feature(network): add packet metadata argument
Add new `metadata` argument to all packet events. This metadata struct
duplicates the previous src, dst and port arguments in a single
struct and adds a new `direction` field.
The direction is an enum describing whether the packet was ingress (1) or
egress (2).
NDStrahilevitz committed Nov 23, 2023
1 parent 18b4663 commit 5345cf9
Showing 12 changed files with 95 additions and 37 deletions.
2 changes: 2 additions & 0 deletions pkg/ebpf/c/common/network.h
Expand Up @@ -157,6 +157,8 @@ struct {
#define family_ipv6 (1 << 1)
#define proto_http_req (1 << 2)
#define proto_http_resp (1 << 3)
#define packet_ingress (1 << 4)
#define packet_egress (1 << 5)

// payload size: full packets, only headers
#define FULL 65536 // 1 << 16
7 changes: 7 additions & 0 deletions pkg/ebpf/c/tracee.bpf.c
Expand Up @@ -5335,12 +5335,15 @@ int BPF_KPROBE(cgroup_bpf_run_filter_skb)
if (!sk || !skb)
return 0;

s64 packet_dir_flag; // used later to set packet direction flag
switch (type) {
case BPF_CGROUP_INET_INGRESS:
cgrpctxmap = &cgrpctxmap_in;
packet_dir_flag = packet_ingress;
break;
case BPF_CGROUP_INET_EGRESS:
cgrpctxmap = &cgrpctxmap_eg;
packet_dir_flag = packet_egress;
break;
default:
return 0; // other attachment type, return fast
Expand Down Expand Up @@ -5469,6 +5472,10 @@ int BPF_KPROBE(cgroup_bpf_run_filter_skb)
default:
return 1;
}

// ... and packet direction(ingress/egress) ...
eventctx->retval |= packet_dir_flag; // set to packet_ingress/egress beforehand

// ... through event ctx ret val

// read IP/IPv6 headers
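Review bot: `packet_dir_flag` is declared without an initializer in the first hunk, and ORing it into `eventctx->retval` in the second hunk is only safe because every `switch (type)` arm shown either assigns it or returns. Declaring it as `s64 packet_dir_flag = 0;` keeps that true if another attach type is later handled without returning, and leaves the direction bits clear rather than undefined in that case. The body of cgroup_bpf_run_filter_skb starts and ends outside both hunks, so the code between them was not checked.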
70 changes: 39 additions & 31 deletions pkg/events/core.go
Expand Up @@ -11300,33 +11300,35 @@ var CoreEvents = map[ID]Definition{
id: NetPacketIPv4,
id32Bit: Sys32Undefined,
name: "net_packet_ipv4",
version: NewVersion(1, 0, 0),
version: NewVersion(1, 1, 0),
dependencies: Dependencies{
ids: []ID{
NetPacketIPBase,
},
},
sets: []string{"network_events"},
params: []trace.ArgMeta{
{Type: "const char*", Name: "src"}, // TODO: remove after filter supports ProtoIPv4
{Type: "const char*", Name: "dst"}, // TODO: remove after filter supports ProtoIPv4
{Type: "const char*", Name: "src"}, // TODO: pack and remove into trace.PacketMetadata after it supports filtering
{Type: "const char*", Name: "dst"}, // TODO: pack and remove into trace.PacketMetadata after it supports filtering
{Type: "trace.PacketMetadata", Name: "metadata"},
{Type: "trace.ProtoIPv4", Name: "proto_ipv4"},
},
},
NetPacketIPv6: {
id: NetPacketIPv6,
id32Bit: Sys32Undefined,
name: "net_packet_ipv6",
version: NewVersion(1, 0, 0),
version: NewVersion(1, 1, 0),
dependencies: Dependencies{
ids: []ID{
NetPacketIPBase,
},
},
sets: []string{"network_events"},
params: []trace.ArgMeta{
{Type: "const char*", Name: "src"}, // TODO: remove after filter supports ProtoIPv6
{Type: "const char*", Name: "dst"}, // TODO: remove after filter supports ProtoIPv6
{Type: "const char*", Name: "src"}, // TODO: pack and remove into trace.PacketMetadata after it supports filtering
{Type: "const char*", Name: "dst"}, // TODO: pack and remove into trace.PacketMetadata after it supports filtering
{Type: "trace.PacketMetadata", Name: "metadata"},
{Type: "trace.ProtoIPv6", Name: "proto_ipv6"},
},
},
Expand All @@ -11350,18 +11352,19 @@ var CoreEvents = map[ID]Definition{
id: NetPacketTCP,
id32Bit: Sys32Undefined,
name: "net_packet_tcp",
version: NewVersion(1, 0, 0),
version: NewVersion(1, 1, 0),
dependencies: Dependencies{
ids: []ID{
NetPacketTCPBase,
},
},
sets: []string{"network_events"},
params: []trace.ArgMeta{
{Type: "const char*", Name: "src"},
{Type: "const char*", Name: "dst"},
{Type: "u16", Name: "src_port"}, // TODO: remove after filter supports ProtoTCP
{Type: "u16", Name: "dst_port"}, // TODO: remove after filter supports ProtoTCP
{Type: "const char*", Name: "src"}, // TODO: pack and remove into trace.PacketMetadata after it supports filtering
{Type: "const char*", Name: "dst"}, // TODO: pack and remove into trace.PacketMetadata after it supports filtering
{Type: "u16", Name: "src_port"}, // TODO: pack and remove into trace.PacketMetadata after it supports filtering
{Type: "u16", Name: "dst_port"}, // TODO: pack and remove into trace.PacketMetadata after it supports filtering
{Type: "trace.PacketMetadata", Name: "metadata"},
{Type: "trace.ProtoTCP", Name: "proto_tcp"},
},
},
Expand All @@ -11385,18 +11388,19 @@ var CoreEvents = map[ID]Definition{
id: NetPacketUDP,
id32Bit: Sys32Undefined,
name: "net_packet_udp",
version: NewVersion(1, 0, 0),
version: NewVersion(1, 1, 0),
dependencies: Dependencies{
ids: []ID{
NetPacketUDPBase,
},
},
sets: []string{"network_events"},
params: []trace.ArgMeta{
{Type: "const char*", Name: "src"},
{Type: "const char*", Name: "dst"},
{Type: "u16", Name: "src_port"}, // TODO: remove after filter supports ProtoUDP
{Type: "u16", Name: "dst_port"}, // TODO: remove after filter supports ProtoUDP
{Type: "const char*", Name: "src"}, // TODO: pack and remove into trace.PacketMetadata after it supports filtering
{Type: "const char*", Name: "dst"}, // TODO: pack and remove into trace.PacketMetadata after it supports filtering
{Type: "u16", Name: "src_port"}, // TODO: pack and remove into trace.PacketMetadata after it supports filtering
{Type: "u16", Name: "dst_port"}, // TODO: pack and remove into trace.PacketMetadata after it supports filtering
{Type: "trace.PacketMetadata", Name: "metadata"},
{Type: "trace.ProtoUDP", Name: "proto_udp"},
},
},
Expand All @@ -11420,16 +11424,17 @@ var CoreEvents = map[ID]Definition{
id: NetPacketICMP,
id32Bit: Sys32Undefined,
name: "net_packet_icmp",
version: NewVersion(1, 0, 0),
version: NewVersion(1, 1, 0),
dependencies: Dependencies{
ids: []ID{
NetPacketICMPBase,
},
},
sets: []string{"default", "network_events"},
params: []trace.ArgMeta{
{Type: "const char*", Name: "src"},
{Type: "const char*", Name: "dst"},
{Type: "const char*", Name: "src"}, // TODO: pack and remove into trace.PacketMetadata after it supports filtering
{Type: "const char*", Name: "dst"}, // TODO: pack and remove into trace.PacketMetadata after it supports filtering
{Type: "trace.PacketMetadata", Name: "metadata"},
{Type: "trace.ProtoICMP", Name: "proto_icmp"},
},
},
Expand All @@ -11453,16 +11458,17 @@ var CoreEvents = map[ID]Definition{
id: NetPacketICMPv6,
id32Bit: Sys32Undefined,
name: "net_packet_icmpv6",
version: NewVersion(1, 0, 0),
version: NewVersion(1, 1, 0),
dependencies: Dependencies{
ids: []ID{
NetPacketICMPv6Base,
},
},
sets: []string{"default", "network_events"},
params: []trace.ArgMeta{
{Type: "const char*", Name: "src"},
{Type: "const char*", Name: "dst"},
{Type: "const char*", Name: "src"}, // TODO: pack and remove into trace.PacketMetadata after it supports filtering
{Type: "const char*", Name: "dst"}, // TODO: pack and remove into trace.PacketMetadata after it supports filtering
{Type: "trace.PacketMetadata", Name: "metadata"},
{Type: "trace.ProtoICMPv6", Name: "proto_icmpv6"},
},
},
Expand All @@ -11486,18 +11492,19 @@ var CoreEvents = map[ID]Definition{
id: NetPacketDNS,
id32Bit: Sys32Undefined,
name: "net_packet_dns", // preferred event to write signatures
version: NewVersion(1, 0, 0),
version: NewVersion(1, 1, 0),
dependencies: Dependencies{
ids: []ID{
NetPacketDNSBase,
},
},
sets: []string{"network_events"},
params: []trace.ArgMeta{
{Type: "const char*", Name: "src"},
{Type: "const char*", Name: "dst"},
{Type: "u16", Name: "src_port"},
{Type: "u16", Name: "dst_port"},
{Type: "const char*", Name: "src"}, // TODO: pack and remove into trace.PacketMetadata after it supports filtering
{Type: "const char*", Name: "dst"}, // TODO: pack and remove into trace.PacketMetadata after it supports filtering
{Type: "u16", Name: "src_port"}, // TODO: pack and remove into trace.PacketMetadata after it supports filtering
{Type: "u16", Name: "dst_port"}, // TODO: pack and remove into trace.PacketMetadata after it supports filtering
{Type: "trace.PacketMetadata", Name: "metadata"},
{Type: "trace.ProtoDNS", Name: "proto_dns"},
},
},
Expand Down Expand Up @@ -11561,10 +11568,11 @@ var CoreEvents = map[ID]Definition{
},
sets: []string{"network_events"},
params: []trace.ArgMeta{
{Type: "const char*", Name: "src"},
{Type: "const char*", Name: "dst"},
{Type: "u16", Name: "src_port"},
{Type: "u16", Name: "dst_port"},
{Type: "const char*", Name: "src"}, // TODO: pack and remove into trace.PacketMetadata after it supports filtering
{Type: "const char*", Name: "dst"}, // TODO: pack and remove into trace.PacketMetadata after it supports filtering
{Type: "u16", Name: "src_port"}, // TODO: pack and remove into trace.PacketMetadata after it supports filtering
{Type: "u16", Name: "dst_port"}, // TODO: pack and remove into trace.PacketMetadata after it supports filtering
{Type: "trace.PacketMetadata", Name: "metadata"},
{Type: "trace.ProtoHTTP", Name: "proto_http"},
},
},
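Review bot: The last hunk adds `metadata` to the event that carries `proto_http`, but no `version:` line changes there, unlike the seven events above it. The section's 39 additions and 31 deletions are fully accounted for by seven version bumps plus the eight parameter lists. That event's definition header is outside the hunk, so its current version is not visible, but it should get the same minor bump so consumers can tell its argument list changed. Separately, `metadata` is inserted before each `proto_*` entry rather than appended, which shifts the position of the protocol argument; anything that reads arguments by index rather than by name, such as detection signatures, should be checked.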
5 changes: 5 additions & 0 deletions pkg/events/derive/net_packet_dns.go
Expand Up @@ -33,11 +33,16 @@ func deriveDNSEvents(event trace.Event) ([]interface{}, error) {
return nil, parsePacketError()
}

md := trace.PacketMetadata{
Direction: getPacketDirection(&event),
}

return []interface{}{
net.srcIP,
net.dstIP,
net.srcPort,
net.dstPort,
md,
dns,
}, nil
}
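Review bot: `md` is built with only `Direction` set, while the commit description says the metadata struct duplicates the src, dst and port arguments. `trace.PacketMetadata` is not defined in this diff, so this is inferred: if it has address and port fields, they are emitted zero-valued here, and a rule matching on `metadata` instead of the separate arguments would see empty endpoints. Either fill them from `net.srcIP`, `net.dstIP`, `net.srcPort` and `net.dstPort` in the same literal, or add `// only Direction is populated for now` above it. The same literal appears in net_packet_http.go, net_packet_icmp.go, net_packet_icmpv6.go, net_packet_ipv4.go, net_packet_ipv6.go, net_packet_tcp.go and net_packet_udp.go.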
12 changes: 12 additions & 0 deletions pkg/events/derive/net_packet_helpers.go
Expand Up @@ -25,6 +25,8 @@ const (
familyIpv6
protoHttpRequest
protoHttpResponse
packetIngress
packetEgress
)

func boolToUint8(b bool) uint8 {
Expand Down Expand Up @@ -175,3 +177,13 @@ func parseUntilLayer7(event *trace.Event, pair *netPair) (gopacket.ApplicationLa

return layer7, nil
}

func getPacketDirection(event *trace.Event) trace.PacketDirection {
if event.ReturnValue&packetIngress == packetIngress {
return trace.PacketIngress
}
if event.ReturnValue&packetEgress == packetEgress {
return trace.PacketEgress
}
return trace.InvalidPacketDirection
}
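Review bot: `getPacketDirection` has no doc comment and silently falls through to `trace.InvalidPacketDirection` when neither bit is set, and none of the derive functions in this commit treat that value as an error. A comment such as `// getPacketDirection decodes the ingress/egress bit the eBPF program ORs into the event return value; it returns trace.InvalidPacketDirection when neither bit is set.` would record the contract, and consumers filtering on direction should expect the invalid value. The `const (` block that gains `packetIngress` and `packetEgress` starts outside the first hunk, so it could not be confirmed that they evaluate to the same bits as `packet_ingress (1 << 4)` and `packet_egress (1 << 5)` in network.h. A short comment there naming the C header would help keep the two in step.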
5 changes: 5 additions & 0 deletions pkg/events/derive/net_packet_http.go
Expand Up @@ -37,11 +37,16 @@ func deriveHTTPEvents(event trace.Event) ([]interface{}, error) {
return nil, parsePacketError()
}

md := trace.PacketMetadata{
Direction: getPacketDirection(&event),
}

return []interface{}{
net.srcIP,
net.dstIP,
net.srcPort,
net.dstPort,
md,
h,
}, nil
}
4 changes: 4 additions & 0 deletions pkg/events/derive/net_packet_icmp.go
Expand Up @@ -60,12 +60,16 @@ func deriveNetPacketICMPArgs() deriveArgsFunction {
var icmp trace.ProtoICMP

copyICMPToProtoICMP(l4, &icmp)
md := trace.PacketMetadata{
Direction: getPacketDirection(&event),
}

// TODO: parse subsequent ICMP type layers

return []interface{}{
srcIP,
dstIP,
md,
icmp,
}, nil
}
4 changes: 4 additions & 0 deletions pkg/events/derive/net_packet_icmpv6.go
Expand Up @@ -60,12 +60,16 @@ func deriveNetPacketICMPv6Args() deriveArgsFunction {
var icmpv6 trace.ProtoICMPv6

copyICMPv6ToProtoICMPv6(l4, &icmpv6)
md := trace.PacketMetadata{
Direction: getPacketDirection(&event),
}

// TODO: parse subsequent ICMPv6 type layers

return []interface{}{
srcIP,
dstIP,
md,
icmpv6,
}, nil
}
4 changes: 4 additions & 0 deletions pkg/events/derive/net_packet_ipv4.go
Expand Up @@ -41,10 +41,14 @@ func deriveNetPacketIPv4Args() deriveArgsFunction {
case (*layers.IPv4):
var ipv4 trace.ProtoIPv4
copyIPv4ToProtoIPv4(l3, &ipv4)
md := trace.PacketMetadata{
Direction: getPacketDirection(&event),
}

return []interface{}{
l3.SrcIP.String(),
l3.DstIP.String(),
md,
ipv4,
}, nil
}
4 changes: 4 additions & 0 deletions pkg/events/derive/net_packet_ipv6.go
Expand Up @@ -42,10 +42,14 @@ func deriveNetPacketIPv6Args() deriveArgsFunction {
case (*layers.IPv6):
var ipv6 trace.ProtoIPv6
copyIPv6ToProtoIPv6(l3, &ipv6)
md := trace.PacketMetadata{
Direction: getPacketDirection(&event),
}

return []interface{}{
l3.SrcIP.String(),
l3.DstIP.String(),
md,
ipv6,
}, nil
}
9 changes: 4 additions & 5 deletions pkg/events/derive/net_packet_tcp.go
Expand Up @@ -25,11 +25,6 @@ func deriveNetPacketTCPArgs() deriveArgsFunction {
return nil, err
}

// event retval encodes ingress/egress
if event.ReturnValue&packetIngress == packetIngress {

}

// event retval encodes layer 3 protocol type

if event.ReturnValue&familyIpv4 == familyIpv4 {
Expand Down Expand Up @@ -70,12 +65,16 @@ func deriveNetPacketTCPArgs() deriveArgsFunction {
case (*layers.TCP):
var tcp trace.ProtoTCP
copyTCPToProtoTCP(l4, &tcp)
md := trace.PacketMetadata{
Direction: getPacketDirection(&event),
}

return []interface{}{
srcIP,
dstIP,
tcp.SrcPort,
tcp.DstPort,
md,
tcp,
}, nil
}
6 changes: 5 additions & 1 deletion pkg/events/derive/net_packet_udp.go
Expand Up @@ -24,7 +24,7 @@ func deriveNetPacketUDPArgs() deriveArgsFunction {
if err != nil {
return nil, err
}

// event retval encodes layer 3 protocol type

if event.ReturnValue&familyIpv4 == familyIpv4 {
Expand Down Expand Up @@ -65,12 +65,16 @@ func deriveNetPacketUDPArgs() deriveArgsFunction {
case (*layers.UDP):
var udp trace.ProtoUDP
copyUDPToProtoUDP(l4, &udp)
md := trace.PacketMetadata{
Direction: getPacketDirection(&event),
}

return []interface{}{
srcIP,
dstIP,
udp.SrcPort,
udp.DstPort,
md,
udp,
}, nil
}
