Merge pull request #143 from getanteon/develop
make container filter checks earlier
fatihbaltaci authored May 28, 2024
2 parents a8a4db7 + 322a6a3 commit 2402b4b
Showing 7 changed files with 97 additions and 110 deletions.
9 changes: 6 additions & 3 deletions Dockerfile
@@ -1,9 +1,12 @@
FROM golang:1.20-alpine as builder
FROM golang:1.22.1-bullseye as builder
WORKDIR /app
COPY . ./
RUN apk update && apk add gcc musl-dev
RUN apt update

ARG VERSION
RUN GOOS=linux go build -ldflags="-X 'github.com/ddosify/alaz/datastore.tag=$VERSION'" -o alaz
ENV GOCACHE=/root/.cache/go-build
RUN go mod tidy -v
RUN --mount=type=cache,target="/root/.cache/go-build" GOOS=linux go build -ldflags="-X 'github.com/ddosify/alaz/datastore.tag=$VERSION'" -o alaz

FROM registry.access.redhat.com/ubi9/ubi-minimal:9.3-1552
RUN microdnf update -y && microdnf install procps ca-certificates -y && microdnf clean all
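Review bot: `RUN go mod tidy -v` in the build stage can add or drop go.mod/go.sum entries inside the image, so the binary is not guaranteed to be built against the dependency set that was committed and reviewed; prefer `RUN go mod download && go mod verify` and let `go build` run with its default `-mod=readonly`, so any drift fails the build instead of being patched over. `RUN apt update` installs nothing and only leaves stale package lists in the builder layer — drop it, or fold it into the `apt-get install` it was presumably meant to precede. Neither `golang:1.22.1-bullseye` nor `ubi-minimal:9.3-1552` is pinned by digest, so a re-pushed tag changes the build silently; an `@sha256:…` pin on each would close that. The runtime stage continues past the hunk.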
4 changes: 2 additions & 2 deletions README.md
Expand Up @@ -3,7 +3,7 @@

<p align="center">
<a href="https://github.com/getanteon/alaz/blob/master/LICENSE" target="_blank"><img src="https://img.shields.io/badge/LICENSE-AGPL--3.0-orange?style=for-the-badge&logo=none" alt="alaz license" /></a>
<a href="https://discord.gg/9KdnrSUZQg" target="_blank"><img src="https://img.shields.io/discord/898523141788287017?style=for-the-badge&logo=discord&label=DISCORD" alt="Anteon discord server" /></a>
<a href="https://discord.com/invite/9KdnrSUZQg" target="_blank"><img src="https://img.shields.io/discord/898523141788287017?style=for-the-badge&logo=discord&label=DISCORD" alt="Anteon discord server" /></a>
<a href="https://hub.docker.com/r/ddosify/alaz" target="_blank"><img src="https://img.shields.io/docker/v/ddosify/alaz?style=for-the-badge&logo=docker&label=docker&sort=semver" alt="alaz docker image" /></a>
</p>

Expand Down Expand Up @@ -204,7 +204,7 @@ Contributions to Alaz are welcome! To contribute, please follow these steps:

## Communication

You can join our [Discord Server](https://discord.gg/9KdnrSUZQg) for issues, feature requests, feedbacks or anything else.
You can join our [Discord Server](https://discord.com/invite/9KdnrSUZQg) for issues, feature requests, feedbacks or anything else.

## License

Binary file modified ebpf/c/bpf_bpfeb.o
Binary file modified ebpf/c/bpf_bpfel.o
162 changes: 73 additions & 89 deletions ebpf/c/l7.c
Expand Up @@ -167,6 +167,16 @@ int process_enter_of_syscalls_write_sendto(void* ctx, __u64 fd, __u8 is_tls, cha
__u64 timestamp = bpf_ktime_get_ns();
unsigned char func_name[] = "process_enter_of_syscalls_write_sendto";
__u64 id = bpf_get_current_pid_tgid();
__u32 pid = id >> 32;

#ifdef FILTER_OUT_NON_CONTAINER
__u8 *val = bpf_map_lookup_elem(&container_pids, &pid);
if (!val)
{
return 0; // not a container process, ignore
}
#endif

__u32 tid = id & 0xFFFFFFFF;
__u32 seq = process_for_dist_trace_write(ctx,fd);

Expand Down Expand Up @@ -250,15 +260,6 @@ int process_enter_of_syscalls_write_sendto(void* ctx, __u64 fd, __u8 is_tls, cha
e->payload_read_complete = 1;
}

#ifdef FILTER_OUT_NON_CONTAINER
__u8 *val = bpf_map_lookup_elem(&container_pids, &(e->pid));
if (!val)
{
// unsigned char log_msg[] = "filter out l7 event -- pid|fd|psize";
// log_to_userspace(ctx, DEBUG, func_name, log_msg, e->pid, e->fd, 0);
return 0; // not a container process, ignore
}
#endif

long r = bpf_perf_event_output(ctx, &l7_events, BPF_F_CURRENT_CPU, e, sizeof(*e));
if (r < 0) {
Expand Down Expand Up @@ -306,8 +307,18 @@ int process_enter_of_syscalls_write_sendto(void* ctx, __u64 fd, __u8 is_tls, cha
static __always_inline
int process_enter_of_syscalls_read_recvfrom(void *ctx, struct read_enter_args * params) {
unsigned char func_name[] = "process_enter_of_syscalls_read_recvfrom";
// __u64 id = bpf_get_current_pid_tgid();

__u64 id = bpf_get_current_pid_tgid();
__u32 pid = id >> 32;
#ifdef FILTER_OUT_NON_CONTAINER
__u8 *val = bpf_map_lookup_elem(&container_pids, &pid);
if (!val)
{
// unsigned char func_name[] = "process_enter_of_syscalls_read_recvfrom";
// unsigned char log_msg[] = "filter out l7 event -- pid|fd|psize";
// log_to_userspace(ctx, DEBUG, func_name, log_msg, e->pid, e->fd, 0);
return 0; // not a container process, ignore
}
#endif
// struct socket_key k = {};
// k.pid = pid;
// k.fd = fd;
Expand Down Expand Up @@ -340,12 +351,21 @@ int process_enter_of_syscalls_read_recvfrom(void *ctx, struct read_enter_args *
return 0;
}


static __always_inline
int process_exit_of_syscalls_write_sendto(void* ctx, __s64 ret){
__u64 timestamp = bpf_ktime_get_ns();
__u64 id = bpf_get_current_pid_tgid();

__u32 pid = id >> 32;
#ifdef FILTER_OUT_NON_CONTAINER
__u8 *val = bpf_map_lookup_elem(&container_pids, &pid);
if (!val)
{
// unsigned char func_name[] = "process_exit_of_syscalls_write_sendto";
// unsigned char log_msg[] = "filter out l7 event -- pid|fd|psize";
// log_to_userspace(ctx, DEBUG, func_name, log_msg, e->pid, e->fd, 0);
return 0; // not a container process, ignore
}
#endif
// we only used this func for amqp, others will only be in active_l7_requests
// used active_writes for cases that only depends on writes, like amqp publish
// + postgres statement close, terminate
Expand Down Expand Up @@ -373,6 +393,7 @@ int process_exit_of_syscalls_write_sendto(void* ctx, __s64 ret){
struct l7_event *e = bpf_map_lookup_elem(&l7_event_heap, &zero);
if (!e) {
bpf_map_delete_elem(&active_writes, &id);
bpf_map_delete_elem(&active_l7_requests, &k);
return 0;
}

Expand Down Expand Up @@ -404,17 +425,6 @@ int process_exit_of_syscalls_write_sendto(void* ctx, __s64 ret){
e->seq = active_req->seq;
e->tid = active_req->tid;

#ifdef FILTER_OUT_NON_CONTAINER
__u8 *val = bpf_map_lookup_elem(&container_pids, &(e->pid));
if (!val)
{
// unsigned char func_name[] = "process_exit_of_syscalls_write_sendto";
// unsigned char log_msg[] = "filter out l7 event -- pid|fd|psize";
// log_to_userspace(ctx, DEBUG, func_name, log_msg, e->pid, e->fd, 0);
return 0; // not a container process, ignore
}
#endif

bpf_perf_event_output(ctx, &l7_events, BPF_F_CURRENT_CPU, e, sizeof(*e));
}else{
// write failed
Expand All @@ -428,6 +438,17 @@ static __always_inline
int process_exit_of_syscalls_read_recvfrom(void* ctx, __u64 id, __u32 pid, __s64 ret, __u8 is_tls) {
__u64 timestamp = bpf_ktime_get_ns();
unsigned char func_name[] = "process_exit_of_syscalls_read_recvfrom";
#ifdef FILTER_OUT_NON_CONTAINER
__u8 *val = bpf_map_lookup_elem(&container_pids, &pid);
if (!val)
{
// unsigned char log_msg[] = "filter out l7 event -- pid|fd|psize";
// log_to_userspace(ctx, DEBUG, func_name, log_msg, e->pid, e->fd, 0);
bpf_map_delete_elem(&active_reads, &id);
return 0; // not a container process, ignore
}
#endif

if (ret < 0) { // read failed
// -ERRNO
// __u64 id = bpf_get_current_pid_tgid();
Expand Down Expand Up @@ -459,8 +480,6 @@ int process_exit_of_syscalls_read_recvfrom(void* ctx, __u64 id, __u32 pid, __s64
}




// __u64 id = bpf_get_current_pid_tgid();
struct read_args *read_info = bpf_map_lookup_elem(&active_reads, &id);
if (!read_info) {
Expand All @@ -476,6 +495,7 @@ int process_exit_of_syscalls_read_recvfrom(void* ctx, __u64 id, __u32 pid, __s64
int zero = 0;
struct l7_event *e = bpf_map_lookup_elem(&l7_event_heap, &zero);
if (!e) {
bpf_map_delete_elem(&active_l7_requests, &k);
bpf_map_delete_elem(&active_reads, &id);
return 0;
}
Expand Down Expand Up @@ -507,16 +527,6 @@ int process_exit_of_syscalls_read_recvfrom(void* ctx, __u64 id, __u32 pid, __s64

bpf_map_delete_elem(&active_reads, &id);

#ifdef FILTER_OUT_NON_CONTAINER
__u8 *val = bpf_map_lookup_elem(&container_pids, &(e->pid));
if (!val)
{
// unsigned char log_msg[] = "filter out l7 event -- pid|fd|psize";
// log_to_userspace(ctx, DEBUG, func_name, log_msg, e->pid, e->fd, 0);
return 0; // not a container process, ignore
}
#endif

bpf_perf_event_output(ctx, &l7_events, BPF_F_CURRENT_CPU, e, sizeof(*e));
return 0;
}
Expand Down Expand Up @@ -544,23 +554,12 @@ int process_exit_of_syscalls_read_recvfrom(void* ctx, __u64 id, __u32 pid, __s64
e->payload_read_complete = 1;
}

#ifdef FILTER_OUT_NON_CONTAINER
__u8 *val = bpf_map_lookup_elem(&container_pids, &(e->pid));
if (!val)
{
// unsigned char log_msg[] = "filter out l7 event -- pid|fd|psize";
// log_to_userspace(ctx, DEBUG, func_name, log_msg, e->pid, e->fd, 0);

return 0; // not a container process, ignore
}
#endif

long r = bpf_perf_event_output(ctx, &l7_events, BPF_F_CURRENT_CPU, e, sizeof(*e));
if (r < 0) {
unsigned char log_msg[] = "failed write to l7_events h2 -- res|fd|psize";
log_to_userspace(ctx, WARN, func_name, log_msg, r, e->fd, e->payload_size);
}
bpf_map_delete_elem(&go_active_reads, &k);
bpf_map_delete_elem(&active_reads, &id);
return 0;
}

Expand Down Expand Up @@ -600,6 +599,7 @@ int process_exit_of_syscalls_read_recvfrom(void* ctx, __u64 id, __u32 pid, __s64

if (r < 0) {
bpf_map_delete_elem(&active_reads, &id);
bpf_map_delete_elem(&active_l7_requests, &k); // TODO: check this line, should we delete the request here?
return 0;
}

Expand Down Expand Up @@ -635,15 +635,6 @@ int process_exit_of_syscalls_read_recvfrom(void* ctx, __u64 id, __u32 pid, __s64
bpf_map_delete_elem(&active_reads, &id);
bpf_map_delete_elem(&active_l7_requests, &k);

#ifdef FILTER_OUT_NON_CONTAINER
__u8 *val = bpf_map_lookup_elem(&container_pids, &(e->pid));
if (!val)
{
// unsigned char log_msg[] = "filter out l7 event -- pid|fd|psize";
// log_to_userspace(ctx, DEBUG, func_name, log_msg, e->pid, e->fd, 0);
return 0; // not a container process, ignore
}
#endif

long r = bpf_perf_event_output(ctx, &l7_events, BPF_F_CURRENT_CPU, e, sizeof(*e));
if (r < 0) {
Expand Down Expand Up @@ -980,6 +971,17 @@ int process_enter_of_go_conn_write(void *ctx, __u32 pid, __u32 fd, char *buf_ptr
__u64 timestamp = bpf_ktime_get_ns();
unsigned char func_name[] = "process_enter_of_go_conn_write";
// parse and write to go_active_l7_req map
#ifdef FILTER_OUT_NON_CONTAINER
__u8 *val = bpf_map_lookup_elem(&container_pids, &pid);
if (!val)
{
// unsigned char log_msg[] = "filter out l7 event -- pid|fd|psize";
// log_to_userspace(ctx, DEBUG, func_name, log_msg, e->pid, e->fd, 0);

return 0; // not a container process, ignore
}
#endif

struct go_req_key k = {};
k.pid = pid;
k.fd = fd;
Expand Down Expand Up @@ -1032,16 +1034,6 @@ int process_enter_of_go_conn_write(void *ctx, __u32 pid, __u32 fd, char *buf_ptr
e->payload_read_complete = 1;
}

#ifdef FILTER_OUT_NON_CONTAINER
__u8 *val = bpf_map_lookup_elem(&container_pids, &(e->pid));
if (!val)
{
// unsigned char log_msg[] = "filter out l7 event -- pid|fd|psize";
// log_to_userspace(ctx, DEBUG, func_name, log_msg, e->pid, e->fd, 0);

return 0; // not a container process, ignore
}
#endif
long r = bpf_perf_event_output(ctx, &l7_events, BPF_F_CURRENT_CPU, e, sizeof(*e));
if (r < 0) {
unsigned char log_msg[] = "failed write to l7_events -- res|fd|psize";
Expand Down Expand Up @@ -1165,6 +1157,20 @@ int BPF_UPROBE(go_tls_conn_read_exit) {
unsigned char func_name[] = "go_tls_conn_read_exit";
// can't access to register we've access on read_enter here,
// registers are changed.
__u64 id = bpf_get_current_pid_tgid();
__u32 pid = id >> 32;

#ifdef FILTER_OUT_NON_CONTAINER
__u8 *val = bpf_map_lookup_elem(&container_pids, &pid);
if (!val)
{
// unsigned char log_msg[] = "filter out l7 event -- pid|fd|psize";
// log_to_userspace(ctx, DEBUG, func_name, log_msg, e->pid, e->fd, 0);

return 0; // not a container process, ignore
}
#endif

long int ret = GO_PARAM1(ctx);

struct go_read_key k = {};
Expand Down Expand Up @@ -1206,17 +1212,6 @@ int BPF_UPROBE(go_tls_conn_read_exit) {
e->payload_size = ret;
e->payload_read_complete = 1;
}

#ifdef FILTER_OUT_NON_CONTAINER
__u8 *val = bpf_map_lookup_elem(&container_pids, &(e->pid));
if (!val)
{
// unsigned char log_msg[] = "filter out l7 event -- pid|fd|psize";
// log_to_userspace(ctx, DEBUG, func_name, log_msg, e->pid, e->fd, 0);

return 0; // not a container process, ignore
}
#endif

long r = bpf_perf_event_output(ctx, &l7_events, BPF_F_CURRENT_CPU, e, sizeof(*e));
if (r < 0) {
Expand Down Expand Up @@ -1309,17 +1304,6 @@ int BPF_UPROBE(go_tls_conn_read_exit) {
bpf_map_delete_elem(&go_active_reads, &k);
bpf_map_delete_elem(&go_active_l7_requests, &req_k);

#ifdef FILTER_OUT_NON_CONTAINER
__u8 *val = bpf_map_lookup_elem(&container_pids, &(e->pid));
if (!val)
{
// unsigned char log_msg[] = "filter out l7 event -- pid|fd|psize";
// log_to_userspace(ctx, DEBUG, func_name, log_msg, e->pid, e->fd, 0);

return 0; // not a container process, ignore
}
#endif

long r = bpf_perf_event_output(ctx, &l7_events, BPF_F_CURRENT_CPU, e, sizeof(*e));
if (r < 0) {
unsigned char log_msg[] = "write failed to l7_events -- r|fd|method";
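Review bot: The early filter added to process_exit_of_syscalls_write_sendto returns without touching `active_writes`, while the matching filter added to process_exit_of_syscalls_read_recvfrom deletes the `active_reads` entry before returning; since `container_pids` is populated from userspace, a pid that was present at the enter probe but absent at the exit probe leaves a stale `active_writes` record keyed by that pid_tgid (the enter side presumably inserts only after its own new check, so this only bites when the map changes between the two probes). Adding `bpf_map_delete_elem(&active_writes, &id);` ahead of the `return 0;` in that branch makes the two exit paths symmetric. The new `bpf_map_delete_elem(&active_l7_requests, &k); // TODO: check this line, should we delete the request here?` ships an unresolved question into the hot path — deleting the request when `r < 0` discards the pending request/response pair for that socket, which should be decided rather than left as a TODO. Both functions extend beyond the hunks shown.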
5 changes: 1 addition & 4 deletions ebpf/c/tcp.c
Expand Up @@ -2,7 +2,7 @@
SEC("tracepoint/sock/inet_sock_set_state")
int inet_sock_set_state(void *ctx)
{
unsigned char func_name[] = "inet_sock_set_state";
// unsigned char func_name[] = "inet_sock_set_state";
__u64 timestamp = bpf_ktime_get_ns();
struct trace_event_raw_inet_sock_set_state args = {};
if (bpf_core_read(&args, sizeof(args), ctx) < 0)
Expand Down Expand Up @@ -130,9 +130,6 @@ int inet_sock_set_state(void *ctx)
__u8 *val = bpf_map_lookup_elem(&container_pids, &e.pid);
if (!val)
{
unsigned char log_msg[] = "tcp connect event for plain second -- pid|fd|psize";
log_to_userspace(ctx, DEBUG, func_name, log_msg, pid, 0, 0);

return 0; // not a container process, ignore
}

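Review bot: The commented-out `// unsigned char func_name[] = "inet_sock_set_state";` is dead code left behind once the debug log was removed; delete the line rather than commenting it out (or keep the declaration if `log_to_userspace` is still called later in the function, whose body continues past the hunk). The `container_pids` lookup in this file is still evaluated on `e.pid` after the event has been assembled, whereas the l7.c changes in this same commit hoist the lookup to the top of each handler; the deleted log line shows a `pid` variable already in scope at that point, so if it is available before `e` is built the check could be moved ahead of event construction here too, and the non-container case would skip that work.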
27 changes: 15 additions & 12 deletions ebpf/headers/log.h
Expand Up @@ -38,11 +38,25 @@ struct {
__uint(max_entries, 1);
} log_heap SEC(".maps");

// use while development
// struct log_message l = {};
// l.level = DEBUG;
// BPF_SNPRINTF(l.payload, sizeof(l.payload),"process_enter_of_syscalls_write_sendto %d %s\n", 1, "cakir");
// log_to_trace_pipe(l.payload, sizeof(l.payload));
static __always_inline
void log_to_trace_pipe(char *msg, __u32 size) {
long res = bpf_trace_printk(msg, size);
if(res < 0){
bpf_printk("bpf_trace_printk failed %d\n", res);
}
}

static __always_inline
void log_to_userspace(void *ctx, __u32 level, unsigned char *func_name, unsigned char * log_msg, __u64 arg1, __u64 arg2, __u64 arg3){
int zero = 0;
struct log_message *l = bpf_map_lookup_elem(&log_heap, &zero);
if (!l) {
bpf_printk("log_to_userspace failed, %s %s\n",func_name, log_msg);
return;
}

Expand All @@ -57,15 +71,4 @@ void log_to_userspace(void *ctx, __u32 level, unsigned char *func_name, unsigned
bpf_perf_event_output(ctx, &log_map, BPF_F_CURRENT_CPU, l, sizeof(*l));
}

// use while development
// struct log_message l = {};
// l.level = DEBUG;
// BPF_SNPRINTF(l.payload, sizeof(l.payload),"process_enter_of_syscalls_write_sendto %d %s\n", 1, "cakir");
// log_to_trace_pipe(l.payload, sizeof(l.payload));
static __always_inline
void log_to_trace_pipe(const char *msg, __u32 size) {
long res = bpf_trace_printk(msg, size);
if(res < 0){
bpf_printk("bpf_trace_printk failed %d\n", res);
}
}
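Review bot: Moving `log_to_trace_pipe` ahead of `log_to_userspace` also appears to drop the `const` from its parameter (`void log_to_trace_pipe(char *msg, __u32 size)` in the new copy versus `const char *msg` in the removed one; the old/new markers were lost in rendering, so this is inferred from the two copies shown); the function only hands `msg` to `bpf_trace_printk`, which takes a `const char *`, so the qualifier should be kept: `void log_to_trace_pipe(const char *msg, __u32 size) {`. The new fallback `bpf_printk("log_to_userspace failed, %s %s\n",func_name, log_msg);` writes to the shared trace_pipe from a production probe; bpf_trace_printk is a debugging facility whose output is visible to anyone who can read tracefs, so either guard it with a development-only `#ifdef` or drop it.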
