diff --git a/samples/bpf/cookie_uid_helper_example.c b/samples/bpf/cookie_uid_helper_example.c index f6e5e58931c521f540ea91a51a33e20ea154116b..ad5afedf2e7047db24db8565e0a433122e479912 100644 --- a/samples/bpf/cookie_uid_helper_example.c +++ b/samples/bpf/cookie_uid_helper_example.c @@ -4,10 +4,11 @@ * program into the xt_bpf match. * * TEST: - * ./run_cookie_uid_helper_example.sh - * Then generate some traffic in variate ways. ping 0 -c 10 would work - * but the cookie and uid in this case could both be 0. A sample output - * with some traffic generated by web browser is shown below: + * ./run_cookie_uid_helper_example.sh -option + * option: + * -t: do traffic monitoring test, the program will continuously + * print out network traffic happens after program started A sample + * output is shown below: * * cookie: 877, uid: 0x3e8, Pakcet Count: 20, Bytes Count: 11058 * cookie: 132, uid: 0x0, Pakcet Count: 2, Bytes Count: 286 @@ -18,6 +19,10 @@ * cookie: 0, uid: 0x0, Pakcet Count: 6, Bytes Count: 712 * cookie: 880, uid: 0xfffe, Pakcet Count: 1, Bytes Count: 70 * + * -s: do getsockopt SO_COOKIE test, the program will set up a pair of + * UDP sockets and send packets between them. And read out the traffic data + * directly from the ebpf map based on the socket cookie. + * * Clean up: if using shell script, the script file will delete the iptables * rule and unmount the bpf program when exit. Else the iptables rule need * to be deleted by hand, see run_cookie_uid_helper_example.sh for detail. @@ -34,6 +39,8 @@ #include #include #include +#include +#include #include #include #include @@ -46,6 +53,8 @@ #include #include "libbpf.h" +#define PORT 8888 + struct stats { uint32_t uid; uint64_t packets; @@ -54,6 +63,8 @@ struct stats { static int map_fd, prog_fd; +static bool test_finish; + static void maps_create(void) { map_fd = bpf_create_map(BPF_MAP_TYPE_HASH, sizeof(uint32_t), @@ -164,7 +175,7 @@ static void prog_attach_iptables(char *file) printf("file path too long: %s\n", file); exit(1); } - sprintf(rules, "iptables -A INPUT -m bpf --object-pinned %s -j ACCEPT", + sprintf(rules, "iptables -A OUTPUT -m bpf --object-pinned %s -j ACCEPT", file); ret = system(rules); if (ret < 0) { @@ -177,7 +188,8 @@ static void print_table(void) { struct stats curEntry; uint32_t curN = UINT32_MAX; - uint32_t nextN, res; + uint32_t nextN; + int res; while (bpf_map_get_next_key(map_fd, &curN, &nextN) > -1) { curN = nextN; @@ -193,25 +205,117 @@ static void print_table(void) } } -int main(int argc, char *argv[]) +static void udp_client(void) { - if (argc > 2) { - printf("Too many argument provided\n"); - return 1; - } else if (argc < 2) { - printf("Usage: %s bpfObjName\n", argv[0]); - return 1; + struct sockaddr_in si_other = {0}; + struct sockaddr_in si_me = {0}; + struct stats dataEntry; + int s_rcv, s_send, i, recv_len; + char message = 'a'; + char buf; + uint64_t cookie; + int res; + socklen_t cookie_len = sizeof(cookie); + socklen_t slen = sizeof(si_other); + + s_rcv = socket(PF_INET, SOCK_DGRAM, 0); + if (s_rcv < 0) + error(1, errno, "rcv socket creat failed!\n"); + si_other.sin_family = AF_INET; + si_other.sin_port = htons(PORT); + if (inet_aton("127.0.0.1", &si_other.sin_addr) == 0) + error(1, errno, "inet_aton\n"); + if (bind(s_rcv, (struct sockaddr *)&si_other, sizeof(si_other)) == -1) + error(1, errno, "bind\n"); + s_send = socket(PF_INET, SOCK_DGRAM, 0); + if (s_send < 0) + error(1, errno, "send socket creat failed!\n"); + res = getsockopt(s_send, SOL_SOCKET, SO_COOKIE, &cookie, &cookie_len); + if (res < 0) + printf("get cookie failed: %s\n", strerror(errno)); + res = bpf_map_lookup_elem(map_fd, &cookie, &dataEntry); + if (res != -1) + error(1, errno, "socket stat found while flow not active\n"); + for (i = 0; i < 10; i++) { + res = sendto(s_send, &message, sizeof(message), 0, + (struct sockaddr *)&si_other, slen); + if (res == -1) + error(1, errno, "send\n"); + if (res != sizeof(message)) + error(1, 0, "%uB != %luB\n", res, sizeof(message)); + recv_len = recvfrom(s_rcv, &buf, sizeof(buf), 0, + (struct sockaddr *)&si_me, &slen); + if (recv_len < 0) + error(1, errno, "revieve\n"); + res = memcmp(&(si_other.sin_addr), &(si_me.sin_addr), + sizeof(si_me.sin_addr)); + if (res != 0) + error(1, EFAULT, "sender addr error: %d\n", res); + printf("Message received: %c\n", buf); + res = bpf_map_lookup_elem(map_fd, &cookie, &dataEntry); + if (res < 0) + error(1, errno, "lookup sk stat failed, cookie: %lu\n", + cookie); + printf("cookie: %lu, uid: 0x%x, Packet Count: %lu," + " Bytes Count: %lu\n\n", cookie, dataEntry.uid, + dataEntry.packets, dataEntry.bytes); } + close(s_send); + close(s_rcv); +} - maps_create(); - prog_load(); - prog_attach_iptables(argv[1]); +static int usage(void) +{ + printf("Usage: ./run_cookie_uid_helper_example.sh" + " bpfObjName -option\n" + " -t traffic monitor test\n" + " -s getsockopt cookie test\n"); + return 1; +} - while (true) { - print_table(); - printf("\n"); - sleep(1); - }; +void finish(int ret) +{ + test_finish = true; +} + +int main(int argc, char *argv[]) +{ + int opt; + bool cfg_test_traffic = false; + bool cfg_test_cookie = false; + + if (argc != 3) + return usage(); + while ((opt = getopt(argc, argv, "ts")) != -1) { + switch (opt) { + case 't': + cfg_test_traffic = true; + break; + case 's': + cfg_test_cookie = true; + break; + default: + printf("unknown option %c\n", opt); + usage(); + return -1; + } + } + maps_create(); + prog_load(); + prog_attach_iptables(argv[2]); + if (cfg_test_traffic) { + if (signal(SIGINT, finish) == SIG_ERR) + error(1, errno, "register handler failed"); + while (!test_finish) { + print_table(); + printf("\n"); + sleep(1); + }; + } else if (cfg_test_cookie) { + udp_client(); + } + close(prog_fd); + close(map_fd); return 0; } diff --git a/samples/bpf/run_cookie_uid_helper_example.sh b/samples/bpf/run_cookie_uid_helper_example.sh old mode 100644 new mode 100755 index 40da8aa75c44ed9b27f87388dfd9f609a1f5dca9..f898cfa2b1aa52f71a65db469450d4d001b08b2c --- a/samples/bpf/run_cookie_uid_helper_example.sh +++ b/samples/bpf/run_cookie_uid_helper_example.sh @@ -4,11 +4,11 @@ root_dir=$local_dir/../.. mnt_dir=$(mktemp -d --tmp) on_exit() { - iptables -D INPUT -m bpf --object-pinned ${mnt_dir}/bpf_prog -j ACCEPT + iptables -D OUTPUT -m bpf --object-pinned ${mnt_dir}/bpf_prog -j ACCEPT umount ${mnt_dir} rm -r ${mnt_dir} } trap on_exit EXIT mount -t bpf bpf ${mnt_dir} -./per_socket_stats_example ${mnt_dir}/bpf_prog +./per_socket_stats_example ${mnt_dir}/bpf_prog $1