grafana · marctc · Jun 20, 2024 · Jun 20, 2024
@@ -108,27 +108,24 @@ int BPF_KPROBE(kprobe_tcp_rcv_established, struct sock *sk, struct sk_buff *skb)
 
     bpf_dbg_printk("=== tcp_rcv_established id=%d ===", id);
 
-    pid_connection_info_t info = {};
+    ssl_pid_connection_info_t pid_info = {};
 
-    if (parse_sock_info(sk, &info.conn)) {
+    if (parse_sock_info(sk, &pid_info.p_conn.conn)) {
         //u16 orig_dport = info.conn.d_port;
         //dbg_print_http_connection_info(&info.conn);
-        sort_connection_info(&info.conn);
-        info.pid = pid_from_pid_tgid(id);        
+        sort_connection_info(&pid_info.p_conn.conn);
+        pid_info.p_conn.pid = pid_from_pid_tgid(id);        
 
         http_connection_metadata_t meta = {};
         task_pid(&meta.pid);
         meta.type = EVENT_HTTP_REQUEST;
-        bpf_map_update_elem(&filtered_connections, &info, &meta, BPF_NOEXIST); // On purpose BPF_NOEXIST, we don't want to overwrite data by accept or connect
+        bpf_map_update_elem(&filtered_connections, &pid_info.p_conn, &meta, BPF_NOEXIST); // On purpose BPF_NOEXIST, we don't want to overwrite data by accept or connect
 
         // This is a current limitation for port ordering detection for SSL.
         // tcp_rcv_established flip flops the ports and we can't tell if it's client or server call.
         // If the source port for a client call is lower, we'll get this wrong.
         // TODO: Need to fix this. 
-        ssl_pid_connection_info_t pid_info = {
-            .conn = info,
-            .orig_dport = info.conn.s_port,
-        };
+        pid_info.orig_dport = pid_info.p_conn.conn.s_port,
         task_tid(&pid_info.c_tid);
         bpf_map_update_elem(&pid_tid_to_conn, &id, &pid_info, BPF_ANY); // to support SSL on missing handshake, respect the original info if there
     }
@@ -167,24 +164,22 @@ int BPF_KRETPROBE(kretprobe_sys_accept4, uint fd)
 
     bpf_dbg_printk("=== accept 4 ret id=%d, sock=%llx, fd=%d ===", id, args->addr, fd);
 
-    pid_connection_info_t info = {};
+    ssl_pid_connection_info_t info = {};
 
-    if (parse_accept_socket_info(args, &info.conn)) {
-        u16 orig_dport = info.conn.d_port;
+    if (parse_accept_socket_info(args, &info.p_conn.conn)) {
+        u16 orig_dport = info.p_conn.conn.d_port;
         //dbg_print_http_connection_info(&info.conn);
-        sort_connection_info(&info.conn);
-        info.pid = pid_from_pid_tgid(id);
+        sort_connection_info(&info.p_conn.conn);
+        info.p_conn.pid = pid_from_pid_tgid(id);
 
         http_connection_metadata_t meta = {};
         task_pid(&meta.pid);
         meta.type = EVENT_HTTP_REQUEST;
         bpf_map_update_elem(&filtered_connections, &info, &meta, BPF_ANY); // On purpose BPF_ANY, we want to overwrite stale
-        ssl_pid_connection_info_t pid_info = {
-            .conn = info,
-            .orig_dport = orig_dport,
-        };
-        task_tid(&pid_info.c_tid);
-        bpf_map_update_elem(&pid_tid_to_conn, &id, &pid_info, BPF_ANY); // to support SSL on missing handshake
+
+        info.orig_dport = orig_dport;
+        task_tid(&info.c_tid);
+        bpf_map_update_elem(&pid_tid_to_conn, &id, &info, BPF_ANY); // to support SSL on missing handshake
     }
 
 cleanup:
@@ -240,25 +235,22 @@ int BPF_KRETPROBE(kretprobe_sys_connect, int fd)
         goto cleanup;
     }
 
-    pid_connection_info_t info = {};
+    ssl_pid_connection_info_t info = {};
 
-    if (parse_connect_sock_info(args, &info.conn)) {
+    if (parse_connect_sock_info(args, &info.p_conn.conn)) {
         bpf_dbg_printk("=== connect ret id=%d, pid=%d ===", id, pid_from_pid_tgid(id));
-        u16 orig_dport = info.conn.d_port;
+        u16 orig_dport = info.p_conn.conn.d_port;
         //dbg_print_http_connection_info(&info.conn);
-        sort_connection_info(&info.conn);
-        info.pid = pid_from_pid_tgid(id);
+        sort_connection_info(&info.p_conn.conn);
+        info.p_conn.pid = pid_from_pid_tgid(id);
 
         http_connection_metadata_t meta = {};
         task_pid(&meta.pid);
         meta.type = EVENT_HTTP_CLIENT;
         bpf_map_update_elem(&filtered_connections, &info, &meta, BPF_ANY); // On purpose BPF_ANY, we want to overwrite stale
-        ssl_pid_connection_info_t pid_info = {
-            .conn = info,
-            .orig_dport = orig_dport,
-        };
-        task_tid(&pid_info.c_tid);
-        bpf_map_update_elem(&pid_tid_to_conn, &id, &pid_info, BPF_ANY); // to support SSL 
+        info.orig_dport = orig_dport;
+        task_tid(&info.c_tid);
+        bpf_map_update_elem(&pid_tid_to_conn, &id, &info, BPF_ANY); // to support SSL 
     }
 
 cleanup:
@@ -344,14 +336,14 @@ int BPF_KPROBE(kprobe_tcp_sendmsg, struct sock *sk, struct msghdr *msg, size_t s
         }
 
         bpf_dbg_printk("=== kprobe SSL tcp_sendmsg=%d sock=%llx ssl=%llx ===", id, sk, ssl);
-        ssl_pid_connection_info_t *conn = bpf_map_lookup_elem(&ssl_to_conn, &ssl);
-        if (conn) {
-            finish_possible_delayed_tls_http_request(&conn->conn, ssl);
+        ssl_pid_connection_info_t *s_conn = bpf_map_lookup_elem(&ssl_to_conn, &ssl);
+        if (s_conn) {
+            finish_possible_delayed_tls_http_request(&s_conn->p_conn, ssl);
         }
         ssl_pid_connection_info_t ssl_conn = {
-            .conn = s_args.p_conn,
             .orig_dport = orig_dport,
         };
+        bpf_memcpy(&ssl_conn.p_conn, &s_args.p_conn, sizeof(pid_connection_info_t));
         task_tid(&ssl_conn.c_tid);
         bpf_map_update_elem(&ssl_to_conn, &ssl, &ssl_conn, BPF_ANY);
     }

@@ -218,7 +218,8 @@ static __always_inline void *find_msghdr_buf(struct msghdr *msg) {
         for (int i = 1; i < 4; i++) {
             void *p = &iov[i];
             bpf_probe_read(&vec, sizeof(struct iovec), p);
-            bpf_dbg_printk("iov[%d]=%llx base %llx, len %d", i, p, vec.iov_base, vec.iov_len);
+            // No prints in loops on 5.10
+            // bpf_dbg_printk("iov[%d]=%llx base %llx, len %d", i, p, vec.iov_base, vec.iov_len);
             if (!vec.iov_base || !vec.iov_len) {
                 continue;
             }
@@ -502,7 +503,7 @@ static __always_inline void process_http2_grpc_frames(pid_connection_info_t *pid
         bpf_probe_read(&frame_buf, FRAME_HEADER_LEN, (void *)((u8 *)u_buf + pos));
         read_http2_grpc_frame_header(&frame, frame_buf, FRAME_HEADER_LEN);
 
-        bpf_dbg_printk("http2 frame type = %d, len = %d, stream_id = %d, flags = %d", frame.type, frame.length, frame.stream_id, frame.flags);
+        //bpf_dbg_printk("http2 frame type = %d, len = %d, stream_id = %d, flags = %d", frame.type, frame.length, frame.stream_id, frame.flags);
 
         if (is_headers_frame(&frame)) {
             stream.pid_conn = *pid_conn;

@@ -56,9 +56,9 @@ int BPF_UPROBE(uprobe_ssl_read, void *ssl, const void *buf, int num) {
 
     bpf_dbg_printk("=== uprobe SSL_read id=%d ssl=%llx ===", id, ssl);
 
-    ssl_pid_connection_info_t *conn = bpf_map_lookup_elem(&ssl_to_conn, &ssl);
-    if (conn) {
-        finish_possible_delayed_tls_http_request(&conn->conn, ssl);
+    ssl_pid_connection_info_t *s_conn = bpf_map_lookup_elem(&ssl_to_conn, &ssl);
+    if (s_conn) {
+        finish_possible_delayed_tls_http_request(&s_conn->p_conn, ssl);
     }
 
     ssl_args_t args = {};
@@ -99,9 +99,9 @@ int BPF_UPROBE(uprobe_ssl_read_ex, void *ssl, const void *buf, int num, size_t *
 
     bpf_dbg_printk("=== SSL_read_ex id=%d ===", id);
 
-    ssl_pid_connection_info_t *conn = bpf_map_lookup_elem(&ssl_to_conn, &ssl);
-    if (conn) {
-        finish_possible_delayed_tls_http_request(&conn->conn, ssl);
+    ssl_pid_connection_info_t *s_conn = bpf_map_lookup_elem(&ssl_to_conn, &ssl);
+    if (s_conn) {
+        finish_possible_delayed_tls_http_request(&s_conn->p_conn, ssl);
     }
 
     ssl_args_t args = {};
@@ -235,10 +235,10 @@ int BPF_UPROBE(uprobe_ssl_shutdown, void *s) {
 
     bpf_dbg_printk("=== SSL_shutdown id=%d ssl=%llx ===", id, s);
 
-    ssl_pid_connection_info_t *conn = bpf_map_lookup_elem(&ssl_to_conn, &s);
-    if (conn) {
-        finish_possible_delayed_tls_http_request(&conn->conn, s);
-        bpf_map_delete_elem(&active_ssl_connections, &conn->conn);
+    ssl_pid_connection_info_t *s_conn = bpf_map_lookup_elem(&ssl_to_conn, &s);
+    if (s_conn) {
+        finish_possible_delayed_tls_http_request(&s_conn->p_conn, s);
+        bpf_map_delete_elem(&active_ssl_connections, &s_conn->p_conn);
     }
 
     bpf_map_delete_elem(&ssl_to_conn, &s);

@@ -148,9 +148,9 @@ static __always_inline void handle_ssl_buf(u64 id, ssl_args_t *args, int bytes_l
             // even though we won't have peer information.
             ssl_pid_connection_info_t p_c = {};
             bpf_dbg_printk("setting fake connection info ssl=%llx", ssl);
-            bpf_memcpy(&p_c.conn.conn.s_addr, &ssl, sizeof(void *));
-            p_c.conn.conn.d_port = p_c.conn.conn.s_port = p_c.orig_dport = 0;
-            p_c.conn.pid = pid_from_pid_tgid(id);
+            bpf_memcpy(&p_c.p_conn.conn.s_addr, &ssl, sizeof(void *));
+            p_c.p_conn.conn.d_port = p_c.p_conn.conn.s_port = p_c.orig_dport = 0;
+            p_c.p_conn.pid = pid_from_pid_tgid(id);
             task_tid(&p_c.c_tid);
 
             bpf_map_update_elem(&ssl_to_conn, &ssl, &p_c, BPF_ANY);
@@ -166,12 +166,12 @@ static __always_inline void handle_ssl_buf(u64 id, ssl_args_t *args, int bytes_l
             // for (int i=0; i < 48; i++) {
             //     bpf_dbg_printk("%x ", buf[i]);
             // }
-            bpf_map_update_elem(&active_ssl_connections, &conn->conn, &ssl_ptr, BPF_ANY);
-            handle_buf_with_connection(&conn->conn, (void *)args->buf, bytes_len, WITH_SSL, direction, conn->orig_dport);
+            bpf_map_update_elem(&active_ssl_connections, &conn->p_conn, &ssl_ptr, BPF_ANY);
+            handle_buf_with_connection(&conn->p_conn, (void *)args->buf, bytes_len, WITH_SSL, direction, conn->orig_dport);
             // We should attempt to clean up the server trace immediately. The cleanup information
             // is keyed of the *ssl, so when it's delayed we might have different *ssl on the same
             // connection.
-            cleanup_trace_info_for_delayed_trace(&conn->conn, ssl);
+            cleanup_trace_info_for_delayed_trace(&conn->p_conn, ssl);
         } else {
             bpf_dbg_printk("No connection info! This is a bug.");
         }

@@ -58,7 +58,7 @@ typedef struct http_pid_connection_info {
 } pid_connection_info_t;
 
 typedef struct ssl_pid_connection_info {
-    pid_connection_info_t conn;
+    pid_connection_info_t p_conn;
     u16 orig_dport;
     pid_key_t c_tid;
 } ssl_pid_connection_info_t;

@@ -134,7 +134,8 @@ static __always_inline unsigned char *extract_flags(unsigned char *tp_start) {
 
 static __always_inline void delete_server_trace_tid(pid_key_t *c_tid) {
     int __attribute__((unused)) res = bpf_map_delete_elem(&server_traces, c_tid);
-    bpf_dbg_printk("Deleting server span for id=%llx, pid=%d, ns=%d, res = %d", bpf_get_current_pid_tgid(), c_tid->pid, c_tid->ns, res);
+    // Fails on 5.10 with unknown function
+    // bpf_dbg_printk("Deleting server span for id=%llx, pid=%d, ns=%d, res = %d", bpf_get_current_pid_tgid(), c_tid->pid, c_tid->ns, res);
 }
 
 static __always_inline void delete_server_trace() {