netobserv
diff --git a/‎.mk/bc.mk‎
Lines changed: 8 additions & 2 deletions b/‎.mk/bc.mk‎
Lines changed: 8 additions & 2 deletions
diff --git a/‎bpf/configs.h‎
Lines changed: 1 addition & 0 deletions b/‎bpf/configs.h‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎bpf/flows.c‎
Lines changed: 5 additions & 0 deletions b/‎bpf/flows.c‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎bpf/ipsec.h‎
Lines changed: 186 additions & 0 deletions b/‎bpf/ipsec.h‎
Lines changed: 186 additions & 0 deletions
diff --git a/‎bpf/maps_definition.h‎
Lines changed: 20 additions & 0 deletions b/‎bpf/maps_definition.h‎
Lines changed: 20 additions & 0 deletions
diff --git a/‎bpf/types.h‎
Lines changed: 2 additions & 0 deletions b/‎bpf/types.h‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎bpf/utils.h‎
Lines changed: 8 additions & 0 deletions b/‎bpf/utils.h‎
Lines changed: 8 additions & 0 deletions
diff --git a/‎pkg/ebpf/bpf_arm64_bpfel.go‎
Lines changed: 23 additions & 1 deletion b/‎pkg/ebpf/bpf_arm64_bpfel.go‎
Lines changed: 23 additions & 1 deletion
diff --git a/‎pkg/ebpf/bpf_arm64_bpfel.o‎
42.5 KB b/‎pkg/ebpf/bpf_arm64_bpfel.o‎
42.5 KB
@@ -18,7 +18,11 @@ define PROGRAMS
 	"tcp_rcv_kprobe":"kprobe",
 	"kfree_skb":"tracepoint",
 	"network_events_monitoring":"kprobe",
-	"track_nat_manip_pkt":"kprobe"
+	"track_nat_manip_pkt":"kprobe",
+	"xfrm_input_kprobe": "kprobe",
+	"xfrm_input_kretprobe": "kretprobe",
+	"xfrm_output_kprobe": "kprobe",
+	"xfrm_output_kretprobe": "kretprobe"
 }
 endef
 
@@ -32,7 +36,9 @@ define MAPS
 	"dns_flows":"hash",
 	"global_counters":"per_cpu_array",
 	"filter_map":"lpm_trie",
-	"peer_filter_map":"lpm_trie"
+	"peer_filter_map":"lpm_trie",
+	"ipsec_ingress_map":"hash",
+	"ipsec_egress_map":"hash"
 }
 endef
 
 
@@ -14,4 +14,5 @@ volatile const u16 dns_port = 0;
 volatile const u8 enable_network_events_monitoring = 0;
 volatile const u8 network_events_monitoring_groupid = 0;
 volatile const u8 enable_pkt_translation_tracking = 0;
+volatile const u8 enable_ipsec = 0;
 #endif //__CONFIGS_H__
@@ -52,6 +52,11 @@
  */
 #include "pkt_translation.h"
 
+/*
+ * Defines ipsec tracker
+ */
+#include "ipsec.h"
+
 // return 0 on success, 1 if capacity reached
 static __always_inline int add_observed_intf(flow_metrics *value, pkt_info *pkt, u32 if_index,
                                              u8 direction) {
 
@@ -0,0 +1,186 @@
+/*
+ * IPsec monitoring kretprobe eBPF hook.
+ */
+
+#ifndef __IPSEC_H__
+#define __IPSEC_H__
+
+#include "utils.h"
+
+static inline int ipsec_lookup_and_update_flow(flow_id *id, int flow_encrypted_ret,
+                                               u16 eth_protocol) {
+    additional_metrics *extra_metrics = bpf_map_lookup_elem(&additional_flow_metrics, id);
+    if (extra_metrics != NULL) {
+        extra_metrics->end_mono_time_ts = bpf_ktime_get_ns();
+        extra_metrics->eth_protocol = eth_protocol;
+        extra_metrics->flow_encrypted_ret = flow_encrypted_ret;
+        extra_metrics->flow_encrypted = flow_encrypted_ret == 0 ? true : false;
+        return 0;
+    }
+    return -1;
+}
+
+static inline int update_flow_with_ipsec_return(int flow_encrypted_ret, direction dir) {
+    u64 pid_tgid = bpf_get_current_pid_tgid();
+    u16 eth_protocol = 0;
+    flow_id *id = NULL;
+    int ret = 0;
+
+    if (dir == INGRESS) {
+        id = bpf_map_lookup_elem(&ipsec_ingress_map, &pid_tgid);
+    } else {
+        id = bpf_map_lookup_elem(&ipsec_egress_map, &pid_tgid);
+    }
+
+    if (!id) {
+        BPF_PRINTK("ipsec flow id not found in dir: %d", dir);
+        return 0;
+    }
+
+    if (is_ipv4(id->src_ip)) {
+        eth_protocol = ETH_P_IP;
+    } else {
+        eth_protocol = ETH_P_IPV6;
+    }
+
+    BPF_PRINTK("found encrypted flow dir: %d encrypted: %d\n", dir,
+               flow_encrypted_ret == 0 ? true : false);
+
+    // update flow with ipsec info
+    ret = ipsec_lookup_and_update_flow(id, flow_encrypted_ret, eth_protocol);
+    if (ret == 0) {
+        goto end;
+    }
+
+    u64 current_time = bpf_ktime_get_ns();
+    additional_metrics new_flow;
+    __builtin_memset(&new_flow, 0, sizeof(new_flow));
+    new_flow.start_mono_time_ts = current_time;
+    new_flow.end_mono_time_ts = current_time;
+    new_flow.eth_protocol = eth_protocol;
+    new_flow.flow_encrypted_ret = flow_encrypted_ret;
+    new_flow.flow_encrypted = flow_encrypted_ret == 0 ? true : false;
+    ret = bpf_map_update_elem(&additional_flow_metrics, id, &new_flow, BPF_NOEXIST);
+    if (ret != 0) {
+        if (ret != -EEXIST) {
+            BPF_PRINTK("error ipsec creating flow err: %d\n", ret);
+        }
+        if (ret == -EEXIST) {
+            ret = ipsec_lookup_and_update_flow(id, flow_encrypted_ret, eth_protocol);
+            if (ret != 0) {
+                BPF_PRINTK("error ipsec updating an existing flow err: %d\n", ret);
+            }
+        }
+    }
+end:
+    if (dir == INGRESS) {
+        bpf_map_delete_elem(&ipsec_ingress_map, &pid_tgid);
+    } else {
+        bpf_map_delete_elem(&ipsec_egress_map, &pid_tgid);
+    }
+    return 0;
+}
+
+static inline int enter_xfrm_func(struct sk_buff *skb, direction dir) {
+    u64 pid_tgid = bpf_get_current_pid_tgid();
+    u16 family = 0, flags = 0, eth_protocol = 0;
+    u8 dscp = 0, protocol = 0;
+    flow_id id;
+    int ret = 0;
+
+    __builtin_memset(&id, 0, sizeof(id));
+
+    u32 if_index = BPF_CORE_READ(skb, skb_iif);
+
+    // read L2 info
+    core_fill_in_l2(skb, &eth_protocol, &family);
+
+    // read L3 info
+    core_fill_in_l3(skb, &id, family, &protocol, &dscp);
+
+    // read L4 info
+    switch (protocol) {
+    case IPPROTO_TCP:
+        core_fill_in_tcp(skb, &id, &flags);
+        break;
+    case IPPROTO_UDP:
+        core_fill_in_udp(skb, &id);
+        break;
+    case IPPROTO_SCTP:
+        core_fill_in_sctp(skb, &id);
+        break;
+    case IPPROTO_ICMP:
+        core_fill_in_icmpv4(skb, &id);
+        break;
+    case IPPROTO_ICMPV6:
+        core_fill_in_icmpv6(skb, &id);
+        break;
+    default:
+        fill_in_others_protocol(&id, protocol);
+    }
+
+    // check if this packet need to be filtered if filtering feature is enabled
+    bool skip = check_and_do_flow_filtering(&id, flags, 0, eth_protocol, NULL, dir);
+    if (skip) {
+        return 0;
+    }
+
+    BPF_PRINTK("Enter xfm dir: %d protocol: %d family: %d if_index: %d \n", dir, protocol, family,
+               if_index);
+
+    if (dir == INGRESS) {
+        ret = bpf_map_update_elem(&ipsec_ingress_map, &pid_tgid, &id, BPF_NOEXIST);
+    } else {
+        ret = bpf_map_update_elem(&ipsec_egress_map, &pid_tgid, &id, BPF_NOEXIST);
+    }
+    if (ret != 0) {
+        if (trace_messages && ret != -EEXIST) {
+            BPF_PRINTK("error creating new ipsec map dir: %d err: %d\n", dir, ret);
+        }
+    }
+    return 0;
+}
+
+SEC("kprobe/xfrm_input")
+int BPF_KPROBE(xfrm_input_kprobe) {
+    if (do_sampling == 0 || enable_ipsec == 0) {
+        return 0;
+    }
+    struct sk_buff *skb = (struct sk_buff *)PT_REGS_PARM1(ctx);
+    if (!skb) {
+        return 0;
+    }
+    return enter_xfrm_func(skb, INGRESS);
+}
+
+SEC("kretprobe/xfrm_input")
+int BPF_KRETPROBE(xfrm_input_kretprobe) {
+    if (do_sampling == 0 || enable_ipsec == 0) {
+        return 0;
+    }
+    int xfrm_ret = PT_REGS_RC(ctx);
+    return update_flow_with_ipsec_return(xfrm_ret, INGRESS);
+}
+
+SEC("kprobe/xfrm_output")
+int BPF_KPROBE(xfrm_output_kprobe) {
+    if (do_sampling == 0 || enable_ipsec == 0) {
+        return 0;
+    }
+    struct sk_buff *skb = (struct sk_buff *)PT_REGS_PARM2(ctx);
+    if (!skb) {
+        return 0;
+    }
+    return enter_xfrm_func(skb, EGRESS);
+}
+
+SEC("kretprobe/xfrm_output")
+int BPF_KRETPROBE(xfrm_output_kretprobe) {
+    if (do_sampling == 0 || enable_ipsec == 0) {
+        return 0;
+    }
+    int xfrm_ret = PT_REGS_RC(ctx);
+    return update_flow_with_ipsec_return(xfrm_ret, EGRESS);
+}
+
+#endif /* __IPSEC_H__  */
@@ -79,4 +79,24 @@ struct {
     __uint(pinning, LIBBPF_PIN_BY_NAME);
 } peer_filter_map SEC(".maps");
 
+// HashMap to store ingress flowid to be able to retrieve them from kretprobe hook
+struct {
+    __uint(type, BPF_MAP_TYPE_HASH);
+    __uint(max_entries, 1 << 20); // Will take around 64MB of space.
+    __type(key, u64);
+    __type(value, flow_id);
+    __uint(map_flags, BPF_F_NO_PREALLOC);
+    __uint(pinning, LIBBPF_PIN_BY_NAME);
+} ipsec_ingress_map SEC(".maps");
+
+// HashMap to store egress flowid to be able to retrieve them from kretprobe hook
+struct {
+    __uint(type, BPF_MAP_TYPE_HASH);
+    __uint(max_entries, 1 << 20); // Will take around 64MB of space.
+    __type(key, u64);
+    __type(value, flow_id);
+    __uint(map_flags, BPF_F_NO_PREALLOC);
+    __uint(pinning, LIBBPF_PIN_BY_NAME);
+} ipsec_egress_map SEC(".maps");
+
 #endif //__MAPS_DEFINITION_H__
@@ -140,6 +140,8 @@ typedef struct additional_metrics_t {
     } translated_flow;
     u16 eth_protocol;
     u8 network_events_idx;
+    bool flow_encrypted;
+    u8 flow_encrypted_ret;
 } additional_metrics;
 
 // Force emitting enums/structs into the ELF
 
@@ -362,4 +362,12 @@ static inline bool is_transport_protocol(u8 protocol) {
     return false;
 }
 
+static inline bool is_ipv4(u8 *ip) {
+    for (int i = 0; i < IP_MAX_LEN; i++) {
+        if (ip[i] == 255) {
+            return true;
+        }
+    }
+    return false;
+}
 #endif // __UTILS_H__