Bump libbpf version and add https trace

feiskyer · Aug 11, 2024 · 79ce995 · 79ce995
1 parent 1256949
commit 79ce995
Show file tree

Hide file tree

Showing 35 changed files with 69,115 additions and 53,382 deletions.
diff --git a/.gitignore b/.gitignore
@@ -46,6 +46,8 @@ bpf-apps/hello_btf
 bpf-apps/tc_block_tcp
 bpf-apps/xdppass
 bpf-apps/http_trace
+bpf-apps/https_trace
+bpf-apps/https_trace_bad
 
 # Debug files
 *.dSYM/

diff --git a/bpf-apps/Makefile b/bpf-apps/Makefile
@@ -1,4 +1,4 @@
-APPS = hello execsnoop execsnoop_v2 bashreadline hello_btf block_shell xdppass tc_block_tcp http_trace
+APPS = hello execsnoop execsnoop_v2 bashreadline hello_btf block_shell xdppass tc_block_tcp http_trace https_trace https_trace_bad
 bpftool = $(shell which bpftool || ../tools/bpftool)
 LIBBPF_SRC := $(abspath ../libbpf/src)
 LIBBPF_OBJ := $(abspath libbpf/libbpf.a)
@@ -7,7 +7,7 @@ INCLUDES := -Ilibbpf/usr/include -I../libbpf/include/uapi -I/usr/include/x86_64-
 .PHONY: all
 all: $(APPS)
 
-$(APPS): %: %.bpf.c $(LIBBPF_OBJ) $(wildcard %.h)
+$(APPS): %: %.bpf.c %.c $(LIBBPF_OBJ) $(wildcard %.h)
 	clang -g -O2 -target bpf -D__TARGET_ARCH_x86 $(INCLUDES) -c $@.bpf.c -o $@.bpf.o
 	$(bpftool) gen skeleton $@.bpf.o > $@.skel.h
 	clang -g -O2 -Wall $(INCLUDES) -c $@.c -o $@.o

diff --git a/bpf-apps/bashreadline.bpf.c b/bpf-apps/bashreadline.bpf.c
@@ -12,8 +12,7 @@ struct {
 	__uint(type, BPF_MAP_TYPE_PERF_EVENT_ARRAY);
 	__uint(key_size, sizeof(__u32));
 	__uint(value_size, sizeof(__u32));
-}
-events SEC(".maps");
+} events SEC(".maps");
 
 SEC("uretprobe/readline")
 int BPF_KRETPROBE(printret, const void *ret)
@@ -35,4 +34,4 @@ int BPF_KRETPROBE(printret, const void *ret)
 	return 0;
 };
 
-char LICENSE[] SEC("license") = "GPL";
+char LICENSE[] SEC("license") = "Dual BSD/GPL";
diff --git a/bpf-apps/bashreadline.skel.h b/bpf-apps/bashreadline.skel.h
diff --git a/bpf-apps/block_shell.skel.h b/bpf-apps/block_shell.skel.h
diff --git a/bpf-apps/execsnoop.bpf.c b/bpf-apps/execsnoop.bpf.c
@@ -19,7 +19,8 @@ struct {
 	__uint(type, BPF_MAP_TYPE_PERF_EVENT_ARRAY);
 	__uint(key_size, sizeof(u32));
 	__uint(value_size, sizeof(u32));
-} events SEC(".maps");
+}
+events SEC(".maps");
 
 // tracepoint for sys_enter_execve.
 SEC("tracepoint/syscalls/sys_enter_execve")

diff --git a/bpf-apps/execsnoop.skel.h b/bpf-apps/execsnoop.skel.h
diff --git a/bpf-apps/execsnoop_v2.bpf.c b/bpf-apps/execsnoop_v2.bpf.c
@@ -21,8 +21,7 @@ struct {
 	__uint(type, BPF_MAP_TYPE_PERF_EVENT_ARRAY);
 	__uint(key_size, sizeof(u32));
 	__uint(value_size, sizeof(u32));
-}
-events SEC(".maps");
+} events SEC(".maps");
 
 static __always_inline bool valid_uid(uid_t uid)
 {

diff --git a/bpf-apps/execsnoop_v2.skel.h b/bpf-apps/execsnoop_v2.skel.h
diff --git a/bpf-apps/hello.skel.h b/bpf-apps/hello.skel.h
@@ -194,11 +194,11 @@ static inline const void *hello_bpf__elf_bytes(size_t *sz)
 \x10\x0a\xb9\0\0\0\x02\xb1\x08\xbe\0\0\0\x09\xc3\0\0\0\x11\xd4\0\0\0\x12\xd8\0\
 \0\0\x12\xdd\0\0\0\x13\0\x05\x0b\x05\x08\x09\xac\0\0\0\x0b\xe5\0\0\0\x0d\x01\
 \x0e\x05\x0c\x07\x04\x03\xf5\0\0\0\x04\x42\0\0\0\x06\0\x05\x0e\x07\x08\x05\x10\
-\x05\x04\x09\x02\x01\0\0\x14\x1d\x40\x01\x4d\xb3\x01\0\x15\x12\x3b\x01\0\0\x01\
-\x4e\xb3\x01\0\0\x15\x1a\xd4\0\0\0\x01\x4f\xb3\x01\0\x08\x15\x1b\xe9\0\0\0\x01\
-\x50\xb3\x01\0\x10\x15\x1c\x72\x01\0\0\x01\x51\xb3\x01\0\x40\0\x16\x19\x08\x01\
-\x08\x17\x17\x13\x6a\x01\0\0\x01\x09\x17\0\x17\x15\x6e\x01\0\0\x01\x0a\x17\x02\
-\x17\x17\x6e\x01\0\0\x01\x0b\x17\x03\x17\x18\xf9\0\0\0\x01\x0c\x17\x04\0\x05\
+\x05\x04\x09\x02\x01\0\0\x14\x1d\x40\x01\xf7\xba\x01\0\x15\x12\x3b\x01\0\0\x01\
+\xf8\xba\x01\0\0\x15\x1a\xd4\0\0\0\x01\xf9\xba\x01\0\x08\x15\x1b\xe9\0\0\0\x01\
+\xfa\xba\x01\0\x10\x15\x1c\x72\x01\0\0\x01\xfb\xba\x01\0\x40\0\x16\x19\x08\x01\
+\x79\x17\x17\x13\x6a\x01\0\0\x01\x7a\x17\0\x17\x15\x6e\x01\0\0\x01\x7b\x17\x02\
+\x17\x17\x6e\x01\0\0\x01\x7c\x17\x03\x17\x18\xf9\0\0\0\x01\x7d\x17\x04\0\x05\
 \x14\x07\x02\x05\x16\x08\x01\x03\x3e\0\0\0\x04\x42\0\0\0\0\0\x0b\x86\x01\0\0\
 \x20\x01\x32\x0b\xf9\0\0\0\x1f\x01\x24\0\x88\0\0\0\x05\0\0\0\0\0\0\0\x27\0\0\0\
 \x33\0\0\0\x4a\0\0\0\x52\0\0\0\x57\0\0\0\x6b\0\0\0\x84\0\0\0\x97\0\0\0\x9d\0\0\
@@ -277,8 +277,8 @@ static inline const void *hello_bpf__elf_bytes(size_t *sz)
 \0\0\0\0\0\0\0\0\0\0\x50\0\0\0\0\0\0\0\x91\0\0\0\x05\0\x08\0\x69\0\0\0\x08\x01\
 \x01\xfb\x0e\x0d\0\x01\x01\x01\x01\0\0\0\x01\0\0\x01\x01\x01\x1f\x03\0\0\0\0\
 \x17\0\0\0\x19\0\0\0\x03\x01\x1f\x02\x0f\x05\x1e\x03\x30\0\0\0\0\x55\x2f\x2b\
-\x7f\x54\xcd\x0e\x67\x1a\xe0\xdb\x10\x27\xbe\x3b\x3b\x3c\0\0\0\x01\xe2\xf1\x38\
-\x92\x39\x2c\x96\x17\xaa\x42\x64\xed\x33\xe7\xb5\x02\x46\0\0\0\x02\x65\xe4\xdc\
+\x7f\x54\xcd\x0e\x67\x1a\xe0\xdb\x10\x27\xbe\x3b\x3b\x3c\0\0\0\x01\x2f\x85\xf9\
+\x98\x02\xa5\xf4\x44\xa8\x02\xdd\x45\xb0\x0d\x10\x14\x46\0\0\0\x02\x65\xe4\xdc\
 \x8e\x31\x21\xf9\x1a\x5c\x2c\x9e\xb8\x56\x3c\x56\x92\x04\0\0\x09\x02\0\0\0\0\0\
 \0\0\0\x03\x0a\x01\x05\x28\x0a\x13\x05\x0e\x21\x05\x02\x22\x67\x02\x02\0\x01\
 \x01\x2f\x67\x6f\x2f\x65\x62\x70\x66\x2d\x61\x70\x70\x73\x2f\x62\x70\x66\x2d\

diff --git a/bpf-apps/hello_btf.skel.h b/bpf-apps/hello_btf.skel.h
diff --git a/bpf-apps/http_trace.bpf.c b/bpf-apps/http_trace.bpf.c
@@ -7,12 +7,23 @@
 
 #define ETH_HLEN 14
 #define ETH_P_IP 0x0800		/* Internet Protocol packet     */
+#define IP_MF 0x2000		/* More Fragments */
+#define IP_OFFSET 0x1FFF	/* Mask for fragmenting bits */
 
 struct {
 	__uint(type, BPF_MAP_TYPE_RINGBUF);
 	__uint(max_entries, 256 * 1024);
 } events SEC(".maps");
 
+static inline int ip_is_fragment(struct __sk_buff *skb)
+{
+	__u16 frag_off;
+	bpf_skb_load_bytes(skb, ETH_HLEN + offsetof(struct iphdr, frag_off),
+			   &frag_off, sizeof(frag_off));
+	frag_off = bpf_ntohs(frag_off);
+	return frag_off & (IP_MF | IP_OFFSET);
+}
+
 SEC("socket")
 int http_trace(struct __sk_buff *skb)
 {
@@ -26,6 +37,11 @@ int http_trace(struct __sk_buff *skb)
 		return 0;
 	}
 
+	// 如果是分片包则不跟踪
+	if (ip_is_fragment(skb)) {
+		return 0;
+	}
+
 	// 只跟踪 TCP 协议的数据包
 	bpf_skb_load_bytes(skb, ETH_HLEN + offsetof(struct iphdr, protocol),
 			   &ip_proto, 1);
@@ -91,4 +107,4 @@ int http_trace(struct __sk_buff *skb)
 	return 0;
 }
 
-char _license[] SEC("license") = "GPL";
+char _license[] SEC("license") = "Dual BSD/GPL";
diff --git a/bpf-apps/http_trace.c b/bpf-apps/http_trace.c
@@ -3,6 +3,7 @@
 #include <stdlib.h>
 #include <string.h>
 #include <errno.h>
+#include <signal.h>
 #include <arpa/inet.h>
 #include <linux/if_ether.h>
 #include <linux/if_packet.h>
@@ -27,6 +28,13 @@ static int libbpf_print_fn(enum libbpf_print_level level, const char *format,
 #endif
 }
 
+static volatile bool exiting = false;
+
+static void sig_handler(int signo)
+{
+	exiting = true;
+}
+
 // 创建原始套接字
 static inline int open_raw_sock(const char *name)
 {
@@ -90,6 +98,10 @@ int main(int argc, char **argv)
 	// 设置libbpf的错误和调试信息回调
 	libbpf_set_print(libbpf_print_fn);
 
+	// 注册信号处理程序
+	signal(SIGINT, sig_handler);
+	signal(SIGTERM, sig_handler);
+
 	// 提升RLIMIT_MEMLOCK以允许BPF子系统执行任何需要的操作
 	bump_memlock_rlimit();
 
@@ -120,12 +132,21 @@ int main(int argc, char **argv)
 	}
 	// 从ring buffer中读取数据
 	printf("Tracing HTTP traffic... Hit Ctrl-C to end.\n");
-	while ((err = ring_buffer__poll(rb, 100)) >= 0) ;
-	printf("Error polling perf buffer: %d\n", err);
+	while (!exiting) {
+		err = ring_buffer__poll(rb, 100);
+		if (err == -EINTR) {
+			err = 0;
+			break;
+		}
+		if (err < 0) {
+			fprintf(stderr, "Error polling ring buffer: %d\n", err);
+			break;
+		}
+	}
 
  cleanup:
 	// 释放资源
 	ring_buffer__free(rb);
 	http_trace_bpf__destroy(skel);
-	return err != 0;
+	return -err;
 }