✨ Add IPv6 support to TCP kprobes #13
Open
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
… capture still only works for ipv4 addresses, but these changes enable capturing packets from mysql, because mysql uses an ipv6 socket to accept connections, which are then sent to openssl functions that ultimately write to ipv4 addresses.
mertyildiran
requested changes
Jan 3, 2024
bpf/common.c
Outdated
| if (flags == NULL) { | ||
| return 0; | ||
| if (flags != NULL) { | ||
| chunk->flags |= (*flags & FLAGS_IS_CLIENT_BIT); |
There was a problem hiding this comment.
What happens if flags is NULL?
bpf/common.c
Outdated
| @@ -103,7 +101,7 @@ static __always_inline void output_ssl_chunk(struct pt_regs *ctx, struct ssl_inf | |||
| if (!add_address_to_chunk(ctx, chunk, id, chunk->fd, info)) { | |||
| // Without an address, we drop the chunk because there is not much to do with it in Go | |||
| // | |||
| return; | |||
| //return; | |||
There was a problem hiding this comment.
What the reason of commenting out this return statement?
There was a problem hiding this comment.
Will revert. No longer necessary to comment this out.
bpf/fd_to_address_tracepoints.c
Outdated
| @@ -13,7 +13,7 @@ Copyright (C) Kubeshark | |||
| #define IPV4_ADDR_LEN (16) | |||
|
|
|||
| struct accept_info { | |||
| __u32* addrlen; | |||
| __u32* addrlen; | |||
There was a problem hiding this comment.
Don't change the indentation.
packet_sorter.go
Outdated
| err = writer.WriteFileHeader(uint32(misc.Snaplen), layers.LinkTypeEthernet) | ||
| if err != nil { | ||
| log.Error().Err(err).Msg("While writing the PCAP header:") | ||
| } | ||
| // Do not write PCAP header. This is a named pipe, and a worker | ||
| // might be waiting to read from it already |
| @@ -70,6 +70,7 @@ void sys_enter_read(struct sys_enter_read_write_ctx *ctx) { | |||
|
|
|||
| if (infoPtr != NULL) { | |||
| fd_tracepoints_handle_openssl(ctx, id, infoPtr, &openssl_read_context, ORIGIN_SYS_ENTER_READ_CODE); | |||
| return; | |||
| @@ -87,6 +88,7 @@ void sys_enter_write(struct sys_enter_read_write_ctx *ctx) { | |||
|
|
|||
| if (infoPtr != NULL) { | |||
| fd_tracepoints_handle_openssl(ctx, id, infoPtr, &openssl_write_context, ORIGIN_SYS_ENTER_WRITE_CODE); | |||
| return; | |||
bpf/tcp_kprobes.c
Outdated
Comment on lines
14
to
29
| struct sock_common scommon; | ||
| err=bpf_probe_read(&scommon,sizeof(scommon),&sk->__sk_common); | ||
| if (err!=0) { | ||
| log_error(ctx, LOG_ERROR_READING_SOCKET_INFO, id, err, 0l); | ||
| return -1; | ||
| } | ||
| // Do not capture anything but inet and inet6. Inet4 traffic can | ||
| // also appear as inet6 here. | ||
| if(scommon.skc_family!=AF_INET && scommon.skc_family!=AF_INET6) { | ||
| return -1; | ||
| } | ||
| // ipv4 addresses are populated even if skc_family=AF_INET6 | ||
| // | ||
| // daddr, saddr and dport are in network byte order (big endian) | ||
| // sport is in host byte order | ||
| __be32 saddr; | ||
| __be32 daddr; | ||
| __be16 dport; | ||
| __u16 sport; | ||
|
|
||
| err = bpf_probe_read(&saddr, sizeof(saddr), (void *)&sk->__sk_common.skc_rcv_saddr); | ||
| if (err != 0) { | ||
| log_error(ctx, LOG_ERROR_READING_SOCKET_SADDR, id, err, 0l); | ||
| return -1; | ||
| } | ||
| err = bpf_probe_read(&daddr, sizeof(daddr), (void *)&sk->__sk_common.skc_daddr); | ||
| if (err != 0) { | ||
| log_error(ctx, LOG_ERROR_READING_SOCKET_DADDR, id, err, 0l); | ||
| return -1; | ||
| } | ||
| err = bpf_probe_read(&dport, sizeof(dport), (void *)&sk->__sk_common.skc_dport); | ||
| if (err != 0) { | ||
| log_error(ctx, LOG_ERROR_READING_SOCKET_DPORT, id, err, 0l); | ||
| return -1; | ||
| } | ||
| err = bpf_probe_read(&sport, sizeof(sport), (void *)&sk->__sk_common.skc_num); | ||
| if (err != 0) { | ||
| log_error(ctx, LOG_ERROR_READING_SOCKET_SPORT, id, err, 0l); | ||
| return -1; | ||
| } | ||
|
|
||
| address_info_ptr->daddr = daddr; | ||
| address_info_ptr->saddr = saddr; | ||
| address_info_ptr->dport = dport; | ||
| address_info_ptr->sport = bpf_htons(sport); | ||
| address_info_ptr->daddr = scommon.skc_daddr; |
There was a problem hiding this comment.
Indentation?
https://github.com/MaJerle/c-code-style?tab=readme-ov-file#general-rules ?
Explain how it adds IPv6 support?
|
Don't use forks. Push branches to https://github.com/kubeshark/tracer |
I do not have push access to this repository |
These changes are insufficient for IPv6 support. It only makes the existing code more forgiving by handling the case where the socket is created for IPv6 but the underlying traffic is still IPv4. This needs more work to capture IPv6 traffic. I agree that it is no longer MySQL specific, but it is not to add IPv6 support either. |
mertyildiran
requested review from
iluxa and
mertyildiran
and removed request for
mertyildiran
iluxa
requested changes
Feb 7, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Mysql uses an ipv6 socket to accept connections. Because of this, the ebpf code completely ignored data captured from MySQL. This PR changes the ebpf logic to accept both ipv4 and ipv6 sockets, but captures only ipv4 addresses from them.