feat: Improve handling of large L7 payloads and indicate truncation

[mayankpande88]

This commit addresses issues with parsing HTTP and other L7 payloads that could appear as "garbage data" due to truncation or incomplete capture.

Key changes:

eBPF (ebpftracer/ebpf/):

• Increased MAX_PAYLOAD_SIZE from 5KB to 16KB in ebpftracer/ebpf/tcp/state.c to allow capturing larger payloads. The new size (16384) is a power of 2.
• Modified struct l7_event in ebpftracer/ebpf/l7/l7.c:
  • Renamed padding field to flags (__u16).
  • Introduced L7_EVENT_FLAG_REQUEST_TRUNCATED and L7_EVENT_FLAG_RESPONSE_TRUNCATED flags.
• Added request_potentially_truncated field to struct l7_request in ebpftracer/ebpf/tcp/state.c.
• Updated eBPF logic in ebpftracer/ebpf/l7/l7.c to:
  • Set request_potentially_truncated in struct l7_request if the original request size meets/exceeds MAX_PAYLOAD_SIZE.
  • Set the appropriate truncation flags in l7_event.flags if the original request or response data (before being copied to the event) meets/exceeds MAX_PAYLOAD_SIZE.

Go (ebpftracer/):

• Updated l7Event struct in ebpftracer/tracer.go to change Padding to Flags.
• Added corresponding L7EventFlagRequestTruncated and L7EventFlagResponseTruncated constants.
• Added RequestTruncated and ResponseTruncated boolean fields to l7.RequestData in ebpftracer/l7/l7.go.
• Refactored L7 event processing in ebpftracer/tracer.go:
  • Extracted logic into a new processL7Record function.
  • processL7Record now checks the l7Event.Flags and:
    • Logs a klog.Warningf message if either request or response payload is marked as potentially truncated.
    • Populates the RequestTruncated and ResponseTruncated fields in l7.RequestData.
• Added TestProcessL7RecordTruncationFlags in ebpftracer/tracer_test.go to unit test the flag parsing, l7.RequestData population, and klog warnings for truncated events.

These changes allow the system to capture larger L7 payloads and provide clear indication to the user-space components when a captured payload might have been truncated, improving observability and aiding in diagnosing issues related to incomplete data.

[gemini-code-assist]

Hello @mayankpande88, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

Summary of Changes

Gemini here, providing a summary for this pull request. This PR focuses on improving the handling of large L7 (Layer 7) payloads captured by the eBPF tracer and providing clear indications when these payloads have been truncated. The goal is to reduce instances of 'garbage data' due to incomplete captures and give users visibility into potential data loss.

Highlights

• Increased Payload Capture Size: The maximum size for captured L7 payloads in the eBPF code has been increased from 5KB to 16KB (MAX_PAYLOAD_SIZE in ebpftracer/ebpf/tcp/state.c) to accommodate larger requests and responses.
• Truncation Flags in eBPF: New flags (L7_EVENT_FLAG_REQUEST_TRUNCATED, L7_EVENT_FLAG_RESPONSE_TRUNCATED) have been added to the struct l7_event in ebpftracer/ebpf/l7/l7.c. The eBPF code now sets these flags if the original size of the request or response data met or exceeded MAX_PAYLOAD_SIZE before being copied into the event buffer.
• Propagating Truncation Status to Go: The Go l7.RequestData struct in ebpftracer/l7/l7.go now includes RequestTruncated and ResponseTruncated boolean fields. The processL7Record function in ebpftracer/tracer.go (extracted from runEventsReader) reads the new flags from the eBPF event and populates these boolean fields, also logging a warning when truncation is detected.
• Improved HTTP Parsing Robustness: The ParseHTTPRequest function in ebpftracer/l7/http.go has been refactored to handle different line endings (CRLF and LF) and the separation of headers and body more reliably, which should help in parsing potentially truncated or malformed HTTP data.
• Unit Tests for Truncation Handling: A new unit test (TestProcessL7RecordTruncationFlags in ebpftracer/tracer_test.go) has been added to verify that the Go code correctly interprets the new eBPF truncation flags and populates the l7.RequestData fields accordingly, including checking for the expected warning logs.

Changelog

Click here to see the changelog

• ebpftracer/ebpf/l7/l7.c
  • Added L7_EVENT_FLAG_REQUEST_TRUNCATED and L7_EVENT_FLAG_RESPONSE_TRUNCATED defines (lines 30-31).
  • Renamed padding field to flags in struct l7_event (line 71).
  • Added request_potentially_truncated field to struct l7_request (line 221).
  • Set req->request_potentially_truncated based on total_size in trace_enter_write (line 225).
  • Set e->flags |= L7_EVENT_FLAG_REQUEST_TRUNCATED and update payload_size for direct event sends (Postgres, MySQL, HTTP2) in trace_enter_write (lines 244-249, 267-272, 315-320).
  • Set e->flags |= L7_EVENT_FLAG_RESPONSE_TRUNCATED and update response_size for responses in trace_exit_read (lines 441-446).
  • Adjusted DNS response handling in trace_exit_read to use e->payload for response data and set L7_EVENT_FLAG_RESPONSE_TRUNCATED based on total_size (lines 474-491).
  • Copied req->payload to e->payload and propagated req->request_potentially_truncated flag for events with matching requests in trace_exit_read (lines 526-532).
  • Updated protocol parsing functions (is_http_response, etc.) to use e->response and e->response_size (lines 542, 544, 549, 551, 553, 558, 564, 566, 572, 578))
• ebpftracer/ebpf/tcp/state.c
  • Increased MAX_PAYLOAD_SIZE from 5KB to 16KB (line 2).
  • Added request_potentially_truncated field to struct l7_request (line 98).
• ebpftracer/l7/http.go
  • Refactored ParseHTTPRequest to improve header/body separation logic, handling LF-only line endings and cases without a body more robustly (lines 47-91).
  • Adjusted header parsing loop to use the refactored header data (lines 111-114).
• ebpftracer/l7/l7.go
  • Added RequestTruncated and ResponseTruncated boolean fields to RequestData struct (lines 162-163).
• ebpftracer/tracer.go
  • Added L7EventFlagRequestTruncated and L7EventFlagResponseTruncated constants (lines 49-50).
  • Renamed Padding field to Flags in l7Event struct (line 359).
  • Extracted L7 event processing logic into a new processL7Record function (lines 471-532).
  • Updated runEventsReader to call processL7Record for perfMapTypeL7Events (lines 390-399).
  • processL7Record reads the Flags field, logs warnings for truncation, and populates RequestTruncated/ResponseTruncated in l7.RequestData (lines 501-522).
• ebpftracer/tracer_test.go
  • Removed TestProcessEvents, TestTcpEvents, and TestFileEvents (lines 1-354).
  • Added TestProcessL7RecordTruncationFlags to test L7 truncation flag handling in Go (lines 16-160).

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point in your pull request via creating an issue comment (i.e. comment on the pull request page) using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in issue comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist is currently in preview and may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments to provide feedback.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

---

Large data flows fast,
Truncation flags now show,
What the trace has missed.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request introduces significant improvements to how the tracer handles large L7 payloads by increasing the capture size and adding explicit truncation flags. The refactoring of the Go-based L7 event processing into a dedicated function is a good step for modularity. The enhanced HTTP parsing logic and the new table-driven HTTP test cases are also valuable additions. However, there are some areas related to correctness in the eBPF code and a notable reduction in test coverage that should be addressed before merging.

Summary of Findings

• DNS Response Truncation Logic (eBPF): The logic for handling DNS response truncation flags in trace_exit_read appears confusing due to the clearing and re-setting of flags and a placeholder flag. This could lead to incorrect reporting of truncation status for DNS events.
• Zookeeper Parsing Inconsistency (eBPF): The is_zk_response function is called with the original total_size while other protocol parsers use the copied e->response_size. While a comment suggests this is intentional, it introduces inconsistency and potential confusion. Clarification or confirmation of this design choice is needed.
• Incomplete HTTP Parsing Test Coverage (Go): The new HTTP parsing tests are good but lack coverage for truncated input data, which is a relevant scenario when dealing with fixed-size buffers from eBPF.
• Significant Reduction in Tracer Test Coverage (Go): Several existing tests for process, TCP, and file events, as well as the general tracer runner, were removed. This leaves significant portions of the eBPF tracer logic untested, particularly the eBPF code responsible for generating these events and setting L7 flags.

Merge Readiness

This pull request introduces valuable features and refactorings. However, the identified high-severity issues related to the significant reduction in test coverage and the potential correctness issue in the DNS handling logic should be addressed before merging. The medium-severity issues regarding Zookeeper parsing consistency and HTTP parsing test coverage are also important for code quality. I am unable to approve this pull request, and recommend that these issues are resolved and the code is reviewed and approved by others before merging.

[gemini-code-assist]

This section of code handling DNS responses seems a bit confusing. You clear the L7_EVENT_FLAG_RESPONSE_TRUNCATED flag, then set a placeholder L7_EVENT_FLAG_PAYLOAD_TRUNCATED_ALIAS, and then immediately re-set L7_EVENT_FLAG_RESPONSE_TRUNCATED.

Could you clarify the intent here? Since the DNS response is copied into e->payload, perhaps L7_EVENT_FLAG_RESPONSE_TRUNCATED should apply to the truncation of e->payload directly, and the placeholder flag isn't needed? The current logic feels a bit convoluted.

[gemini-code-assist]

This pull request removes several existing tests (TestProcessEvents, TestTcpEvents, TestFileEvents, runTracer). While the new TestProcessL7RecordTruncationFlags is good for testing the Go-side processing of L7 flags, it doesn't cover the eBPF logic responsible for setting these flags or the overall functionality of the tracer for other event types (process, TCP, file).

Removing these tests significantly reduces the test coverage for the eBPF tracer component. Could these tests be reinstated or replaced with equivalent tests that cover the core eBPF logic and different event types?

[gemini-code-assist]

For Zookeeper, the is_zk_response function is called with total_size (the original size) while most other protocol parsing functions are now called with e->response_size (the copied size). The comment mentions that total_size matters for ZK logic.

Could you confirm if is_zk_response truly requires the original total_size for its parsing logic, or if it can work with the potentially truncated e->response_size? If it needs total_size, the comment is helpful, but it's an inconsistency compared to other protocols.