Merge branch 'develop'

21-tc-parse-packet-with-bpf_skb_load_bytes/main.bpf.c

@@ -9,8 +9,8 @@
 #define ETH_HLEN 14 /* Total octets in header.	 */
 
 #define TC_ACT_UNSPEC -1
-#define TC_ACT_SHOT 2
-#define TC_ACT_SHOT 2
+#define TC_ACT_OK      0
+#define TC_ACT_SHOT    2
 
 #define DATA_LEN 1024
 struct payload_t {
@@ -26,6 +26,8 @@ struct {
 
 SEC("tc")
 int handle_ingress(struct __sk_buff *skb) {
+    bpf_skb_pull_data(skb, 0);
+
     u16 h_proto;
     if (bpf_skb_load_bytes(skb, offsetof(struct ethhdr, h_proto), &h_proto,
                            sizeof(h_proto)) < 0)

25-tc-parse-packet-with-direct-memory-access/README.md

@@ -18,5 +18,4 @@ $ printf 'HTTP/1.1 200 OK\nContent-Length: 0\n\n' |nc -l 9090 &
 
 $ curl http://127.0.0.1:9090
 
-$ make cat
 ```

25-tc-parse-packet-with-direct-memory-access/cilium-ebpf/README.md

@@ -18,5 +18,4 @@ $ printf 'HTTP/1.1 200 OK\nContent-Length: 0\n\n' |nc -l 9090 &
 
 $ curl http://127.0.0.1:9090
 
-$ make cat
 ```

25-tc-parse-packet-with-direct-memory-access/cilium-ebpf/main.go

@@ -3,6 +3,7 @@ package main
 import (
 	"context"
 	"encoding/binary"
+	"errors"
 	"fmt"
 	"log"
 	"net"
@@ -12,9 +13,12 @@ import (
 	"unsafe"
 
 	"github.com/cilium/ebpf"
+	"github.com/cilium/ebpf/perf"
 	"github.com/cilium/ebpf/rlimit"
 	"github.com/florianl/go-tc"
 	"github.com/florianl/go-tc/core"
+	"github.com/google/gopacket"
+	"github.com/google/gopacket/layers"
 	"golang.org/x/sys/unix"
 )
 
@@ -92,6 +96,18 @@ func attachTc(devID *net.Interface, prog *ebpf.Program) (func(), error) {
 
 }
 
+func parseEvent(data []byte) {
+	// Decode a packet
+	packet := gopacket.NewPacket(data, layers.LayerTypeEthernet, gopacket.Default)
+	// Get the TCP layer from this packet
+	if tcpLayer := packet.Layer(layers.LayerTypeTCP); tcpLayer != nil {
+		log.Println("This is a TCP packet!")
+		// Get actual TCP data from this layer
+		tcp, _ := tcpLayer.(*layers.TCP)
+		log.Printf("From src port %d to dst port %d", tcp.SrcPort, tcp.DstPort)
+	}
+}
+
 func main() {
 	if err := rlimit.RemoveMemlock(); err != nil {
 		log.Fatal(err)
@@ -119,13 +135,40 @@ func main() {
 		return
 	}
 	defer closeFunc()
+	reader, err := perf.NewReader(objs.Events, 4096)
+	if err != nil {
+		log.Println(err)
+		return
+	}
+	defer reader.Close()
 
 	ctx, stop := signal.NotifyContext(
 		context.Background(), syscall.SIGINT, syscall.SIGTERM,
 	)
 	defer stop()
 
 	log.Println("...")
-	<-ctx.Done()
+loop:
+	for {
+		select {
+		case <-ctx.Done():
+			break loop
+		default:
+		}
+		record, err := reader.Read()
+		if err != nil {
+			if errors.Is(err, perf.ErrClosed) {
+				log.Println("Received signal, exiting...")
+				return
+			}
+			log.Printf("reading from reader: %s", err)
+			continue
+		}
+		if record.LostSamples > 0 {
+			log.Printf("lost %d events", record.LostSamples)
+			continue
+		}
+		parseEvent(record.RawSample)
+	}
 	log.Println("bye bye")
 }

25-tc-parse-packet-with-direct-memory-access/main.bpf.c

@@ -9,20 +9,17 @@
 #define ETH_HLEN 14 /* Total octets in header.	 */
 
 #define TC_ACT_UNSPEC -1
-#define TC_ACT_SHOT 2
-#define TC_ACT_SHOT 2
+#define TC_ACT_OK      0
+#define TC_ACT_SHOT    2
 
-#define DATA_LEN 1024
-struct payload_t {
-    char data[DATA_LEN];
+struct event_t {
 };
 
 struct {
-    __uint(type, BPF_MAP_TYPE_PERCPU_ARRAY);
-    __type(key, u32);
-    __type(value, struct payload_t);
-    __uint(max_entries, 1);
-} tmp_map SEC(".maps");
+    __uint(type, BPF_MAP_TYPE_PERF_EVENT_ARRAY);
+    __uint(key_size, sizeof(u32));
+    __uint(value_size, sizeof(u32));
+} events SEC(".maps");
 
 SEC("tc")
 int handle_ingress(struct __sk_buff *skb) {
@@ -31,39 +28,47 @@ int handle_ingress(struct __sk_buff *skb) {
 
     struct iphdr *ip_hdr = data + ETH_HLEN;
     if ((void *)ip_hdr + sizeof(struct iphdr) > data_end) {
-        return TC_ACT_UNSPEC;
+        return TC_ACT_OK;
     }
     if (ip_hdr->protocol != IPPROTO_TCP) { // not tcp
-        return TC_ACT_UNSPEC;
+        return TC_ACT_OK;
     }
 
     struct tcphdr *tcp_hdr = (void *)ip_hdr + sizeof(struct iphdr);
     if ((void *)tcp_hdr + sizeof(struct tcphdr) > data_end) {
-        return TC_ACT_UNSPEC;
+        return TC_ACT_OK;
     }
     if (tcp_hdr->dest != bpf_htons(9090)) // not 9090 port
-        return TC_ACT_UNSPEC;
-    if (tcp_hdr->psh == 0) // no payload
-        return TC_ACT_UNSPEC;
+        return TC_ACT_OK;
+    // if (tcp_hdr->psh == 0) // no payload
+    //     return TC_ACT_OK;
+
+    struct event_t event = {};
+
+    u64 flags = BPF_F_CURRENT_CPU;
+    u64 save_size = (u64)(skb->len);
+    flags |= save_size << 32;
+    bpf_perf_event_output(skb, &events, flags, &event, sizeof(event));
 
     // parse tcp payload
-    char *raw_payload = (void *)tcp_hdr + tcp_hdr->doff * 4;;
-    unsigned raw_payload_size = bpf_htons(ip_hdr->tot_len) - (tcp_hdr->doff * 4) - sizeof(struct iphdr);
-    if ((void *)raw_payload + raw_payload_size > data_end) {
-        return TC_ACT_UNSPEC;
-    }
+    // char *raw_payload = (void *)tcp_hdr + tcp_hdr->doff * 4;;
+    // unsigned raw_payload_size = bpf_htons(ip_hdr->tot_len) - (tcp_hdr->doff * 4) - sizeof(struct iphdr);
+    // if ((void *)raw_payload + raw_payload_size > data_end) {
+    //     return TC_ACT_OK;
+    // }
 
-    u32 id = 0;
-    struct payload_t *payload = bpf_map_lookup_elem(&tmp_map, &id);
-    if (!payload)
-        return TC_ACT_UNSPEC;
+    // u32 id = 0;
+    // struct payload_t *payload = bpf_map_lookup_elem(&tmp_map, &id);
+    // if (!payload)
+    //     return TC_ACT_OK;
 
-    bpf_probe_read_kernel(&payload->data, sizeof(payload->data), raw_payload);
+    // __builtin_memset(payload->data, 0, sizeof(payload->data));
+    // bpf_probe_read_kernel(&payload->data, sizeof(payload->data), raw_payload);
 
-    char fmt[] = "payload:\n%s";
-    bpf_trace_printk(fmt, sizeof(fmt), payload->data);
+    // char fmt[] = "payload:\n%s";
+    // bpf_trace_printk(fmt, sizeof(fmt), payload->data);
 
-    return TC_ACT_UNSPEC;
+    return TC_ACT_OK;
 }
 
 char _license[] SEC("license") = "GPL";

25-tc-parse-packet-with-direct-memory-access/main.go

@@ -7,8 +7,22 @@ import (
 	"syscall"
 
 	bpf "github.com/aquasecurity/libbpfgo"
+	"github.com/google/gopacket"
+	"github.com/google/gopacket/layers"
 )
 
+func parseEvent(data []byte) {
+	// Decode a packet
+	packet := gopacket.NewPacket(data, layers.LayerTypeEthernet, gopacket.Default)
+	// Get the TCP layer from this packet
+	if tcpLayer := packet.Layer(layers.LayerTypeTCP); tcpLayer != nil {
+		log.Println("This is a TCP packet!")
+		// Get actual TCP data from this layer
+		tcp, _ := tcpLayer.(*layers.TCP)
+		log.Printf("From src port %d to dst port %d", tcp.SrcPort, tcp.DstPort)
+	}
+}
+
 func main() {
 	bpfModule, err := bpf.NewModuleFromFile("main.bpf.o")
 	if err != nil {
@@ -28,6 +42,7 @@ func main() {
 	hook.SetAttachPoint(bpf.BPFTcIngress)
 	err = hook.Create()
 	if err != nil {
+		log.Println(err)
 		if errno, ok := err.(syscall.Errno); ok && errno != syscall.EEXIST {
 			log.Fatalf("tc hook create: %v", err)
 		}
@@ -46,12 +61,33 @@ func main() {
 		log.Fatal(err)
 	}
 
+	eventsChannel := make(chan []byte)
+	lostChannel := make(chan uint64)
+	pb, err := bpfModule.InitPerfBuf("events", eventsChannel, lostChannel, 1024)
+	if err != nil {
+		return
+	}
 	ctx, stop := signal.NotifyContext(
 		context.Background(), syscall.SIGINT, syscall.SIGTERM,
 	)
-	defer stop()
+	pb.Start()
+	defer func() {
+		pb.Stop()
+		pb.Close()
+		stop()
+	}()
 
 	log.Println("...")
-	<-ctx.Done()
-	log.Println("bye bye")
+loop:
+	for {
+		select {
+		case data := <-eventsChannel:
+			parseEvent(data)
+		case n := <-lostChannel:
+			log.Printf("lost %d events", n)
+		case <-ctx.Done():
+			break loop
+		}
+	}
+	log.Println("bye bye~")
 }

26-lsm-path_chmod/Makefile

@@ -0,0 +1 @@
+../common/Makefile

26-lsm-path_chmod/README.md

@@ -0,0 +1,26 @@
+
+
+## Ensure that BPF LSM is enabled
+
+...
+
+
+
+## Usage
+
+build:
+
+```
+$ make
+```
+
+run:
+
+```
+$ make run
+
+touch /tmp/a.txt
+chmod 600 /tmp/a.txt
+
+$ make cat
+```

26-lsm-path_chmod/cilium-ebpf/Makefile

@@ -0,0 +1 @@
+../../common/cilium-ebpf.Makefile