|
|
@@ -32,11 +32,11 @@ struct {
|
|
|
__uint(value_size, sizeof(int));
|
|
|
} tcp_connect_events SEC(".maps");
|
|
|
|
|
|
-// struct {
|
|
|
-// __uint(type, BPF_MAP_TYPE_PERF_EVENT_ARRAY);
|
|
|
-// __uint(key_size, sizeof(int));
|
|
|
-// __uint(value_size, sizeof(int));
|
|
|
-// } tcp_accept_events SEC(".maps");
|
|
|
+struct {
|
|
|
+ __uint(type, BPF_MAP_TYPE_PERF_EVENT_ARRAY);
|
|
|
+ __uint(key_size, sizeof(int));
|
|
|
+ __uint(value_size, sizeof(int));
|
|
|
+} tcp_accept_events SEC(".maps");
|
|
|
|
|
|
struct trace_event_raw_inet_sock_set_state__stub {
|
|
|
__u64 unused;
|
|
|
@@ -92,12 +92,12 @@ struct {
|
|
|
__uint(max_entries, MAX_CONNECTIONS);
|
|
|
} active_connections SEC(".maps");
|
|
|
|
|
|
-// struct {
|
|
|
-// __uint(type, BPF_MAP_TYPE_LRU_HASH);
|
|
|
-// __uint(key_size, sizeof(struct connection_id));
|
|
|
-// __uint(value_size, sizeof(struct connection));
|
|
|
-// __uint(max_entries, MAX_CONNECTIONS);
|
|
|
-// } active_accepts SEC(".maps");
|
|
|
+struct {
|
|
|
+ __uint(type, BPF_MAP_TYPE_LRU_HASH);
|
|
|
+ __uint(key_size, sizeof(struct connection_id));
|
|
|
+ __uint(value_size, sizeof(struct connection));
|
|
|
+ __uint(max_entries, MAX_CONNECTIONS);
|
|
|
+} active_accepts SEC(".maps");
|
|
|
|
|
|
|
|
|
SEC("tracepoint/sock/inet_sock_set_state")
|
|
|
@@ -274,21 +274,21 @@ int sys_enter_close(void *ctx) {
|
|
|
bpf_perf_event_output(ctx, &tcp_connect_events, BPF_F_CURRENT_CPU, &e, sizeof(e));
|
|
|
bpf_map_delete_elem(&active_connections, &cid);
|
|
|
}
|
|
|
- // cw_bpf_debug("socket accept socket sys_enter_close accept_Connection before cid.pid=%d, cid.fd=%d\n", cid.pid, cid.fd);
|
|
|
- // struct connection *acceptConn = bpf_map_lookup_elem(&active_accepts, &cid);
|
|
|
- // if (acceptConn) {
|
|
|
- // struct tcp_event e = {};
|
|
|
- // e.type = EVENT_TYPE_ACCEPT_CLOSE;
|
|
|
- // e.pid = cid.pid;
|
|
|
- // e.fd = cid.fd;
|
|
|
- // e.bytes_sent = acceptConn->bytes_sent;
|
|
|
- // e.bytes_received = acceptConn->bytes_received;
|
|
|
- // e.timestamp = acceptConn->timestamp;
|
|
|
- // bpf_perf_event_output(ctx, &tcp_accept_events, BPF_F_CURRENT_CPU, &e, sizeof(e));
|
|
|
- // bpf_map_delete_elem(&active_accepts, &cid);
|
|
|
- // cw_bpf_debug("socket accept socket sys_enter_close accept_Connection cid.pid=%d, cid.fd=%d\n", cid.pid, cid.fd);
|
|
|
- // cw_bpf_debug("socket accept socket sys_enter_close accept_Connection cid.bytes_sent=%d, cid.bytes_received=%d\n", e.bytes_sent, e.bytes_received);
|
|
|
- // }
|
|
|
+ cw_bpf_debug("socket accept socket sys_enter_close accept_Connection before cid.pid=%d, cid.fd=%d\n", cid.pid, cid.fd);
|
|
|
+ struct connection *acceptConn = bpf_map_lookup_elem(&active_accepts, &cid);
|
|
|
+ if (acceptConn) {
|
|
|
+ struct tcp_event e = {};
|
|
|
+ e.type = EVENT_TYPE_ACCEPT_CLOSE;
|
|
|
+ e.pid = cid.pid;
|
|
|
+ e.fd = cid.fd;
|
|
|
+ e.bytes_sent = acceptConn->bytes_sent;
|
|
|
+ e.bytes_received = acceptConn->bytes_received;
|
|
|
+ e.timestamp = acceptConn->timestamp;
|
|
|
+ bpf_perf_event_output(ctx, &tcp_accept_events, BPF_F_CURRENT_CPU, &e, sizeof(e));
|
|
|
+ bpf_map_delete_elem(&active_accepts, &cid);
|
|
|
+ cw_bpf_debug("socket accept socket sys_enter_close accept_Connection cid.pid=%d, cid.fd=%d\n", cid.pid, cid.fd);
|
|
|
+ cw_bpf_debug("socket accept socket sys_enter_close accept_Connection cid.bytes_sent=%d, cid.bytes_received=%d\n", e.bytes_sent, e.bytes_received);
|
|
|
+ }
|
|
|
|
|
|
//TODO 2,增加active_accept 对应的判断,类比234行操作,新增EVENT_TYPE_accept_conn_CLOSE类型
|
|
|
|
|
|
@@ -296,174 +296,174 @@ int sys_enter_close(void *ctx) {
|
|
|
return 0;
|
|
|
}
|
|
|
|
|
|
-// void u32_to_ip(__u32 ip, unsigned char* bytes) {
|
|
|
-// // 将32位整数拆分为四个8位整数
|
|
|
-// // unsigned char bytes[4];
|
|
|
-// bytes[15] = (ip >> 24) & 0xFF;
|
|
|
-// bytes[14] = (ip >> 16) & 0xFF;
|
|
|
-// bytes[13] = (ip >> 8) & 0xFF;
|
|
|
-// bytes[12] = ip & 0xFF;
|
|
|
-// bytes[11] = 0xFF;
|
|
|
-// bytes[10] = 0xFF;
|
|
|
+void u32_to_ip(__u32 ip, unsigned char* bytes) {
|
|
|
+ // 将32位整数拆分为四个8位整数
|
|
|
+ // unsigned char bytes[4];
|
|
|
+ bytes[15] = (ip >> 24) & 0xFF;
|
|
|
+ bytes[14] = (ip >> 16) & 0xFF;
|
|
|
+ bytes[13] = (ip >> 8) & 0xFF;
|
|
|
+ bytes[12] = ip & 0xFF;
|
|
|
+ bytes[11] = 0xFF;
|
|
|
+ bytes[10] = 0xFF;
|
|
|
|
|
|
-// // 使用sprintf将这些整数格式化为字符串
|
|
|
-// cw_bpf_debug("[Go] [socket/IP: %u.%u", bytes[15], bytes[14]);
|
|
|
-// cw_bpf_debug("[Go] [socket/IP: %u.%u", bytes[13], bytes[12]);
|
|
|
-// }
|
|
|
+ // 使用sprintf将这些整数格式化为字符串
|
|
|
+ cw_bpf_debug("[Go] [socket/IP: %u.%u", bytes[15], bytes[14]);
|
|
|
+ cw_bpf_debug("[Go] [socket/IP: %u.%u", bytes[13], bytes[12]);
|
|
|
+}
|
|
|
|
|
|
|
|
|
// 用于存储文件描述符和套接字指针的 map
|
|
|
-// struct {
|
|
|
-// __uint(type, BPF_MAP_TYPE_HASH);
|
|
|
-// __type(key, __u64); // 使用进程 ID 作为键
|
|
|
-// __type(value, struct sock *);
|
|
|
-// __uint(max_entries, 1024);
|
|
|
-// } socket_map SEC(".maps");
|
|
|
-
|
|
|
-
|
|
|
-// struct ipv4_tuple_t {
|
|
|
-// __u32 saddr;
|
|
|
-// __u32 daddr;
|
|
|
-// __u16 sport;
|
|
|
-// __u16 dport;
|
|
|
-// __u8 protocol;
|
|
|
-// };
|
|
|
-
|
|
|
-// SEC("kretprobe/inet_csk_accept")
|
|
|
-// int kprobeinet_csk_accept(struct pt_regs *ctx) {
|
|
|
-// cw_bpf_debug("socket inet_csk_accept Connection exit pid_tgid: pid_tgid=\n");
|
|
|
-// __u64 pid_tgid = bpf_get_current_pid_tgid();
|
|
|
-// cw_bpf_debug("socket inet_csk_accept Connection exit pid_tgid: pid_tgid=%d\n", pid_tgid);
|
|
|
-// struct sock *sk = (struct sock *)PT_REGS_RC(ctx);
|
|
|
-// // __u16 family = 0;
|
|
|
-// // bpf_probe_read(&family, sizeof(family), &sk->__sk_common.skc_family);
|
|
|
-// // cw_bpf_debug("socket inet_csk_accept Connection family: family=%d\n", family);
|
|
|
-// // if (family == AF_INET)
|
|
|
-// // {
|
|
|
-// // cw_bpf_debug("socket inet_csk_accept Connection family: IPv4=%d\n", family);
|
|
|
-// // }
|
|
|
-// // struct ipv4_tuple_t tuple = {};
|
|
|
-// // // 从 __sk_common 获取信息
|
|
|
-// // bpf_probe_read(&tuple.saddr, sizeof(tuple.saddr), &sk->__sk_common.skc_rcv_saddr);
|
|
|
-// // bpf_probe_read(&tuple.daddr, sizeof(tuple.daddr), &sk->__sk_common.skc_daddr);
|
|
|
-// // bpf_probe_read(&tuple.sport, sizeof(tuple.sport), &sk->__sk_common.skc_num);
|
|
|
-// // bpf_probe_read(&tuple.dport, sizeof(tuple.dport), &sk->__sk_common.skc_dport);
|
|
|
-
|
|
|
-// // tuple.sport = bpf_ntohs(tuple.sport);
|
|
|
-// // tuple.dport = bpf_ntohs(tuple.dport);
|
|
|
-
|
|
|
-// // __u64 hash;
|
|
|
-// // bpf_probe_read(&hash, sizeof(hash), &sk->__sk_common.skc_hash);
|
|
|
-
|
|
|
-// // cw_bpf_debug("socket inet_csk_accept Connection accepted: sk=%x, hash: %lld\n", sk, hash);
|
|
|
-// // cw_bpf_debug("socket inet_csk_accept Connection accepted: dport=%d, lport=%d\n", tuple.dport, tuple.sport);
|
|
|
-// // cw_bpf_debug("socket inet_csk_accept Connection accepted: saddr=%lld, daddr=%lld\n", tuple.saddr, tuple.daddr);
|
|
|
-// // u32_to_ip(tuple.saddr);
|
|
|
-// // u32_to_ip(tuple.daddr);
|
|
|
-// // 将进程 ID 关联到 `struct sock` 指针
|
|
|
-// bpf_map_update_elem(&socket_map, &pid_tgid, &sk, BPF_ANY);
|
|
|
-
|
|
|
-// return 0;
|
|
|
-// }
|
|
|
-
|
|
|
-// struct sys_exit_accept4_ctx {
|
|
|
-// __u64 __unused_syscall_header;
|
|
|
-// __u32 __unused_syscall_nr;
|
|
|
-// long ret;
|
|
|
-// };
|
|
|
-// struct sys_enter_accept4_ctx {
|
|
|
-// __u64 __unused_syscall_header;
|
|
|
-// __u32 __unused_syscall_nr;
|
|
|
-
|
|
|
-// long fd;
|
|
|
-// __u64 *sockaddr;
|
|
|
-// int addrlen;
|
|
|
-// };
|
|
|
+struct {
|
|
|
+ __uint(type, BPF_MAP_TYPE_HASH);
|
|
|
+ __type(key, __u64); // 使用进程 ID 作为键
|
|
|
+ __type(value, struct sock *);
|
|
|
+ __uint(max_entries, 1024);
|
|
|
+} socket_map SEC(".maps");
|
|
|
+
|
|
|
+
|
|
|
+struct ipv4_tuple_t {
|
|
|
+ __u32 saddr;
|
|
|
+ __u32 daddr;
|
|
|
+ __u16 sport;
|
|
|
+ __u16 dport;
|
|
|
+ __u8 protocol;
|
|
|
+};
|
|
|
+
|
|
|
+SEC("kretprobe/inet_csk_accept")
|
|
|
+int kprobeinet_csk_accept(struct pt_regs *ctx) {
|
|
|
+ cw_bpf_debug("socket inet_csk_accept Connection exit pid_tgid: pid_tgid=\n");
|
|
|
+ __u64 pid_tgid = bpf_get_current_pid_tgid();
|
|
|
+ cw_bpf_debug("socket inet_csk_accept Connection exit pid_tgid: pid_tgid=%d\n", pid_tgid);
|
|
|
+ struct sock *sk = (struct sock *)PT_REGS_RC(ctx);
|
|
|
+ // __u16 family = 0;
|
|
|
+ // bpf_probe_read(&family, sizeof(family), &sk->__sk_common.skc_family);
|
|
|
+ // cw_bpf_debug("socket inet_csk_accept Connection family: family=%d\n", family);
|
|
|
+ // if (family == AF_INET)
|
|
|
+ // {
|
|
|
+ // cw_bpf_debug("socket inet_csk_accept Connection family: IPv4=%d\n", family);
|
|
|
+ // }
|
|
|
+ // struct ipv4_tuple_t tuple = {};
|
|
|
+ // // 从 __sk_common 获取信息
|
|
|
+ // bpf_probe_read(&tuple.saddr, sizeof(tuple.saddr), &sk->__sk_common.skc_rcv_saddr);
|
|
|
+ // bpf_probe_read(&tuple.daddr, sizeof(tuple.daddr), &sk->__sk_common.skc_daddr);
|
|
|
+ // bpf_probe_read(&tuple.sport, sizeof(tuple.sport), &sk->__sk_common.skc_num);
|
|
|
+ // bpf_probe_read(&tuple.dport, sizeof(tuple.dport), &sk->__sk_common.skc_dport);
|
|
|
+
|
|
|
+ // tuple.sport = bpf_ntohs(tuple.sport);
|
|
|
+ // tuple.dport = bpf_ntohs(tuple.dport);
|
|
|
+
|
|
|
+ // __u64 hash;
|
|
|
+ // bpf_probe_read(&hash, sizeof(hash), &sk->__sk_common.skc_hash);
|
|
|
+
|
|
|
+ // cw_bpf_debug("socket inet_csk_accept Connection accepted: sk=%x, hash: %lld\n", sk, hash);
|
|
|
+ // cw_bpf_debug("socket inet_csk_accept Connection accepted: dport=%d, lport=%d\n", tuple.dport, tuple.sport);
|
|
|
+ // cw_bpf_debug("socket inet_csk_accept Connection accepted: saddr=%lld, daddr=%lld\n", tuple.saddr, tuple.daddr);
|
|
|
+ // u32_to_ip(tuple.saddr);
|
|
|
+ // u32_to_ip(tuple.daddr);
|
|
|
+ // 将进程 ID 关联到 `struct sock` 指针
|
|
|
+ bpf_map_update_elem(&socket_map, &pid_tgid, &sk, BPF_ANY);
|
|
|
+
|
|
|
+ return 0;
|
|
|
+}
|
|
|
+
|
|
|
+struct sys_exit_accept4_ctx {
|
|
|
+ __u64 __unused_syscall_header;
|
|
|
+ __u32 __unused_syscall_nr;
|
|
|
+ long ret;
|
|
|
+};
|
|
|
+struct sys_enter_accept4_ctx {
|
|
|
+ __u64 __unused_syscall_header;
|
|
|
+ __u32 __unused_syscall_nr;
|
|
|
+
|
|
|
+ long fd;
|
|
|
+ __u64 *sockaddr;
|
|
|
+ int addrlen;
|
|
|
+};
|
|
|
// 在系统调用accept返回时挂钩获取文件描述符
|
|
|
-// SEC("tracepoint/syscalls/sys_enter_accept4")
|
|
|
-// int tracepoint__sys_enter_accept4(struct sys_enter_accept4_ctx *ctx) {
|
|
|
-// __u64 pid_tgid = bpf_get_current_pid_tgid();
|
|
|
-// cw_bpf_debug("[Go] [socket/tracepoint__sys_entry_accept4]getget: rdi_ptr::pid: %d,-- %d\n", pid_tgid, ctx->fd);
|
|
|
-// return 0;
|
|
|
-// }
|
|
|
+SEC("tracepoint/syscalls/sys_enter_accept4")
|
|
|
+int tracepoint__sys_enter_accept4(struct sys_enter_accept4_ctx *ctx) {
|
|
|
+ __u64 pid_tgid = bpf_get_current_pid_tgid();
|
|
|
+ cw_bpf_debug("[Go] [socket/tracepoint__sys_entry_accept4]getget: rdi_ptr::pid: %d,-- %d\n", pid_tgid, ctx->fd);
|
|
|
+ return 0;
|
|
|
+}
|
|
|
|
|
|
// 在系统调用accept返回时挂钩获取文件描述符
|
|
|
-// SEC("tracepoint/syscalls/sys_exit_accept4")
|
|
|
-// int tracepoint__sys_exit_accept4(struct sys_exit_accept4_ctx *ctx) {
|
|
|
-// long fd = ctx->ret;
|
|
|
-// __u64 pid_tgid = bpf_get_current_pid_tgid();
|
|
|
-// cw_bpf_debug("[Go] [socket/tracepoint__sys_exit_accept4]getget: rdi_ptr::pid: %d,-- %d\n", pid_tgid, fd);
|
|
|
-// // bpf_map_update_elem(&fd_by_pid_tgid, &pid_tgid, &fd, BPF_ANY);
|
|
|
-// struct sock **skp;
|
|
|
-// // 从 map 中获取 `struct sock` 指针
|
|
|
-// skp = bpf_map_lookup_elem(&socket_map, &pid_tgid);
|
|
|
-// if (skp && fd > 0) {
|
|
|
-// struct sock *sk = *skp;
|
|
|
-// __u16 family = 0;
|
|
|
-// bpf_probe_read(&family, sizeof(family), &sk->__sk_common.skc_family);
|
|
|
-// cw_bpf_debug("socket sys_exit_accept4 family: family=%d\n", family);
|
|
|
-// if (family == AF_INET)
|
|
|
-// {
|
|
|
-// cw_bpf_debug("socket sys_exit_accept4 family: IPv4=%d\n", family);
|
|
|
-// }
|
|
|
-// struct ipv4_tuple_t tuple = {};
|
|
|
-// // 从 __sk_common 获取信息
|
|
|
-// bpf_probe_read(&tuple.saddr, sizeof(tuple.saddr), &sk->__sk_common.skc_rcv_saddr);
|
|
|
-// bpf_probe_read(&tuple.daddr, sizeof(tuple.daddr), &sk->__sk_common.skc_daddr);
|
|
|
-// bpf_probe_read(&tuple.sport, sizeof(tuple.sport), &sk->__sk_common.skc_num);
|
|
|
-// bpf_probe_read(&tuple.dport, sizeof(tuple.dport), &sk->__sk_common.skc_dport);
|
|
|
-
|
|
|
-// tuple.sport = bpf_ntohs(tuple.sport);
|
|
|
-// tuple.dport = bpf_ntohs(tuple.dport);
|
|
|
-
|
|
|
-// __u64 hash;
|
|
|
-// bpf_probe_read(&hash, sizeof(hash), &sk->__sk_common.skc_hash);
|
|
|
-
|
|
|
-// cw_bpf_debug("socket sys_exit_accept4 sk=%x, hash: %lld\n", sk, hash);
|
|
|
-// cw_bpf_debug("socket sys_exit_accept4 dport=%d, lport=%d\n", tuple.dport, tuple.sport);
|
|
|
-// cw_bpf_debug("socket sys_exit_accept4 saddr=%lld, daddr=%lld\n", tuple.saddr, tuple.daddr);
|
|
|
-// unsigned char saddr[16] = {};
|
|
|
-// unsigned char daddr[16] = {};
|
|
|
-// u32_to_ip(tuple.saddr, saddr);
|
|
|
-// u32_to_ip(tuple.daddr, daddr);
|
|
|
-
|
|
|
-// void *map = &tcp_accept_events;
|
|
|
-
|
|
|
-// struct tcp_event e = {};
|
|
|
-
|
|
|
-// e.type = EVENT_TYPE_ACCEPT_OPEN;
|
|
|
-// e.duration = 0;
|
|
|
-// e.timestamp = 0;
|
|
|
-// e.pid = pid_tgid >> 32;
|
|
|
-// e.sport = tuple.sport;
|
|
|
-// e.dport = tuple.dport;
|
|
|
-// e.fd = fd;
|
|
|
-// __builtin_memcpy(&e.saddr, &saddr, sizeof(e.saddr));
|
|
|
-// __builtin_memcpy(&e.daddr, &daddr, sizeof(e.daddr));
|
|
|
-// cw_bpf_debug("socket sys_exit_accept4 addraddraddr saddr=%llu, saddr=%llu\n", e.saddr[10], e.saddr[11]);
|
|
|
-// cw_bpf_debug("socket sys_exit_accept4 addraddraddr saddr=%llu, saddr=%llu\n", e.saddr[12], e.saddr[13]);
|
|
|
-// cw_bpf_debug("socket sys_exit_accept4 addraddraddr saddr=%llu, saddr=%llu\n", e.saddr[14], e.saddr[15]);
|
|
|
-
|
|
|
-// cw_bpf_debug("socket sys_exit_accept4 addraddraddr daddr=%llu, daddr=%llu\n", e.daddr[10], e.daddr[11]);
|
|
|
-// cw_bpf_debug("socket sys_exit_accept4 addraddraddr daddr=%llu, daddr=%llu\n", e.daddr[12], e.daddr[13]);
|
|
|
-// cw_bpf_debug("socket sys_exit_accept4 addraddraddr daddr=%llu, daddr=%llu\n", e.daddr[14], e.daddr[15]);
|
|
|
-
|
|
|
-// bpf_perf_event_output(ctx, map, BPF_F_CURRENT_CPU, &e, sizeof(e));
|
|
|
-// struct connection_id cid = {};
|
|
|
-// cid.pid = pid_tgid >> 32;
|
|
|
-// cid.fd = fd;
|
|
|
-
|
|
|
-// struct connection conn = {};
|
|
|
-// conn.timestamp = bpf_ktime_get_ns();
|
|
|
-// cw_bpf_debug("socket accept update active_accepts before cid.pid=%d, cid.fd=%lld\n", cid.pid, cid.fd);
|
|
|
-// bpf_map_update_elem(&active_accepts, &cid, &conn, BPF_ANY);
|
|
|
-// cw_bpf_debug("socket accept update active_accepts after cid.pid=%d, cid.fd=%lld\n", cid.pid, cid.fd);
|
|
|
-
|
|
|
-// // TODO 1: tcp_accept_events 把数据发到go层。update active_accept 定义一个 e.type
|
|
|
-// }
|
|
|
-
|
|
|
-// // 从地图中移除项目,避免泄漏
|
|
|
-// bpf_map_delete_elem(&socket_map, &pid_tgid);
|
|
|
-
|
|
|
-// return 0;
|
|
|
-// }
|
|
|
+SEC("tracepoint/syscalls/sys_exit_accept4")
|
|
|
+int tracepoint__sys_exit_accept4(struct sys_exit_accept4_ctx *ctx) {
|
|
|
+ long fd = ctx->ret;
|
|
|
+ __u64 pid_tgid = bpf_get_current_pid_tgid();
|
|
|
+ cw_bpf_debug("[Go] [socket/tracepoint__sys_exit_accept4]getget: rdi_ptr::pid: %d,-- %d\n", pid_tgid, fd);
|
|
|
+ // bpf_map_update_elem(&fd_by_pid_tgid, &pid_tgid, &fd, BPF_ANY);
|
|
|
+ struct sock **skp;
|
|
|
+ // 从 map 中获取 `struct sock` 指针
|
|
|
+ skp = bpf_map_lookup_elem(&socket_map, &pid_tgid);
|
|
|
+ if (skp && fd > 0) {
|
|
|
+ struct sock *sk = *skp;
|
|
|
+ __u16 family = 0;
|
|
|
+ bpf_probe_read(&family, sizeof(family), &sk->__sk_common.skc_family);
|
|
|
+ cw_bpf_debug("socket sys_exit_accept4 family: family=%d\n", family);
|
|
|
+ if (family == AF_INET)
|
|
|
+ {
|
|
|
+ cw_bpf_debug("socket sys_exit_accept4 family: IPv4=%d\n", family);
|
|
|
+ }
|
|
|
+ struct ipv4_tuple_t tuple = {};
|
|
|
+ // 从 __sk_common 获取信息
|
|
|
+ bpf_probe_read(&tuple.saddr, sizeof(tuple.saddr), &sk->__sk_common.skc_rcv_saddr);
|
|
|
+ bpf_probe_read(&tuple.daddr, sizeof(tuple.daddr), &sk->__sk_common.skc_daddr);
|
|
|
+ bpf_probe_read(&tuple.sport, sizeof(tuple.sport), &sk->__sk_common.skc_num);
|
|
|
+ bpf_probe_read(&tuple.dport, sizeof(tuple.dport), &sk->__sk_common.skc_dport);
|
|
|
+
|
|
|
+ tuple.sport = bpf_ntohs(tuple.sport);
|
|
|
+ tuple.dport = bpf_ntohs(tuple.dport);
|
|
|
+
|
|
|
+ __u64 hash;
|
|
|
+ bpf_probe_read(&hash, sizeof(hash), &sk->__sk_common.skc_hash);
|
|
|
+
|
|
|
+ cw_bpf_debug("socket sys_exit_accept4 sk=%x, hash: %lld\n", sk, hash);
|
|
|
+ cw_bpf_debug("socket sys_exit_accept4 dport=%d, lport=%d\n", tuple.dport, tuple.sport);
|
|
|
+ cw_bpf_debug("socket sys_exit_accept4 saddr=%lld, daddr=%lld\n", tuple.saddr, tuple.daddr);
|
|
|
+ unsigned char saddr[16] = {};
|
|
|
+ unsigned char daddr[16] = {};
|
|
|
+ u32_to_ip(tuple.saddr, saddr);
|
|
|
+ u32_to_ip(tuple.daddr, daddr);
|
|
|
+
|
|
|
+ void *map = &tcp_accept_events;
|
|
|
+
|
|
|
+ struct tcp_event e = {};
|
|
|
+
|
|
|
+ e.type = EVENT_TYPE_ACCEPT_OPEN;
|
|
|
+ e.duration = 0;
|
|
|
+ e.timestamp = 0;
|
|
|
+ e.pid = pid_tgid >> 32;
|
|
|
+ e.sport = tuple.sport;
|
|
|
+ e.dport = tuple.dport;
|
|
|
+ e.fd = fd;
|
|
|
+ __builtin_memcpy(&e.saddr, &saddr, sizeof(e.saddr));
|
|
|
+ __builtin_memcpy(&e.daddr, &daddr, sizeof(e.daddr));
|
|
|
+ cw_bpf_debug("socket sys_exit_accept4 addraddraddr saddr=%llu, saddr=%llu\n", e.saddr[10], e.saddr[11]);
|
|
|
+ cw_bpf_debug("socket sys_exit_accept4 addraddraddr saddr=%llu, saddr=%llu\n", e.saddr[12], e.saddr[13]);
|
|
|
+ cw_bpf_debug("socket sys_exit_accept4 addraddraddr saddr=%llu, saddr=%llu\n", e.saddr[14], e.saddr[15]);
|
|
|
+
|
|
|
+ cw_bpf_debug("socket sys_exit_accept4 addraddraddr daddr=%llu, daddr=%llu\n", e.daddr[10], e.daddr[11]);
|
|
|
+ cw_bpf_debug("socket sys_exit_accept4 addraddraddr daddr=%llu, daddr=%llu\n", e.daddr[12], e.daddr[13]);
|
|
|
+ cw_bpf_debug("socket sys_exit_accept4 addraddraddr daddr=%llu, daddr=%llu\n", e.daddr[14], e.daddr[15]);
|
|
|
+
|
|
|
+ bpf_perf_event_output(ctx, map, BPF_F_CURRENT_CPU, &e, sizeof(e));
|
|
|
+ struct connection_id cid = {};
|
|
|
+ cid.pid = pid_tgid >> 32;
|
|
|
+ cid.fd = fd;
|
|
|
+
|
|
|
+ struct connection conn = {};
|
|
|
+ conn.timestamp = bpf_ktime_get_ns();
|
|
|
+ cw_bpf_debug("socket accept update active_accepts before cid.pid=%d, cid.fd=%lld\n", cid.pid, cid.fd);
|
|
|
+ bpf_map_update_elem(&active_accepts, &cid, &conn, BPF_ANY);
|
|
|
+ cw_bpf_debug("socket accept update active_accepts after cid.pid=%d, cid.fd=%lld\n", cid.pid, cid.fd);
|
|
|
+
|
|
|
+ // TODO 1: tcp_accept_events 把数据发到go层。update active_accept 定义一个 e.type
|
|
|
+ }
|
|
|
+
|
|
|
+ // 从地图中移除项目,避免泄漏
|
|
|
+ bpf_map_delete_elem(&socket_map, &pid_tgid);
|
|
|
+
|
|
|
+ return 0;
|
|
|
+}
|
roger.wang