whatcanGOwrong

2024-09-19 21:38:24 -04:00
commit d0ae4d841d
17908 changed files with 4096831 additions and 0 deletions
@@ -0,0 +1,127 @@
+// Code generated by bpf2go; DO NOT EDIT.
+//go:build arm64be || armbe || mips || mips64 || mips64p32 || ppc64 || s390 || s390x || sparc || sparc64
+
+package main
+
+import (
+	"bytes"
+	_ "embed"
+	"fmt"
+	"io"
+
+	"github.com/cilium/ebpf"
+)
+
+type bpfEvent struct {
+	Sport uint16
+	Dport uint16
+	Saddr uint32
+	Daddr uint32
+	Srtt  uint32
+}
+
+// loadBpf returns the embedded CollectionSpec for bpf.
+func loadBpf() (*ebpf.CollectionSpec, error) {
+	reader := bytes.NewReader(_BpfBytes)
+	spec, err := ebpf.LoadCollectionSpecFromReader(reader)
+	if err != nil {
+		return nil, fmt.Errorf("can't load bpf: %w", err)
+	}
+
+	return spec, err
+}
+
+// loadBpfObjects loads bpf and converts it into a struct.
+//
+// The following types are suitable as obj argument:
+//
+//	*bpfObjects
+//	*bpfPrograms
+//	*bpfMaps
+//
+// See ebpf.CollectionSpec.LoadAndAssign documentation for details.
+func loadBpfObjects(obj interface{}, opts *ebpf.CollectionOptions) error {
+	spec, err := loadBpf()
+	if err != nil {
+		return err
+	}
+
+	return spec.LoadAndAssign(obj, opts)
+}
+
+// bpfSpecs contains maps and programs before they are loaded into the kernel.
+//
+// It can be passed ebpf.CollectionSpec.Assign.
+type bpfSpecs struct {
+	bpfProgramSpecs
+	bpfMapSpecs
+}
+
+// bpfSpecs contains programs before they are loaded into the kernel.
+//
+// It can be passed ebpf.CollectionSpec.Assign.
+type bpfProgramSpecs struct {
+	TcpClose *ebpf.ProgramSpec `ebpf:"tcp_close"`
+}
+
+// bpfMapSpecs contains maps before they are loaded into the kernel.
+//
+// It can be passed ebpf.CollectionSpec.Assign.
+type bpfMapSpecs struct {
+	Events *ebpf.MapSpec `ebpf:"events"`
+}
+
+// bpfObjects contains all objects after they have been loaded into the kernel.
+//
+// It can be passed to loadBpfObjects or ebpf.CollectionSpec.LoadAndAssign.
+type bpfObjects struct {
+	bpfPrograms
+	bpfMaps
+}
+
+func (o *bpfObjects) Close() error {
+	return _BpfClose(
+		&o.bpfPrograms,
+		&o.bpfMaps,
+	)
+}
+
+// bpfMaps contains all maps after they have been loaded into the kernel.
+//
+// It can be passed to loadBpfObjects or ebpf.CollectionSpec.LoadAndAssign.
+type bpfMaps struct {
+	Events *ebpf.Map `ebpf:"events"`
+}
+
+func (m *bpfMaps) Close() error {
+	return _BpfClose(
+		m.Events,
+	)
+}
+
+// bpfPrograms contains all programs after they have been loaded into the kernel.
+//
+// It can be passed to loadBpfObjects or ebpf.CollectionSpec.LoadAndAssign.
+type bpfPrograms struct {
+	TcpClose *ebpf.Program `ebpf:"tcp_close"`
+}
+
+func (p *bpfPrograms) Close() error {
+	return _BpfClose(
+		p.TcpClose,
+	)
+}
+
+func _BpfClose(closers ...io.Closer) error {
+	for _, closer := range closers {
+		if err := closer.Close(); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+// Do not access this directly.
+//
+//go:embed bpf_bpfeb.o
+var _BpfBytes []byte
@@ -0,0 +1,127 @@
+// Code generated by bpf2go; DO NOT EDIT.
+//go:build 386 || amd64 || amd64p32 || arm || arm64 || loong64 || mips64le || mips64p32le || mipsle || ppc64le || riscv64
+
+package main
+
+import (
+	"bytes"
+	_ "embed"
+	"fmt"
+	"io"
+
+	"github.com/cilium/ebpf"
+)
+
+type bpfEvent struct {
+	Sport uint16
+	Dport uint16
+	Saddr uint32
+	Daddr uint32
+	Srtt  uint32
+}
+
+// loadBpf returns the embedded CollectionSpec for bpf.
+func loadBpf() (*ebpf.CollectionSpec, error) {
+	reader := bytes.NewReader(_BpfBytes)
+	spec, err := ebpf.LoadCollectionSpecFromReader(reader)
+	if err != nil {
+		return nil, fmt.Errorf("can't load bpf: %w", err)
+	}
+
+	return spec, err
+}
+
+// loadBpfObjects loads bpf and converts it into a struct.
+//
+// The following types are suitable as obj argument:
+//
+//	*bpfObjects
+//	*bpfPrograms
+//	*bpfMaps
+//
+// See ebpf.CollectionSpec.LoadAndAssign documentation for details.
+func loadBpfObjects(obj interface{}, opts *ebpf.CollectionOptions) error {
+	spec, err := loadBpf()
+	if err != nil {
+		return err
+	}
+
+	return spec.LoadAndAssign(obj, opts)
+}
+
+// bpfSpecs contains maps and programs before they are loaded into the kernel.
+//
+// It can be passed ebpf.CollectionSpec.Assign.
+type bpfSpecs struct {
+	bpfProgramSpecs
+	bpfMapSpecs
+}
+
+// bpfSpecs contains programs before they are loaded into the kernel.
+//
+// It can be passed ebpf.CollectionSpec.Assign.
+type bpfProgramSpecs struct {
+	TcpClose *ebpf.ProgramSpec `ebpf:"tcp_close"`
+}
+
+// bpfMapSpecs contains maps before they are loaded into the kernel.
+//
+// It can be passed ebpf.CollectionSpec.Assign.
+type bpfMapSpecs struct {
+	Events *ebpf.MapSpec `ebpf:"events"`
+}
+
+// bpfObjects contains all objects after they have been loaded into the kernel.
+//
+// It can be passed to loadBpfObjects or ebpf.CollectionSpec.LoadAndAssign.
+type bpfObjects struct {
+	bpfPrograms
+	bpfMaps
+}
+
+func (o *bpfObjects) Close() error {
+	return _BpfClose(
+		&o.bpfPrograms,
+		&o.bpfMaps,
+	)
+}
+
+// bpfMaps contains all maps after they have been loaded into the kernel.
+//
+// It can be passed to loadBpfObjects or ebpf.CollectionSpec.LoadAndAssign.
+type bpfMaps struct {
+	Events *ebpf.Map `ebpf:"events"`
+}
+
+func (m *bpfMaps) Close() error {
+	return _BpfClose(
+		m.Events,
+	)
+}
+
+// bpfPrograms contains all programs after they have been loaded into the kernel.
+//
+// It can be passed to loadBpfObjects or ebpf.CollectionSpec.LoadAndAssign.
+type bpfPrograms struct {
+	TcpClose *ebpf.Program `ebpf:"tcp_close"`
+}
+
+func (p *bpfPrograms) Close() error {
+	return _BpfClose(
+		p.TcpClose,
+	)
+}
+
+func _BpfClose(closers ...io.Closer) error {
+	for _, closer := range closers {
+		if err := closer.Close(); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+// Do not access this directly.
+//
+//go:embed bpf_bpfel.o
+var _BpfBytes []byte
@@ -0,0 +1,114 @@
+// This program demonstrates attaching a fentry eBPF program to
+// tcp_close and reading the RTT from the TCP socket using CO-RE helpers.
+// It prints the IPs/ports/RTT information
+// once the host closes a TCP connection.
+// It supports only IPv4 for this example.
+//
+// Sample output:
+//
+// examples# go run -exec sudo ./tcprtt
+// 2022/03/19 22:30:34 Src addr        Port   -> Dest addr       Port   RTT
+// 2022/03/19 22:30:36 10.0.1.205      50578  -> 117.102.109.186 5201   195
+// 2022/03/19 22:30:53 10.0.1.205      0      -> 89.84.1.178     9200   30
+// 2022/03/19 22:30:53 10.0.1.205      36022  -> 89.84.1.178     9200   28
+
+package main
+
+import (
+	"bytes"
+	"encoding/binary"
+	"errors"
+	"log"
+	"net"
+	"os"
+	"os/signal"
+	"syscall"
+
+	"github.com/cilium/ebpf/internal"
+	"github.com/cilium/ebpf/link"
+	"github.com/cilium/ebpf/ringbuf"
+	"github.com/cilium/ebpf/rlimit"
+)
+
+// $BPF_CLANG and $BPF_CFLAGS are set by the Makefile.
+//go:generate go run github.com/cilium/ebpf/cmd/bpf2go -cc $BPF_CLANG -cflags $BPF_CFLAGS -type event bpf tcprtt.c -- -I../headers
+
+func main() {
+	stopper := make(chan os.Signal, 1)
+	signal.Notify(stopper, os.Interrupt, syscall.SIGTERM)
+
+	// Allow the current process to lock memory for eBPF resources.
+	if err := rlimit.RemoveMemlock(); err != nil {
+		log.Fatal(err)
+	}
+
+	// Load pre-compiled programs and maps into the kernel.
+	objs := bpfObjects{}
+	if err := loadBpfObjects(&objs, nil); err != nil {
+		log.Fatalf("loading objects: %v", err)
+	}
+	defer objs.Close()
+
+	link, err := link.AttachTracing(link.TracingOptions{
+		Program: objs.bpfPrograms.TcpClose,
+	})
+	if err != nil {
+		log.Fatal(err)
+	}
+	defer link.Close()
+
+	rd, err := ringbuf.NewReader(objs.bpfMaps.Events)
+	if err != nil {
+		log.Fatalf("opening ringbuf reader: %s", err)
+	}
+	defer rd.Close()
+
+	log.Printf("%-15s %-6s -> %-15s %-6s %-6s",
+		"Src addr",
+		"Port",
+		"Dest addr",
+		"Port",
+		"RTT",
+	)
+	go readLoop(rd)
+
+	// Wait
+	<-stopper
+}
+
+func readLoop(rd *ringbuf.Reader) {
+	// bpfEvent is generated by bpf2go.
+	var event bpfEvent
+	for {
+		record, err := rd.Read()
+		if err != nil {
+			if errors.Is(err, ringbuf.ErrClosed) {
+				log.Println("received signal, exiting..")
+				return
+			}
+			log.Printf("reading from reader: %s", err)
+			continue
+		}
+
+		// Parse the ringbuf event entry into a bpfEvent structure.
+		if err := binary.Read(bytes.NewBuffer(record.RawSample), internal.NativeEndian, &event); err != nil {
+			log.Printf("parsing ringbuf event: %s", err)
+			continue
+		}
+
+		log.Printf("%-15s %-6d -> %-15s %-6d %-6d",
+			intToIP(event.Saddr),
+			event.Sport,
+			intToIP(event.Daddr),
+			event.Dport,
+			event.Srtt,
+		)
+	}
+}
+
+// intToIP converts IPv4 number to net.IP
+func intToIP(ipNum uint32) net.IP {
+	ip := make(net.IP, 4)
+	internal.NativeEndian.PutUint32(ip, ipNum)
+	return ip
+}
@@ -0,0 +1,116 @@
+//go:build ignore
+
+#include "common.h"
+
+#include "bpf_endian.h"
+#include "bpf_tracing.h"
+
+#define AF_INET 2
+
+char __license[] SEC("license") = "Dual MIT/GPL";
+
+/**
+ * For CO-RE relocatable eBPF programs, __attribute__((preserve_access_index))
+ * preserves the offset of the specified fields in the original kernel struct.
+ * So here we don't need to include "vmlinux.h". Instead we only need to define
+ * the kernel struct and their fields the eBPF program actually requires.
+ *
+ * Also note that BTF-enabled programs like fentry, fexit, fmod_ret, tp_btf,
+ * lsm, etc. declared using the BPF_PROG macro can read kernel memory without
+ * needing to call bpf_probe_read*().
+ */
+
+/**
+ * struct sock_common is the minimal network layer representation of sockets.
+ * This is a simplified copy of the kernel's struct sock_common.
+ * This copy contains only the fields needed for this example to
+ * fetch the source and destination port numbers and IP addresses.
+ */
+struct sock_common {
+	union {
+		struct {
+			// skc_daddr is destination IP address
+			__be32 skc_daddr;
+			// skc_rcv_saddr is the source IP address
+			__be32 skc_rcv_saddr;
+		};
+	};
+	union {
+		struct {
+			// skc_dport is the destination TCP/UDP port
+			__be16 skc_dport;
+			// skc_num is the source TCP/UDP port
+			__u16 skc_num;
+		};
+	};
+	// skc_family is the network address family (2 for IPV4)
+	short unsigned int skc_family;
+} __attribute__((preserve_access_index));
+
+/**
+ * struct sock is the network layer representation of sockets.
+ * This is a simplified copy of the kernel's struct sock.
+ * This copy is needed only to access struct sock_common.
+ */
+struct sock {
+	struct sock_common __sk_common;
+} __attribute__((preserve_access_index));
+
+/**
+ * struct tcp_sock is the Linux representation of a TCP socket.
+ * This is a simplified copy of the kernel's struct tcp_sock.
+ * For this example we only need srtt_us to read the smoothed RTT.
+ */
+struct tcp_sock {
+	u32 srtt_us;
+} __attribute__((preserve_access_index));
+
+struct {
+	__uint(type, BPF_MAP_TYPE_RINGBUF);
+	__uint(max_entries, 1 << 24);
+} events SEC(".maps");
+
+/**
+ * The sample submitted to userspace over a ring buffer.
+ * Emit struct event's type info into the ELF's BTF so bpf2go
+ * can generate a Go type from it.
+ */
+struct event {
+	u16 sport;
+	u16 dport;
+	u32 saddr;
+	u32 daddr;
+	u32 srtt;
+};
+struct event *unused_event __attribute__((unused));
+
+SEC("fentry/tcp_close")
+int BPF_PROG(tcp_close, struct sock *sk) {
+	if (sk->__sk_common.skc_family != AF_INET) {
+		return 0;
+	}
+
+	// The input struct sock is actually a tcp_sock, so we can type-cast
+	struct tcp_sock *ts = bpf_skc_to_tcp_sock(sk);
+	if (!ts) {
+		return 0;
+	}
+
+	struct event *tcp_info;
+	tcp_info = bpf_ringbuf_reserve(&events, sizeof(struct event), 0);
+	if (!tcp_info) {
+		return 0;
+	}
+
+	tcp_info->saddr = sk->__sk_common.skc_rcv_saddr;
+	tcp_info->daddr = sk->__sk_common.skc_daddr;
+	tcp_info->dport = bpf_ntohs(sk->__sk_common.skc_dport);
+	tcp_info->sport = sk->__sk_common.skc_num;
+
+	tcp_info->srtt = ts->srtt_us >> 3;
+	tcp_info->srtt /= 1000;
+
+	bpf_ringbuf_submit(tcp_info, 0);
+
+	return 0;
+}