in bpf/accesslog/common/connection.h [169:281]
static __always_inline void submit_new_connection(void* ctx, bool success, __u32 func_name, __u32 tgid, __u32 fd, __u64 start_nacs,
struct sockaddr* addr, const struct socket* socket, struct connect_track_remote* conntrack, __u8 role) {
// send to the user-space the connection event
__u64 curr_nacs = bpf_ktime_get_ns();
struct socket_connect_event_t *event;
event = rover_reserve_buf(&socket_connection_event_queue, sizeof(*event));
if (event == NULL) {
return;
}
__u64 conid = gen_tgid_fd(tgid, fd);
__u64 random_id = bpf_get_prandom_u32();
event->conid = conid;
event->random_id = random_id;
event->start_time = start_nacs;
event->end_time = curr_nacs;
event->func_name = func_name;
if (func_name == SOCKET_OPTS_TYPE_CONNECT) {
role = CONNECTION_ROLE_TYPE_CLIENT;
} else if (func_name == SOCKET_OPTS_TYPE_ACCEPT) {
role = CONNECTION_ROLE_TYPE_SERVER;
}
event->role = role;
event->pid = tgid;
event->sockfd = fd;
// cleanup and fill the conntrack
event->conntrack_upstream_iph = 0;
event->conntrack_upstream_ipl = 0;
event->conntrack_upstream_port = 0;
if (conntrack != NULL) {
event->conntrack_upstream_iph = (__u64)conntrack->iph;
event->conntrack_upstream_ipl = (__u64)conntrack->ipl;
event->conntrack_upstream_port = conntrack->port;
}
event->success = success;
__u16 port;
__u8 socket_family;
event->local_port = 0;
event->remote_port = 0;
if (socket == NULL) {
struct task_struct* task_ptr = (struct task_struct*)bpf_get_current_task();
struct files_struct *files = _(task_ptr->files);
struct fdtable *fdtable = _(files->fdt);
struct file *fd_data;
struct file **fd_ptr;
bpf_probe_read_kernel(&fd_ptr, sizeof(fd_ptr), &fdtable->fd);
bpf_probe_read_kernel(&fd_data, sizeof(fd_data), &fd_ptr[fd]);
socket = _(fd_data->private_data);
}
if (socket != NULL) {
// only get from accept function(server side)
struct sock* s;
BPF_CORE_READ_INTO(&s, socket, sk);
short unsigned int skc_family;
BPF_CORE_READ_INTO(&skc_family, s, __sk_common.skc_family);
event->socket_family = skc_family;
socket_family = skc_family;
if (event->socket_family == AF_INET) {
BPF_CORE_READ_INTO(&port, s, __sk_common.skc_num);
event->local_port = port;
BPF_CORE_READ_INTO(&event->local_addr_v4, s, __sk_common.skc_rcv_saddr);
BPF_CORE_READ_INTO(&port, s, __sk_common.skc_dport);
event->remote_port = bpf_ntohs(port);
BPF_CORE_READ_INTO(&event->remote_addr_v4, s, __sk_common.skc_daddr);
} else if (event->socket_family == AF_INET6) {
BPF_CORE_READ_INTO(&port, s, __sk_common.skc_num);
event->local_port = port;
BPF_CORE_READ_INTO(&event->local_addr_v6, s, __sk_common.skc_v6_rcv_saddr.in6_u.u6_addr8);
BPF_CORE_READ_INTO(&port, s, __sk_common.skc_dport);
event->remote_port = bpf_ntohs(port);
BPF_CORE_READ_INTO(&event->remote_addr_v6, s, __sk_common.skc_v6_daddr.in6_u.u6_addr8);
}
} else if (addr != NULL) {
event->socket_family = _(addr->sa_family);
socket_family = event->socket_family;
if (event->socket_family == AF_INET) {
struct sockaddr_in *daddr = (struct sockaddr_in *)addr;
bpf_probe_read(&event->remote_addr_v4, sizeof(event->remote_addr_v4), &daddr->sin_addr.s_addr);
bpf_probe_read(&port, sizeof(port), &daddr->sin_port);
event->remote_port = bpf_ntohs(port);
// cleanup the local address
event->local_addr_v4 = 0;
} else if (event->socket_family == AF_INET6) {
struct sockaddr_in6 *daddr = (struct sockaddr_in6 *)addr;
bpf_probe_read(&event->remote_addr_v6, sizeof(event->remote_addr_v6), &daddr->sin6_addr.s6_addr);
bpf_probe_read(&port, sizeof(port), &daddr->sin6_port);
event->remote_port = bpf_ntohs(port);
__builtin_memset(&event->local_addr_v6, 0, sizeof(event->local_addr_v6));
}
} else {
event->socket_family = AF_UNKNOWN;
socket_family = AF_UNKNOWN;
}
rover_submit_buf(ctx, &socket_connection_event_queue, event, sizeof(*event));
if (success == false) {
return;
}
// if connect success, then add the activate connection into the kernel
// active connection save
struct active_connection_t con = {};
con.random_id = random_id;
con.pid = tgid;
con.sockfd = fd;
con.role = role;
con.socket_family = socket_family;
bpf_map_update_elem(&active_connection_map, &conid, &con, 0);
}