feat(capture): Automatically capture traffic from/to new interfaces w…

…hen using `-i any` or `--netns any`
mozillazg · Oct 7, 2024 · 4a81cd4 · 4a81cd4
1 parent cdd4253
commit 4a81cd4
Show file tree

Hide file tree

Showing 35 changed files with 2,044 additions and 629 deletions.
diff --git a/Makefile b/Makefile
@@ -91,8 +91,8 @@ lint: deps fmt
 fmt:
 	go fmt ./...
 	clang-format -i bpf/ptcpdump.c
-	clang-format -i bpf/headers/custom.h
-	clang-format -i bpf/headers/gotls.h
+	clang-format -i bpf/*.h
+	clang-format -i bpf/headers/*.h
 
 .PHONY: vet
 vet:

diff --git a/bpf/bpf.go b/bpf/bpf.go
@@ -19,7 +19,7 @@ import (
 )
 
 // $TARGET is set by the Makefile
-//go:generate go run github.com/cilium/ebpf/cmd/bpf2go -cc clang -no-strip -target $TARGET -type gconfig_t -type packet_event_t -type exec_event_t -type exit_event_t -type flow_pid_key_t -type process_meta_t -type packet_event_meta_t -type go_keylog_event_t Bpf ./ptcpdump.c -- -I./headers -I./headers/$TARGET -I. -Wall
+//go:generate go run github.com/cilium/ebpf/cmd/bpf2go -cc clang -no-strip -target $TARGET -type gconfig_t -type packet_event_t -type exec_event_t -type exit_event_t -type flow_pid_key_t -type process_meta_t -type packet_event_meta_t -type go_keylog_event_t -type new_netdevice_event_t -type netdevice_change_event_t -type mount_event_t Bpf ./ptcpdump.c -- -I./headers -I./headers/$TARGET -I. -Wall
 
 const tcFilterName = "ptcpdump"
 const logSzie = ebpf.DefaultVerifierLogSize * 64
@@ -47,6 +47,8 @@ type Options struct {
 	pidnsIds       []uint32
 	netnsIds       []uint32
 	maxPayloadSize uint32
+	hookMount      bool
+	hookNetDev     bool
 	kernelTypes    *btf.Spec
 }
 
@@ -276,6 +278,39 @@ func (b *BPF) AttachKprobes() error {
 		b.links = append(b.links, lk)
 	}
 
+	if b.opts.hookNetDev {
+		lk, err = link.Kprobe("register_netdevice",
+			b.objs.KprobeRegisterNetdevice, &link.KprobeOptions{})
+		if err != nil {
+			return fmt.Errorf("attach kprobe/register_netdevice: %w", err)
+		}
+		b.links = append(b.links, lk)
+		lk, err = link.Kretprobe("register_netdevice",
+			b.objs.KretprobeRegisterNetdevice, &link.KprobeOptions{})
+		if err != nil {
+			return fmt.Errorf("attach kretprobe/register_netdevice: %w", err)
+		}
+		b.links = append(b.links, lk)
+		lk, err = link.Kretprobe("__dev_get_by_index",
+			b.objs.KretprobeDevGetByIndex, &link.KprobeOptions{})
+		if err != nil {
+			return fmt.Errorf("attach kretprobe/__dev_get_by_index: %w", err)
+		}
+		b.links = append(b.links, lk)
+		lk, err = link.Kprobe("__dev_change_net_namespace",
+			b.objs.KprobeDevChangeNetNamespace, &link.KprobeOptions{})
+		if err != nil {
+			return fmt.Errorf("attach kprobe/__dev_change_net_namespace: %w", err)
+		}
+		b.links = append(b.links, lk)
+		lk, err = link.Kretprobe("__dev_change_net_namespace",
+			b.objs.KretprobeDevChangeNetNamespace, &link.KprobeOptions{})
+		if err != nil {
+			return fmt.Errorf("attach kretprobe/__dev_change_net_namespace: %w", err)
+		}
+		b.links = append(b.links, lk)
+	}
+
 	return nil
 }
 
@@ -309,6 +344,19 @@ func (b *BPF) AttachTracepoints() error {
 		b.links = append(b.links, lk)
 	}
 
+	if b.opts.hookMount {
+		lk, err = link.Tracepoint("syscalls", "sys_enter_mount", b.objs.TracepointSyscallsSysEnterMount, &link.TracepointOptions{})
+		if err != nil {
+			return fmt.Errorf("attach tracepoint/syscalls/sys_enter_mount: %w", err)
+		}
+		b.links = append(b.links, lk)
+		lk, err = link.Tracepoint("syscalls", "sys_exit_mount", b.objs.TracepointSyscallsSysExitMount, &link.TracepointOptions{})
+		if err != nil {
+			return fmt.Errorf("attach tracepoint/syscalls/sys_exit_mount: %w", err)
+		}
+		b.links = append(b.links, lk)
+	}
+
 	return nil
 }
 
@@ -386,9 +434,9 @@ func attachTcHook(ifindex int, prog *ebpf.Program, ingress bool) (func(), error)
 				},
 			},
 		}
-		log.Infof("try to add tc filter with handle %d", hid)
+		log.Infof("try to add tc filter with handle %d to %d", hid, ifindex)
 		if err = tcnl.Filter().Add(filter); err != nil {
-			log.Infof("add tc filter: %s", err)
+			log.Infof("add tc filter: %+v", err)
 			if !errors.Is(err, unix.EEXIST) {
 				return closeFunc, fmt.Errorf("add tc filter: %w", err)
 			} else {
@@ -580,6 +628,16 @@ func (opts *Options) WithMaxPayloadSize(n uint32) *Options {
 	return opts
 }
 
+func (opts *Options) WithHookMount(v bool) *Options {
+	opts.hookMount = v
+	return opts
+}
+
+func (opts *Options) WithHookNetDev(v bool) *Options {
+	opts.hookNetDev = v
+	return opts
+}
+
 func (opts *Options) WithKernelTypes(spec *btf.Spec) *Options {
 	opts.kernelTypes = spec
 	return opts

diff --git a/bpf/bpf_arm64_bpfel.go b/bpf/bpf_arm64_bpfel.go
diff --git a/bpf/bpf_arm64_bpfel.o b/bpf/bpf_arm64_bpfel.o
diff --git a/bpf/bpf_legacy.go b/bpf/bpf_legacy.go
@@ -23,6 +23,13 @@ type BpfObjectsForLegacyKernel struct {
 	RawTracepointSchedProcessExec    *ebpf.Program `ebpf:"raw_tracepoint__sched_process_exec"`
 	RawTracepointSchedProcessExit    *ebpf.Program `ebpf:"raw_tracepoint__sched_process_exit"`
 	RawTracepointSchedProcessFork    *ebpf.Program `ebpf:"raw_tracepoint__sched_process_fork"`
+	KprobeRegisterNetdevice          *ebpf.Program `ebpf:"kprobe__register_netdevice"`
+	KretprobeRegisterNetdevice       *ebpf.Program `ebpf:"kretprobe__register_netdevice"`
+	KprobeDevChangeNetNamespace      *ebpf.Program `ebpf:"kprobe__dev_change_net_namespace"`
+	KretprobeDevChangeNetNamespace   *ebpf.Program `ebpf:"kretprobe__dev_change_net_namespace"`
+	KretprobeDevGetByIndex           *ebpf.Program `ebpf:"kretprobe__dev_get_by_index"`
+	TracepointSyscallsSysEnterMount  *ebpf.Program `ebpf:"tracepoint__syscalls__sys_enter_mount"`
+	TracepointSyscallsSysExitMount   *ebpf.Program `ebpf:"tracepoint__syscalls__sys_exit_mount"`
 	TcEgress                         *ebpf.Program `ebpf:"tc_egress"`
 	TcIngress                        *ebpf.Program `ebpf:"tc_ingress"`
 	UprobeGoBuiltinTlsWriteKeyLog    *ebpf.Program `ebpf:"uprobe__go_builtin__tls__write_key_log"`
@@ -41,6 +48,13 @@ func (b *BpfObjects) FromLegacy(o *BpfObjectsForLegacyKernel) {
 	b.RawTracepointSchedProcessExec = o.RawTracepointSchedProcessExec
 	b.RawTracepointSchedProcessExit = o.RawTracepointSchedProcessExit
 	b.RawTracepointSchedProcessFork = o.RawTracepointSchedProcessFork
+	b.KprobeRegisterNetdevice = o.KprobeRegisterNetdevice
+	b.KretprobeRegisterNetdevice = o.KretprobeRegisterNetdevice
+	b.KprobeDevChangeNetNamespace = o.KprobeDevChangeNetNamespace
+	b.KretprobeDevChangeNetNamespace = o.KretprobeDevChangeNetNamespace
+	b.KretprobeDevGetByIndex = o.KretprobeDevGetByIndex
+	b.TracepointSyscallsSysEnterMount = o.TracepointSyscallsSysEnterMount
+	b.TracepointSyscallsSysExitMount = o.TracepointSyscallsSysExitMount
 	b.TcEgress = o.TcEgress
 	b.TcIngress = o.TcIngress
 	b.UprobeGoBuiltinTlsWriteKeyLog = o.UprobeGoBuiltinTlsWriteKeyLog