests, &req_k);

#ifdef FILTER_OUT_NON_CONTAINER
__u8 *val = bpf_map_lookup_elem(&container_pids, &(e->pid));
if (!val)
{
// unsigned char log_msg[] = "filter out l7 event -- pid|fd|psize";
// log_to_userspace(ctx, DEBUG, func_name, log_msg, e->pid, e->fd, 0);

return 0; // not a container process, ignore
}
#endif

long r = bpf_perf_event_output(ctx, &l7_events, BPF_F_CURRENT_CPU, e, sizeof(*e));
if (r < 0) {
unsigned char log_msg[] = "write failed to l7_events -- r|fd|method";
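Review bot: The entry-point filter added to process_exit_of_syscalls_write_sendto (the `#ifdef FILTER_OUT_NON_CONTAINER` block right after `__u32 pid = id >> 32;`) returns without removing the `active_writes` entry for `id`, whereas the parallel block added to process_exit_of_syscalls_read_recvfrom deletes `active_reads` before returning, and go_tls_conn_read_exit now returns before the `go_active_reads` delete that the removed block used to sit behind. With the enter-side filters in place the only way a non-container pid should reach these exit paths appears to be a pid leaving `container_pids` between enter and exit, but when that happens the stale entry lingers in the map until its key is reused, so the write path should mirror the read path with `bpf_map_delete_elem(&active_writes, &id);` before `return 0;` (the go path would need its key, which is only built later in the function). The same `#ifdef` block is now repeated at seven call sites together with commented-out `log_to_userspace(... e->pid, e->fd ...)` lines that reference an `e` that does not exist at function entry; a `static __always_inline` helper such as `is_container_pid(__u32 pid)` wrapping the `bpf_map_lookup_elem(&container_pids, &pid)` lookup would let the dead comments go and keep the check identical everywhere. All of these functions start or end outside the visible hunks.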
5 changes: 1 addition & 4 deletions ebpf/c/tcp.c
Expand Up @@ -2,7 +2,7 @@
SEC("tracepoint/sock/inet_sock_set_state")
int inet_sock_set_state(void *ctx)
{
unsigned char func_name[] = "inet_sock_set_state";
// unsigned char func_name[] = "inet_sock_set_state";
__u64 timestamp = bpf_ktime_get_ns();
struct trace_event_raw_inet_sock_set_state args = {};
if (bpf_core_read(&args, sizeof(args), ctx) < 0)
Expand Down Expand Up @@ -130,9 +130,6 @@ int inet_sock_set_state(void *ctx)
__u8 *val = bpf_map_lookup_elem(&container_pids, &e.pid);
if (!val)
{
unsigned char log_msg[] = "tcp connect event for plain second -- pid|fd|psize";
log_to_userspace(ctx, DEBUG, func_name, log_msg, pid, 0, 0);

return 0; // not a container process, ignore
}

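Review bot: The `unsigned char func_name[] = "inet_sock_set_state";` line in inet_sock_set_state is kept as a commented-out declaration rather than removed; since the only visible use (the debug `log_to_userspace` call in the second hunk) is deleted in the same commit, dropping the line outright keeps the function free of dead text. If `func_name` is still referenced elsewhere in the body, which lies outside the hunks, the declaration has to come back as real code rather than a comment.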
27 changes: 15 additions & 12 deletions ebpf/headers/log.h
Expand Up @@ -38,11 +38,25 @@ struct {
__uint(max_entries, 1);
} log_heap SEC(".maps");

// use while development
// struct log_message l = {};
// l.level = DEBUG;
// BPF_SNPRINTF(l.payload, sizeof(l.payload),"process_enter_of_syscalls_write_sendto %d %s\n", 1, "cakir");
// log_to_trace_pipe(l.payload, sizeof(l.payload));
static __always_inline
void log_to_trace_pipe(char *msg, __u32 size) {
long res = bpf_trace_printk(msg, size);
if(res < 0){
bpf_printk("bpf_trace_printk failed %d\n", res);
}
}

static __always_inline
void log_to_userspace(void *ctx, __u32 level, unsigned char *func_name, unsigned char * log_msg, __u64 arg1, __u64 arg2, __u64 arg3){
int zero = 0;
struct log_message *l = bpf_map_lookup_elem(&log_heap, &zero);
if (!l) {
bpf_printk("log_to_userspace failed, %s %s\n",func_name, log_msg);
return;
}

Expand All @@ -57,15 +71,4 @@ void log_to_userspace(void *ctx, __u32 level, unsigned char *func_name, unsigned
bpf_perf_event_output(ctx, &log_map, BPF_F_CURRENT_CPU, l, sizeof(*l));
}

// use while development
// struct log_message l = {};
// l.level = DEBUG;
// BPF_SNPRINTF(l.payload, sizeof(l.payload),"process_enter_of_syscalls_write_sendto %d %s\n", 1, "cakir");
// log_to_trace_pipe(l.payload, sizeof(l.payload));
static __always_inline
void log_to_trace_pipe(const char *msg, __u32 size) {
long res = bpf_trace_printk(msg, size);
if(res < 0){
bpf_printk("bpf_trace_printk failed %d\n", res);
}
}
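Review bot: The moved log_to_trace_pipe drops the `const` qualifier on its first parameter (`char *msg` where the removed definition had `const char *msg`), even though the body only forwards `msg` to bpf_trace_printk; restore `void log_to_trace_pipe(const char *msg, __u32 size)` so callers passing string literals or const buffers keep compiling without a cast. Separately, `res` is declared `long` but printed with `%d` in `bpf_printk("bpf_trace_printk failed %d\n", res);`; `%ld` matches the type. log_to_trace_pipe is complete within the hunk, while log_to_userspace continues outside it.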
