kmesh-net · kmesh-bot · Nov 18, 2024 · Nov 5, 2024 · Nov 12, 2024 · Nov 12, 2024
diff --git a/bpf/include/bpf_log.h b/bpf/include/bpf_log.h
@@ -90,11 +90,11 @@ lower than 22.09, compile would report an error of bpf_snprintf dont exist */
 static inline int map_lookup_log_level()
 {
     int zero = 0;
-    int *value = NULL;
+    struct kmesh_config *value = {0};
     value = kmesh_map_lookup_elem(&kmesh_config_map, &zero);
     if (!value)
         return BPF_LOG_INFO;
-    return *value;
+    return value->bpf_log_level;
 }
 
 #define BPF_LOG(l, t, f, ...)                                                                                          \

diff --git a/bpf/include/common.h b/bpf/include/common.h
@@ -63,6 +63,12 @@ struct kmesh_context {
     bool via_waypoint;
 };
 
+struct kmesh_config {
+    __u32 bpf_log_level;
+    __u32 node_ip[4];
+    __u32 pod_gateway[4];
+};
+
 static inline void *kmesh_map_lookup_elem(void *map, const void *key)
 {
     return bpf_map_lookup_elem(map, key);
@@ -134,8 +140,8 @@ struct {
 struct {
     __uint(type, BPF_MAP_TYPE_ARRAY);
     __uint(max_entries, 1);
-    __uint(key_size, sizeof(__u32));
-    __uint(value_size, sizeof(__u32));
+    __type(key, int);
+    __type(value, struct kmesh_config);
 } kmesh_config_map SEC(".maps");
 
 #if KERNEL_VERSION_HIGHER_5_13_0

diff --git a/bpf/kmesh/bpf2go/dualengine/kmeshcgroupsockworkload_bpfeb.go b/bpf/kmesh/bpf2go/dualengine/kmeshcgroupsockworkload_bpfeb.go
diff --git a/bpf/kmesh/bpf2go/dualengine/kmeshcgroupsockworkload_bpfel.go b/bpf/kmesh/bpf2go/dualengine/kmeshcgroupsockworkload_bpfel.go
diff --git a/bpf/kmesh/bpf2go/dualengine/kmeshcgroupsockworkloadcompat_bpfeb.go b/bpf/kmesh/bpf2go/dualengine/kmeshcgroupsockworkloadcompat_bpfeb.go
diff --git a/bpf/kmesh/bpf2go/dualengine/kmeshcgroupsockworkloadcompat_bpfel.go b/bpf/kmesh/bpf2go/dualengine/kmeshcgroupsockworkloadcompat_bpfel.go
diff --git a/bpf/kmesh/bpf2go/dualengine/kmeshsendmsg_bpfeb.go b/bpf/kmesh/bpf2go/dualengine/kmeshsendmsg_bpfeb.go
diff --git a/bpf/kmesh/bpf2go/dualengine/kmeshsendmsg_bpfel.go b/bpf/kmesh/bpf2go/dualengine/kmeshsendmsg_bpfel.go
diff --git a/bpf/kmesh/bpf2go/dualengine/kmeshsendmsgcompat_bpfeb.go b/bpf/kmesh/bpf2go/dualengine/kmeshsendmsgcompat_bpfeb.go
diff --git a/bpf/kmesh/bpf2go/dualengine/kmeshsendmsgcompat_bpfel.go b/bpf/kmesh/bpf2go/dualengine/kmeshsendmsgcompat_bpfel.go
diff --git a/bpf/kmesh/bpf2go/dualengine/kmeshsockopsworkload_bpfeb.go b/bpf/kmesh/bpf2go/dualengine/kmeshsockopsworkload_bpfeb.go
diff --git a/bpf/kmesh/bpf2go/dualengine/kmeshsockopsworkload_bpfel.go b/bpf/kmesh/bpf2go/dualengine/kmeshsockopsworkload_bpfel.go
diff --git a/bpf/kmesh/bpf2go/dualengine/kmeshsockopsworkloadcompat_bpfeb.go b/bpf/kmesh/bpf2go/dualengine/kmeshsockopsworkloadcompat_bpfeb.go
diff --git a/bpf/kmesh/bpf2go/dualengine/kmeshsockopsworkloadcompat_bpfel.go b/bpf/kmesh/bpf2go/dualengine/kmeshsockopsworkloadcompat_bpfel.go
diff --git a/bpf/kmesh/bpf2go/dualengine/kmeshxdpauth_bpfeb.go b/bpf/kmesh/bpf2go/dualengine/kmeshxdpauth_bpfeb.go
diff --git a/bpf/kmesh/bpf2go/dualengine/kmeshxdpauth_bpfel.go b/bpf/kmesh/bpf2go/dualengine/kmeshxdpauth_bpfel.go
diff --git a/bpf/kmesh/bpf2go/dualengine/kmeshxdpauthcompat_bpfeb.go b/bpf/kmesh/bpf2go/dualengine/kmeshxdpauthcompat_bpfeb.go
diff --git a/bpf/kmesh/bpf2go/dualengine/kmeshxdpauthcompat_bpfel.go b/bpf/kmesh/bpf2go/dualengine/kmeshxdpauthcompat_bpfel.go
diff --git a/bpf/kmesh/bpf2go/kernelnative/normal/kmeshcgroupsock_bpfeb.go b/bpf/kmesh/bpf2go/kernelnative/normal/kmeshcgroupsock_bpfeb.go
diff --git a/bpf/kmesh/bpf2go/kernelnative/normal/kmeshcgroupsock_bpfel.go b/bpf/kmesh/bpf2go/kernelnative/normal/kmeshcgroupsock_bpfel.go
diff --git a/bpf/kmesh/bpf2go/kernelnative/normal/kmeshcgroupsockcompat_bpfeb.go b/bpf/kmesh/bpf2go/kernelnative/normal/kmeshcgroupsockcompat_bpfeb.go
diff --git a/bpf/kmesh/bpf2go/kernelnative/normal/kmeshcgroupsockcompat_bpfel.go b/bpf/kmesh/bpf2go/kernelnative/normal/kmeshcgroupsockcompat_bpfel.go
diff --git a/bpf/kmesh/workload/sockops.c b/bpf/kmesh/workload/sockops.c
@@ -46,6 +46,39 @@ static inline bool is_managed_by_kmesh(struct bpf_sock_ops *skops)
     return (*value == 0);
 }
 
+static inline bool skip_specific_probe(struct bpf_sock_ops *skops)
+{
+    struct kmesh_config *data = {0};
+    int key_of_kmesh_config = 0;
+    data = kmesh_map_lookup_elem(&kmesh_config_map, &key_of_kmesh_config);
+    if (!data) {
+        BPF_LOG(ERR, SOCKOPS, "get kmesh config failed");
+        return false;
+    }
+
+    if (skops->family == AF_INET) {
+        if (data->node_ip[3] == skops->remote_ip4) {
+            return true;
+        }
+        if (data->pod_gateway[3] == skops->remote_ip4) {
+            return true;
+        }
+    }
+
+    if (skops->family == AF_INET6) {
+        if (data->node_ip[0] == skops->remote_ip6[0] && data->node_ip[1] == skops->remote_ip6[1]
+            && data->node_ip[2] == skops->remote_ip6[2] && data->node_ip[3] == skops->remote_ip6[3]) {
+            return true;
+        }
+        if (data->pod_gateway[0] == skops->remote_ip6[0] && data->pod_gateway[1] == skops->remote_ip6[1]
+            && data->pod_gateway[2] == skops->remote_ip6[2] && data->pod_gateway[3] == skops->remote_ip6[3]) {
+            return true;
+        }
+    }
+
+    return false;
+}
+
 static inline void extract_skops_to_tuple(struct bpf_sock_ops *skops, struct bpf_sock_tuple *tuple_key)
 {
     if (skops->family == AF_INET) {
@@ -233,7 +266,7 @@ int sockops_prog(struct bpf_sock_ops *skops)
             enable_encoding_metadata(skops);
         break;
     case BPF_SOCK_OPS_PASSIVE_ESTABLISHED_CB:
-        if (!is_managed_by_kmesh(skops))
+        if (!is_managed_by_kmesh(skops) || skip_specific_probe(skops))
             break;
         observe_on_connect_established(skops->sk, INBOUND);
         if (bpf_sock_ops_cb_flags_set(skops, BPF_SOCK_OPS_STATE_CB_FLAG) != 0)

diff --git a/deploy/yaml/clusterrole.yaml b/deploy/yaml/clusterrole.yaml
@@ -6,7 +6,7 @@ metadata:
     app: kmesh
 rules:
 - apiGroups: [""]
-  resources: ["pods","services","namespaces"]
+  resources: ["pods","services","namespaces","nodes"]
   verbs: ["get", "update", "patch", "list", "watch"]
 - apiGroups: ["apps"]
   resources: ["daemonsets"]