ethtoolsnoop

Signed-off-by: Leon Hwang <hffilwlqm@gmail.com>

Author: Asphaltt

.gitignore

@@ -19,3 +19,5 @@
 
 # Go workspace file
 go.work
+
+*_bpfe*

README.md

@@ -0,0 +1,45 @@
+# ethtoolsnoop
+
+`ethtoolsnoop` is a tool for tracing the execution of `ethtool`.
+
+## Usage example
+
+```bash
+# echo Execute `ethtool -i enp0s1; ethtool -l enp0s1; ethtool -g enp0s1` in another terminal.
+# ./ethtoolsnoop
+Interface             PID:Process                          IOCTL_CMD/GENL_CMD             ethtool args
+enp0s1              11198:ethtool(parent 6373:zsh)         ETHTOOL_GDRVINFO               -d|--register-dump(Do a register dump), -e|--eeprom-dump(Do a EEPROM dump), -i|--driver(Show driver information)
+enp0s1              11199:ethtool(parent 6373:zsh)         ETHTOOL_MSG_CHANNELS_GET       -l|--show-channels(Query Channels)
+enp0s1              11200:ethtool(parent 6373:zsh)         ETHTOOL_MSG_RINGS_GET          -g|--show-ring(Query RX/TX ring parameters)
+```
+
+In the output:
+
+- First column is the interface name.
+- Second column is the PID and process name of the process that executed
+  `ethtool`, and the PID and process name of the parent process if the tracee
+  process is `ethtool`.
+- Third column is the underneath command for kernel to execute, including ways
+  of `ioctl()` syscall and genetlink message.
+- Fourth column is the arguments of `ethtool` command, which may be
+  corresponding to the third column. *But this column maybe incomplete.*
+
+## Download
+
+Please download the latest release from this repo's release page.
+
+`ethtoolsnoop` is expected to run on Linux kernel 5.2 or later with BTF support.
+
+## Intenals
+
+`ethtoolsnoop` uses `kprobe` on `dev_ethtool()` to trace the execution of
+`ethtool`'s `ioctl()` syscall.
+
+And it uses `kprobe` on `ethnl_default_doit()`, `ethnl_parse_header_dev_get()`
+and `kretprobe` on `ethnl_parse_header_dev_get()` to trace the execution of
+`ethtool`'s genetlink message.
+
+## License
+
+`ethtoolsnoop` is licensed under the Apache 2.0 license, and its bpf code is
+licensed under the GPL 2.0 license.

bpf/LICENSE.GPL

@@ -0,0 +1,179 @@
+/**
+ * Copyright 2024 Leon Hwang.
+ * SPDX-License-Identifier: GPL-2.0
+ */
+
+#include "vmlinux.h"
+
+#include <bpf/bpf_helpers.h>
+#include <bpf/bpf_tracing.h>
+#include <bpf/bpf_core_read.h>
+#include <bpf/bpf_compiler.h>
+#include <bpf/bpf_map_helpers.h>
+
+#define IFNAMSIZ 16
+
+// From include/uapi/linux/ethtool.h
+#define ETHTOOL_PERQUEUE	0x0000004b /* Set per queue options */
+
+#define EVENT_TYPE_IOCTL 1
+#define EVENT_TYPE_GENL  2
+
+struct event {
+    u8 type;
+    u8 genlhdr_cmd;
+    u16 ethcmd;
+    u32 pid;
+    char ifname[IFNAMSIZ];
+    char comm[TASK_COMM_LEN];
+
+    struct ethnl_req_info *req;
+} __attribute__((packed));
+
+#define SIZEOF_EVENT (offsetof(struct event, req))
+
+struct {
+    __uint(type, BPF_MAP_TYPE_PERF_EVENT_ARRAY);
+} events SEC(".maps");
+
+struct {
+    __uint(type, BPF_MAP_TYPE_PERCPU_ARRAY);
+    __type(key, u32);
+    __type(value, struct event);
+    __uint(max_entries, 1);
+} events_cache SEC(".maps");
+
+static __always_inline struct event *
+__get_or_init_event(void)
+{
+    struct event *ev, init = {};
+    u32 key = 0;
+
+    ev = bpf_map_lookup_elem(&events_cache, &key);
+    if (likely(ev))
+        return ev;
+
+    bpf_map_update_elem(&events_cache, &key, &init, BPF_NOEXIST);
+    return bpf_map_lookup_elem(&events_cache, &key);
+}
+
+static __always_inline struct event *
+__get_event(void)
+{
+    u32 key = 0;
+    return bpf_map_lookup_elem(&events_cache, &key);
+}
+
+static __always_inline struct event *
+__get_and_del_event(void)
+{
+    struct event *ev;
+    u32 key = 0;
+
+    ev = bpf_map_lookup_elem(&events_cache, &key);
+    if (unlikely(!ev))
+        return NULL;
+
+    bpf_map_delete_elem(&events_cache, &key);
+    return ev;
+}
+
+static __always_inline u32
+get_ethcmd(void *useraddr)
+{
+    u32 cmd;
+
+    bpf_probe_read_user(&cmd, sizeof(cmd), useraddr);
+    if (cmd == ETHTOOL_PERQUEUE)
+        cmd = bpf_probe_read_user(&cmd, sizeof(cmd), useraddr + sizeof(cmd));
+
+    return cmd;
+}
+
+static __always_inline int
+__kp_dev_ethtool(void *ctx, struct net *net, struct ifreq *ifr, void *useraddr)
+{
+    struct event ev = {};
+
+    ev.type = EVENT_TYPE_IOCTL;
+    ev.ethcmd = get_ethcmd(useraddr);
+
+    ev.pid = bpf_get_current_pid_tgid() >> 32;
+
+    bpf_probe_read_kernel_str(ev.ifname, sizeof(ev.ifname), ifr->ifr_ifrn.ifrn_name);
+    bpf_get_current_comm(ev.comm, sizeof(ev.comm));
+
+    bpf_perf_event_output(ctx, &events, BPF_F_CURRENT_CPU, &ev, sizeof(ev));
+
+    return BPF_OK;
+}
+
+SEC("kprobe/dev_ethtool")
+int kp_dev_ethtool(struct pt_regs *ctx)
+{
+    struct net *net = (typeof(net))(void *)(u64) PT_REGS_PARM1(ctx);
+    struct ifreq *ifr = (typeof(ifr))(void *)(u64) PT_REGS_PARM2(ctx);
+    void *useraddr = (typeof(useraddr))(void *)(u64) PT_REGS_PARM3(ctx);
+    return __kp_dev_ethtool(ctx, net, ifr, useraddr);
+}
+
+static __always_inline void
+__get_dev_name(struct event *ev, struct ethnl_req_info *req)
+{
+    struct net_device *dev = BPF_CORE_READ(req, dev);
+
+    if (likely(dev))
+        bpf_probe_read_kernel_str(ev->ifname, sizeof(ev->ifname), dev->name);
+}
+
+SEC("kprobe/ethnl_default_doit")
+int kp_ethnl_doit(struct pt_regs *ctx)
+{
+    struct genl_info *info = (typeof(info))(void *)(u64) PT_REGS_PARM2(ctx);
+    u8 cmd = BPF_CORE_READ(info, genlhdr, cmd);
+    struct event *ev = __get_or_init_event();
+
+    if (unlikely(!ev))
+        return BPF_OK;
+
+    ev->type = EVENT_TYPE_GENL;
+    ev->genlhdr_cmd = cmd;
+    ev->req = NULL;
+
+    return BPF_OK;
+}
+
+SEC("kprobe/ethnl_parse_header_dev_get")
+int kp_ethnl_dev(struct pt_regs *ctx)
+{
+    struct ethnl_req_info *req = (typeof(req))(void *)(u64) PT_REGS_PARM1(ctx);
+    struct event *ev = __get_event();
+
+    if (unlikely(!ev))
+        return BPF_OK;
+
+    ev->req = req;
+
+    return BPF_OK;
+}
+
+SEC("kretprobe/ethnl_parse_header_dev_get")
+int krp_ethnl_dev(struct pt_regs *ctx)
+{
+    struct event *ev = __get_and_del_event();
+
+    if (unlikely(!ev))
+        return BPF_OK;
+
+    if (likely(ev->req))
+        __get_dev_name(ev, ev->req);
+
+    ev->pid = bpf_get_current_pid_tgid() >> 32;
+    bpf_get_current_comm(ev->comm, sizeof(ev->comm));
+
+    bpf_perf_event_output(ctx, &events, BPF_F_CURRENT_CPU, ev, SIZEOF_EVENT);
+
+    return BPF_OK;
+}
+
+char __license[] SEC("license") = "GPL";

bpf/ethtool.c

@@ -0,0 +1,87 @@
+#ifndef __BPF_COMPILER_H__
+#define __BPF_COMPILER_H__
+
+#include "vmlinux.h"
+
+#include "bpf_helpers.h"
+
+#ifndef barrier
+#define barrier() asm volatile("" \
+                               :  \
+                               :  \
+                               : "memory")
+#endif
+
+#ifndef barrier_data
+#define barrier_data(ptr) asm volatile(""         \
+                                       :          \
+                                       : "r"(ptr) \
+                                       : "memory")
+#endif
+
+static __always_inline void bpf_barrier(void)
+{
+    /* Workaround to avoid verifier complaint:
+     * "dereference of modified ctx ptr R5 off=48+0, ctx+const is allowed,
+     *        ctx+const+const is not"
+     */
+    barrier();
+}
+
+#ifndef ARRAY_SIZE
+#define ARRAY_SIZE(A) (sizeof(A) / sizeof((A)[0]))
+#endif
+
+#ifndef __READ_ONCE
+#define __READ_ONCE(X) (*(volatile typeof(X) *)&X)
+#endif
+
+#ifndef __WRITE_ONCE
+#define __WRITE_ONCE(X, V) (*(volatile typeof(X) *)&X) = (V)
+#endif
+
+/* {READ,WRITE}_ONCE() with verifier workaround via bpf_barrier(). */
+
+#ifndef READ_ONCE
+#define READ_ONCE(X) \
+    ({ typeof(X) __val = __READ_ONCE(X);	\
+			   bpf_barrier();			\
+			   __val; })
+#endif
+
+#ifndef WRITE_ONCE
+#define WRITE_ONCE(X, V) \
+    ({ typeof(X) __val = (V);	\
+				   __WRITE_ONCE(X, __val);	\
+				   bpf_barrier();		\
+				   __val; })
+#endif
+
+#ifndef __inline
+#define __inline inline __attribute__((always_inline))
+#endif
+
+#ifndef likely
+#define likely(x) __builtin_expect(!!(x), 1)
+#endif /* likely */
+
+#ifndef unlikely
+#define unlikely(x) __builtin_expect(!!(x), 0)
+#endif /* unlikely */
+
+#define _ntohl __builtin_bswap32
+#define _htonl __builtin_bswap32
+#define _htons __builtin_bswap16
+#define _ntohs __builtin_bswap16
+
+struct vxlan_hdr {
+
+    __be32 vx_flags;
+    __be32 vx_vni;
+
+} __attribute__((packed));
+
+#define IP_CSUM_OFF (ETH_HLEN + offsetof(struct iphdr, check))
+#define TOS_OFF (ETH_HLEN + offsetof(struct iphdr, tos))
+
+#endif /* __BPF_COMPILER_H__ */