mirror of
https://github.com/daeuniverse/dae.git
synced 2025-01-26 15:40:28 +07:00
5f3249bcb3
Co-authored-by: Sumire (菫) <151038614+sumire88@users.noreply.github.com>
284 lines
7.0 KiB
Go
284 lines
7.0 KiB
Go
/*
|
|
* SPDX-License-Identifier: AGPL-3.0-only
|
|
* Copyright (c) 2022-2024, daeuniverse Organization <dae@v2raya.org>
|
|
*/
|
|
|
|
package trace
|
|
|
|
import (
|
|
"bytes"
|
|
"context"
|
|
"encoding/binary"
|
|
"errors"
|
|
"fmt"
|
|
"net"
|
|
"os"
|
|
"syscall"
|
|
"unsafe"
|
|
|
|
"github.com/cilium/ebpf"
|
|
"github.com/cilium/ebpf/btf"
|
|
"github.com/cilium/ebpf/link"
|
|
"github.com/cilium/ebpf/ringbuf"
|
|
"github.com/sirupsen/logrus"
|
|
)
|
|
|
|
//go:generate go run -mod=mod github.com/cilium/ebpf/cmd/bpf2go -cc "$BPF_CLANG" "$BPF_STRIP_FLAG" -cflags "$BPF_CFLAGS" -target "$BPF_TRACE_TARGET" -type event bpf kern/trace.c -- -I./headers
|
|
|
|
var nativeEndian binary.ByteOrder
|
|
|
|
func init() {
|
|
buf := [2]byte{}
|
|
*(*uint16)(unsafe.Pointer(&buf[0])) = uint16(0xABCD)
|
|
|
|
switch buf {
|
|
case [2]byte{0xCD, 0xAB}:
|
|
nativeEndian = binary.LittleEndian
|
|
case [2]byte{0xAB, 0xCD}:
|
|
nativeEndian = binary.BigEndian
|
|
default:
|
|
panic("Could not determine native endianness.")
|
|
}
|
|
}
|
|
|
|
func StartTrace(ctx context.Context, ipVersion int, l4ProtoNo uint16, port int, outputFile string) (err error) {
|
|
objs, err := rewriteAndLoadBpf(ipVersion, l4ProtoNo, port)
|
|
if err != nil {
|
|
return
|
|
}
|
|
defer objs.Close()
|
|
|
|
targets, kfreeSkbReasons, err := searchAvailableTargets()
|
|
if err != nil {
|
|
return
|
|
}
|
|
|
|
links, err := attachBpfToTargets(objs, targets)
|
|
if err != nil {
|
|
return
|
|
}
|
|
defer func() {
|
|
i := 0
|
|
fmt.Printf("\n")
|
|
for _, link := range links {
|
|
i++
|
|
fmt.Printf("detaching kprobes: %04d/%04d\r", i, len(links))
|
|
link.Close()
|
|
}
|
|
fmt.Printf("\n")
|
|
}()
|
|
|
|
fmt.Printf("\nstart tracing\n")
|
|
if err = handleEvents(ctx, objs, outputFile, kfreeSkbReasons); err != nil {
|
|
return
|
|
}
|
|
return
|
|
}
|
|
|
|
func rewriteAndLoadBpf(ipVersion int, l4ProtoNo uint16, port int) (_ *bpfObjects, err error) {
|
|
spec, err := loadBpf()
|
|
if err != nil {
|
|
return nil, fmt.Errorf("failed to load BPF: %+v\n", err)
|
|
}
|
|
if err := spec.RewriteConstants(map[string]interface{}{
|
|
"tracing_cfg": struct {
|
|
port uint16
|
|
l4Proto uint16
|
|
ipVersion uint8
|
|
pad uint8
|
|
}{
|
|
port: Htons(uint16(port)),
|
|
l4Proto: uint16(l4ProtoNo),
|
|
ipVersion: uint8(ipVersion),
|
|
pad: 0,
|
|
},
|
|
}); err != nil {
|
|
return nil, fmt.Errorf("failed to rewrite constants: %+v\n", err)
|
|
}
|
|
var opts ebpf.CollectionOptions
|
|
opts.Programs.LogLevel = ebpf.LogLevelInstruction
|
|
opts.Programs.LogSize = ebpf.DefaultVerifierLogSize * 100
|
|
objs := bpfObjects{}
|
|
if err := spec.LoadAndAssign(&objs, &opts); err != nil {
|
|
var (
|
|
ve *ebpf.VerifierError
|
|
verifierLog string
|
|
)
|
|
if errors.As(err, &ve) {
|
|
verifierLog = fmt.Sprintf("Verifier error: %+v\n", ve)
|
|
}
|
|
return nil, fmt.Errorf("failed to load BPF: %+v\n%s", err, verifierLog)
|
|
}
|
|
|
|
return &objs, nil
|
|
}
|
|
|
|
func searchAvailableTargets() (targets map[string]int, kfreeSkbReasons map[uint64]string, err error) {
|
|
targets = map[string]int{}
|
|
|
|
btfSpec, err := btf.LoadKernelSpec()
|
|
if err != nil {
|
|
return nil, nil, fmt.Errorf("failed to load kernel BTF: %+v\n", err)
|
|
}
|
|
|
|
if kfreeSkbReasons, err = getKFreeSKBReasons(btfSpec); err != nil {
|
|
return
|
|
}
|
|
|
|
iter := btfSpec.Iterate()
|
|
for iter.Next() {
|
|
typ := iter.Type
|
|
fn, ok := typ.(*btf.Func)
|
|
if !ok {
|
|
continue
|
|
}
|
|
|
|
fnName := string(fn.Name)
|
|
|
|
fnProto := fn.Type.(*btf.FuncProto)
|
|
i := 1
|
|
for _, p := range fnProto.Params {
|
|
if ptr, ok := p.Type.(*btf.Pointer); ok {
|
|
if strct, ok := ptr.Target.(*btf.Struct); ok {
|
|
if strct.Name == "sk_buff" && i <= 5 {
|
|
name := fnName
|
|
targets[name] = i
|
|
continue
|
|
}
|
|
}
|
|
}
|
|
i += 1
|
|
}
|
|
}
|
|
|
|
return targets, kfreeSkbReasons, nil
|
|
}
|
|
|
|
func getKFreeSKBReasons(spec *btf.Spec) (map[uint64]string, error) {
|
|
if _, err := spec.AnyTypeByName("kfree_skb_reason"); err != nil {
|
|
// Kernel is too old to have kfree_skb_reason
|
|
return nil, nil
|
|
}
|
|
|
|
var dropReasonsEnum *btf.Enum
|
|
if err := spec.TypeByName("skb_drop_reason", &dropReasonsEnum); err != nil {
|
|
return nil, fmt.Errorf("failed to find 'skb_drop_reason' enum: %v", err)
|
|
}
|
|
|
|
ret := map[uint64]string{}
|
|
for _, val := range dropReasonsEnum.Values {
|
|
ret[uint64(val.Value)] = val.Name
|
|
|
|
}
|
|
|
|
return ret, nil
|
|
}
|
|
|
|
func attachBpfToTargets(objs *bpfObjects, targets map[string]int) (links []link.Link, err error) {
|
|
kp, err := link.Kprobe("kfree_skbmem", objs.KprobeSkbLifetimeTermination, nil)
|
|
if err != nil {
|
|
logrus.Warnf("failed to attach kprobe to kfree_skbmem: %+v\n", err)
|
|
}
|
|
|
|
i := 0
|
|
for fn, pos := range targets {
|
|
i++
|
|
fmt.Printf("attaching kprobes: %04d/%04d\r", i, len(targets))
|
|
var kp link.Link
|
|
switch pos {
|
|
case 1:
|
|
kp, err = link.Kprobe(fn, objs.KprobeSkb1, nil)
|
|
case 2:
|
|
kp, err = link.Kprobe(fn, objs.KprobeSkb2, nil)
|
|
case 3:
|
|
kp, err = link.Kprobe(fn, objs.KprobeSkb3, nil)
|
|
case 4:
|
|
kp, err = link.Kprobe(fn, objs.KprobeSkb4, nil)
|
|
case 5:
|
|
kp, err = link.Kprobe(fn, objs.KprobeSkb5, nil)
|
|
}
|
|
if err != nil {
|
|
logrus.Debugf("failed to attach kprobe to %s: %+v\n", fn, err)
|
|
continue
|
|
}
|
|
links = append(links, kp)
|
|
}
|
|
if len(links) == 0 {
|
|
err = fmt.Errorf("failed to attach kprobes to any target")
|
|
}
|
|
links = append(links, kp)
|
|
return links, nil
|
|
}
|
|
|
|
func handleEvents(ctx context.Context, objs *bpfObjects, outputFile string, kfreeSkbReasons map[uint64]string) (err error) {
|
|
writer, err := os.Create(outputFile)
|
|
if err != nil {
|
|
return
|
|
}
|
|
|
|
eventsReader, err := ringbuf.NewReader(objs.Events)
|
|
if err != nil {
|
|
return fmt.Errorf("failed to create ringbuf reader: %+v\n", err)
|
|
}
|
|
defer eventsReader.Close()
|
|
|
|
go func() {
|
|
<-ctx.Done()
|
|
eventsReader.Close()
|
|
}()
|
|
|
|
type bpfEvent struct {
|
|
Pc uint64
|
|
Skb uint64
|
|
SecondParam uint64
|
|
Mark uint32
|
|
Netns uint32
|
|
Ifindex uint32
|
|
Pid uint32
|
|
Ifname [16]uint8
|
|
Pname [32]uint8
|
|
Saddr [16]byte
|
|
Daddr [16]byte
|
|
Sport uint16
|
|
Dport uint16
|
|
L3Proto uint16
|
|
L4Proto uint8
|
|
TcpFlags uint8
|
|
PayloadLen uint16
|
|
}
|
|
|
|
for {
|
|
rec, err := eventsReader.Read()
|
|
if err != nil {
|
|
if errors.Is(err, ringbuf.ErrClosed) {
|
|
return nil
|
|
}
|
|
logrus.Debugf("failed to read ringbuf: %+v", err)
|
|
continue
|
|
}
|
|
|
|
var event bpfEvent
|
|
if err = binary.Read(bytes.NewBuffer(rec.RawSample), nativeEndian, &event); err != nil {
|
|
logrus.Debugf("failed to parse ringbuf event: %+v", err)
|
|
continue
|
|
}
|
|
|
|
fmt.Fprintf(writer, "%x mark=%x netns=%010d if=%d(%s) proc=%d(%s) ", event.Skb, event.Mark, event.Netns, event.Ifindex, TrimNull(string(event.Ifname[:])), event.Pid, TrimNull(string(event.Pname[:])))
|
|
if event.L3Proto == syscall.ETH_P_IP {
|
|
fmt.Fprintf(writer, "%s:%d > %s:%d ", net.IP(event.Saddr[:4]).String(), Ntohs(event.Sport), net.IP(event.Daddr[:4]).String(), Ntohs(event.Dport))
|
|
} else {
|
|
fmt.Fprintf(writer, "[%s]:%d > [%s]:%d ", net.IP(event.Saddr[:]).String(), Ntohs(event.Sport), net.IP(event.Daddr[:]).String(), Ntohs(event.Dport))
|
|
}
|
|
if event.L4Proto == syscall.IPPROTO_TCP {
|
|
fmt.Fprintf(writer, "tcp_flags=%s ", TcpFlags(event.TcpFlags))
|
|
}
|
|
fmt.Fprintf(writer, "payload_len=%d ", event.PayloadLen)
|
|
sym := NearestSymbol(event.Pc)
|
|
fmt.Fprintf(writer, "%s", sym.Name)
|
|
if sym.Name == "kfree_skb_reason" {
|
|
fmt.Fprintf(writer, "(%s)", kfreeSkbReasons[event.SecondParam])
|
|
}
|
|
fmt.Fprintf(writer, "\n")
|
|
}
|
|
}
|