ebpf/ebpftracer/ebpf/tcp/state.c

#ifndef IPPROTO_TCP
#define IPPROTO_TCP 6
#endif
#define MAX_CONNECTIONS 1000000

struct tcp_event {
    __u64 fd;
    __u64 timestamp;
    __u64 duration;
    __u64 first_read_time;
    __u64 first_write_time;
    __u64 new_read_time;
    __u32 type;
    __u32 pid;
    __u64 bytes_sent;
    __u64 bytes_received;
    __u16 sport;
    __u16 dport;
    __u8 saddr[16];
    __u8 daddr[16];
};

struct {
    __uint(type, BPF_MAP_TYPE_PERF_EVENT_ARRAY);
    __uint(key_size, sizeof(int));
    __uint(value_size, sizeof(int));
} tcp_listen_events SEC(".maps");

struct {
    __uint(type, BPF_MAP_TYPE_PERF_EVENT_ARRAY);
    __uint(key_size, sizeof(int));
    __uint(value_size, sizeof(int));
} tcp_connect_events SEC(".maps");

struct {
    __uint(type, BPF_MAP_TYPE_PERF_EVENT_ARRAY);
    __uint(key_size, sizeof(int));
    __uint(value_size, sizeof(int));
} tcp_accept_events SEC(".maps");

struct trace_event_raw_inet_sock_set_state__stub {
    __u64 unused;
    void *skaddr;
    int oldstate;
    int newstate;
    __u16 sport;
    __u16 dport;
    __u16 family;
#if __KERNEL_FROM >= 506
    __u16 protocol;
#else
    __u8 protocol;
#endif
    __u8 saddr[4];
    __u8 daddr[4];
    __u8 saddr_v6[16];
    __u8 daddr_v6[16];
};

struct {
    __uint(type, BPF_MAP_TYPE_HASH);
    __uint(key_size, sizeof(__u64));
    __uint(value_size, sizeof(__u64));
    __uint(max_entries, 10240);
} fd_by_pid_tgid SEC(".maps");

struct connection_id {
    __u64 fd;
    __u32 pid;
};

struct {
    __uint(type, BPF_MAP_TYPE_LRU_HASH);
    __uint(key_size, sizeof(void *));
    __uint(value_size, sizeof(struct connection_id));
    __uint(max_entries, MAX_CONNECTIONS);
} connection_id_by_socket SEC(".maps");

struct connection {
    __u64 timestamp;
    __u64 bytes_sent;
    __u64 bytes_received;
    __u64 first_read_time;
    __u64 first_write_time;
    __u64 new_read_time;
};

struct accept_connection {
    __u16 sport;
    __u16 dport;
    __u8 saddr[16];
    __u8 daddr[16];
};

struct {
    __uint(type, BPF_MAP_TYPE_LRU_HASH);
    __uint(key_size, sizeof(struct connection_id));
    __uint(value_size, sizeof(struct connection));
    __uint(max_entries, MAX_CONNECTIONS);
} active_connections SEC(".maps");

struct {
    __uint(type, BPF_MAP_TYPE_LRU_HASH);
    __uint(key_size, sizeof(struct connection_id));
    __uint(value_size, sizeof(struct accept_connection));
    __uint(max_entries, MAX_CONNECTIONS);
} active_accepts SEC(".maps");


SEC("tracepoint/sock/inet_sock_set_state")
int inet_sock_set_state(void *ctx)
{
    struct trace_event_raw_inet_sock_set_state__stub args = {};
    if (bpf_probe_read(&args, sizeof(args), ctx) < 0) {
        return 0;
    }
    if (args.protocol != IPPROTO_TCP) {
        return 0;
    }
    __u64 id = bpf_get_current_pid_tgid();
    __u32 pid = id >> 32;
    cw_bpf_debug("fucksocket pid=%lld inet_sock_set_state -- args.oldstate=%lld, args.newstate=%lld\n", pid, args.oldstate, args.newstate);
    cw_bpf_debug("fucksocket pid=%lld inet_sock_set_state -- id=%lld\n", pid, id);

    if (args.oldstate == BPF_TCP_CLOSE && args.newstate == BPF_TCP_SYN_SENT) {
        
        __u64 *fdp = bpf_map_lookup_elem(&fd_by_pid_tgid, &id);

        if (!fdp) {
            return 0;
        }
        struct connection_id cid = {};
        cid.pid = pid;
        cid.fd = *fdp;

        struct connection conn = {};
        conn.timestamp = bpf_ktime_get_ns();
        conn.first_read_time = 0;
        conn.first_write_time = 0;
        conn.new_read_time = 0;

        bpf_map_delete_elem(&fd_by_pid_tgid, &id);
        bpf_map_update_elem(&connection_id_by_socket, &args.skaddr, &cid, BPF_ANY);
        bpf_map_update_elem(&active_connections, &cid, &conn, BPF_ANY);
        return 0;
    }

    __u64 fd = 0;
    __u32 type = 0;
    __u64 timestamp = 0;
    __u64 duration = 0;
    void *map = &tcp_connect_events;

    struct tcp_event e = {};

    if (args.oldstate == BPF_TCP_SYN_SENT) {
        struct connection_id *cid = bpf_map_lookup_elem(&connection_id_by_socket, &args.skaddr);
        if (!cid) {
            return 0;
        }
        struct connection *conn = bpf_map_lookup_elem(&active_connections, cid);
        if (!conn) {
            return 0;
        }
        if (args.newstate == BPF_TCP_ESTABLISHED) {
            timestamp = conn->timestamp;
            type = EVENT_TYPE_CONNECTION_OPEN;
        } else if (args.newstate == BPF_TCP_CLOSE) {
            bpf_map_delete_elem(&active_connections, cid);
            type = EVENT_TYPE_CONNECTION_ERROR;
        }
        duration = bpf_ktime_get_ns() - conn->timestamp;
        pid = cid->pid;
        fd = cid->fd;
    }
    if (args.oldstate == BPF_TCP_ESTABLISHED && (args.newstate == BPF_TCP_FIN_WAIT1 || args.newstate == BPF_TCP_CLOSE_WAIT)) {
        bpf_map_delete_elem(&connection_id_by_socket, &args.skaddr);
    }
    if (args.oldstate == BPF_TCP_CLOSE && args.newstate == BPF_TCP_LISTEN) {
        type = EVENT_TYPE_LISTEN_OPEN;
        map = &tcp_listen_events;
    }
    if (args.oldstate == BPF_TCP_LISTEN && args.newstate == BPF_TCP_CLOSE) {
        type = EVENT_TYPE_LISTEN_CLOSE;
        map = &tcp_listen_events;
    }

    if (type == 0) {
        return 0;
    }
    e.type = type;
    e.duration = duration;
    e.timestamp = timestamp;
    e.first_read_time = 0;
    e.first_write_time = 0;
    e.new_read_time = 0;
    e.pid = pid;
    e.sport = args.sport;
    e.dport = args.dport;
    // e.sport = bpf_ntohs(args.sport);  
    // e.dport = bpf_ntohs(args.dport);
    e.fd = fd;
    __builtin_memcpy(&e.saddr, &args.saddr_v6, sizeof(e.saddr));
    __builtin_memcpy(&e.daddr, &args.daddr_v6, sizeof(e.saddr));

    bpf_perf_event_output(ctx, map, BPF_F_CURRENT_CPU, &e, sizeof(e));

    return 0;
}

struct trace_event_raw_args_with_fd__stub {
    __u64 unused;
    long int id;
    __u64 fd;
};

SEC("tracepoint/syscalls/sys_enter_connect")
int sys_enter_connect(void *ctx) {
    struct trace_event_raw_args_with_fd__stub args = {};
    if (bpf_probe_read(&args, sizeof(args), ctx) < 0) {
        return 0;
    }
    __u64 id = bpf_get_current_pid_tgid();
    __u64 pid = id >> 32;
    cw_bpf_debug("fucksocket pid=%lld sys_enter_connect -- id=%lld, fd=%lld\n", pid, id, args.fd);
    bpf_map_update_elem(&fd_by_pid_tgid, &id, &args.fd, BPF_ANY);
    return 0;
}

SEC("tracepoint/syscalls/sys_exit_connect")
int sys_exit_connect(struct trace_event_raw_sys_exit__stub* ctx) {
    __u64 id = bpf_get_current_pid_tgid();
    __u64 *fdp = bpf_map_lookup_elem(&fd_by_pid_tgid, &id);
    if (!fdp) {
        return 0;
    }
    struct connection_id cid = {};
    cid.pid = id >> 32;
    cid.fd = *fdp;
    struct connection *conn = bpf_map_lookup_elem(&active_connections, &cid);
    if (!conn && ctx->ret == 0) { // non-TCP connection
        struct connection conn = {};
        conn.timestamp = bpf_ktime_get_ns();
        conn.first_read_time = 0;
        conn.first_write_time = 0;
        cw_bpf_debug("fucksocket pid=%lld sys_exit_connect -- id=%lld, fd=%lld\n", cid.pid, id, cid.fd);
        bpf_map_update_elem(&active_connections, &cid, &conn, BPF_ANY);
    }
    bpf_map_delete_elem(&fd_by_pid_tgid, &id);
    return 0;
}

SEC("tracepoint/syscalls/sys_enter_close")
int sys_enter_close(void *ctx) {
    struct trace_event_raw_args_with_fd__stub args = {};
    if (bpf_probe_read(&args, sizeof(args), ctx) < 0) {
        return 0;
    }
    __u64 id = bpf_get_current_pid_tgid();
    struct connection_id cid = {};
    cid.pid = id >> 32;
    cid.fd = args.fd;
    struct connection *conn = bpf_map_lookup_elem(&active_connections, &cid);
    if (cid.pid == 3269744) {
        cw_bpf_debug("fucksocket pid=%lld sys_enter_close -- id=%lld, fd=%lld\n", cid.pid, id, cid.fd);
    }
    cw_bpf_debug("socket accept socket sys_enter_close connection before -- cid.pid=%lld, cid.fd=%lld\n", cid.pid, cid.fd);
    if (conn) {
        if (cid.pid == 3269744) {
            cw_bpf_debug("fucksocket pid=%lld sys_enter_close2 -- id=%lld, fd=%lld\n", cid.pid, id, cid.fd);
        }
        cw_bpf_debug("socket accept socket sys_enter_close connection before cid.pid=%lld, cid.fd=%lld\n", conn->bytes_sent, conn->bytes_received);
        struct tcp_event e = {};
        e.type = EVENT_TYPE_CONNECTION_CLOSE;
        e.pid = cid.pid;
        e.fd = cid.fd;
        e.bytes_sent = conn->bytes_sent;
        e.bytes_received = conn->bytes_received;
        e.timestamp = conn->timestamp;
        e.first_read_time = conn->first_read_time;
        e.first_write_time = conn->first_write_time;
        e.new_read_time = conn->new_read_time;
        bpf_perf_event_output(ctx, &tcp_connect_events, BPF_F_CURRENT_CPU, &e, sizeof(e));
        bpf_map_delete_elem(&active_connections, &cid);
    }
    cw_bpf_debug("socket accept socket sys_enter_close accept_Connection before cid.pid=%d, cid.fd=%d\n", cid.pid, cid.fd);
    struct accept_connection *acceptConn = bpf_map_lookup_elem(&active_accepts, &cid);
    if (acceptConn) {
        // struct tcp_event e = {};
        // e.type = EVENT_TYPE_ACCEPT_CLOSE;
        // e.pid = cid.pid;
        // e.fd = cid.fd;
        // e.bytes_sent = acceptConn->bytes_sent;
        // e.bytes_received = acceptConn->bytes_received;
        // e.timestamp = acceptConn->timestamp;
        // bpf_perf_event_output(ctx, &tcp_accept_events, BPF_F_CURRENT_CPU, &e, sizeof(e));
        bpf_map_delete_elem(&active_accepts, &cid);
        // cw_bpf_debug("socket accept socket sys_enter_close accept_Connection cid.pid=%d, cid.fd=%d\n", cid.pid, cid.fd);
        // cw_bpf_debug("socket accept socket sys_enter_close accept_Connection cid.bytes_sent=%d, cid.bytes_received=%d\n", e.bytes_sent, e.bytes_received);
    }

    //TODO 2，增加active_accept 对应的判断，类比234行操作，新增EVENT_TYPE_accept_conn_CLOSE类型

    //TODO 3 bpf_map_delete_elem(&active_accept, &cid);
    return 0;
}

void u32_to_ip(__u32 ip, unsigned char* bytes) {  
    // 将32位整数拆分为四个8位整数  
    // unsigned char bytes[4];  
    bytes[15] = (ip >> 24) & 0xFF;  
    bytes[14] = (ip >> 16) & 0xFF;  
    bytes[13] = (ip >> 8) & 0xFF;  
    bytes[12] = ip & 0xFF;  
    bytes[11] = 0xFF;  
    bytes[10] = 0xFF;  

    // 使用sprintf将这些整数格式化为字符串  
    cw_bpf_debug("[Go] [socket/IP: %u.%u", bytes[15], bytes[14]);  
    cw_bpf_debug("[Go] [socket/IP: %u.%u", bytes[13], bytes[12]);  
}  


// 用于存储文件描述符和套接字指针的 map  
struct {  
    __uint(type, BPF_MAP_TYPE_HASH);  
    __type(key, __u64);  // 使用进程 ID 作为键  
    __type(value, struct sock *);  
    __uint(max_entries, 1024);  
} socket_map SEC(".maps");  


struct ipv4_tuple_t {  
    __u32 saddr;  
    __u32 daddr;  
    __u16 sport;  
    __u16 dport;  
    __u8  protocol;  
};

SEC("kretprobe/inet_csk_accept")
int kprobeinet_csk_accept(struct pt_regs *ctx) {
    cw_bpf_debug("socket inet_csk_accept Connection exit pid_tgid: pid_tgid=\n");
    __u64 pid_tgid = bpf_get_current_pid_tgid();
    cw_bpf_debug("socket inet_csk_accept Connection exit pid_tgid: pid_tgid=%d\n", pid_tgid);
    struct sock *sk = (struct sock *)PT_REGS_RC(ctx);
    // __u16 family = 0;
    // bpf_probe_read(&family, sizeof(family), &sk->__sk_common.skc_family);
    // cw_bpf_debug("socket inet_csk_accept Connection family: family=%d\n", family);
    // if (family == AF_INET)
	// {
    //     cw_bpf_debug("socket inet_csk_accept Connection family: IPv4=%d\n", family);
    // }
    // struct ipv4_tuple_t tuple = {};  
    // // 从 __sk_common 获取信息  
    // bpf_probe_read(&tuple.saddr, sizeof(tuple.saddr), &sk->__sk_common.skc_rcv_saddr);  
    // bpf_probe_read(&tuple.daddr, sizeof(tuple.daddr), &sk->__sk_common.skc_daddr);  
    // bpf_probe_read(&tuple.sport, sizeof(tuple.sport), &sk->__sk_common.skc_num);  
    // bpf_probe_read(&tuple.dport, sizeof(tuple.dport), &sk->__sk_common.skc_dport);  

    // tuple.sport = bpf_ntohs(tuple.sport);  
    // tuple.dport = bpf_ntohs(tuple.dport);

    // __u64 hash;
    // bpf_probe_read(&hash, sizeof(hash), &sk->__sk_common.skc_hash);

    // cw_bpf_debug("socket inet_csk_accept Connection accepted: sk=%x, hash: %lld\n", sk, hash);
    // cw_bpf_debug("socket inet_csk_accept Connection accepted: dport=%d, lport=%d\n", tuple.dport, tuple.sport);
    // cw_bpf_debug("socket inet_csk_accept Connection accepted: saddr=%lld, daddr=%lld\n", tuple.saddr, tuple.daddr);
    // u32_to_ip(tuple.saddr);
    // u32_to_ip(tuple.daddr);
    // 将进程 ID 关联到 `struct sock` 指针  
    bpf_map_update_elem(&socket_map, &pid_tgid, &sk, BPF_ANY);  

    return 0;
}

struct sys_exit_accept4_ctx {
	__u64 __unused_syscall_header;
	__u32 __unused_syscall_nr;
	long ret;
};
struct sys_enter_accept4_ctx {
	__u64 __unused_syscall_header;
	__u32 __unused_syscall_nr;

	long fd;
	__u64 *sockaddr;
	int addrlen;
};

struct sys_exit_accept_ctx {
	__u64 __unused_syscall_header;
	__u32 __unused_syscall_nr;
	long ret;
};
// 在系统调用accept返回时挂钩获取文件描述符  
SEC("tracepoint/syscalls/sys_enter_accept4")  
int tracepoint__sys_enter_accept4(struct sys_enter_accept4_ctx *ctx) {  
    __u64 pid_tgid = bpf_get_current_pid_tgid();  
    cw_bpf_debug("[Go] [socket/tracepoint__sys_entry_accept4]getget: rdi_ptr::pid: %d,-- %d\n", pid_tgid, ctx->fd);
    return 0;  
}  

SEC("tracepoint/syscalls/sys_enter_accept")  
int tracepoint__sys_enter_accept(struct trace_event_raw_sys_enter *ctx) {  
    __u64 pid_tgid = bpf_get_current_pid_tgid();  
    cw_bpf_debug("[Go] [socket/tracepoint__sys_entry_accept----]getget: rdi_ptr::pid: %d\n", pid_tgid);  
    return 0;  
} 

SEC("tracepoint/syscalls/sys_exit_accept")
int sys_exit_accept(struct sys_exit_accept_ctx *ctx)
{
    long fd = ctx->ret;  
    __u64 pid_tgid = bpf_get_current_pid_tgid();  
    cw_bpf_debug("[Go] [socket/tracepoint__sys_exit_accept-----]getget: rdi_ptr::pid: %d,-- %d\n", pid_tgid, fd);
    // bpf_map_update_elem(&fd_by_pid_tgid, &pid_tgid, &fd, BPF_ANY);
    struct sock **skp;  
    // 从 map 中获取 `struct sock` 指针  
    skp = bpf_map_lookup_elem(&socket_map, &pid_tgid);  
    if (skp && fd > 0) {
        struct sock *sk = *skp;
        __u16 family = 0;
        bpf_probe_read(&family, sizeof(family), &sk->__sk_common.skc_family);
        cw_bpf_debug("socket sys_exit_accept--- family: family=%d\n", family);
        if (family == AF_INET)
        {
            cw_bpf_debug("socket sys_exit_accept--- family: IPv4=%d\n", family);
        }
        struct ipv4_tuple_t tuple = {};  
        // 从 __sk_common 获取信息  
        bpf_probe_read(&tuple.saddr, sizeof(tuple.saddr), &sk->__sk_common.skc_rcv_saddr);  
        bpf_probe_read(&tuple.daddr, sizeof(tuple.daddr), &sk->__sk_common.skc_daddr);  
        bpf_probe_read(&tuple.sport, sizeof(tuple.sport), &sk->__sk_common.skc_num);  
        bpf_probe_read(&tuple.dport, sizeof(tuple.dport), &sk->__sk_common.skc_dport);  

        // tuple.sport = bpf_ntohs(tuple.sport);  
        tuple.dport = bpf_ntohs(tuple.dport);

        __u64 hash;
        bpf_probe_read(&hash, sizeof(hash), &sk->__sk_common.skc_hash);

        cw_bpf_debug("socket sys_exit_accept--- sk=%x, hash: %lld\n", sk, hash);
        cw_bpf_debug("socket sys_exit_accept--- dport=%d, lport=%d\n", tuple.dport, tuple.sport);
        cw_bpf_debug("socket sys_exit_accept--- saddr=%lld, daddr=%lld\n", tuple.saddr, tuple.daddr);
        unsigned char saddr[16] = {};
        unsigned char daddr[16] = {};
        u32_to_ip(tuple.saddr, saddr);
        u32_to_ip(tuple.daddr, daddr);

        void *map = &tcp_accept_events;

        struct tcp_event e = {};

        e.type = EVENT_TYPE_ACCEPT_OPEN;
        e.duration = 0;
        e.timestamp = 0;
        e.pid = pid_tgid >> 32;
        e.sport = tuple.sport;
        e.dport = tuple.dport;
        e.fd = fd;
        __builtin_memcpy(&e.saddr, &saddr, sizeof(e.saddr));
        __builtin_memcpy(&e.daddr, &daddr, sizeof(e.daddr));
        cw_bpf_debug("socket sys_exit_accept--- addraddraddr saddr=%llu, saddr=%llu\n", e.saddr[10], e.saddr[11]);
        cw_bpf_debug("socket sys_exit_accept--- addraddraddr saddr=%llu, saddr=%llu\n", e.saddr[12], e.saddr[13]);
        cw_bpf_debug("socket sys_exit_accept--- addraddraddr saddr=%llu, saddr=%llu\n", e.saddr[14], e.saddr[15]);

        cw_bpf_debug("socket sys_exit_accept--- addraddraddr daddr=%llu, daddr=%llu\n", e.daddr[10], e.daddr[11]);
        cw_bpf_debug("socket sys_exit_accept--- addraddraddr daddr=%llu, daddr=%llu\n", e.daddr[12], e.daddr[13]);
        cw_bpf_debug("socket sys_exit_accept--- addraddraddr daddr=%llu, daddr=%llu\n", e.daddr[14], e.daddr[15]);

        bpf_perf_event_output(ctx, map, BPF_F_CURRENT_CPU, &e, sizeof(e));
        struct connection_id cid = {};
        cid.pid = pid_tgid >> 32;
        cid.fd = fd;

        struct accept_connection conn = {};
        conn.sport = tuple.sport;
        conn.dport = tuple.dport;
        __builtin_memcpy(&conn.saddr, &saddr, sizeof(conn.saddr));
        __builtin_memcpy(&conn.daddr, &daddr, sizeof(conn.daddr));
        cw_bpf_debug("socket accept update active_accepts before cid.pid=%d, cid.fd=%lld\n", cid.pid, cid.fd);
        bpf_map_update_elem(&active_accepts, &cid, &conn, BPF_ANY);
        cw_bpf_debug("socket accept update active_accepts after cid.pid=%d, cid.fd=%lld\n", cid.pid, cid.fd);

        // TODO 1: tcp_accept_events 把数据发到go层。update active_accept 定义一个 e.type
    }

    // 从地图中移除项目，避免泄漏  
    bpf_map_delete_elem(&socket_map, &pid_tgid);  

    return 0;  
}

// 在系统调用accept返回时挂钩获取文件描述符  
SEC("tracepoint/syscalls/sys_exit_accept4")  
int tracepoint__sys_exit_accept4(struct sys_exit_accept4_ctx *ctx) {  
    long fd = ctx->ret;  
    __u64 pid_tgid = bpf_get_current_pid_tgid();  
    cw_bpf_debug("[Go] [socket/tracepoint__sys_exit_accept4]getget: rdi_ptr::pid: %d,-- %d\n", pid_tgid, fd);
    // bpf_map_update_elem(&fd_by_pid_tgid, &pid_tgid, &fd, BPF_ANY);
    struct sock **skp;  
    // 从 map 中获取 `struct sock` 指针  
    skp = bpf_map_lookup_elem(&socket_map, &pid_tgid);  
    if (skp && fd > 0) {
        struct sock *sk = *skp;
        __u16 family = 0;
        bpf_probe_read(&family, sizeof(family), &sk->__sk_common.skc_family);
        cw_bpf_debug("socket sys_exit_accept4 family: family=%d\n", family);
        if (family == AF_INET)
        {
            cw_bpf_debug("socket sys_exit_accept4 family: IPv4=%d\n", family);
        }
        struct ipv4_tuple_t tuple = {};  
        // 从 __sk_common 获取信息  
        bpf_probe_read(&tuple.saddr, sizeof(tuple.saddr), &sk->__sk_common.skc_rcv_saddr);  
        bpf_probe_read(&tuple.daddr, sizeof(tuple.daddr), &sk->__sk_common.skc_daddr);  
        bpf_probe_read(&tuple.sport, sizeof(tuple.sport), &sk->__sk_common.skc_num);  
        bpf_probe_read(&tuple.dport, sizeof(tuple.dport), &sk->__sk_common.skc_dport);  

        // tuple.sport = bpf_ntohs(tuple.sport);  
        tuple.dport = bpf_ntohs(tuple.dport);

        __u64 hash;
        bpf_probe_read(&hash, sizeof(hash), &sk->__sk_common.skc_hash);

        cw_bpf_debug("socket sys_exit_accept4 sk=%x, hash: %lld\n", sk, hash);
        cw_bpf_debug("socket sys_exit_accept4 dport=%d, lport=%d\n", tuple.dport, tuple.sport);
        cw_bpf_debug("socket sys_exit_accept4 saddr=%lld, daddr=%lld\n", tuple.saddr, tuple.daddr);
        unsigned char saddr[16] = {};
        unsigned char daddr[16] = {};
        u32_to_ip(tuple.saddr, saddr);
        u32_to_ip(tuple.daddr, daddr);

        void *map = &tcp_accept_events;

        struct tcp_event e = {};

        e.type = EVENT_TYPE_ACCEPT_OPEN;
        e.duration = 0;
        e.timestamp = 0;
        e.pid = pid_tgid >> 32;
        e.sport = tuple.sport;
        e.dport = tuple.dport;
        e.fd = fd;
        __builtin_memcpy(&e.saddr, &saddr, sizeof(e.saddr));
        __builtin_memcpy(&e.daddr, &daddr, sizeof(e.daddr));
        cw_bpf_debug("socket sys_exit_accept4 addraddraddr saddr=%llu, saddr=%llu\n", e.saddr[10], e.saddr[11]);
        cw_bpf_debug("socket sys_exit_accept4 addraddraddr saddr=%llu, saddr=%llu\n", e.saddr[12], e.saddr[13]);
        cw_bpf_debug("socket sys_exit_accept4 addraddraddr saddr=%llu, saddr=%llu\n", e.saddr[14], e.saddr[15]);

        cw_bpf_debug("socket sys_exit_accept4 addraddraddr daddr=%llu, daddr=%llu\n", e.daddr[10], e.daddr[11]);
        cw_bpf_debug("socket sys_exit_accept4 addraddraddr daddr=%llu, daddr=%llu\n", e.daddr[12], e.daddr[13]);
        cw_bpf_debug("socket sys_exit_accept4 addraddraddr daddr=%llu, daddr=%llu\n", e.daddr[14], e.daddr[15]);

        bpf_perf_event_output(ctx, map, BPF_F_CURRENT_CPU, &e, sizeof(e));
        struct connection_id cid = {};
        cid.pid = pid_tgid >> 32;
        cid.fd = fd;

        struct accept_connection conn = {};
        conn.sport = tuple.sport;
        conn.dport = tuple.dport;
        __builtin_memcpy(&conn.saddr, &saddr, sizeof(conn.saddr));
        __builtin_memcpy(&conn.daddr, &daddr, sizeof(conn.daddr));
        cw_bpf_debug("socket accept update active_accepts before cid.pid=%d, cid.fd=%lld\n", cid.pid, cid.fd);
        bpf_map_update_elem(&active_accepts, &cid, &conn, BPF_ANY);
        cw_bpf_debug("socket accept update active_accepts after cid.pid=%d, cid.fd=%lld\n", cid.pid, cid.fd);

        // TODO 1: tcp_accept_events 把数据发到go层。update active_accept 定义一个 e.type
    }

    // 从地图中移除项目，避免泄漏  
    bpf_map_delete_elem(&socket_map, &pid_tgid);  

    return 0;  
}