Add a new type argTypeDev to support device-based tracing filter #2165

Open
2 tasks done
sfc-gh-gshe opened this issue Feb 29, 2024 · 3 comments
Labels
kind/enhancement This improves or streamlines existing functionality

Comments

@sfc-gh-gshe
Contributor

sfc-gh-gshe commented Feb 29, 2024

Is there an existing issue for this?

  • I have searched the existing issues

Is your feature request related to a problem?

Yes.

I was wondering whether there is any ongoing plan to support struct net_device as an available argument selector option. Then I could leverage the net_dev_xmit tracepoint to filter traffic by device name (net_device->name) at the eBPF level.

It would kind of achieve a capability similar to what tcpdump -i provides.

Describe the feature you would like

With such a feature, we may further be able to achieve functionality similar to tcpdump filtering by device.

Describe your proposed solution

I find that we already have argTypeSkb and argTypeSock for filtering.
So I am wondering whether we can add argTypeDev, MsgGenericKprobeDev, MsgGenericKprobeArgDev for struct net_device.

Code of Conduct

  • I agree to follow this project's Code of Conduct
sfc-gh-gshe added the kind/enhancement label Feb 29, 2024
sfc-gh-gshe changed the title from "Add a new type argTypeDev to support device-based filter" to "Add a new type argTypeDev to support device-based tracing filter" Feb 29, 2024
@sfc-gh-gshe
Contributor Author

sfc-gh-gshe commented Feb 29, 2024

@kevsecurity
Contributor

#2196 adds minimal support for the struct net_device * type.

@kevsecurity
Contributor

#2196 has been merged. You can use a kprobe policy like this to see it in action (use latest CI image):

apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: "dev-hard-start-xmit"
spec:
  kprobes:
  - call: "dev_hard_start_xmit"
    syscall: false
    args:
    - index: 1
      type: "net_device"
    selectors:
    - matchArgs:
      - index: 1
        operator: Equal
        values:
        - "lo"

or if you do want to use a tracepoint, then you could use a tracepoint policy like this instead (based on a recent addition, again use latest CI image):

apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: "net-dev-start-xmit"
spec:
  tracepoints:
  - subsystem: "net"
    event: "net_dev_start_xmit"
    args:
    - index: 4
      type: "data_loc"
    - index: 6
      type: "skb"
    selectors:
    - matchArgs:
      - index: 4
        operator: Equal
        values:
        - "lo"
