fix: fix source IP address (#43)

## Which problem is this PR solving? - Closes #39 ## Short description of the changes - Use autogenerated `bpfSocketEvent` instead of creating a new `Event` struct - Remove `BytesSent` because it looks to be incorrect and therefore is going to be misleading. We can re-address this later. ## How to verify that this has the expected result see source pod names and updated ip addresses in honeycomb --------- Co-authored-by: Purvi Kanal <kanal.purvi@gmail.com> Co-authored-by: Mike Goldsmith <goldsmith.mike@gmail.com>
honeycombio · Jul 31, 2023 · 4c350a9 · 4c350a9
1 parent 736a2d4
commit 4c350a9
Show file tree

Hide file tree

Showing 5 changed files with 10 additions and 47 deletions.
diff --git a/DEVELOPING.md b/DEVELOPING.md
@@ -13,6 +13,13 @@ Recommended:
 - [remake](https://remake.readthedocs.io/) - A better make
   - View them with `remake --tasks`
 
+## Local Development
+
+When making changes to C files, run `make docker-generate` to update the generated go files.
+For example, run it after changing the `socket_event` struct in `tcp_probe.c`.
+
+When building with `make docker-build`, the generated files are included in the build but not updated locally.
+
 ## To pull a published image from ghcr
 
 Docker images are found in [`ghcr.io/honeycombio/ebpf-agent:latest`](https://github.com/honeycombio/honeycomb-ebpf-agent/pkgs/container/ebpf-agent).

diff --git a/bpf/probes/bpf_bpfel_arm64.go b/bpf/probes/bpf_bpfel_arm64.go
diff --git a/bpf/probes/bpf_bpfel_x86.go b/bpf/probes/bpf_bpfel_x86.go
diff --git a/bpf/probes/manager.go b/bpf/probes/manager.go
@@ -23,16 +23,6 @@ import (
 
 const mapKey uint32 = 0
 
-type Event struct {
-	StartTime uint64
-	EndTime   uint64
-	Daddr     uint32
-	Dport     uint16
-	Saddr     uint32
-	Sport     uint16
-	BytesSent uint64
-}
-
 func Setup() {
 	// Load pre-compiled programs and maps into the kernel.
 	objs := bpfObjects{}
@@ -48,13 +38,6 @@ func Setup() {
 	}
 	defer kprobeTcpConnect.Close()
 
-	// Deploy tcp_sendmsg kprobe
-	kprobeSendMsg, err := link.Kprobe("tcp_sendmsg", objs.KprobeSendmsg, nil)
-	if err != nil {
-		log.Fatalf("opening kprobe: %s", err)
-	}
-	defer kprobeSendMsg.Close()
-
 	// Deploy tcp_close kprobe
 	kprobeTcpClose, err := link.Kprobe("tcp_close", objs.KprobeTcpClose, nil)
 	if err != nil {
@@ -69,7 +52,8 @@ func Setup() {
 	}
 
 	log.Println("Agent is ready!")
-	var event Event
+	// bpfSocketEvent is generated by bpf2go from socket_event struct in tcp_probe.c
+	var event bpfSocketEvent
 	for {
 		record, err := reader.Read()
 		if err != nil {
@@ -120,7 +104,7 @@ func getPodByIPAddr(ipAddr string) v1.Pod {
 }
 
 // Send event to Honeycomb
-func sendEvent(event Event) {
+func sendEvent(event bpfSocketEvent) {
 
 	sourceIpAddr := intToIP(event.Saddr).String()
 	destIpAddr := intToIP(event.Daddr).String()
@@ -133,7 +117,6 @@ func sendEvent(event Event) {
 	ev.AddField("duration_ms", (event.EndTime-event.StartTime)/1_000_000) // convert ns to ms
 	ev.AddField("source", fmt.Sprintf("%s:%d", sourceIpAddr, event.Sport))
 	ev.AddField("dest", fmt.Sprintf("%s:%d", destIpAddr, event.Dport))
-	ev.AddField("num_bytes", event.BytesSent)
 	ev.AddField("k8s.pod.dest.name", destPod.Name)
 	ev.AddField("k8s.pod.source.name", sourcePod.Name)
 

diff --git a/bpf/probes/tcp_probe.c b/bpf/probes/tcp_probe.c
@@ -56,7 +56,6 @@ typedef struct socket_event
 	u16 dport;
 	u32 saddr;
 	u16 sport;
-	u64 bytes_sent;
 } socket_event;
 
 struct
@@ -92,24 +91,6 @@ int kprobe__tcp_connect(struct pt_regs *ctx)
 	return 0;
 }
 
-SEC("kprobe/tcp_sendmsg")
-int kprobe__sendmsg(struct pt_regs *ctx)
-{
-	u64 pid = bpf_get_current_pid_tgid();
-	void *event_ptr = bpf_map_lookup_elem(&context_to_http_events, &pid);
-	if (!event_ptr)
-	{
-		return 0;
-	}
-
-	struct socket_event event = {};
-	bpf_probe_read(&event, sizeof(socket_event), event_ptr);
-	event.bytes_sent += PT_REGS_RC(ctx);
-
-	bpf_map_update_elem(&context_to_http_events, &pid, &event, BPF_ANY);
-	return 0;
-}
-
 SEC("kprobe/tcp_close")
 int kprobe__tcp_close(struct pt_regs *ctx)
 {