bpf: initial pcap exporter for lb #15376
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
borkmann
added
sig/datapath
borkmann
force-pushed
the
pr/lb-observ
branch
3 times, most recently
from
ba9e583
to
a4ad6d6
Compare
Add a per-cpu ktime cache we can use for the packet capturing exporter facility from the LB. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Add a new capture type for pcap exporter to perf RB that we're going to use for the lb-only mode out of XDP initially. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Add both to the XDP DSR load balancer for capture points upon packet arrival and departure after encap. Also guard it under ENABLE_CAPTURE so that there's no overhead when not compiled in, plus so that the agent can probe the boot ktime helper availability. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
And also add __ prefixed variants that abstract the ktime handling away from caller. Right now the capture is unconditional, next step we'll add a classifier where the value (rule_id) of the match is then passed through the capture helpers. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
borkmann
force-pushed
the
pr/lb-observ
branch
8 times, most recently
from
e6f0de6
to
4da7db7
Compare
Add a common interface such that we prep both v4/v6 maps for allowing to dump their entries from CLI. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
borkmann
force-pushed
the
pr/lb-observ
branch
2 times, most recently
from
2d696d5
to
ab0f473
Compare
|
test-me-please |
1 similar comment
|
test-me-please |
|
retest-1.21-4.9 |
Move the v4/v6 maps under ENABLE_CAPTURE so they are not attempted to be included given we also don't define their names/sizes from agent size. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Add `cilium bpf recorder list` command to dump both the v4 and v6 wildcarded maps tht contain the capture n-tuple filters. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Add the dump of the recorder map to the sysdump for introspection. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Add generated cmdref to the documentation. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
|
test-me-please |
gandro
approved these changes
Mar 30, 2021
|
retest-runtime (CI provision fail) |
|
retest-runtime |
Allow for easy debugging of recorder events and thus provide a monitoring
dissector.
Example:
# ./daemon/cilium-agent --enable-ipv4=true --enable-ipv6=true \
--datapath-mode=lb-only --bpf-lb-algorithm=maglev \
--bpf-lb-maglev-table-size=2039 --bpf-lb-mode=dsr \
--bpf-lb-acceleration=native --devices=enp10s0f0np0 \
--bpf-lb-dsr-dispatch=ipip --disable-envoy-version-check=true \
--enable-bpf-clock-probe=true --enable-recorder=true
# bpftool map update pinned /sys/fs/bpf/tc/globals/cilium_capture4_rules \
key hex 0 0 0 0 c0 a8 a0 04 0 0 0 0 0 0 20 0 value hex 0 1 0 0 0 0 0 0
# ./cilium/cilium bpf recorder list
192.168.160.4/32:0 -> 0.0.0.0/0:0 ANY ID:256 CapLen:0
# ./cilium/cilium service list
ID Frontend Service Type Backend
1 192.168.160.3:8080 ExternalIPs 1 => 192.168.160.4:8080
(from remote)# curl 192.168.160.3:8080
[...]
# ./cilium/cilium monitor
[...]
Recorder capture: dir:ingress rule:256 ts:99992076120464 caplen:74 len:74
Ethernet {Contents=[..14..] Payload=[..62..] SrcMAC=b8:ce:f6:05:e7:76 DstMAC=b8:ce:f6:05:e7:62 EthernetType=IPv4 Length=0}
IPv4 {Contents=[..20..] Payload=[..40..] Version=4 IHL=5 TOS=0 Length=60 Id=44495 Flags=DF FragOffset=0 TTL=64 Protocol=TCP Checksum=52115 SrcIP=192.168.160.4 DstIP=192.168.160.3 Options=[] Padding=[]}
TCP {Contents=[..40..] Payload=[] SrcPort=52128 DstPort=8080(http-alt) Seq=592744369 Ack=0 DataOffset=10 FIN=false SYN=true RST=false PSH=false ACK=false URG=false ECE=false CWR=false NS=false Window=42340 Checksum=59261 Urgent=0 Options=[..5..] Padding=[]}
----
Recorder capture: dir:egress rule:256 ts:99992076120464 caplen:94 len:94
Ethernet {Contents=[..14..] Payload=[..86..] SrcMAC=b8:ce:f6:05:e7:62 DstMAC=b8:ce:f6:05:e7:76 EthernetType=IPv4 Length=0}
IPv4 {Contents=[..20..] Payload=[..40..] Version=4 IHL=5 TOS=0 Length=60 Id=44495 Flags=DF FragOffset=0 TTL=64 Protocol=TCP Checksum=52115 SrcIP=192.168.160.4 DstIP=192.168.160.3 Options=[] Padding=[]}
IPv4 {Contents=[..20..] Payload=[..40..] Version=4 IHL=5 TOS=0 Length=60 Id=44495 Flags=DF FragOffset=0 TTL=64 Protocol=TCP Checksum=52115 SrcIP=192.168.160.4 DstIP=192.168.160.3 Options=[] Padding=[]}
TCP {Contents=[..40..] Payload=[] SrcPort=52128 DstPort=8080(http-alt) Seq=592744369 Ack=0 DataOffset=10 FIN=false SYN=true RST=false PSH=false ACK=false URG=false ECE=false CWR=false NS=false Window=42340 Checksum=59261 Urgent=0 Options=[..5..] Padding=[]}
----
[...]
Note that our monitor dissector code is currently broken in that it cannot
handle IPIP correctly (hence the same IP header twice above). It can only
cache/dump IP layer once right now, subject to a different fix at some point.
The future pcap writer code, needs to:
1) Translate the boot time ts into a time of day ts.
2) Dump into a different pcap file based on rule id.
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
|
test-me-please |
|
retest-runtime |
|
Hit #15469 in 4.19: unrelated. |
|
Hit #14959 in 4.9: unrelated. |
This was referenced Apr 28, 2021
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
See commit msgs.
Basis for agent + Hubble recorder framework: