mozillazg's Bloghttps://mozillazg.com/2025-11-29T00:00:00+00:00ptcpdump v0.33 ~ v0.37 的主要变更内容2025-11-29T00:00:00+00:002025-11-29T00:00:00+00:00mozillazgtag:mozillazg.com,2025-11-29:2025/11/whats-new-ptcpdump-v0.33-v0.37.html<div class="section" id="section-1">
<h2 id="hidsection-1">前言<a class="headerlink" href="#hidsection-1" title="Permalink to this headline">¶</a></h2>
<p>本文将按变更顺序介绍一下 <a class="reference external" href="https://github.com/mozillazg/ptcpdump">ptcpdump</a>
从上次的 <a class="reference external" href="https://mozillazg.com/2025/01/whats-new-ptcpdump-v0.27-v0.32.html">v0.32</a>
之后的 v0.33 版本到最新的 v0.37 版本期间所发布的主要变更内容。</p>
</div>
<div class="section" id="section-2">
<h2 id="hidsection-2">主要变更内容<a class="headerlink" href="#hidsection-2" title="Permalink to this headline">¶</a></h2>
<div class="section" id="bpf-ringbuf-bpf-perfbuf">
<h3 id="hidbpf-ringbuf-bpf-perfbuf">优先使用 BPF ringbuf 代替 BPF perfbuf<a class="headerlink" href="#hidbpf-ringbuf-bpf-perfbuf" title="Permalink to this headline">¶</a></h3>
<p>如果当前系统使用的 Linux 内核支持 BPF ringbuf 的话,
ptcpdump 将优先使用 BPF ringbuf 技术优化程序性能。
关于 BPF ringbuf 的更多信息,详见 <a class="reference external" href="https://nakryiko.com/posts/bpf-ringbuf/">BPF ring buffer</a> 。</p>
</div>
<div class="section" id="cgroup-skb">
<h3 id="hidcgroup-skb">修复使用 cgroup-skb 后端时按进程过滤数据包功能失效的问题<a class="headerlink" href="#hidcgroup-skb" title="Permalink to this headline">¶</a></h3>
<p>修复之前的版本中,通过 <tt class="docutils literal"><span class="pre">--backend=cgroup-skb</span></tt> 参数指定使用 <tt class="docutils literal"><span class="pre">cgroup-skb</span></tt> 后端时,
<tt class="docutils literal"><span class="pre">--pid</span></tt> 或 <tt class="docutils literal"><span class="pre">--pname</span></tt> 参数对应的功能失效的问题。</p>
</div>
<div class="section" id="pcapng">
<h3 id="hidpcapng">支持从标准输入中读取 PcapNG 格式的数据<a class="headerlink" href="#hidpcapng" title="Permalink to this headline">¶</a></h3>
<p>现已支持通过 <tt class="docutils literal"><span class="pre">-r</span> -</tt> 从标准输入中读取 PcapNG 格式的数据:</p>
<pre class="literal-block">
$ cat data.pcapng | ptcpdump -r -
$ ptcpdump -r - < data.pcapng
</pre>
</div>
<div class="section" id="c-w">
<h3 id="hidc-w">支持 -C 和 -W 参数实现文件轮转功能<a class="headerlink" href="#hidc-w" title="Permalink to this headline">¶</a></h3>
<p>现已支持在使用 <tt class="docutils literal"><span class="pre">-w</span></tt> 保存数据到文件中时,使用 <tt class="docutils literal"><span class="pre">-C</span></tt> 或 <tt class="docutils literal"><span class="pre">-W</span></tt> 参数实现文件轮转功能:</p>
<pre class="literal-block">
sudo ptcpdump -i any -w data.pcapng -C 1mb
sudo ptcpdump -i any -w data.pcapng -C 1mb -W 5
</pre>
<p>其中:</p>
<ul class="simple">
<li><tt class="docutils literal"><span class="pre">-C</span></tt> 指定文件的最大大小,当超过该大小时,将在旧的文件名后面追加数字(比如 <tt class="docutils literal">data.pcapng1</tt> ),来保存历史数据。</li>
<li><tt class="docutils literal"><span class="pre">-W</span></tt> 自定保存的文件数量,需要与 <tt class="docutils literal"><span class="pre">-C</span></tt> 一起使用,用于限制文件数量。</li>
</ul>
</div>
<div class="section" id="f-expression-file-pcap-fitler">
<h3 id="hidf-expression-file-pcap-fitler">支持 -F/--expression-file 参数实现从文件中读取 pcap fitler 表达式<a class="headerlink" href="#hidf-expression-file-pcap-fitler" title="Permalink to this headline">¶</a></h3>
<p>现已支持使用 <tt class="docutils literal"><span class="pre">-F</span></tt> 或者 <tt class="docutils literal"><span class="pre">--expression-file</span></tt> 参数从文件中读取 pcap filter 包过滤表达式:</p>
<pre class="literal-block">
sudo ptcpdump -i any -c 10 -F filter.txt
sudo ptcpdump -i any -c 10 --expression-file filter.txt
</pre>
</div>
<div class="section" id="tt-ttt-tttt-ttttt">
<h3 id="hidtt-ttt-tttt-ttttt">支持 -tt, -ttt, -tttt, -ttttt 参数实现指定输出的时间格式<a class="headerlink" href="#hidtt-ttt-tttt-ttttt" title="Permalink to this headline">¶</a></h3>
<p>现已支持使用 <tt class="docutils literal"><span class="pre">-tt</span></tt>, <tt class="docutils literal"><span class="pre">-ttt</span></tt>, <tt class="docutils literal"><span class="pre">-tttt</span></tt>, <tt class="docutils literal"><span class="pre">-ttttt</span></tt> 指定输出包信息时的时间信息格式。</p>
<ul class="simple">
<li><tt class="docutils literal"><span class="pre">-tt</span></tt> : 显示时间戳格式,比如 <tt class="docutils literal">1764417816.346098 ens33 sshd.183127 Out IP xx.xx.xx.xx.22 > <span class="pre">xx.xx.xx.xx.64755:...</span></tt></li>
<li><tt class="docutils literal"><span class="pre">-ttt</span></tt> : 显示两条记录的时间间隔, 比如 <tt class="docutils literal">00:00:00.000265 ens33 sshd.183127 Out IP xx.xx.xx.xx.22 > <span class="pre">xx.xx.xx.xx.64755:...</span></tt></li>
<li><tt class="docutils literal"><span class="pre">-tttt</span></tt> : 显示日期和时间,比如 <tt class="docutils literal"><span class="pre">2025-11-29</span> 20:03:36.346098 ens33 sshd.183127 Out IP xx.xx.xx.xx.22 > <span class="pre">xx.xx.xx.xx.64755:...</span></tt></li>
<li><tt class="docutils literal"><span class="pre">-ttttt</span></tt> : 显示距离第一条记录的时间间隔,比如 <tt class="docutils literal">00:00:00.002708 ens33 sshd.183127 Out IP xx.xx.xx.xx.22 > <span class="pre">xx.xx.xx.xx.64755:...</span></tt></li>
</ul>
</div>
<div class="section" id="libpcap">
<h3 id="hidlibpcap">支持通过动态链接的方式使用系统安装的 libpcap<a class="headerlink" href="#hidlibpcap" title="Permalink to this headline">¶</a></h3>
<p>之前的版本只支持以静态链接的方式编译依赖的 libpcap 库,
现已支持通过动态链接的方式使用系统安装的 libpcap 库,满足简化系统库管理的需求。</p>
<p>可以通过下面任一编译方式使用动态链接库:</p>
<pre class="literal-block">
$ CGO_ENABLED=1 go build -tags dynamic
$ make build-dynamic-link
</pre>
</div>
<div class="section" id="s-0">
<h3 id="hids-0">修复 -s 0 参数会导致程序崩溃的问题<a class="headerlink" href="#hids-0" title="Permalink to this headline">¶</a></h3>
<p>在之前的版本中,如果使用 <tt class="docutils literal"><span class="pre">-s</span> 0</tt> 参数会导致 ptcpdump 程序崩溃,这个问题现已修复。</p>
</div>
<div class="section" id="section-3">
<h3 id="hidsection-3">修复终端输出中的时间信息不准确的问题<a class="headerlink" href="#hidsection-3" title="Permalink to this headline">¶</a></h3>
<p>在之前的版本中,终端输出的包信息的时间信息随着时间的推移会与实践的事件时间差距越来越大,
这个问题现已修复。</p>
</div>
<div class="section" id="armv7-cpu">
<h3 id="hidarmv7-cpu">实验性支持 armv7 CPU 架构<a class="headerlink" href="#hidarmv7-cpu" title="Permalink to this headline">¶</a></h3>
<p>在新版本中已实验性支持 armv7 CPU 架构。
因为缺少支持 armv7 架构的 CI 环境, 因此只能作为实验性支持,
没法保证未来版本的兼容性。如果某个版本不再支持 armv7 了,
欢迎反馈。</p>
</div>
<div class="section" id="tp-btf">
<h3 id="hidtp-btf">新增 tp-btf 后端<a class="headerlink" href="#hidtp-btf" title="Permalink to this headline">¶</a></h3>
<p>新版本增加了一个新的后端 <tt class="docutils literal"><span class="pre">tp-btf</span></tt> ,
当指定使用该后端时,ptcpdump 将使用 <tt class="docutils literal">BPF_PROG_TYPE_TRACING</tt> 类型的 eBPF 程序来捕获数据包。
该后端与 <tt class="docutils literal">tc</tt> 后端的主要区别是:<tt class="docutils literal"><span class="pre">tp-btf</span></tt> 默认将能捕获所有网络命名空间下的数据,
而 <tt class="docutils literal">tc</tt> 后端默认只捕获当前网络命名空间下的数据(可以通过 <tt class="docutils literal"><span class="pre">--netns</span></tt> 命令指定捕获特定网络命名空间下的数据)。
关于该后端与其他后端的区别,详见 <a class="reference external" href="https://github.com/mozillazg/ptcpdump?tab=readme-ov-file#backend">Backend</a> 。</p>
<p>可以通过 <tt class="docutils literal"><span class="pre">--backend</span> <span class="pre">tp-btf</span></tt> 使用新增的 <tt class="docutils literal"><span class="pre">tp-btf</span></tt> 后端。</p>
</div>
<div class="section" id="socket-filter">
<h3 id="hidsocket-filter">新增 socket-filter 后端<a class="headerlink" href="#hidsocket-filter" title="Permalink to this headline">¶</a></h3>
<p>新版本增加了另一个新的后端 <tt class="docutils literal"><span class="pre">socket-filter</span></tt> ,
当指定使用该后端时,ptcpdump 将使用 <tt class="docutils literal">BPF_PROG_TYPE_SOCKET_FILTER</tt> 类型的 eBPF 程序来捕获数据包。
使用该后端时,ptcpdump 的输出结果将更接近 tcpdump 的输出结果,因为此时它们两个捕获数据包的时机会更接近。
关于该后端与其他后端的区别,详见 <a class="reference external" href="https://github.com/mozillazg/ptcpdump?tab=readme-ov-file#backend">Backend</a> 。</p>
<p>可以通过 <tt class="docutils literal"><span class="pre">--backend</span> <span class="pre">socket-filter</span></tt> 使用新增的 <tt class="docutils literal"><span class="pre">socket-filter</span></tt> 后端。</p>
</div>
<div class="section" id="inode-id">
<h3 id="hidinode-id">在跨网络命名空间的数据结果中显示 inode ID 信息<a class="headerlink" href="#hidinode-id" title="Permalink to this headline">¶</a></h3>
<p>从新版本开始,当输出结果中包含非当前网络命名空间的数据时,程序将会尝试在输出网络接口信息时,显示对应网络命名空间的 inode ID 信息:</p>
<pre class="literal-block">
12:20:31.336316 eth0@4026533097 curl.405939 Out IP 172.17.0.4.38670 > 1.1.1.1.80: Flags [S], seq 3064539219, win 64240, options [mss 1460,sackOK,TS val 1731159046 ecr 0,nop,wscale 7], length 0, ParentProc [bash.405653]
12:20:31.336382 veth1d387b0 curl.405939 In IP 172.17.0.4.38670 > 1.1.1.1.80: Flags [S], seq 3064539219, win 64240, options [mss 1460,sackOK,TS val 1731159046 ecr 0,nop,wscale 7], length 0, ParentProc [bash.405653]
</pre>
</div>
<div class="section" id="v-ip-options">
<h3 id="hidv-ip-options">-v 的输出中增加 IP Options 信息<a class="headerlink" href="#hidv-ip-options" title="Permalink to this headline">¶</a></h3>
<p>新版本在使用 <tt class="docutils literal"><span class="pre">-v</span></tt> 参数输出详情时,将输出 IP Options 信息:</p>
<pre class="literal-block">
09:48:31.908813 IP (tos 0x0, ttl 64, id 39183, offset 0, flags [none], proto TCP (6), length 80, options (RR 1.2.3.4, 1.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0,EOL))
${IP}.1373 > 1.1.1.1.80: Flags [S], cksum 0xbfb4, seq 122218745, win 512, length 0
</pre>
</div>
<div class="section" id="http">
<h3 id="hidhttp">新增输出 HTTP 信息<a class="headerlink" href="#hidhttp" title="Permalink to this headline">¶</a></h3>
<p>如果某一行的数据包是 HTTP 数据,新版本将默认输出基本的 HTTP 信息:</p>
<pre class="literal-block">
13:27:02.285015 IP ${IP}.57166 > ${IP}.80: Flags [P.], ..., length 73: HTTP: GET / HTTP/1.1
13:27:02.516911 IP ${IP}.80 > ${IP}.57166: Flags [P.], ..., length 349: HTTP: HTTP/1.1 301 Moved Permanently
</pre>
<p>如果使用 <tt class="docutils literal"><span class="pre">-v</span></tt> 参数输出详情,则会包含详细的 HTTP 信息:</p>
<pre class="literal-block">
13:27:02.285015 IP (tos 0x0, ttl 64, id 8683, offset 0, flags [DF], proto TCP (6), length 113)
..., length 73: HTTP: GET / HTTP/1.1
GET / HTTP/1.1
Host: kernel.org
User-Agent: curl/8.5.0
Accept: */*
13:27:02.516911 IP (tos 0x0, ttl 128, id 62994, offset 0, flags [none], proto TCP (6), length 389)
..., length 349: HTTP: HTTP/1.1 301 Moved Permanently
HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Sat, 05 Jul 2025 13:27:02 GMT
Content-Type: text/html
Content-Length: 162
Connection: keep-alive
Location: https://kernel.org/
<html>
<head><title>301 Moved Permanently</title></head>
<body>
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx</center>
</body>
</html>
</pre>
</div>
<div class="section" id="tls">
<h3 id="hidtls">新增输出 TLS 信息<a class="headerlink" href="#hidtls" title="Permalink to this headline">¶</a></h3>
<p>如果某一行的数据包是 TLS 数据,新版本将默认输出 TLS Client Hello 或 Server Hello 信息:</p>
<pre class="literal-block">
13:48:40.371849 IP ${IP}.47812 > ${IP}.443: Flags [P.], ..., length 517: TLSv1.0: Client Hello (SNI=kernel.org)
13:48:40.606677 IP ${IP}.443 > ${IP}.47812: Flags [P.], ..., length 1412: TLSv1.3: Server Hello
</pre>
</div>
<div class="section" id="l3">
<h3 id="hidl3">新增支持对 L3 网络接口设备抓包<a class="headerlink" href="#hidl3" title="Permalink to this headline">¶</a></h3>
<p>之前的版本只支持对 L2 网络接口设备抓包,新版本已增加对 L3 网络接口(比如 TUN 设备)的支持。</p>
</div>
<div class="section" id="tcp">
<h3 id="hidtcp">改为默认以相对数字显示 TCP 序列号<a class="headerlink" href="#hidtcp" title="Permalink to this headline">¶</a></h3>
<p>在之前的版本中,默认会显示 TCP 序列号的原始数字,比较难阅读:</p>
<pre class="literal-block">
20:03:36.346098 ens33 sshd.183127 Out IP ${IP}.22 > ${IP}.64755: Flags [P.], seq 1457857145:1457857369, ack 1966040526, win 65535, length 224, ParentProc [sshd.16678]
20:03:36.346909 ens33 sshd.183127 In IP ${IP}.64755 > ${IP}.22: Flags [.], seq 1966040526, ack 1457857369, win 64240, length 0, ParentProc [sshd.16678]
20:03:36.348807 ens33 sshd.183127 Out IP ${IP}.22 > ${IP}.64755: Flags [P.], seq 1457857369:1457857593, ack 1966040526, win 65535, length 224, ParentProc [sshd.16678]
</pre>
<p>新版本将默认以相对数字的形式显示 TCP 序列号信息:</p>
<pre class="literal-block">
20:03:36.346098 ens33 sshd.183127 Out IP ${IP}.22 > ${IP}.64755: Flags [P.], seq 1457857145:1457857369, ack 1966040526, win 65535, length 224, ParentProc [sshd.16678]
20:03:36.346909 ens33 sshd.183127 In IP ${IP}.64755 > ${IP}.22: Flags [.], ack 224, win 64240, length 0, ParentProc [sshd.16678]
20:03:36.348807 ens33 sshd.183127 Out IP ${IP}.22 > ${IP}.64755: Flags [P.], seq 224:448, ack 0, win 65535, length 224, ParentProc [sshd.16678]
</pre>
<p>同时新增 <tt class="docutils literal"><span class="pre">-S</span></tt> 和 <tt class="docutils literal"><span class="pre">--absolute-tcp-sequence-numbers</span></tt> 参数用于控制恢复之前的显示原始数字的模式。</p>
<p>如果你对 ptcpdump 有额外的改进或新功能建议,欢迎在评论区或项目 issues 中留言。</p>
</div>
</div>
Major Changes in ptcpdump versions 0.33 to 0.372025-11-29T00:00:00+00:002025-11-29T00:00:00+00:00mozillazgtag:mozillazg.com,2025-11-29:2025/11/whats-new-ptcpdump-v0.33-v0.37-en.html<div class="section" id="preface">
<h2 id="hidpreface">Preface<a class="headerlink" href="#hidpreface" title="Permalink to this headline">¶</a></h2>
<p>This article introduces the main changes in <a class="reference external" href="https://github.com/mozillazg/ptcpdump">ptcpdump</a>
from v0.33 (after <a class="reference external" href="https://mozillazg.com/2025/01/whats-new-ptcpdump-v0.27-v0.32-en.html">v0.32</a> )
to the latest v0.37, in chronological order.</p>
</div>
<div class="section" id="main-changes">
<h2 id="hidmain-changes">Main changes<a class="headerlink" href="#hidmain-changes" title="Permalink to this headline">¶</a></h2>
<div class="section" id="prefer-using-bpf-ringbuf-instead-of-bpf-perfbuf">
<h3 id="hidprefer-using-bpf-ringbuf-instead-of-bpf-perfbuf">Prefer using BPF ringbuf instead of BPF perfbuf<a class="headerlink" href="#hidprefer-using-bpf-ringbuf-instead-of-bpf-perfbuf" title="Permalink to this headline">¶</a></h3>
<p>If the Linux kernel on the current system supports BPF ringbuf,
ptcpdump will prioritize using BPF ringbuf to optimize program performance.
For more information about BPF ringbuf, please refer to
<a class="reference external" href="https://nakryiko.com/posts/bpf-ringbuf/">BPF ring buffer</a> .</p>
</div>
<div class="section" id="fix-the-issue-where-packet-filtering-by-process-failed-when-using-the-cgroup-skb-backend">
<h3 id="hidfix-the-issue-where-packet-filtering-by-process-failed-when-using-the-cgroup-skb-backend">Fix the issue where packet filtering by process failed when using the cgroup-skb backend<a class="headerlink" href="#hidfix-the-issue-where-packet-filtering-by-process-failed-when-using-the-cgroup-skb-backend" title="Permalink to this headline">¶</a></h3>
<p>Fixed an issue in previous versions where the features corresponding to
the <tt class="docutils literal"><span class="pre">--pid</span></tt> or <tt class="docutils literal"><span class="pre">--pname</span></tt> parameters failed when the <tt class="docutils literal"><span class="pre">cgroup-skb</span></tt> backend
was specified via <tt class="docutils literal"><span class="pre">--backend=cgroup-skb</span></tt>.</p>
</div>
<div class="section" id="support-reading-pcapng-format-data-from-standard-input">
<h3 id="hidsupport-reading-pcapng-format-data-from-standard-input">Support reading PcapNG format data from standard input<a class="headerlink" href="#hidsupport-reading-pcapng-format-data-from-standard-input" title="Permalink to this headline">¶</a></h3>
<p>It now supports reading PcapNG format data from standard input using <tt class="docutils literal"><span class="pre">-r</span> -</tt>:</p>
<pre class="literal-block">
$ cat data.pcapng | ptcpdump -r -
$ ptcpdump -r - < data.pcapng
</pre>
</div>
<div class="section" id="support-file-rotation-using-c-and-w-options">
<h3 id="hidsupport-file-rotation-using-c-and-w-options">Support file rotation using -C and -W options<a class="headerlink" href="#hidsupport-file-rotation-using-c-and-w-options" title="Permalink to this headline">¶</a></h3>
<p>It now supports file rotation when saving data to a file using <tt class="docutils literal"><span class="pre">-w</span></tt>,
by using the <tt class="docutils literal"><span class="pre">-C</span></tt> or <tt class="docutils literal"><span class="pre">-W</span></tt> options:</p>
<pre class="literal-block">
sudo ptcpdump -i any -w data.pcapng -C 1mb
sudo ptcpdump -i any -w data.pcapng -C 1mb -W 5
</pre>
<p>Where:</p>
<ul class="simple">
<li><tt class="docutils literal"><span class="pre">-C</span></tt> specifies the maximum file size. When this size is exceeded, a number will be
appended to the old filename (e.g., <tt class="docutils literal">data.pcapng1</tt>) to save historical data.</li>
<li><tt class="docutils literal"><span class="pre">-W</span></tt> specifies the number of files to keep. It must be used with <tt class="docutils literal"><span class="pre">-C</span></tt> to limit the number of files.</li>
</ul>
</div>
<div class="section" id="support-reading-pcap-filter-expressions-from-a-file-using-f-expression-file">
<h3 id="hidsupport-reading-pcap-filter-expressions-from-a-file-using-f-expression-file">Support reading pcap filter expressions from a file using -F/--expression-file<a class="headerlink" href="#hidsupport-reading-pcap-filter-expressions-from-a-file-using-f-expression-file" title="Permalink to this headline">¶</a></h3>
<p>It now supports reading pcap filter expressions from a file using the <tt class="docutils literal"><span class="pre">-F</span></tt> or <tt class="docutils literal"><span class="pre">--expression-file</span></tt> option:</p>
<pre class="literal-block">
sudo ptcpdump -i any -c 10 -F filter.txt
sudo ptcpdump -i any -c 10 --expression-file filter.txt
</pre>
</div>
<div class="section" id="support-specifying-output-time-format-using-tt-ttt-tttt-ttttt">
<h3 id="hidsupport-specifying-output-time-format-using-tt-ttt-tttt-ttttt">Support specifying output time format using -tt, -ttt, -tttt, -ttttt<a class="headerlink" href="#hidsupport-specifying-output-time-format-using-tt-ttt-tttt-ttttt" title="Permalink to this headline">¶</a></h3>
<p>It now supports using <tt class="docutils literal"><span class="pre">-tt</span></tt>, <tt class="docutils literal"><span class="pre">-ttt</span></tt>, <tt class="docutils literal"><span class="pre">-tttt</span></tt>, and <tt class="docutils literal"><span class="pre">-ttttt</span></tt> to
specify the time format when outputting packet information.</p>
<ul class="simple">
<li><tt class="docutils literal"><span class="pre">-tt</span></tt> : Displays timestamp format, e.g., <tt class="docutils literal">1764417816.346098 ens33 sshd.183127 Out IP xx.xx.xx.xx.22 > <span class="pre">xx.xx.xx.xx.64755:...</span></tt></li>
<li><tt class="docutils literal"><span class="pre">-ttt</span></tt> : Displays the time interval between two records, e.g., <tt class="docutils literal">00:00:00.000265 ens33 sshd.183127 Out IP xx.xx.xx.xx.22 > <span class="pre">xx.xx.xx.xx.64755:...</span></tt></li>
<li><tt class="docutils literal"><span class="pre">-tttt</span></tt> : Displays date and time, e.g., <tt class="docutils literal"><span class="pre">2025-11-29</span> 20:03:36.346098 ens33 sshd.183127 Out IP xx.xx.xx.xx.22 > <span class="pre">xx.xx.xx.xx.64755:...</span></tt></li>
<li><tt class="docutils literal"><span class="pre">-ttttt</span></tt> : Displays the time interval since the first record, e.g., <tt class="docutils literal">00:00:00.002708 ens33 sshd.183127 Out IP xx.xx.xx.xx.22 > <span class="pre">xx.xx.xx.xx.64755:...</span></tt></li>
</ul>
</div>
<div class="section" id="support-using-system-installed-libpcap-via-dynamic-linking">
<h3 id="hidsupport-using-system-installed-libpcap-via-dynamic-linking">Support using system-installed libpcap via dynamic linking<a class="headerlink" href="#hidsupport-using-system-installed-libpcap-via-dynamic-linking" title="Permalink to this headline">¶</a></h3>
<p>Previous versions only supported compiling the dependent libpcap library via static linking.
It now supports using the system-installed libpcap library via dynamic linking to
meet the needs of simplified system library management.</p>
<p>You can use the dynamic link library through either of the following compilation methods:</p>
<pre class="literal-block">
$ CGO_ENABLED=1 go build -tags dynamic
$ make build-dynamic-link
</pre>
</div>
<div class="section" id="fix-the-issue-where-using-s-0-caused-the-program-to-crash">
<h3 id="hidfix-the-issue-where-using-s-0-caused-the-program-to-crash">Fix the issue where using -s 0 caused the program to crash<a class="headerlink" href="#hidfix-the-issue-where-using-s-0-caused-the-program-to-crash" title="Permalink to this headline">¶</a></h3>
<p>In previous versions, using the <tt class="docutils literal"><span class="pre">-s</span> 0</tt> option caused the ptcpdump program to crash. This issue is now fixed.</p>
</div>
<div class="section" id="fix-the-issue-of-inaccurate-timestamps-in-terminal-output">
<h3 id="hidfix-the-issue-of-inaccurate-timestamps-in-terminal-output">Fix the issue of inaccurate timestamps in terminal output<a class="headerlink" href="#hidfix-the-issue-of-inaccurate-timestamps-in-terminal-output" title="Permalink to this headline">¶</a></h3>
<p>In previous versions, the timestamps of packet information in the terminal
output drifted further from the actual event time over time.
This issue is now fixed.</p>
</div>
<div class="section" id="experimental-support-for-armv7-cpu-architecture">
<h3 id="hidexperimental-support-for-armv7-cpu-architecture">Experimental support for armv7 CPU architecture<a class="headerlink" href="#hidexperimental-support-for-armv7-cpu-architecture" title="Permalink to this headline">¶</a></h3>
<p>Experimental support for the armv7 CPU architecture has been added in the new version.
Since there is no CI environment supporting the armv7 architecture, this is only experimental support,
and compatibility in future versions cannot be guaranteed. If a version no longer supports armv7,
feedback is welcome.</p>
</div>
<div class="section" id="add-tp-btf-backend">
<h3 id="hidadd-tp-btf-backend">Add tp-btf backend<a class="headerlink" href="#hidadd-tp-btf-backend" title="Permalink to this headline">¶</a></h3>
<p>A new backend <tt class="docutils literal"><span class="pre">tp-btf</span></tt> has been added.
When this backend is used, ptcpdump uses <tt class="docutils literal">BPF_PROG_TYPE_TRACING</tt> eBPF programs to capture packets.
The main difference from the <tt class="docutils literal">tc</tt> backend is that <tt class="docutils literal"><span class="pre">tp-btf</span></tt> captures data from all network namespaces by default,
while the <tt class="docutils literal">tc</tt> backend defaults to capturing data only from the current
network namespace (use <tt class="docutils literal"><span class="pre">--netns</span></tt> to specify a specific network namespace).
For differences between backends, see <a class="reference external" href="https://github.com/mozillazg/ptcpdump?tab=readme-ov-file#backend">Backend</a> .</p>
<p>You can use the new <tt class="docutils literal"><span class="pre">tp-btf</span></tt> backend via <tt class="docutils literal"><span class="pre">--backend</span> <span class="pre">tp-btf</span></tt>.</p>
</div>
<div class="section" id="add-socket-filter-backend">
<h3 id="hidadd-socket-filter-backend">Add socket-filter backend<a class="headerlink" href="#hidadd-socket-filter-backend" title="Permalink to this headline">¶</a></h3>
<p>Another new backend <tt class="docutils literal"><span class="pre">socket-filter</span></tt> has been added.
When this backend is used, ptcpdump uses <tt class="docutils literal">BPF_PROG_TYPE_SOCKET_FILTER</tt> eBPF programs to capture packets.
When using this backend, the output of ptcpdump is closer to the output
of tcpdump because the packet capture timing is more similar.
For differences between backends, see <a class="reference external" href="https://github.com/mozillazg/ptcpdump?tab=readme-ov-file#backend">Backend</a> .</p>
<p>You can use the new <tt class="docutils literal"><span class="pre">socket-filter</span></tt> backend via <tt class="docutils literal"><span class="pre">--backend</span> <span class="pre">socket-filter</span></tt>.</p>
</div>
<div class="section" id="display-inode-id-in-cross-network-namespace-results">
<h3 id="hiddisplay-inode-id-in-cross-network-namespace-results">Display inode ID in cross-network namespace results<a class="headerlink" href="#hiddisplay-inode-id-in-cross-network-namespace-results" title="Permalink to this headline">¶</a></h3>
<p>Starting from the new version, when the output contains data from a non-current network namespace,
the program will attempt to display the inode ID of that network
namespace when showing network interface information:</p>
<pre class="literal-block">
12:20:31.336316 eth0@4026533097 curl.405939 Out IP 172.17.0.4.38670 > 1.1.1.1.80: Flags [S], seq 3064539219, win 64240, options [mss 1460,sackOK,TS val 1731159046 ecr 0,nop,wscale 7], length 0, ParentProc [bash.405653]
12:20:31.336382 veth1d387b0 curl.405939 In IP 172.17.0.4.38670 > 1.1.1.1.80: Flags [S], seq 3064539219, win 64240, options [mss 1460,sackOK,TS val 1731159046 ecr 0,nop,wscale 7], length 0, ParentProc [bash.405653]
</pre>
</div>
<div class="section" id="add-ip-options-information-to-v-output">
<h3 id="hidadd-ip-options-information-to-v-output">Add IP Options information to -v output<a class="headerlink" href="#hidadd-ip-options-information-to-v-output" title="Permalink to this headline">¶</a></h3>
<p>The new version will output IP Options information when using the <tt class="docutils literal"><span class="pre">-v</span></tt> option for details:</p>
<pre class="literal-block">
09:48:31.908813 IP (tos 0x0, ttl 64, id 39183, offset 0, flags [none], proto TCP (6), length 80, options (RR 1.2.3.4, 1.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0,EOL))
${IP}.1373 > 1.1.1.1.80: Flags [S], cksum 0xbfb4, seq 122218745, win 512, length 0
</pre>
</div>
<div class="section" id="add-output-for-http-information">
<h3 id="hidadd-output-for-http-information">Add output for HTTP information<a class="headerlink" href="#hidadd-output-for-http-information" title="Permalink to this headline">¶</a></h3>
<p>If a packet contains HTTP data, the new version will output basic HTTP information by default:</p>
<pre class="literal-block">
13:27:02.285015 IP ${IP}.57166 > ${IP}.80: Flags [P.], ..., length 73: HTTP: GET / HTTP/1.1
13:27:02.516911 IP ${IP}.80 > ${IP}.57166: Flags [P.], ..., length 349: HTTP: HTTP/1.1 301 Moved Permanently
</pre>
<p>If <tt class="docutils literal"><span class="pre">-v</span></tt> is used for detailed output, detailed HTTP information will be included:</p>
<pre class="literal-block">
13:27:02.285015 IP (tos 0x0, ttl 64, id 8683, offset 0, flags [DF], proto TCP (6), length 113)
..., length 73: HTTP: GET / HTTP/1.1
GET / HTTP/1.1
Host: kernel.org
User-Agent: curl/8.5.0
Accept: */*
13:27:02.516911 IP (tos 0x0, ttl 128, id 62994, offset 0, flags [none], proto TCP (6), length 389)
..., length 349: HTTP: HTTP/1.1 301 Moved Permanently
HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Sat, 05 Jul 2025 13:27:02 GMT
Content-Type: text/html
Content-Length: 162
Connection: keep-alive
Location: https://kernel.org/
<html>
<head><title>301 Moved Permanently</title></head>
<body>
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx</center>
</body>
</html>
</pre>
</div>
<div class="section" id="add-output-for-tls-information">
<h3 id="hidadd-output-for-tls-information">Add output for TLS information<a class="headerlink" href="#hidadd-output-for-tls-information" title="Permalink to this headline">¶</a></h3>
<p>If a packet contains TLS data, the new version will output TLS Client Hello
or Server Hello information by default:</p>
<pre class="literal-block">
13:48:40.371849 IP ${IP}.47812 > ${IP}.443: Flags [P.], ..., length 517: TLSv1.0: Client Hello (SNI=kernel.org)
13:48:40.606677 IP ${IP}.443 > ${IP}.47812: Flags [P.], ..., length 1412: TLSv1.3: Server Hello
</pre>
</div>
<div class="section" id="add-support-for-capturing-on-l3-network-interface-devices">
<h3 id="hidadd-support-for-capturing-on-l3-network-interface-devices">Add support for capturing on L3 network interface devices<a class="headerlink" href="#hidadd-support-for-capturing-on-l3-network-interface-devices" title="Permalink to this headline">¶</a></h3>
<p>Previous versions only supported capturing on L2 network interface devices.
The new version adds support for L3 network interfaces (such as TUN devices).</p>
</div>
<div class="section" id="change-to-display-tcp-sequence-numbers-as-relative-numbers-by-default">
<h3 id="hidchange-to-display-tcp-sequence-numbers-as-relative-numbers-by-default">Change to display TCP sequence numbers as relative numbers by default<a class="headerlink" href="#hidchange-to-display-tcp-sequence-numbers-as-relative-numbers-by-default" title="Permalink to this headline">¶</a></h3>
<p>In previous versions, raw TCP sequence numbers were displayed by default, which was hard to read:</p>
<pre class="literal-block">
20:03:36.346098 ens33 sshd.183127 Out IP ${IP}.22 > ${IP}.64755: Flags [P.], seq 1457857145:1457857369, ack 1966040526, win 65535, length 224, ParentProc [sshd.16678]
20:03:36.346909 ens33 sshd.183127 In IP ${IP}.64755 > ${IP}.22: Flags [.], seq 1966040526, ack 1457857369, win 64240, length 0, ParentProc [sshd.16678]
20:03:36.348807 ens33 sshd.183127 Out IP ${IP}.22 > ${IP}.64755: Flags [P.], seq 1457857369:1457857593, ack 1966040526, win 65535, length 224, ParentProc [sshd.16678]
</pre>
<p>The new version displays TCP sequence numbers as relative numbers by default:</p>
<pre class="literal-block">
20:03:36.346098 ens33 sshd.183127 Out IP ${IP}.22 > ${IP}.64755: Flags [P.], seq 1457857145:1457857369, ack 1966040526, win 65535, length 224, ParentProc [sshd.16678]
20:03:36.346909 ens33 sshd.183127 In IP ${IP}.64755 > ${IP}.22: Flags [.], ack 224, win 64240, length 0, ParentProc [sshd.16678]
20:03:36.348807 ens33 sshd.183127 Out IP ${IP}.22 > ${IP}.64755: Flags [P.], seq 224:448, ack 0, win 65535, length 224, ParentProc [sshd.16678]
</pre>
<p>It also adds the <tt class="docutils literal"><span class="pre">-S</span></tt> and <tt class="docutils literal"><span class="pre">--absolute-tcp-sequence-numbers</span></tt> options to
switch back to displaying raw numbers.</p>
<p>If you have any additional improvements or new feature suggestions for ptcpdump,
feel free to leave a comment in the comments section or project issues.</p>
</div>
</div>
使用 elibpcap 为网络相关 eBPF 程序实现 pcap-filter 包过滤语法支持2025-05-03T00:00:00+00:002025-05-03T00:00:00+00:00mozillazgtag:mozillazg.com,2025-05-03:2025/05/ebpf-let-any-network-ebpf-programs-to-support-pcap-filter-with-elibpcap.html<div class="section" id="section-1">
<h2 id="hidsection-1">前言<a class="headerlink" href="#hidsection-1" title="Permalink to this headline">¶</a></h2>
<p>我们常用的 tcpdump 抓包工具的一个核心能力是支持使用
<a class="reference external" href="https://www.tcpdump.org/manpages/pcap-filter.7.html">pcap-filter</a>
包过滤语法对流量进行过滤,只对符合条件的特定流量进行抓包。</p>
<p>当我们使用 eBPF 技术开发网络相关的工具的时候,如果也能支持 pcap-filter 包过滤语法的话,
想必会极大的提升用户体验。
因此,我开发的 <a class="reference external" href="https://github.com/mozillazg/ptcpdump">ptcpdump</a> 工具也内置了对 pcap-filter 包过滤语法的支持。</p>
<p>使用常规方法为 eBPF 程序增加 pcap-filter 支持会需要实现复杂的逻辑。
但是,如果你的项目正在使用 <a class="reference external" href="https://github.com/cilium/ebpf">cilium/ebpf</a> 作为 eBPF Loader,
通过使用本文介绍的 elibpcap 这个 Go package ,
你只需要增加几行代码就能为你的项目内置支持 pcap-filter 包过滤语法的能力。</p>
</div>
<div class="section" id="section-2">
<h2 id="hidsection-2">项目介绍<a class="headerlink" href="#hidsection-2" title="Permalink to this headline">¶</a></h2>
<p>如前面所说,通过使用 elibpcap,只需几行代码就可以为 eBPF 项目增加支持 pcap-filter 的能力。</p>
<p>下面是 <a class="reference external" href="https://deepwiki.com/jschwinger233/elibpcap">AI</a> 总结的项目介绍:</p>
<blockquote>
elibpcap 是一个 Go 语言包,它提供的功能是:将 pcap 过滤表达式编译为 eBPF 字节码,
并将这些过滤器注入到现有的 eBPF 程序中。它将人类可读的 pcap 过滤表达式
(例如 tcpdump 等工具中使用的那些表达式)的世界与在 Linux 内核中运行的 eBPF 程序的强大能力和高效率连接了起来。</blockquote>
</div>
<div class="section" id="section-3">
<h2 id="hidsection-3">项目地址<a class="headerlink" href="#hidsection-3" title="Permalink to this headline">¶</a></h2>
<p><a class="reference external" href="https://github.com/jschwinger233/elibpcap">https://github.com/jschwinger233/elibpcap</a></p>
</div>
<div class="section" id="section-4">
<h2 id="hidsection-4">使用示例<a class="headerlink" href="#hidsection-4" title="Permalink to this headline">¶</a></h2>
<div class="section" id="section-5">
<h3 id="hidsection-5">使用模式<a class="headerlink" href="#hidsection-5" title="Permalink to this headline">¶</a></h3>
<p>为了使用 elibpcap ,我们需要做三方面的修改:</p>
<ol class="arabic simple">
<li>一个是,需要修改 eBPF 程序,在需要实现数据包过滤的位置增加类似如下的 placeholder 逻辑:</li>
</ol>
<div class="highlight"><pre><span></span><span class="c1">// add this</span>
<span class="k">static</span><span class="w"> </span><span class="n">__noinline</span><span class="w"> </span><span class="kt">bool</span><span class="w"> </span><span class="n">pcap_filter</span><span class="p">(</span><span class="kt">void</span><span class="w"> </span><span class="o">*</span><span class="n">_skb</span><span class="p">,</span><span class="w"> </span><span class="kt">void</span><span class="w"> </span><span class="o">*</span><span class="n">__skb</span><span class="p">,</span><span class="w"> </span><span class="kt">void</span><span class="w"> </span><span class="o">*</span><span class="n">___skb</span><span class="p">,</span><span class="w"> </span><span class="kt">void</span><span class="w"> </span><span class="o">*</span><span class="n">data</span><span class="p">,</span><span class="w"> </span><span class="kt">void</span><span class="w"> </span><span class="o">*</span><span class="n">data_end</span><span class="p">)</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="n">data</span><span class="w"> </span><span class="o">!=</span><span class="w"> </span><span class="n">data_end</span><span class="w"> </span><span class="o">&&</span><span class="w"> </span><span class="n">_skb</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="n">__skb</span><span class="w"> </span><span class="o">&&</span><span class="w"> </span><span class="n">__skb</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="n">___skb</span><span class="p">;</span>
<span class="p">}</span>
<span class="n">SEC</span><span class="p">(</span><span class="s">"tc"</span><span class="p">)</span>
<span class="kt">int</span><span class="w"> </span><span class="n">sample_prog</span><span class="p">(</span><span class="k">struct</span><span class="w"> </span><span class="nc">__sk_buff</span><span class="w"> </span><span class="o">*</span><span class="n">skb</span><span class="p">){</span>
<span class="w"> </span><span class="c1">// ...</span>
<span class="w"> </span><span class="c1">// add this</span>
<span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="o">!</span><span class="n">pcap_filter</span><span class="p">((</span><span class="kt">void</span><span class="w"> </span><span class="o">*</span><span class="p">)</span><span class="n">skb</span><span class="p">,</span><span class="w"> </span><span class="p">(</span><span class="kt">void</span><span class="w"> </span><span class="o">*</span><span class="p">)</span><span class="n">skb</span><span class="p">,</span><span class="w"> </span><span class="p">(</span><span class="kt">void</span><span class="w"> </span><span class="o">*</span><span class="p">)</span><span class="n">skb</span><span class="p">,</span><span class="w"> </span><span class="n">data</span><span class="p">,</span><span class="w"> </span><span class="n">data_end</span><span class="p">))</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="n">bpf_printk</span><span class="p">(</span><span class="s">"pcap_filter not match"</span><span class="p">);</span>
<span class="w"> </span><span class="k">goto</span><span class="w"> </span><span class="n">out</span><span class="p">;</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="c1">// ...</span>
<span class="p">}</span>
</pre></div>
<ol class="arabic simple" start="2">
<li>另一个是,需要修改 Go 程序,调用 elibpcap package 增加集成 pcap-filter 包过滤能力的逻辑:</li>
</ol>
<div class="highlight"><pre><span></span><span class="nx">oldInsts</span><span class="w"> </span><span class="o">:=</span><span class="w"> </span><span class="nx">spec</span><span class="p">.</span><span class="nx">Programs</span><span class="p">[</span><span class="s">"sample_prog"</span><span class="p">].</span><span class="nx">Instructions</span>
<span class="nx">newInsts</span><span class="p">,</span><span class="w"> </span><span class="nx">err</span><span class="w"> </span><span class="o">:=</span><span class="w"> </span><span class="nx">elibpcap</span><span class="p">.</span><span class="nx">Inject</span><span class="p">(</span><span class="nx">expr</span><span class="p">,</span><span class="w"> </span><span class="nx">oldInsts</span><span class="p">,</span><span class="w"> </span><span class="nx">elibpcap</span><span class="p">.</span><span class="nx">Options</span><span class="p">{</span>
<span class="w"> </span><span class="nx">AtBpf2Bpf</span><span class="p">:</span><span class="w"> </span><span class="s">"pcap_filter"</span><span class="p">,</span>
<span class="w"> </span><span class="nx">PacketAccessMode</span><span class="p">:</span><span class="w"> </span><span class="nx">elibpcap</span><span class="p">.</span><span class="nx">Direct</span><span class="p">,</span>
<span class="w"> </span><span class="nx">L2Skb</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span>
<span class="p">})</span>
<span class="k">if</span><span class="w"> </span><span class="nx">err</span><span class="w"> </span><span class="o">!=</span><span class="w"> </span><span class="kc">nil</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="nx">err</span>
<span class="p">}</span>
<span class="nx">spec</span><span class="p">.</span><span class="nx">Programs</span><span class="p">[</span><span class="s">"sample_prog"</span><span class="p">].</span><span class="nx">Instructions</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="nx">newInsts</span>
</pre></div>
<p>其中:</p>
<ul class="simple">
<li><tt class="docutils literal">AtBpf2Bpf</tt> 用于指定是我们在 eBPF 程序中定义的 <tt class="docutils literal">static __noinline bool <span class="pre">pcap_filter(...)</span></tt> 函数的名称。</li>
<li><tt class="docutils literal">PacketAccessMode</tt> 用于指定 elibpcap 在生成的字节码时,应当使用哪种方式读取我们在 eBPF 程序中向 <tt class="docutils literal">pcap_filter</tt> 函数所传入的 skb 数据。
取值如下:<ul>
<li><tt class="docutils literal">elibpcap.Direct</tt> :使用 <a class="reference external" href="https://docs.kernel.org/bpf/verifier.html#direct-packet-access">direct access</a>
的方式读取数据,即,直接通过指针操作读取数据。</li>
<li><tt class="docutils literal">elibpcap.BpfProbeReadKernel</tt> :使用辅助函数 <tt class="docutils literal">bpf_probe_read_kernel</tt> 读取数据。</li>
<li><tt class="docutils literal">elibpcap.BpfSkbLoadBytes</tt> :使用辅助函数 <tt class="docutils literal">bpf_skb_load_bytes</tt> 读取数据。</li>
</ul>
</li>
<li><tt class="docutils literal">L2Skb</tt> 用于指定我们的 eBPF 程序中 <tt class="docutils literal">pcap_filter</tt> 函数传入的 skb 数据是否包含 L2(链路层) 相关的数据。</li>
</ul>
<ol class="arabic" start="3">
<li><p class="first">最后是,因为 elibpcap 依赖了 libpcap ,因此需要在编译时启用 CGO:</p>
<ul>
<li><p class="first">静态链接编译示例:</p>
<pre class="literal-block">
CGO_CFLAGS="-I/path/to/libpcap/include" \
CGO_LDFLAGS="-L/path/to/libpcap/lib -lpcap /path/to/libpcap.a" \
CGO_ENABLED=1 go build -o main \
-tags static -ldflags "-linkmode 'external' -extldflags '-static'"
</pre>
</li>
<li><p class="first">动态链接编译示例:</p>
<pre class="literal-block">
CGO_ENABLED=1 go build -o main -tags dynamic
</pre>
</li>
</ul>
</li>
</ol>
<p>下面将以常见的不同 eBPF 程序类型为例介绍如何集成 elibpcap。</p>
</div>
<div class="section" id="tc-tcx">
<h3 id="hidtc-tcx">tc/tcx<a class="headerlink" href="#hidtc-tcx" title="Permalink to this headline">¶</a></h3>
<p>下面是 tc eBPF 程序中需要做的修改:</p>
<div class="highlight"><pre><span></span><span class="c1">// add this</span>
<span class="k">static</span><span class="w"> </span><span class="n">__noinline</span><span class="w"> </span><span class="kt">bool</span><span class="w"> </span><span class="n">pcap_filter</span><span class="p">(</span><span class="kt">void</span><span class="w"> </span><span class="o">*</span><span class="n">_skb</span><span class="p">,</span><span class="w"> </span><span class="kt">void</span><span class="w"> </span><span class="o">*</span><span class="n">__skb</span><span class="p">,</span><span class="w"> </span><span class="kt">void</span><span class="w"> </span><span class="o">*</span><span class="n">___skb</span><span class="p">,</span><span class="w"> </span><span class="kt">void</span><span class="w"> </span><span class="o">*</span><span class="n">data</span><span class="p">,</span><span class="w"> </span><span class="kt">void</span><span class="w"> </span><span class="o">*</span><span class="n">data_end</span><span class="p">)</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="n">data</span><span class="w"> </span><span class="o">!=</span><span class="w"> </span><span class="n">data_end</span><span class="w"> </span><span class="o">&&</span><span class="w"> </span><span class="n">_skb</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="n">__skb</span><span class="w"> </span><span class="o">&&</span><span class="w"> </span><span class="n">__skb</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="n">___skb</span><span class="p">;</span>
<span class="p">}</span>
<span class="n">SEC</span><span class="p">(</span><span class="s">"tc"</span><span class="p">)</span>
<span class="kt">int</span><span class="w"> </span><span class="n">sample_prog</span><span class="p">(</span><span class="k">struct</span><span class="w"> </span><span class="nc">__sk_buff</span><span class="w"> </span><span class="o">*</span><span class="n">skb</span><span class="p">){</span>
<span class="w"> </span><span class="n">bpf_skb_pull_data</span><span class="p">(</span><span class="n">skb</span><span class="p">,</span><span class="w"> </span><span class="mi">0</span><span class="p">);</span>
<span class="w"> </span><span class="kt">void</span><span class="w"> </span><span class="o">*</span><span class="n">data</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">(</span><span class="kt">void</span><span class="w"> </span><span class="o">*</span><span class="p">)(</span><span class="kt">long</span><span class="p">)</span><span class="n">skb</span><span class="o">-></span><span class="n">data</span><span class="p">;</span>
<span class="w"> </span><span class="kt">void</span><span class="w"> </span><span class="o">*</span><span class="n">data_end</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">(</span><span class="kt">void</span><span class="w"> </span><span class="o">*</span><span class="p">)(</span><span class="kt">long</span><span class="p">)</span><span class="n">skb</span><span class="o">-></span><span class="n">data_end</span><span class="p">;</span>
<span class="w"> </span><span class="c1">// add this</span>
<span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="o">!</span><span class="n">pcap_filter</span><span class="p">((</span><span class="kt">void</span><span class="w"> </span><span class="o">*</span><span class="p">)</span><span class="n">skb</span><span class="p">,</span><span class="w"> </span><span class="p">(</span><span class="kt">void</span><span class="w"> </span><span class="o">*</span><span class="p">)</span><span class="n">skb</span><span class="p">,</span><span class="w"> </span><span class="p">(</span><span class="kt">void</span><span class="w"> </span><span class="o">*</span><span class="p">)</span><span class="n">skb</span><span class="p">,</span><span class="w"> </span><span class="n">data</span><span class="p">,</span><span class="w"> </span><span class="n">data_end</span><span class="p">))</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="n">bpf_printk</span><span class="p">(</span><span class="s">"pcap_filter not match"</span><span class="p">);</span>
<span class="w"> </span><span class="k">goto</span><span class="w"> </span><span class="n">out</span><span class="p">;</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="n">bpf_printk</span><span class="p">(</span><span class="s">"Hello from tc after pcap filter"</span><span class="p">);</span>
<span class="nl">out</span><span class="p">:</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="n">TC_ACT_UNSPEC</span><span class="p">;</span>
<span class="p">}</span>
</pre></div>
<p>可以看到主要的修改点是:</p>
<ol class="arabic simple">
<li>新增了一个 <tt class="docutils literal">pcap_filter</tt> 函数。</li>
<li>新增了一个 <tt class="docutils literal">if <span class="pre">(!pcap_filter((void</span> *)skb, (void *)skb, (void *)skb, data, data_end))</tt> 的判断。</li>
</ol>
<p>下面是对应的 Go 程序所需要做的修改:</p>
<div class="highlight"><pre><span></span><span class="kd">func</span><span class="w"> </span><span class="nx">injectFilter</span><span class="p">(</span><span class="nx">spec</span><span class="w"> </span><span class="o">*</span><span class="nx">ebpf</span><span class="p">.</span><span class="nx">CollectionSpec</span><span class="p">,</span><span class="w"> </span><span class="nx">expr</span><span class="w"> </span><span class="kt">string</span><span class="p">)</span><span class="w"> </span><span class="kt">error</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="nx">expr</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="s">""</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="kc">nil</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="nx">log</span><span class="p">.</span><span class="nx">Printf</span><span class="p">(</span><span class="s">"inject pcap filter: %s"</span><span class="p">,</span><span class="w"> </span><span class="nx">expr</span><span class="p">)</span>
<span class="w"> </span><span class="c1">// add this</span>
<span class="w"> </span><span class="nx">oldInsts</span><span class="w"> </span><span class="o">:=</span><span class="w"> </span><span class="nx">spec</span><span class="p">.</span><span class="nx">Programs</span><span class="p">[</span><span class="s">"sample_prog"</span><span class="p">].</span><span class="nx">Instructions</span>
<span class="w"> </span><span class="nx">newInsts</span><span class="p">,</span><span class="w"> </span><span class="nx">err</span><span class="w"> </span><span class="o">:=</span><span class="w"> </span><span class="nx">elibpcap</span><span class="p">.</span><span class="nx">Inject</span><span class="p">(</span><span class="nx">expr</span><span class="p">,</span><span class="w"> </span><span class="nx">oldInsts</span><span class="p">,</span><span class="w"> </span><span class="nx">elibpcap</span><span class="p">.</span><span class="nx">Options</span><span class="p">{</span>
<span class="w"> </span><span class="nx">AtBpf2Bpf</span><span class="p">:</span><span class="w"> </span><span class="s">"pcap_filter"</span><span class="p">,</span>
<span class="w"> </span><span class="nx">PacketAccessMode</span><span class="p">:</span><span class="w"> </span><span class="nx">elibpcap</span><span class="p">.</span><span class="nx">Direct</span><span class="p">,</span>
<span class="w"> </span><span class="nx">L2Skb</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span>
<span class="w"> </span><span class="p">})</span>
<span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="nx">err</span><span class="w"> </span><span class="o">!=</span><span class="w"> </span><span class="kc">nil</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="nx">err</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="nx">spec</span><span class="p">.</span><span class="nx">Programs</span><span class="p">[</span><span class="s">"sample_prog"</span><span class="p">].</span><span class="nx">Instructions</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="nx">newInsts</span>
<span class="w"> </span><span class="c1">// end</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="kc">nil</span>
<span class="p">}</span>
<span class="c1">// add this</span>
<span class="k">if</span><span class="w"> </span><span class="nx">err</span><span class="w"> </span><span class="o">:=</span><span class="w"> </span><span class="nx">injectFilter</span><span class="p">(</span><span class="nx">spec</span><span class="p">,</span><span class="w"> </span><span class="nx">expr</span><span class="p">);</span><span class="w"> </span><span class="nx">err</span><span class="w"> </span><span class="o">!=</span><span class="w"> </span><span class="kc">nil</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="nx">log</span><span class="p">.</span><span class="nx">Fatal</span><span class="p">(</span><span class="nx">err</span><span class="p">)</span>
<span class="p">}</span>
<span class="k">if</span><span class="w"> </span><span class="nx">err</span><span class="w"> </span><span class="o">:=</span><span class="w"> </span><span class="nx">spec</span><span class="p">.</span><span class="nx">LoadAndAssign</span><span class="p">(</span><span class="o">&</span><span class="nx">objs</span><span class="p">,</span><span class="w"> </span><span class="kc">nil</span><span class="p">);</span><span class="w"> </span><span class="nx">err</span><span class="w"> </span><span class="o">!=</span><span class="w"> </span><span class="kc">nil</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="c1">// ...</span>
<span class="p">}</span>
</pre></div>
<p>完整的示例程序详见:<a class="reference external" href="https://github.com/mozillazg/elibpcap-examples/tree/master/tc">tc</a></p>
</div>
<div class="section" id="xdp">
<h3 id="hidxdp">xdp<a class="headerlink" href="#hidxdp" title="Permalink to this headline">¶</a></h3>
<p>xdp 程序集成 pcap-filter 能力所需要做的修改与 tc/tcx 程序基本一致。</p>
<ol class="arabic simple">
<li>c 程序:</li>
</ol>
<div class="highlight"><pre><span></span><span class="n">SEC</span><span class="p">(</span><span class="s">"xdp"</span><span class="p">)</span>
<span class="kt">int</span><span class="w"> </span><span class="n">sample_prog</span><span class="p">(</span><span class="k">struct</span><span class="w"> </span><span class="nc">xdp_md</span><span class="w"> </span><span class="o">*</span><span class="n">ctx</span><span class="p">){</span>
<span class="w"> </span><span class="c1">// ...</span>
<span class="w"> </span><span class="kt">void</span><span class="w"> </span><span class="o">*</span><span class="n">data</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">(</span><span class="kt">void</span><span class="w"> </span><span class="o">*</span><span class="p">)(</span><span class="kt">long</span><span class="p">)</span><span class="n">ctx</span><span class="o">-></span><span class="n">data</span><span class="p">;</span>
<span class="w"> </span><span class="kt">void</span><span class="w"> </span><span class="o">*</span><span class="n">data_end</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">(</span><span class="kt">void</span><span class="w"> </span><span class="o">*</span><span class="p">)(</span><span class="kt">long</span><span class="p">)</span><span class="n">ctx</span><span class="o">-></span><span class="n">data_end</span><span class="p">;</span>
<span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="o">!</span><span class="n">pcap_filter</span><span class="p">((</span><span class="kt">void</span><span class="w"> </span><span class="o">*</span><span class="p">)</span><span class="n">ctx</span><span class="p">,</span><span class="w"> </span><span class="p">(</span><span class="kt">void</span><span class="w"> </span><span class="o">*</span><span class="p">)</span><span class="n">ctx</span><span class="p">,</span><span class="w"> </span><span class="p">(</span><span class="kt">void</span><span class="w"> </span><span class="o">*</span><span class="p">)</span><span class="n">ctx</span><span class="p">,</span><span class="w"> </span><span class="n">data</span><span class="p">,</span><span class="w"> </span><span class="n">data_end</span><span class="p">))</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="n">bpf_printk</span><span class="p">(</span><span class="s">"pcap_filter not match"</span><span class="p">);</span>
<span class="w"> </span><span class="k">goto</span><span class="w"> </span><span class="n">out</span><span class="p">;</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="c1">// ...</span>
<span class="p">}</span>
</pre></div>
<ol class="arabic simple" start="2">
<li>go 程序:</li>
</ol>
<div class="highlight"><pre><span></span><span class="kd">func</span><span class="w"> </span><span class="nx">injectFilter</span><span class="p">(</span><span class="nx">spec</span><span class="w"> </span><span class="o">*</span><span class="nx">ebpf</span><span class="p">.</span><span class="nx">CollectionSpec</span><span class="p">,</span><span class="w"> </span><span class="nx">expr</span><span class="w"> </span><span class="kt">string</span><span class="p">)</span><span class="w"> </span><span class="kt">error</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="c1">// ...</span>
<span class="w"> </span><span class="nx">oldInsts</span><span class="w"> </span><span class="o">:=</span><span class="w"> </span><span class="nx">spec</span><span class="p">.</span><span class="nx">Programs</span><span class="p">[</span><span class="s">"sample_prog"</span><span class="p">].</span><span class="nx">Instructions</span>
<span class="w"> </span><span class="nx">newInsts</span><span class="p">,</span><span class="w"> </span><span class="nx">err</span><span class="w"> </span><span class="o">:=</span><span class="w"> </span><span class="nx">elibpcap</span><span class="p">.</span><span class="nx">Inject</span><span class="p">(</span><span class="nx">expr</span><span class="p">,</span><span class="w"> </span><span class="nx">oldInsts</span><span class="p">,</span><span class="w"> </span><span class="nx">elibpcap</span><span class="p">.</span><span class="nx">Options</span><span class="p">{</span>
<span class="w"> </span><span class="nx">AtBpf2Bpf</span><span class="p">:</span><span class="w"> </span><span class="s">"pcap_filter"</span><span class="p">,</span>
<span class="w"> </span><span class="nx">PacketAccessMode</span><span class="p">:</span><span class="w"> </span><span class="nx">elibpcap</span><span class="p">.</span><span class="nx">Direct</span><span class="p">,</span>
<span class="w"> </span><span class="nx">L2Skb</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span>
<span class="w"> </span><span class="p">})</span>
<span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="nx">err</span><span class="w"> </span><span class="o">!=</span><span class="w"> </span><span class="kc">nil</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="nx">err</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="nx">spec</span><span class="p">.</span><span class="nx">Programs</span><span class="p">[</span><span class="s">"sample_prog"</span><span class="p">].</span><span class="nx">Instructions</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="nx">newInsts</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="kc">nil</span>
<span class="p">}</span>
<span class="c1">// ...</span>
</pre></div>
<p>完整的示例程序详见:<a class="reference external" href="https://github.com/mozillazg/elibpcap-examples/tree/master/xdp">xdp</a></p>
</div>
<div class="section" id="cgroup-skb">
<h3 id="hidcgroup-skb">cgroup-skb<a class="headerlink" href="#hidcgroup-skb" title="Permalink to this headline">¶</a></h3>
<p>cgroup-skb 程序与前面 tc/tcx/xdp 程序所需要做的修改也是基本一致。</p>
<ol class="arabic simple">
<li>c 程序:</li>
</ol>
<div class="highlight"><pre><span></span><span class="n">SEC</span><span class="p">(</span><span class="s">"cgroup_skb/egress"</span><span class="p">)</span>
<span class="kt">int</span><span class="w"> </span><span class="n">sample_prog</span><span class="p">(</span><span class="k">struct</span><span class="w"> </span><span class="nc">__sk_buff</span><span class="w"> </span><span class="o">*</span><span class="n">skb</span><span class="p">){</span>
<span class="w"> </span><span class="kt">void</span><span class="w"> </span><span class="o">*</span><span class="n">data</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">(</span><span class="kt">void</span><span class="w"> </span><span class="o">*</span><span class="p">)(</span><span class="kt">long</span><span class="p">)</span><span class="n">skb</span><span class="o">-></span><span class="n">data</span><span class="p">;</span>
<span class="w"> </span><span class="kt">void</span><span class="w"> </span><span class="o">*</span><span class="n">data_end</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">(</span><span class="kt">void</span><span class="w"> </span><span class="o">*</span><span class="p">)(</span><span class="kt">long</span><span class="p">)</span><span class="n">skb</span><span class="o">-></span><span class="n">data_end</span><span class="p">;</span>
<span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="o">!</span><span class="n">pcap_filter</span><span class="p">((</span><span class="kt">void</span><span class="w"> </span><span class="o">*</span><span class="p">)</span><span class="n">skb</span><span class="p">,</span><span class="w"> </span><span class="p">(</span><span class="kt">void</span><span class="w"> </span><span class="o">*</span><span class="p">)</span><span class="n">skb</span><span class="p">,</span><span class="w"> </span><span class="p">(</span><span class="kt">void</span><span class="w"> </span><span class="o">*</span><span class="p">)</span><span class="n">skb</span><span class="p">,</span><span class="w"> </span><span class="n">data</span><span class="p">,</span><span class="w"> </span><span class="n">data_end</span><span class="p">))</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="k">goto</span><span class="w"> </span><span class="n">out</span><span class="p">;</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="c1">// ...</span>
<span class="p">}</span>
</pre></div>
<ol class="arabic simple" start="2">
<li>go 程序:</li>
</ol>
<div class="highlight"><pre><span></span><span class="kd">func</span><span class="w"> </span><span class="nx">injectFilter</span><span class="p">(</span><span class="nx">spec</span><span class="w"> </span><span class="o">*</span><span class="nx">ebpf</span><span class="p">.</span><span class="nx">CollectionSpec</span><span class="p">,</span><span class="w"> </span><span class="nx">expr</span><span class="w"> </span><span class="kt">string</span><span class="p">)</span><span class="w"> </span><span class="kt">error</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="c1">// ...</span>
<span class="w"> </span><span class="nx">oldInsts</span><span class="w"> </span><span class="o">:=</span><span class="w"> </span><span class="nx">spec</span><span class="p">.</span><span class="nx">Programs</span><span class="p">[</span><span class="s">"sample_prog"</span><span class="p">].</span><span class="nx">Instructions</span>
<span class="w"> </span><span class="nx">newInsts</span><span class="p">,</span><span class="w"> </span><span class="nx">err</span><span class="w"> </span><span class="o">:=</span><span class="w"> </span><span class="nx">elibpcap</span><span class="p">.</span><span class="nx">Inject</span><span class="p">(</span><span class="nx">expr</span><span class="p">,</span><span class="w"> </span><span class="nx">oldInsts</span><span class="p">,</span><span class="w"> </span><span class="nx">elibpcap</span><span class="p">.</span><span class="nx">Options</span><span class="p">{</span>
<span class="w"> </span><span class="nx">AtBpf2Bpf</span><span class="p">:</span><span class="w"> </span><span class="s">"pcap_filter"</span><span class="p">,</span>
<span class="w"> </span><span class="nx">PacketAccessMode</span><span class="p">:</span><span class="w"> </span><span class="nx">elibpcap</span><span class="p">.</span><span class="nx">Direct</span><span class="p">,</span>
<span class="w"> </span><span class="nx">L2Skb</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="p">,</span>
<span class="w"> </span><span class="p">})</span>
<span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="nx">err</span><span class="w"> </span><span class="o">!=</span><span class="w"> </span><span class="kc">nil</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="nx">err</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="nx">spec</span><span class="p">.</span><span class="nx">Programs</span><span class="p">[</span><span class="s">"sample_prog"</span><span class="p">].</span><span class="nx">Instructions</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="nx">newInsts</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="kc">nil</span>
<span class="p">}</span>
</pre></div>
<p>这里有一个需要注意的点: 因为 cgroup-skb 程序中 skb 的数据里未包含 L2 的数据,因此这里需要设置 <tt class="docutils literal">L2Skb: false</tt> 。</p>
<p>完整的示例程序详见:<a class="reference external" href="https://github.com/mozillazg/elibpcap-examples/tree/master/cgroup-skb">cgroup-skb</a></p>
</div>
<div class="section" id="kprobe-fentry-tracepoint">
<h3 id="hidkprobe-fentry-tracepoint">kprobe/fentry/tracepoint<a class="headerlink" href="#hidkprobe-fentry-tracepoint" title="Permalink to this headline">¶</a></h3>
<p>elibpcap 帮助我们屏蔽了 kprobe/fentry/tracepoint 程序与前面的 tc/tcx/xdp 程序
在数据读取方面的差异,让我们可以以基本一致的方式进行集成。</p>
<ol class="arabic simple">
<li>c 程序:</li>
</ol>
<div class="highlight"><pre><span></span><span class="n">SEC</span><span class="p">(</span><span class="s">"kprobe/__dev_queue_xmit"</span><span class="p">)</span>
<span class="kt">int</span><span class="w"> </span><span class="n">BPF_KPROBE</span><span class="p">(</span><span class="n">sample_prog</span><span class="p">,</span><span class="w"> </span><span class="k">struct</span><span class="w"> </span><span class="nc">sk_buff</span><span class="w"> </span><span class="o">*</span><span class="n">skb</span><span class="p">){</span>
<span class="w"> </span><span class="kt">void</span><span class="w"> </span><span class="o">*</span><span class="n">skb_head</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">BPF_CORE_READ</span><span class="p">(</span><span class="n">skb</span><span class="p">,</span><span class="w"> </span><span class="n">head</span><span class="p">);</span>
<span class="w"> </span><span class="kt">void</span><span class="w"> </span><span class="o">*</span><span class="n">data</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">skb_head</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">BPF_CORE_READ</span><span class="p">(</span><span class="n">skb</span><span class="p">,</span><span class="w"> </span><span class="n">network_header</span><span class="p">);</span>
<span class="w"> </span><span class="kt">void</span><span class="w"> </span><span class="o">*</span><span class="n">data_end</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">skb_head</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">BPF_CORE_READ</span><span class="p">(</span><span class="n">skb</span><span class="p">,</span><span class="w"> </span><span class="n">tail</span><span class="p">);</span>
<span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="o">!</span><span class="n">pcap_filter</span><span class="p">((</span><span class="kt">void</span><span class="w"> </span><span class="o">*</span><span class="p">)</span><span class="n">skb</span><span class="p">,</span><span class="w"> </span><span class="p">(</span><span class="kt">void</span><span class="w"> </span><span class="o">*</span><span class="p">)</span><span class="n">skb</span><span class="p">,</span><span class="w"> </span><span class="p">(</span><span class="kt">void</span><span class="w"> </span><span class="o">*</span><span class="p">)</span><span class="n">skb</span><span class="p">,</span><span class="w"> </span><span class="n">data</span><span class="p">,</span><span class="w"> </span><span class="n">data_end</span><span class="p">))</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="k">goto</span><span class="w"> </span><span class="n">out</span><span class="p">;</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="c1">// ...</span>
<span class="p">}</span>
</pre></div>
<ol class="arabic simple" start="2">
<li>go 程序:</li>
</ol>
<div class="highlight"><pre><span></span><span class="kd">func</span><span class="w"> </span><span class="nx">injectFilter</span><span class="p">(</span><span class="nx">spec</span><span class="w"> </span><span class="o">*</span><span class="nx">ebpf</span><span class="p">.</span><span class="nx">CollectionSpec</span><span class="p">,</span><span class="w"> </span><span class="nx">expr</span><span class="w"> </span><span class="kt">string</span><span class="p">)</span><span class="w"> </span><span class="kt">error</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="c1">// ...</span>
<span class="w"> </span><span class="nx">oldInsts</span><span class="w"> </span><span class="o">:=</span><span class="w"> </span><span class="nx">spec</span><span class="p">.</span><span class="nx">Programs</span><span class="p">[</span><span class="s">"sample_prog"</span><span class="p">].</span><span class="nx">Instructions</span>
<span class="w"> </span><span class="nx">newInsts</span><span class="p">,</span><span class="w"> </span><span class="nx">err</span><span class="w"> </span><span class="o">:=</span><span class="w"> </span><span class="nx">elibpcap</span><span class="p">.</span><span class="nx">Inject</span><span class="p">(</span><span class="nx">expr</span><span class="p">,</span><span class="w"> </span><span class="nx">oldInsts</span><span class="p">,</span><span class="w"> </span><span class="nx">elibpcap</span><span class="p">.</span><span class="nx">Options</span><span class="p">{</span>
<span class="w"> </span><span class="nx">AtBpf2Bpf</span><span class="p">:</span><span class="w"> </span><span class="s">"pcap_filter"</span><span class="p">,</span>
<span class="w"> </span><span class="nx">PacketAccessMode</span><span class="p">:</span><span class="w"> </span><span class="nx">elibpcap</span><span class="p">.</span><span class="nx">BpfProbeReadKernel</span><span class="p">,</span>
<span class="w"> </span><span class="nx">L2Skb</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="p">,</span>
<span class="w"> </span><span class="p">})</span>
<span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="nx">err</span><span class="w"> </span><span class="o">!=</span><span class="w"> </span><span class="kc">nil</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="nx">err</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="nx">spec</span><span class="p">.</span><span class="nx">Programs</span><span class="p">[</span><span class="s">"sample_prog"</span><span class="p">].</span><span class="nx">Instructions</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="nx">newInsts</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="kc">nil</span>
<span class="p">}</span>
<span class="c1">// ...</span>
</pre></div>
<p>这里有两个需要注意的点:</p>
<ol class="arabic simple">
<li>因为在 kprobe 程序中无法通过 “direct packet access“ 的方式读取 skb 中的包数据,
因此我们选择设置 <tt class="docutils literal">PacketAccessMode: elibpcap.BpfProbeReadKernel</tt> 使用 <tt class="docutils literal">bpf_probe_read_kernel</tt> 读取数据。</li>
<li>因为我们的 kprobe 程序中检查的是 L3 的数据,因此这里需要设置 <tt class="docutils literal">L2Skb: false</tt> 。</li>
</ol>
<p>完整的示例程序详见:
<a class="reference external" href="https://github.com/mozillazg/elibpcap-examples/tree/master/kprobe">kprobe</a> ,
<a class="reference external" href="https://github.com/mozillazg/elibpcap-examples/tree/master/fentry">fentry</a> ,
<a class="reference external" href="https://github.com/mozillazg/elibpcap-examples/tree/master/tracepoint">tracepoint</a></p>
</div>
<div class="section" id="socket-filter">
<h3 id="hidsocket-filter">socket filter<a class="headerlink" href="#hidsocket-filter" title="Permalink to this headline">¶</a></h3>
<p>socket filter 程序的一个限制是无法使用 direct access 或 bpf_probe_read_kernel 的方式读取数据包,
只能使用类似 bpf_skb_load_bytes 的方式读取数据包。</p>
<p>下面是使用 socket filter 程序集成 elibpcap 的示例代码:</p>
<ol class="arabic simple">
<li>c 程序:</li>
</ol>
<div class="highlight"><pre><span></span><span class="n">SEC</span><span class="p">(</span><span class="s">"socket"</span><span class="p">)</span>
<span class="kt">int</span><span class="w"> </span><span class="n">sample_prog</span><span class="p">(</span><span class="k">struct</span><span class="w"> </span><span class="nc">__sk_buff</span><span class="w"> </span><span class="o">*</span><span class="n">skb</span><span class="p">){</span>
<span class="w"> </span><span class="kt">void</span><span class="w"> </span><span class="o">*</span><span class="n">data</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">(</span><span class="kt">void</span><span class="w"> </span><span class="o">*</span><span class="p">)(</span><span class="kt">long</span><span class="p">)</span><span class="n">skb</span><span class="p">;</span>
<span class="w"> </span><span class="kt">char</span><span class="w"> </span><span class="n">dummy</span><span class="p">[</span><span class="mi">1</span><span class="p">];</span>
<span class="w"> </span><span class="n">bpf_skb_load_bytes</span><span class="p">(</span><span class="n">skb</span><span class="p">,</span><span class="w"> </span><span class="mi">0</span><span class="p">,</span><span class="w"> </span><span class="o">&</span><span class="n">dummy</span><span class="p">,</span><span class="w"> </span><span class="k">sizeof</span><span class="p">(</span><span class="n">dummy</span><span class="p">));</span>
<span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="o">!</span><span class="n">pcap_filter</span><span class="p">((</span><span class="kt">void</span><span class="w"> </span><span class="o">*</span><span class="p">)</span><span class="n">skb</span><span class="p">,</span><span class="w"> </span><span class="p">(</span><span class="kt">void</span><span class="w"> </span><span class="o">*</span><span class="p">)</span><span class="n">skb</span><span class="p">,</span><span class="w"> </span><span class="p">(</span><span class="kt">void</span><span class="w"> </span><span class="o">*</span><span class="p">)</span><span class="n">skb</span><span class="p">,</span><span class="w"> </span><span class="p">(</span><span class="kt">void</span><span class="w"> </span><span class="o">*</span><span class="p">)</span><span class="n">data</span><span class="p">,</span><span class="w"> </span><span class="p">(</span><span class="kt">void</span><span class="w"> </span><span class="o">*</span><span class="p">)</span><span class="n">dummy</span><span class="p">))</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="k">goto</span><span class="w"> </span><span class="n">out</span><span class="p">;</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="c1">// ...</span>
<span class="p">}</span>
</pre></div>
<ol class="arabic simple" start="2">
<li>go 程序:</li>
</ol>
<div class="highlight"><pre><span></span><span class="kd">func</span><span class="w"> </span><span class="nx">injectFilter</span><span class="p">(</span><span class="nx">spec</span><span class="w"> </span><span class="o">*</span><span class="nx">ebpf</span><span class="p">.</span><span class="nx">CollectionSpec</span><span class="p">,</span><span class="w"> </span><span class="nx">expr</span><span class="w"> </span><span class="kt">string</span><span class="p">)</span><span class="w"> </span><span class="kt">error</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="c1">// ...</span>
<span class="w"> </span><span class="nx">oldInsts</span><span class="w"> </span><span class="o">:=</span><span class="w"> </span><span class="nx">spec</span><span class="p">.</span><span class="nx">Programs</span><span class="p">[</span><span class="s">"sample_prog"</span><span class="p">].</span><span class="nx">Instructions</span>
<span class="w"> </span><span class="nx">newInsts</span><span class="p">,</span><span class="w"> </span><span class="nx">err</span><span class="w"> </span><span class="o">:=</span><span class="w"> </span><span class="nx">elibpcap</span><span class="p">.</span><span class="nx">Inject</span><span class="p">(</span><span class="nx">expr</span><span class="p">,</span><span class="w"> </span><span class="nx">oldInsts</span><span class="p">,</span><span class="w"> </span><span class="nx">elibpcap</span><span class="p">.</span><span class="nx">Options</span><span class="p">{</span>
<span class="w"> </span><span class="nx">AtBpf2Bpf</span><span class="p">:</span><span class="w"> </span><span class="s">"pcap_filter"</span><span class="p">,</span>
<span class="w"> </span><span class="nx">PacketAccessMode</span><span class="p">:</span><span class="w"> </span><span class="nx">elibpcap</span><span class="p">.</span><span class="nx">BpfSkbLoadBytes</span><span class="p">,</span>
<span class="w"> </span><span class="nx">L2Skb</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span>
<span class="w"> </span><span class="p">})</span>
<span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="nx">err</span><span class="w"> </span><span class="o">!=</span><span class="w"> </span><span class="kc">nil</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="nx">err</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="nx">spec</span><span class="p">.</span><span class="nx">Programs</span><span class="p">[</span><span class="s">"sample_prog"</span><span class="p">].</span><span class="nx">Instructions</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="nx">newInsts</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="kc">nil</span>
<span class="p">}</span>
<span class="c1">// ...</span>
</pre></div>
<p>这里有三个需要注意的点:</p>
<ol class="arabic simple">
<li>我们需要使用 <tt class="docutils literal">bpf_skb_load_bytes</tt> 读取数据,因此 <tt class="docutils literal">PacketAccessMode</tt> 被设置为 <tt class="docutils literal">elibpcap.BpfSkbLoadBytes</tt> 。</li>
<li>在 socket filter 程序中,我们是直接从 skb 而不是从 skb->data 中读取的数据,因此 data 被设置为 skb。</li>
<li>在 socket filter 程序中,我们无法直接获取 skb->data_end,
并且 pcap_filter 中的 data_end 在使用 <tt class="docutils literal">BpfSkbLoadBytes</tt> 访问方式时只是一个用于申请一个栈变量的 placeholder 变量,
因此我们可以直接使用一个 dummy 变量作为 date_end。</li>
</ol>
<p>完整的示例程序详见:
<a class="reference external" href="https://github.com/mozillazg/elibpcap-examples/tree/master/socket-filter">socket-filter</a> 。</p>
</div>
</div>
<div class="section" id="section-6">
<h2 id="hidsection-6">结束语<a class="headerlink" href="#hidsection-6" title="Permalink to this headline">¶</a></h2>
<p>如果你的使用 Go 和 eBPF 技术开发的网络项目想要集成 pcap-filter 的能力,但却苦于无从下手,
推荐尝试集成 elibpcap 这个巧妙而强大的项目。</p>
</div>
<div class="section" id="section-7">
<h2 id="hidsection-7">参考资料<a class="headerlink" href="#hidsection-7" title="Permalink to this headline">¶</a></h2>
<ul class="simple">
<li><a class="reference external" href="https://github.com/jschwinger233/elibpcap">jschwinger233/elibpcap</a></li>
<li><a class="reference external" href="https://github.com/mozillazg/ptcpdump">mozillazg/ptcpdump: Process-aware, eBPF-based tcpdump</a></li>
<li><a class="reference external" href="https://github.com/mozillazg/elibpcap-examples">mozillazg/elibpcap-examples: usage of github.com/jschwinger233/elibpcap</a></li>
<li><a class="reference external" href="https://github.com/jschwinger233/ktcpdump">jschwinger233/ktcpdump</a></li>
</ul>
</div>
Implement pcap-filter syntax support for network eBPF programs using elibpcap2025-05-03T00:00:00+00:002025-05-03T00:00:00+00:00mozillazgtag:mozillazg.com,2025-05-03:2025/05/ebpf-let-any-network-ebpf-programs-to-support-pcap-filter-with-elibpcap-en.html<div class="section" id="preface">
<h2 id="hidpreface">Preface<a class="headerlink" href="#hidpreface" title="Permalink to this headline">¶</a></h2>
<p>A core feature of the common <tt class="docutils literal">tcpdump</tt> packet capture tool is its support for the
<a class="reference external" href="https://www.tcpdump.org/manpages/pcap-filter.7.html">pcap-filter</a>
syntax. This lets it filter traffic and capture only specific packets matching the filter.</p>
<p>When developing network-related tools with eBPF, supporting the pcap-filter syntax
would greatly improve user experience.
That's why the <a class="reference external" href="https://github.com/mozillazg/ptcpdump">ptcpdump</a> tool I developed
includes built-in support for the pcap-filter syntax.</p>
<p>Adding pcap-filter support to eBPF programs the usual way involves complex logic.
However, if your project uses <a class="reference external" href="https://github.com/cilium/ebpf">cilium/ebpf</a> as its eBPF loader,
you can use the elibpcap Go package introduced in this article.
This lets you add built-in pcap-filter syntax support to your project with just a few lines of code.</p>
</div>
<div class="section" id="project-introduction">
<h2 id="hidproject-introduction">Project Introduction<a class="headerlink" href="#hidproject-introduction" title="Permalink to this headline">¶</a></h2>
<p>As mentioned before, using elibpcap allows you to add pcap-filter support to an eBPF project with just a few lines of code.</p>
<p>Here is a project introduction summarized by <a class="reference external" href="https://deepwiki.com/jschwinger233/elibpcap">AI</a>:</p>
<blockquote>
elibpcap is a Go package that provides functionality for compiling pcap filter expressions into
eBPF bytecode and injecting these filters into existing eBPF programs.
It bridges the world of human-readable pcap filter expressions
(like those used in tools such as tcpdump) with the power and efficiency
of eBPF programs running in the Linux kernel.</blockquote>
</div>
<div class="section" id="project-repository">
<h2 id="hidproject-repository">Project Repository<a class="headerlink" href="#hidproject-repository" title="Permalink to this headline">¶</a></h2>
<p><a class="reference external" href="https://github.com/jschwinger233/elibpcap">https://github.com/jschwinger233/elibpcap</a></p>
</div>
<div class="section" id="usage-example">
<h2 id="hidusage-example">Usage Example<a class="headerlink" href="#hidusage-example" title="Permalink to this headline">¶</a></h2>
<div class="section" id="usage-pattern">
<h3 id="hidusage-pattern">Usage Pattern<a class="headerlink" href="#hidusage-pattern" title="Permalink to this headline">¶</a></h3>
<p>To use elibpcap, we need to make changes in three areas:</p>
<ol class="arabic simple">
<li>First, modify the eBPF program. Add placeholder logic like the following where packet filtering is needed:</li>
</ol>
<div class="highlight"><pre><span></span><span class="c1">// add this</span>
<span class="k">static</span><span class="w"> </span><span class="n">__noinline</span><span class="w"> </span><span class="kt">bool</span><span class="w"> </span><span class="n">pcap_filter</span><span class="p">(</span><span class="kt">void</span><span class="w"> </span><span class="o">*</span><span class="n">_skb</span><span class="p">,</span><span class="w"> </span><span class="kt">void</span><span class="w"> </span><span class="o">*</span><span class="n">__skb</span><span class="p">,</span><span class="w"> </span><span class="kt">void</span><span class="w"> </span><span class="o">*</span><span class="n">___skb</span><span class="p">,</span><span class="w"> </span><span class="kt">void</span><span class="w"> </span><span class="o">*</span><span class="n">data</span><span class="p">,</span><span class="w"> </span><span class="kt">void</span><span class="w"> </span><span class="o">*</span><span class="n">data_end</span><span class="p">)</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="n">data</span><span class="w"> </span><span class="o">!=</span><span class="w"> </span><span class="n">data_end</span><span class="w"> </span><span class="o">&&</span><span class="w"> </span><span class="n">_skb</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="n">__skb</span><span class="w"> </span><span class="o">&&</span><span class="w"> </span><span class="n">__skb</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="n">___skb</span><span class="p">;</span>
<span class="p">}</span>
<span class="n">SEC</span><span class="p">(</span><span class="s">"tc"</span><span class="p">)</span>
<span class="kt">int</span><span class="w"> </span><span class="n">sample_prog</span><span class="p">(</span><span class="k">struct</span><span class="w"> </span><span class="nc">__sk_buff</span><span class="w"> </span><span class="o">*</span><span class="n">skb</span><span class="p">){</span>
<span class="w"> </span><span class="c1">// ...</span>
<span class="w"> </span><span class="c1">// add this</span>
<span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="o">!</span><span class="n">pcap_filter</span><span class="p">((</span><span class="kt">void</span><span class="w"> </span><span class="o">*</span><span class="p">)</span><span class="n">skb</span><span class="p">,</span><span class="w"> </span><span class="p">(</span><span class="kt">void</span><span class="w"> </span><span class="o">*</span><span class="p">)</span><span class="n">skb</span><span class="p">,</span><span class="w"> </span><span class="p">(</span><span class="kt">void</span><span class="w"> </span><span class="o">*</span><span class="p">)</span><span class="n">skb</span><span class="p">,</span><span class="w"> </span><span class="n">data</span><span class="p">,</span><span class="w"> </span><span class="n">data_end</span><span class="p">))</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="n">bpf_printk</span><span class="p">(</span><span class="s">"pcap_filter not match"</span><span class="p">);</span>
<span class="w"> </span><span class="k">goto</span><span class="w"> </span><span class="n">out</span><span class="p">;</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="c1">// ...</span>
<span class="p">}</span>
</pre></div>
<ol class="arabic simple" start="2">
<li>Second, modify the Go program. Call the elibpcap package to add the logic for integrating pcap-filter capability:</li>
</ol>
<div class="highlight"><pre><span></span><span class="nx">oldInsts</span><span class="w"> </span><span class="o">:=</span><span class="w"> </span><span class="nx">spec</span><span class="p">.</span><span class="nx">Programs</span><span class="p">[</span><span class="s">"sample_prog"</span><span class="p">].</span><span class="nx">Instructions</span>
<span class="nx">newInsts</span><span class="p">,</span><span class="w"> </span><span class="nx">err</span><span class="w"> </span><span class="o">:=</span><span class="w"> </span><span class="nx">elibpcap</span><span class="p">.</span><span class="nx">Inject</span><span class="p">(</span><span class="nx">expr</span><span class="p">,</span><span class="w"> </span><span class="nx">oldInsts</span><span class="p">,</span><span class="w"> </span><span class="nx">elibpcap</span><span class="p">.</span><span class="nx">Options</span><span class="p">{</span>
<span class="w"> </span><span class="nx">AtBpf2Bpf</span><span class="p">:</span><span class="w"> </span><span class="s">"pcap_filter"</span><span class="p">,</span>
<span class="w"> </span><span class="nx">PacketAccessMode</span><span class="p">:</span><span class="w"> </span><span class="nx">elibpcap</span><span class="p">.</span><span class="nx">Direct</span><span class="p">,</span>
<span class="w"> </span><span class="nx">L2Skb</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span>
<span class="p">})</span>
<span class="k">if</span><span class="w"> </span><span class="nx">err</span><span class="w"> </span><span class="o">!=</span><span class="w"> </span><span class="kc">nil</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="nx">err</span>
<span class="p">}</span>
<span class="nx">spec</span><span class="p">.</span><span class="nx">Programs</span><span class="p">[</span><span class="s">"sample_prog"</span><span class="p">].</span><span class="nx">Instructions</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="nx">newInsts</span>
</pre></div>
<p>Where:</p>
<ul class="simple">
<li><tt class="docutils literal">AtBpf2Bpf</tt> specifies the name of the <tt class="docutils literal">static __noinline bool <span class="pre">pcap_filter(...)</span></tt> function defined in our eBPF program.</li>
<li><tt class="docutils literal">PacketAccessMode</tt> specifies how elibpcap should read the skb data passed to the <tt class="docutils literal">pcap_filter</tt> function in our eBPF program when generating bytecode.
Values are:<ul>
<li><tt class="docutils literal">elibpcap.Direct</tt>: Uses <a class="reference external" href="https://docs.kernel.org/bpf/verifier.html#direct-packet-access">direct access</a>
to read data, i.e., direct pointer operations.</li>
<li><tt class="docutils literal">elibpcap.BpfProbeReadKernel</tt>: Uses the helper function <tt class="docutils literal">bpf_probe_read_kernel</tt> to read data.</li>
<li><tt class="docutils literal">elibpcap.BpfSkbLoadBytes</tt>: Uses the helper function <tt class="docutils literal">bpf_skb_load_bytes</tt> to read data.</li>
</ul>
</li>
<li><tt class="docutils literal">L2Skb</tt> specifies if the skb data passed to the <tt class="docutils literal">pcap_filter</tt> function in our eBPF program includes L2 (link layer) related data.</li>
</ul>
<ol class="arabic" start="3">
<li><p class="first">Finally, because elibpcap depends on libpcap, you need to enable CGO during compilation:</p>
<ul>
<li><p class="first">Static linking example:</p>
<pre class="literal-block">
CGO_CFLAGS="-I/path/to/libpcap/include" \
CGO_LDFLAGS="-L/path/to/libpcap/lib -lpcap /path/to/libpcap.a" \
CGO_ENABLED=1 go build -o main \
-tags static -ldflags "-linkmode 'external' -extldflags '-static'"
</pre>
</li>
<li><p class="first">Dynamic linking example:</p>
<pre class="literal-block">
CGO_ENABLED=1 go build -o main -tags dynamic
</pre>
</li>
</ul>
</li>
</ol>
<p>The following sections will show how to integrate elibpcap with examples for different common eBPF program types.</p>
</div>
<div class="section" id="tc-tcx">
<h3 id="hidtc-tcx">tc/tcx<a class="headerlink" href="#hidtc-tcx" title="Permalink to this headline">¶</a></h3>
<p>Below are the changes required in the tc eBPF program:</p>
<div class="highlight"><pre><span></span><span class="c1">// add this</span>
<span class="k">static</span><span class="w"> </span><span class="n">__noinline</span><span class="w"> </span><span class="kt">bool</span><span class="w"> </span><span class="n">pcap_filter</span><span class="p">(</span><span class="kt">void</span><span class="w"> </span><span class="o">*</span><span class="n">_skb</span><span class="p">,</span><span class="w"> </span><span class="kt">void</span><span class="w"> </span><span class="o">*</span><span class="n">__skb</span><span class="p">,</span><span class="w"> </span><span class="kt">void</span><span class="w"> </span><span class="o">*</span><span class="n">___skb</span><span class="p">,</span><span class="w"> </span><span class="kt">void</span><span class="w"> </span><span class="o">*</span><span class="n">data</span><span class="p">,</span><span class="w"> </span><span class="kt">void</span><span class="w"> </span><span class="o">*</span><span class="n">data_end</span><span class="p">)</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="n">data</span><span class="w"> </span><span class="o">!=</span><span class="w"> </span><span class="n">data_end</span><span class="w"> </span><span class="o">&&</span><span class="w"> </span><span class="n">_skb</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="n">__skb</span><span class="w"> </span><span class="o">&&</span><span class="w"> </span><span class="n">__skb</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="n">___skb</span><span class="p">;</span>
<span class="p">}</span>
<span class="n">SEC</span><span class="p">(</span><span class="s">"tc"</span><span class="p">)</span>
<span class="kt">int</span><span class="w"> </span><span class="n">sample_prog</span><span class="p">(</span><span class="k">struct</span><span class="w"> </span><span class="nc">__sk_buff</span><span class="w"> </span><span class="o">*</span><span class="n">skb</span><span class="p">){</span>
<span class="w"> </span><span class="n">bpf_skb_pull_data</span><span class="p">(</span><span class="n">skb</span><span class="p">,</span><span class="w"> </span><span class="mi">0</span><span class="p">);</span>
<span class="w"> </span><span class="kt">void</span><span class="w"> </span><span class="o">*</span><span class="n">data</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">(</span><span class="kt">void</span><span class="w"> </span><span class="o">*</span><span class="p">)(</span><span class="kt">long</span><span class="p">)</span><span class="n">skb</span><span class="o">-></span><span class="n">data</span><span class="p">;</span>
<span class="w"> </span><span class="kt">void</span><span class="w"> </span><span class="o">*</span><span class="n">data_end</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">(</span><span class="kt">void</span><span class="w"> </span><span class="o">*</span><span class="p">)(</span><span class="kt">long</span><span class="p">)</span><span class="n">skb</span><span class="o">-></span><span class="n">data_end</span><span class="p">;</span>
<span class="w"> </span><span class="c1">// add this</span>
<span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="o">!</span><span class="n">pcap_filter</span><span class="p">((</span><span class="kt">void</span><span class="w"> </span><span class="o">*</span><span class="p">)</span><span class="n">skb</span><span class="p">,</span><span class="w"> </span><span class="p">(</span><span class="kt">void</span><span class="w"> </span><span class="o">*</span><span class="p">)</span><span class="n">skb</span><span class="p">,</span><span class="w"> </span><span class="p">(</span><span class="kt">void</span><span class="w"> </span><span class="o">*</span><span class="p">)</span><span class="n">skb</span><span class="p">,</span><span class="w"> </span><span class="n">data</span><span class="p">,</span><span class="w"> </span><span class="n">data_end</span><span class="p">))</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="n">bpf_printk</span><span class="p">(</span><span class="s">"pcap_filter not match"</span><span class="p">);</span>
<span class="w"> </span><span class="k">goto</span><span class="w"> </span><span class="n">out</span><span class="p">;</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="n">bpf_printk</span><span class="p">(</span><span class="s">"Hello from tc after pcap filter"</span><span class="p">);</span>
<span class="nl">out</span><span class="p">:</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="n">TC_ACT_UNSPEC</span><span class="p">;</span>
<span class="p">}</span>
</pre></div>
<p>The main changes are:</p>
<ol class="arabic simple">
<li>Added a <tt class="docutils literal">pcap_filter</tt> function.</li>
<li>Added an <tt class="docutils literal">if <span class="pre">(!pcap_filter((void</span> *)skb, (void *)skb, (void *)skb, data, data_end))</tt> check.</li>
</ol>
<p>Below are the corresponding changes required in the Go program:</p>
<div class="highlight"><pre><span></span><span class="kd">func</span><span class="w"> </span><span class="nx">injectFilter</span><span class="p">(</span><span class="nx">spec</span><span class="w"> </span><span class="o">*</span><span class="nx">ebpf</span><span class="p">.</span><span class="nx">CollectionSpec</span><span class="p">,</span><span class="w"> </span><span class="nx">expr</span><span class="w"> </span><span class="kt">string</span><span class="p">)</span><span class="w"> </span><span class="kt">error</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="nx">expr</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="s">""</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="kc">nil</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="nx">log</span><span class="p">.</span><span class="nx">Printf</span><span class="p">(</span><span class="s">"inject pcap filter: %s"</span><span class="p">,</span><span class="w"> </span><span class="nx">expr</span><span class="p">)</span>
<span class="w"> </span><span class="c1">// add this</span>
<span class="w"> </span><span class="nx">oldInsts</span><span class="w"> </span><span class="o">:=</span><span class="w"> </span><span class="nx">spec</span><span class="p">.</span><span class="nx">Programs</span><span class="p">[</span><span class="s">"sample_prog"</span><span class="p">].</span><span class="nx">Instructions</span>
<span class="w"> </span><span class="nx">newInsts</span><span class="p">,</span><span class="w"> </span><span class="nx">err</span><span class="w"> </span><span class="o">:=</span><span class="w"> </span><span class="nx">elibpcap</span><span class="p">.</span><span class="nx">Inject</span><span class="p">(</span><span class="nx">expr</span><span class="p">,</span><span class="w"> </span><span class="nx">oldInsts</span><span class="p">,</span><span class="w"> </span><span class="nx">elibpcap</span><span class="p">.</span><span class="nx">Options</span><span class="p">{</span>
<span class="w"> </span><span class="nx">AtBpf2Bpf</span><span class="p">:</span><span class="w"> </span><span class="s">"pcap_filter"</span><span class="p">,</span>
<span class="w"> </span><span class="nx">PacketAccessMode</span><span class="p">:</span><span class="w"> </span><span class="nx">elibpcap</span><span class="p">.</span><span class="nx">Direct</span><span class="p">,</span>
<span class="w"> </span><span class="nx">L2Skb</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span>
<span class="w"> </span><span class="p">})</span>
<span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="nx">err</span><span class="w"> </span><span class="o">!=</span><span class="w"> </span><span class="kc">nil</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="nx">err</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="nx">spec</span><span class="p">.</span><span class="nx">Programs</span><span class="p">[</span><span class="s">"sample_prog"</span><span class="p">].</span><span class="nx">Instructions</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="nx">newInsts</span>
<span class="w"> </span><span class="c1">// end</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="kc">nil</span>
<span class="p">}</span>
<span class="c1">// add this</span>
<span class="k">if</span><span class="w"> </span><span class="nx">err</span><span class="w"> </span><span class="o">:=</span><span class="w"> </span><span class="nx">injectFilter</span><span class="p">(</span><span class="nx">spec</span><span class="p">,</span><span class="w"> </span><span class="nx">expr</span><span class="p">);</span><span class="w"> </span><span class="nx">err</span><span class="w"> </span><span class="o">!=</span><span class="w"> </span><span class="kc">nil</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="nx">log</span><span class="p">.</span><span class="nx">Fatal</span><span class="p">(</span><span class="nx">err</span><span class="p">)</span>
<span class="p">}</span>
<span class="k">if</span><span class="w"> </span><span class="nx">err</span><span class="w"> </span><span class="o">:=</span><span class="w"> </span><span class="nx">spec</span><span class="p">.</span><span class="nx">LoadAndAssign</span><span class="p">(</span><span class="o">&</span><span class="nx">objs</span><span class="p">,</span><span class="w"> </span><span class="kc">nil</span><span class="p">);</span><span class="w"> </span><span class="nx">err</span><span class="w"> </span><span class="o">!=</span><span class="w"> </span><span class="kc">nil</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="c1">// ...</span>
<span class="p">}</span>
</pre></div>
<p>See the complete example program: <a class="reference external" href="https://github.com/mozillazg/elibpcap-examples/tree/master/tc">tc</a></p>
</div>
<div class="section" id="xdp">
<h3 id="hidxdp">xdp<a class="headerlink" href="#hidxdp" title="Permalink to this headline">¶</a></h3>
<p>The modifications needed to integrate pcap-filter capability into XDP programs are basically the same as for tc/tcx programs.</p>
<ol class="arabic simple">
<li>c program:</li>
</ol>
<div class="highlight"><pre><span></span><span class="n">SEC</span><span class="p">(</span><span class="s">"xdp"</span><span class="p">)</span>
<span class="kt">int</span><span class="w"> </span><span class="n">sample_prog</span><span class="p">(</span><span class="k">struct</span><span class="w"> </span><span class="nc">xdp_md</span><span class="w"> </span><span class="o">*</span><span class="n">ctx</span><span class="p">){</span>
<span class="w"> </span><span class="c1">// ...</span>
<span class="w"> </span><span class="kt">void</span><span class="w"> </span><span class="o">*</span><span class="n">data</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">(</span><span class="kt">void</span><span class="w"> </span><span class="o">*</span><span class="p">)(</span><span class="kt">long</span><span class="p">)</span><span class="n">ctx</span><span class="o">-></span><span class="n">data</span><span class="p">;</span>
<span class="w"> </span><span class="kt">void</span><span class="w"> </span><span class="o">*</span><span class="n">data_end</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">(</span><span class="kt">void</span><span class="w"> </span><span class="o">*</span><span class="p">)(</span><span class="kt">long</span><span class="p">)</span><span class="n">ctx</span><span class="o">-></span><span class="n">data_end</span><span class="p">;</span>
<span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="o">!</span><span class="n">pcap_filter</span><span class="p">((</span><span class="kt">void</span><span class="w"> </span><span class="o">*</span><span class="p">)</span><span class="n">ctx</span><span class="p">,</span><span class="w"> </span><span class="p">(</span><span class="kt">void</span><span class="w"> </span><span class="o">*</span><span class="p">)</span><span class="n">ctx</span><span class="p">,</span><span class="w"> </span><span class="p">(</span><span class="kt">void</span><span class="w"> </span><span class="o">*</span><span class="p">)</span><span class="n">ctx</span><span class="p">,</span><span class="w"> </span><span class="n">data</span><span class="p">,</span><span class="w"> </span><span class="n">data_end</span><span class="p">))</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="n">bpf_printk</span><span class="p">(</span><span class="s">"pcap_filter not match"</span><span class="p">);</span>
<span class="w"> </span><span class="k">goto</span><span class="w"> </span><span class="n">out</span><span class="p">;</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="c1">// ...</span>
<span class="p">}</span>
</pre></div>
<ol class="arabic simple" start="2">
<li>go program:</li>
</ol>
<div class="highlight"><pre><span></span><span class="kd">func</span><span class="w"> </span><span class="nx">injectFilter</span><span class="p">(</span><span class="nx">spec</span><span class="w"> </span><span class="o">*</span><span class="nx">ebpf</span><span class="p">.</span><span class="nx">CollectionSpec</span><span class="p">,</span><span class="w"> </span><span class="nx">expr</span><span class="w"> </span><span class="kt">string</span><span class="p">)</span><span class="w"> </span><span class="kt">error</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="c1">// ...</span>
<span class="w"> </span><span class="nx">oldInsts</span><span class="w"> </span><span class="o">:=</span><span class="w"> </span><span class="nx">spec</span><span class="p">.</span><span class="nx">Programs</span><span class="p">[</span><span class="s">"sample_prog"</span><span class="p">].</span><span class="nx">Instructions</span>
<span class="w"> </span><span class="nx">newInsts</span><span class="p">,</span><span class="w"> </span><span class="nx">err</span><span class="w"> </span><span class="o">:=</span><span class="w"> </span><span class="nx">elibpcap</span><span class="p">.</span><span class="nx">Inject</span><span class="p">(</span><span class="nx">expr</span><span class="p">,</span><span class="w"> </span><span class="nx">oldInsts</span><span class="p">,</span><span class="w"> </span><span class="nx">elibpcap</span><span class="p">.</span><span class="nx">Options</span><span class="p">{</span>
<span class="w"> </span><span class="nx">AtBpf2Bpf</span><span class="p">:</span><span class="w"> </span><span class="s">"pcap_filter"</span><span class="p">,</span>
<span class="w"> </span><span class="nx">PacketAccessMode</span><span class="p">:</span><span class="w"> </span><span class="nx">elibpcap</span><span class="p">.</span><span class="nx">Direct</span><span class="p">,</span>
<span class="w"> </span><span class="nx">L2Skb</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span>
<span class="w"> </span><span class="p">})</span>
<span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="nx">err</span><span class="w"> </span><span class="o">!=</span><span class="w"> </span><span class="kc">nil</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="nx">err</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="nx">spec</span><span class="p">.</span><span class="nx">Programs</span><span class="p">[</span><span class="s">"sample_prog"</span><span class="p">].</span><span class="nx">Instructions</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="nx">newInsts</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="kc">nil</span>
<span class="p">}</span>
<span class="c1">// ...</span>
</pre></div>
<p>See the complete example program: <a class="reference external" href="https://github.com/mozillazg/elibpcap-examples/tree/master/xdp">xdp</a></p>
</div>
<div class="section" id="cgroup-skb">
<h3 id="hidcgroup-skb">cgroup-skb<a class="headerlink" href="#hidcgroup-skb" title="Permalink to this headline">¶</a></h3>
<p>The modifications needed for cgroup-skb programs are also basically the same as those for the previous tc/tcx/xdp programs.</p>
<ol class="arabic simple">
<li>c program:</li>
</ol>
<div class="highlight"><pre><span></span><span class="n">SEC</span><span class="p">(</span><span class="s">"cgroup_skb/egress"</span><span class="p">)</span>
<span class="kt">int</span><span class="w"> </span><span class="n">sample_prog</span><span class="p">(</span><span class="k">struct</span><span class="w"> </span><span class="nc">__sk_buff</span><span class="w"> </span><span class="o">*</span><span class="n">skb</span><span class="p">){</span>
<span class="w"> </span><span class="kt">void</span><span class="w"> </span><span class="o">*</span><span class="n">data</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">(</span><span class="kt">void</span><span class="w"> </span><span class="o">*</span><span class="p">)(</span><span class="kt">long</span><span class="p">)</span><span class="n">skb</span><span class="o">-></span><span class="n">data</span><span class="p">;</span>
<span class="w"> </span><span class="kt">void</span><span class="w"> </span><span class="o">*</span><span class="n">data_end</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">(</span><span class="kt">void</span><span class="w"> </span><span class="o">*</span><span class="p">)(</span><span class="kt">long</span><span class="p">)</span><span class="n">skb</span><span class="o">-></span><span class="n">data_end</span><span class="p">;</span>
<span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="o">!</span><span class="n">pcap_filter</span><span class="p">((</span><span class="kt">void</span><span class="w"> </span><span class="o">*</span><span class="p">)</span><span class="n">skb</span><span class="p">,</span><span class="w"> </span><span class="p">(</span><span class="kt">void</span><span class="w"> </span><span class="o">*</span><span class="p">)</span><span class="n">skb</span><span class="p">,</span><span class="w"> </span><span class="p">(</span><span class="kt">void</span><span class="w"> </span><span class="o">*</span><span class="p">)</span><span class="n">skb</span><span class="p">,</span><span class="w"> </span><span class="n">data</span><span class="p">,</span><span class="w"> </span><span class="n">data_end</span><span class="p">))</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="k">goto</span><span class="w"> </span><span class="n">out</span><span class="p">;</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="c1">// ...</span>
<span class="p">}</span>
</pre></div>
<ol class="arabic simple" start="2">
<li>go program:</li>
</ol>
<div class="highlight"><pre><span></span><span class="kd">func</span><span class="w"> </span><span class="nx">injectFilter</span><span class="p">(</span><span class="nx">spec</span><span class="w"> </span><span class="o">*</span><span class="nx">ebpf</span><span class="p">.</span><span class="nx">CollectionSpec</span><span class="p">,</span><span class="w"> </span><span class="nx">expr</span><span class="w"> </span><span class="kt">string</span><span class="p">)</span><span class="w"> </span><span class="kt">error</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="c1">// ...</span>
<span class="w"> </span><span class="nx">oldInsts</span><span class="w"> </span><span class="o">:=</span><span class="w"> </span><span class="nx">spec</span><span class="p">.</span><span class="nx">Programs</span><span class="p">[</span><span class="s">"sample_prog"</span><span class="p">].</span><span class="nx">Instructions</span>
<span class="w"> </span><span class="nx">newInsts</span><span class="p">,</span><span class="w"> </span><span class="nx">err</span><span class="w"> </span><span class="o">:=</span><span class="w"> </span><span class="nx">elibpcap</span><span class="p">.</span><span class="nx">Inject</span><span class="p">(</span><span class="nx">expr</span><span class="p">,</span><span class="w"> </span><span class="nx">oldInsts</span><span class="p">,</span><span class="w"> </span><span class="nx">elibpcap</span><span class="p">.</span><span class="nx">Options</span><span class="p">{</span>
<span class="w"> </span><span class="nx">AtBpf2Bpf</span><span class="p">:</span><span class="w"> </span><span class="s">"pcap_filter"</span><span class="p">,</span>
<span class="w"> </span><span class="nx">PacketAccessMode</span><span class="p">:</span><span class="w"> </span><span class="nx">elibpcap</span><span class="p">.</span><span class="nx">Direct</span><span class="p">,</span>
<span class="w"> </span><span class="nx">L2Skb</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="p">,</span>
<span class="w"> </span><span class="p">})</span>
<span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="nx">err</span><span class="w"> </span><span class="o">!=</span><span class="w"> </span><span class="kc">nil</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="nx">err</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="nx">spec</span><span class="p">.</span><span class="nx">Programs</span><span class="p">[</span><span class="s">"sample_prog"</span><span class="p">].</span><span class="nx">Instructions</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="nx">newInsts</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="kc">nil</span>
<span class="p">}</span>
</pre></div>
<p>One point to note: Because the skb data in cgroup-skb programs does not contain L2 data, set <tt class="docutils literal">L2Skb: false</tt> here.</p>
<p>See the complete example program: <a class="reference external" href="https://github.com/mozillazg/elibpcap-examples/tree/master/cgroup-skb">cgroup-skb</a></p>
</div>
<div class="section" id="kprobe-fentry-tracepoint">
<h3 id="hidkprobe-fentry-tracepoint">kprobe/fentry/tracepoint<a class="headerlink" href="#hidkprobe-fentry-tracepoint" title="Permalink to this headline">¶</a></h3>
<p>elibpcap hides the data reading differences between kprobe/fentry/tracepoint programs and
the tc/tcx/xdp programs mentioned earlier. This allows us to integrate them in a mostly consistent way.</p>
<ol class="arabic simple">
<li>c program:</li>
</ol>
<div class="highlight"><pre><span></span><span class="n">SEC</span><span class="p">(</span><span class="s">"kprobe/__dev_queue_xmit"</span><span class="p">)</span>
<span class="kt">int</span><span class="w"> </span><span class="n">BPF_KPROBE</span><span class="p">(</span><span class="n">sample_prog</span><span class="p">,</span><span class="w"> </span><span class="k">struct</span><span class="w"> </span><span class="nc">sk_buff</span><span class="w"> </span><span class="o">*</span><span class="n">skb</span><span class="p">){</span>
<span class="w"> </span><span class="kt">void</span><span class="w"> </span><span class="o">*</span><span class="n">skb_head</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">BPF_CORE_READ</span><span class="p">(</span><span class="n">skb</span><span class="p">,</span><span class="w"> </span><span class="n">head</span><span class="p">);</span>
<span class="w"> </span><span class="kt">void</span><span class="w"> </span><span class="o">*</span><span class="n">data</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">skb_head</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">BPF_CORE_READ</span><span class="p">(</span><span class="n">skb</span><span class="p">,</span><span class="w"> </span><span class="n">network_header</span><span class="p">);</span>
<span class="w"> </span><span class="kt">void</span><span class="w"> </span><span class="o">*</span><span class="n">data_end</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">skb_head</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">BPF_CORE_READ</span><span class="p">(</span><span class="n">skb</span><span class="p">,</span><span class="w"> </span><span class="n">tail</span><span class="p">);</span>
<span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="o">!</span><span class="n">pcap_filter</span><span class="p">((</span><span class="kt">void</span><span class="w"> </span><span class="o">*</span><span class="p">)</span><span class="n">skb</span><span class="p">,</span><span class="w"> </span><span class="p">(</span><span class="kt">void</span><span class="w"> </span><span class="o">*</span><span class="p">)</span><span class="n">skb</span><span class="p">,</span><span class="w"> </span><span class="p">(</span><span class="kt">void</span><span class="w"> </span><span class="o">*</span><span class="p">)</span><span class="n">skb</span><span class="p">,</span><span class="w"> </span><span class="n">data</span><span class="p">,</span><span class="w"> </span><span class="n">data_end</span><span class="p">))</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="k">goto</span><span class="w"> </span><span class="n">out</span><span class="p">;</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="c1">// ...</span>
<span class="p">}</span>
</pre></div>
<ol class="arabic simple" start="2">
<li>go program:</li>
</ol>
<div class="highlight"><pre><span></span><span class="kd">func</span><span class="w"> </span><span class="nx">injectFilter</span><span class="p">(</span><span class="nx">spec</span><span class="w"> </span><span class="o">*</span><span class="nx">ebpf</span><span class="p">.</span><span class="nx">CollectionSpec</span><span class="p">,</span><span class="w"> </span><span class="nx">expr</span><span class="w"> </span><span class="kt">string</span><span class="p">)</span><span class="w"> </span><span class="kt">error</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="c1">// ...</span>
<span class="w"> </span><span class="nx">oldInsts</span><span class="w"> </span><span class="o">:=</span><span class="w"> </span><span class="nx">spec</span><span class="p">.</span><span class="nx">Programs</span><span class="p">[</span><span class="s">"sample_prog"</span><span class="p">].</span><span class="nx">Instructions</span>
<span class="w"> </span><span class="nx">newInsts</span><span class="p">,</span><span class="w"> </span><span class="nx">err</span><span class="w"> </span><span class="o">:=</span><span class="w"> </span><span class="nx">elibpcap</span><span class="p">.</span><span class="nx">Inject</span><span class="p">(</span><span class="nx">expr</span><span class="p">,</span><span class="w"> </span><span class="nx">oldInsts</span><span class="p">,</span><span class="w"> </span><span class="nx">elibpcap</span><span class="p">.</span><span class="nx">Options</span><span class="p">{</span>
<span class="w"> </span><span class="nx">AtBpf2Bpf</span><span class="p">:</span><span class="w"> </span><span class="s">"pcap_filter"</span><span class="p">,</span>
<span class="w"> </span><span class="nx">PacketAccessMode</span><span class="p">:</span><span class="w"> </span><span class="nx">elibpcap</span><span class="p">.</span><span class="nx">BpfProbeReadKernel</span><span class="p">,</span>
<span class="w"> </span><span class="nx">L2Skb</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="p">,</span>
<span class="w"> </span><span class="p">})</span>
<span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="nx">err</span><span class="w"> </span><span class="o">!=</span><span class="w"> </span><span class="kc">nil</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="nx">err</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="nx">spec</span><span class="p">.</span><span class="nx">Programs</span><span class="p">[</span><span class="s">"sample_prog"</span><span class="p">].</span><span class="nx">Instructions</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="nx">newInsts</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="kc">nil</span>
<span class="p">}</span>
<span class="c1">// ...</span>
</pre></div>
<p>Here are two things to note:</p>
<ol class="arabic simple">
<li>Because kprobe programs cannot read packet data from <cite>skb</cite> using "direct packet access",
So we set <tt class="docutils literal">PacketAccessMode: elibpcap.BpfProbeReadKernel</tt> to read data using <tt class="docutils literal">bpf_probe_read_kernel</tt>.</li>
<li>Because our kprobe program checks L3 data,
we need to set <tt class="docutils literal">L2Skb: false</tt> here.</li>
</ol>
<p>See the complete example program:
<a class="reference external" href="https://github.com/mozillazg/elibpcap-examples/tree/master/kprobe">kprobe</a> ,
<a class="reference external" href="https://github.com/mozillazg/elibpcap-examples/tree/master/fentry">fentry</a> ,
<a class="reference external" href="https://github.com/mozillazg/elibpcap-examples/tree/master/tracepoint">tracepoint</a></p>
</div>
<div class="section" id="socket-filter">
<h3 id="hidsocket-filter">socket filter<a class="headerlink" href="#hidsocket-filter" title="Permalink to this headline">¶</a></h3>
<p>A limitation of socket filter programs is they cannot read packets using direct access or bpf_probe_read_kernel.
They can only read packets using methods similar to bpf_skb_load_bytes.</p>
<p>Below is example code for integrating elibpcap with socket filter programs:</p>
<ol class="arabic simple">
<li>c program:</li>
</ol>
<div class="highlight"><pre><span></span><span class="n">SEC</span><span class="p">(</span><span class="s">"socket"</span><span class="p">)</span>
<span class="kt">int</span><span class="w"> </span><span class="n">sample_prog</span><span class="p">(</span><span class="k">struct</span><span class="w"> </span><span class="nc">__sk_buff</span><span class="w"> </span><span class="o">*</span><span class="n">skb</span><span class="p">){</span>
<span class="w"> </span><span class="kt">void</span><span class="w"> </span><span class="o">*</span><span class="n">data</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">(</span><span class="kt">void</span><span class="w"> </span><span class="o">*</span><span class="p">)(</span><span class="kt">long</span><span class="p">)</span><span class="n">skb</span><span class="p">;</span>
<span class="w"> </span><span class="kt">char</span><span class="w"> </span><span class="n">dummy</span><span class="p">[</span><span class="mi">1</span><span class="p">];</span>
<span class="w"> </span><span class="n">bpf_skb_load_bytes</span><span class="p">(</span><span class="n">skb</span><span class="p">,</span><span class="w"> </span><span class="mi">0</span><span class="p">,</span><span class="w"> </span><span class="o">&</span><span class="n">dummy</span><span class="p">,</span><span class="w"> </span><span class="k">sizeof</span><span class="p">(</span><span class="n">dummy</span><span class="p">));</span>
<span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="o">!</span><span class="n">pcap_filter</span><span class="p">((</span><span class="kt">void</span><span class="w"> </span><span class="o">*</span><span class="p">)</span><span class="n">skb</span><span class="p">,</span><span class="w"> </span><span class="p">(</span><span class="kt">void</span><span class="w"> </span><span class="o">*</span><span class="p">)</span><span class="n">skb</span><span class="p">,</span><span class="w"> </span><span class="p">(</span><span class="kt">void</span><span class="w"> </span><span class="o">*</span><span class="p">)</span><span class="n">skb</span><span class="p">,</span><span class="w"> </span><span class="p">(</span><span class="kt">void</span><span class="w"> </span><span class="o">*</span><span class="p">)</span><span class="n">data</span><span class="p">,</span><span class="w"> </span><span class="p">(</span><span class="kt">void</span><span class="w"> </span><span class="o">*</span><span class="p">)</span><span class="n">dummy</span><span class="p">))</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="k">goto</span><span class="w"> </span><span class="n">out</span><span class="p">;</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="c1">// ...</span>
<span class="p">}</span>
</pre></div>
<ol class="arabic simple" start="2">
<li>go program:</li>
</ol>
<div class="highlight"><pre><span></span><span class="kd">func</span><span class="w"> </span><span class="nx">injectFilter</span><span class="p">(</span><span class="nx">spec</span><span class="w"> </span><span class="o">*</span><span class="nx">ebpf</span><span class="p">.</span><span class="nx">CollectionSpec</span><span class="p">,</span><span class="w"> </span><span class="nx">expr</span><span class="w"> </span><span class="kt">string</span><span class="p">)</span><span class="w"> </span><span class="kt">error</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="c1">// ...</span>
<span class="w"> </span><span class="nx">oldInsts</span><span class="w"> </span><span class="o">:=</span><span class="w"> </span><span class="nx">spec</span><span class="p">.</span><span class="nx">Programs</span><span class="p">[</span><span class="s">"sample_prog"</span><span class="p">].</span><span class="nx">Instructions</span>
<span class="w"> </span><span class="nx">newInsts</span><span class="p">,</span><span class="w"> </span><span class="nx">err</span><span class="w"> </span><span class="o">:=</span><span class="w"> </span><span class="nx">elibpcap</span><span class="p">.</span><span class="nx">Inject</span><span class="p">(</span><span class="nx">expr</span><span class="p">,</span><span class="w"> </span><span class="nx">oldInsts</span><span class="p">,</span><span class="w"> </span><span class="nx">elibpcap</span><span class="p">.</span><span class="nx">Options</span><span class="p">{</span>
<span class="w"> </span><span class="nx">AtBpf2Bpf</span><span class="p">:</span><span class="w"> </span><span class="s">"pcap_filter"</span><span class="p">,</span>
<span class="w"> </span><span class="nx">PacketAccessMode</span><span class="p">:</span><span class="w"> </span><span class="nx">elibpcap</span><span class="p">.</span><span class="nx">BpfSkbLoadBytes</span><span class="p">,</span>
<span class="w"> </span><span class="nx">L2Skb</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span>
<span class="w"> </span><span class="p">})</span>
<span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="nx">err</span><span class="w"> </span><span class="o">!=</span><span class="w"> </span><span class="kc">nil</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="nx">err</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="nx">spec</span><span class="p">.</span><span class="nx">Programs</span><span class="p">[</span><span class="s">"sample_prog"</span><span class="p">].</span><span class="nx">Instructions</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="nx">newInsts</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="kc">nil</span>
<span class="p">}</span>
<span class="c1">// ...</span>
</pre></div>
<p>Here are three points to note:</p>
<ol class="arabic simple">
<li>We need to use <tt class="docutils literal">bpf_skb_load_bytes</tt> to read data, so <tt class="docutils literal">PacketAccessMode</tt> is set to <tt class="docutils literal">elibpcap.BpfSkbLoadBytes</tt>.</li>
<li>In socket filter programs, we read data directly from skb, not from skb->data. So, data is set to skb.</li>
<li>In socket filter programs, we cannot directly get skb->data_end.
Also, data_end in pcap_filter is just a placeholder variable for allocating a stack variable
when using the <tt class="docutils literal">BpfSkbLoadBytes</tt> access mode.
So, we can directly use a dummy variable as data_end.</li>
</ol>
<p>See the complete example program:
<a class="reference external" href="https://github.com/mozillazg/elibpcap-examples/tree/master/socket-filter">socket-filter</a>.</p>
</div>
</div>
<div class="section" id="conclusion">
<h2 id="hidconclusion">Conclusion<a class="headerlink" href="#hidconclusion" title="Permalink to this headline">¶</a></h2>
<p>If you want to add pcap-filter support to your Go and eBPF network project but don't know where to start,
try integrating the clever and powerful elibpcap project.</p>
</div>
<div class="section" id="references">
<h2 id="hidreferences">References<a class="headerlink" href="#hidreferences" title="Permalink to this headline">¶</a></h2>
<ul class="simple">
<li><a class="reference external" href="https://github.com/jschwinger233/elibpcap">jschwinger233/elibpcap</a></li>
<li><a class="reference external" href="https://github.com/mozillazg/ptcpdump">mozillazg/ptcpdump: Process-aware, eBPF-based tcpdump</a></li>
<li><a class="reference external" href="https://github.com/mozillazg/elibpcap-examples">mozillazg/elibpcap-examples: usage of github.com/jschwinger233/elibpcap</a></li>
<li><a class="reference external" href="https://github.com/jschwinger233/ktcpdump">jschwinger233/ktcpdump</a></li>
</ul>
</div>
ptcpdump v0.27 ~ v0.32 的主要变更内容2025-01-25T00:00:00+00:002025-01-25T00:00:00+00:00mozillazgtag:mozillazg.com,2025-01-25:2025/01/whats-new-ptcpdump-v0.27-v0.32.html<div class="section" id="section-1">
<h2 id="hidsection-1">前言<a class="headerlink" href="#hidsection-1" title="Permalink to this headline">¶</a></h2>
<p>本文将按变更顺序介绍一下 <a class="reference external" href="https://github.com/mozillazg/ptcpdump">ptcpdump</a>
从上次的 <a class="reference external" href="https://mozillazg.com/2024/11/whats-new-ptcpdump-v1.16-v1.26.html">v0.26</a>
之后的 v0.27 版本到最新的 v0.32 版本期间所发布的主要变更内容。</p>
</div>
<div class="section" id="section-2">
<h2 id="hidsection-2">主要变更内容<a class="headerlink" href="#hidsection-2" title="Permalink to this headline">¶</a></h2>
<div class="section" id="q-quiet">
<h3 id="hidq-quiet">新增 -q/--quiet 参数<a class="headerlink" href="#hidq-quiet" title="Permalink to this headline">¶</a></h3>
<p>新增 <tt class="docutils literal"><span class="pre">-q/--quiet</span></tt> 参数用于精简输出内容:</p>
<pre class="literal-block">
13:50:35.524360 lo curl.345650 Out IP 127.0.0.1.58694 > 127.0.0.1.8000: tcp 0, ParentProc [bash.345626]
</pre>
</div>
<div class="section" id="context">
<h3 id="hidcontext">新增 --context 参数<a class="headerlink" href="#hidcontext" title="Permalink to this headline">¶</a></h3>
<p>新增 <tt class="docutils literal"><span class="pre">--context</span></tt> 参数用于指定输出中包含的上下文信息,可以通过这个参数控制只显示特定的上下文信息。</p>
<ul>
<li><p class="first">通过 <tt class="docutils literal"><span class="pre">--context=process</span></tt> 限制只输出进程信息:</p>
<pre class="literal-block">
# --context=process
09:32:09.718892 vethee2a302f wget.3553008 In IP 10.244.0.2.33426 > 139.178.84.217.80: Flags [S], seq 4113492822, win 64240, length 0
# -v --context=process
13:44:41.529003 eth0 In IP (tos 0x4, ttl 45, id 45428, offset 0, flags [DF], proto TCP (6), length 52)
139.178.84.217.443 > 172.19.0.2.42606: Flags [.], cksum 0x5284, seq 3173118145, ack 1385712707, win 118, options [nop,nop,TS val 134560683 ecr 1627716996], length 0
Process (pid 553587, cmd /usr/bin/wget, args wget kernel.org)
</pre>
</li>
<li><p class="first">该参数既支持通过英文逗号分割多个值,也支持多次指定参数的方式指定多个值:</p>
<pre class="literal-block">
# -v --context=process,parentproc
# -v --context=process --context=parentproc
13:44:41.529003 eth0 In IP (tos 0x4, ttl 45, id 45428, offset 0, flags [DF], proto TCP (6), length 52)
139.178.84.217.443 > 172.19.0.2.42606: Flags [.], cksum 0x5284, seq 3173118145, ack 1385712707, win 118, options [nop,nop,TS val 134560683 ecr 1627716996], length 0
Process (pid 553587, cmd /usr/bin/wget, args wget kernel.org)
ParentProc (pid 553296, cmd /bin/sh, args sh)
# -v --context=process,parentproc,container
# -v --context=process --context=parentproc --context=container
13:44:41.529003 eth0 In IP (tos 0x4, ttl 45, id 45428, offset 0, flags [DF], proto TCP (6), length 52)
139.178.84.217.443 > 172.19.0.2.42606: Flags [.], cksum 0x5284, seq 3173118145, ack 1385712707, win 118, options [nop,nop,TS val 134560683 ecr 1627716996], length 0
Process (pid 553587, cmd /usr/bin/wget, args wget kernel.org)
ParentProc (pid 553296, cmd /bin/sh, args sh)
Container (name test, id d9028334568bf75a5a084963a8f98f78c56bba7f45f823b3780a135b71b91e95, image docker.io/library/alpine:3.18, labels {"io.cri-containerd.kind":"container","io.kubernetes.container.name":"test","io.kubernetes.pod.name":"test","io.kubernetes.pod.namespace":"default","io.kubernetes.pod.uid":"9e4bc54b-de48-4b1c-8b9e-54709f67ed0c"})
</pre>
</li>
</ul>
</div>
<div class="section" id="fentry-btf-raw-tracepoint-tcx-ebpf">
<h3 id="hidfentry-btf-raw-tracepoint-tcx-ebpf">在高版本内核中使用 fentry, btf raw tracepoint 以及 tcx ebpf 特性<a class="headerlink" href="#hidfentry-btf-raw-tracepoint-tcx-ebpf" title="Permalink to this headline">¶</a></h3>
<p>当在高版本内核中执行 ptcpdump 程序时,程序将自动使用 fentry 代替 kprobe,
使用 btf raw tracepoint 代替 raw tracepoint, 使用 tcx 代替 tc,
通过使用这些新的 ebpf 特性,优化程序在高版本内核下的性能。</p>
</div>
<div class="section" id="backend">
<h3 id="hidbackend">新增 --backend 参数<a class="headerlink" href="#hidbackend" title="Permalink to this headline">¶</a></h3>
<p>新增 <tt class="docutils literal"><span class="pre">--backend</span></tt> 参数用于指定抓包时使用的技术,默认是使用的 tc/tcx 技术。</p>
</div>
<div class="section" id="backend-cgroup-skb">
<h3 id="hidbackend-cgroup-skb">支持 --backend=cgroup-skb<a class="headerlink" href="#hidbackend-cgroup-skb" title="Permalink to this headline">¶</a></h3>
<p>支持通过 <tt class="docutils literal"><span class="pre">--backend=cgroup-skb</span></tt> 参数指定使用 cgroup-skb ebpf 程序进行抓包。
使用该方式抓取的流量将不包含链路层信息,ptcpdump 输出中的链路层信息将是一个固定的 fake 数据。</p>
</div>
<div class="section" id="openwrt-24-10-x86-64">
<h3 id="hidopenwrt-24-10-x86-64">支持 OpenWrt 24.10 x86-64 系统<a class="headerlink" href="#hidopenwrt-24-10-x86-64" title="Permalink to this headline">¶</a></h3>
<p>根据用户的需求反馈,提升程序兼容性,支持在 OpenWrt 24.10 x86-64 系统中使用 ptcpdump (前提是系统内核在编译时启用 ebpf 和 BTF 相关参数)。</p>
</div>
<div class="section" id="section-3">
<h3 id="hidsection-3">支持在输出中显示线程信息<a class="headerlink" href="#hidsection-3" title="Permalink to this headline">¶</a></h3>
<p>当通过 <tt class="docutils literal"><span class="pre">--backend=cgroup-skb</span></tt> 进行抓包时,新增在输出中显示线程信息:</p>
<pre class="literal-block">
$ sudo ptcpdump -i any --backend cgroup-skb -v port 80
10:18:26.846884 ens33 Out IP (tos 0x0, ttl 64, id 57734, offset 0, flags [DF], proto TCP (6), length 478)
xxx.xxx.xxx.35102 > xxx.xxx.xxx.80: Flags [P.], cksum 0x3381, seq xx:xx, ack xx, win 64240, length 438
Process (pid 113278, cmd /snap/firefox/5437/usr/lib/firefox/firefox, args /snap/firefox/5437/usr/lib/firefox/firefox)
Thread (tid 113438, name Socket Thread)
ParentProc (pid 49607, cmd /usr/bin/xfce4-panel, args xfce4-panel --display :0.0 --sm-client-id xxxx)
</pre>
</div>
<div class="section" id="uid-uid">
<h3 id="hiduid-uid">支持在输出中显示 uid 以及按 uid 抓包<a class="headerlink" href="#hiduid-uid" title="Permalink to this headline">¶</a></h3>
<p>新增在输出中显示 uid 信息:</p>
<pre class="literal-block">
12:37:40.051539 ens33 Out IP (tos 0x0, ttl 64, id 48697, offset 0, flags [DF], proto TCP (6), length 60)
10.0.x.x.42906 > 139.x.x.x.443: Flags [S], cksum 0xecc8, seq 940329637, win 64240, options [mss 1460,sackOK,TS val 3421262256 ecr 0,nop,wscale 7], length 0
Process (pid 99722, cmd /usr/bin/curl, args curl https://kernel.org)
User (uid 1000)
ParentProc (pid 18840, cmd /usr/bin/bash, args -bash)
</pre>
<p>新增支持指定 uid 进行抓包:</p>
<pre class="literal-block">
$ sudo ptcpdump -i any --uid 100 -v port 80
</pre>
<p>如果你对 ptcpdump 有额外的改进或新功能建议,欢迎在评论区或项目 issues 中留言。</p>
</div>
</div>
ptcpdump v0.27 ~ v0.32 的主要变更内容2025-01-25T00:00:00+00:002025-01-25T00:00:00+00:00mozillazgtag:mozillazg.com,2025-01-25:2025/01/whats-new-ptcpdump-v0.27-v0.32-en.html<div class="section" id="introduction">
<h2 id="hidintroduction">Introduction<a class="headerlink" href="#hidintroduction" title="Permalink to this headline">¶</a></h2>
<p>This article introduces the main changes in <a class="reference external" href="https://github.com/mozillazg/ptcpdump">ptcpdump</a>
from v0.27 (after <a class="reference external" href="https://mozillazg.com/2024/11/whats-new-ptcpdump-v1.16-v1.26-en.html">v0.26</a>)
to the latest v0.32, in chronological order.</p>
</div>
<div class="section" id="main-changes">
<h2 id="hidmain-changes">Main Changes<a class="headerlink" href="#hidmain-changes" title="Permalink to this headline">¶</a></h2>
<div class="section" id="add-q-quiet-option">
<h3 id="hidadd-q-quiet-option">Add -q/--quiet option<a class="headerlink" href="#hidadd-q-quiet-option" title="Permalink to this headline">¶</a></h3>
<p>Added the <tt class="docutils literal"><span class="pre">-q/--quiet</span></tt> option to simplify the output:</p>
<pre class="literal-block">
13:50:35.524360 lo curl.345650 Out IP 127.0.0.1.58694 > 127.0.0.1.8000: tcp 0, ParentProc [bash.345626]
</pre>
</div>
<div class="section" id="add-context-option">
<h3 id="hidadd-context-option">Add --context option<a class="headerlink" href="#hidadd-context-option" title="Permalink to this headline">¶</a></h3>
<p>Added the <tt class="docutils literal"><span class="pre">--context</span></tt> option to specify the context information included in the output. This option controls showing only specific context information.</p>
<ul>
<li><p class="first">Use <tt class="docutils literal"><span class="pre">--context=process</span></tt> to restrict output to process information only:</p>
<pre class="literal-block">
# --context=process
09:32:09.718892 vethee2a302f wget.3553008 In IP 10.244.0.2.33426 > 139.178.84.217.80: Flags [S], seq 4113492822, win 64240, length 0
# -v --context=process
13:44:41.529003 eth0 In IP (tos 0x4, ttl 45, id 45428, offset 0, flags [DF], proto TCP (6), length 52)
139.178.84.217.443 > 172.19.0.2.42606: Flags [.], cksum 0x5284, seq 3173118145, ack 1385712707, win 118, options [nop,nop,TS val 134560683 ecr 1627716996], length 0
Process (pid 553587, cmd /usr/bin/wget, args wget kernel.org)
</pre>
</li>
<li><p class="first">This option supports specifying multiple values either by separating them with commas or by specifying the option multiple times:</p>
<pre class="literal-block">
# -v --context=process,parentproc
# -v --context=process --context=parentproc
13:44:41.529003 eth0 In IP (tos 0x4, ttl 45, id 45428, offset 0, flags [DF], proto TCP (6), length 52)
139.178.84.217.443 > 172.19.0.2.42606: Flags [.], cksum 0x5284, seq 3173118145, ack 1385712707, win 118, options [nop,nop,TS val 134560683 ecr 1627716996], length 0
Process (pid 553587, cmd /usr/bin/wget, args wget kernel.org)
ParentProc (pid 553296, cmd /bin/sh, args sh)
# -v --context=process,parentproc,container
# -v --context=process --context=parentproc --context=container
13:44:41.529003 eth0 In IP (tos 0x4, ttl 45, id 45428, offset 0, flags [DF], proto TCP (6), length 52)
139.178.84.217.443 > 172.19.0.2.42606: Flags [.], cksum 0x5284, seq 3173118145, ack 1385712707, win 118, options [nop,nop,TS val 134560683 ecr 1627716996], length 0
Process (pid 553587, cmd /usr/bin/wget, args wget kernel.org)
ParentProc (pid 553296, cmd /bin/sh, args sh)
Container (name test, id d9028334568bf75a5a084963a8f98f78c56bba7f45f823b3780a135b71b91e95, image docker.io/library/alpine:3.18, labels {"io.cri-containerd.kind":"container","io.kubernetes.container.name":"test","io.kubernetes.pod.name":"test","io.kubernetes.pod.namespace":"default","io.kubernetes.pod.uid":"9e4bc54b-de48-4b1c-8b9e-54709f67ed0c"})
</pre>
</li>
</ul>
</div>
<div class="section" id="use-fentry-btf-raw-tracepoint-and-tcx-ebpf-features-on-newer-kernels">
<h3 id="hiduse-fentry-btf-raw-tracepoint-and-tcx-ebpf-features-on-newer-kernels">Use fentry, btf raw tracepoint, and tcx ebpf features on newer kernels<a class="headerlink" href="#hiduse-fentry-btf-raw-tracepoint-and-tcx-ebpf-features-on-newer-kernels" title="Permalink to this headline">¶</a></h3>
<p>When running ptcpdump on newer kernels, the program will automatically use fentry instead of kprobe,
btf raw tracepoint instead of raw tracepoint, and tcx instead of tc.
Using these new ebpf features optimizes performance on newer kernels.</p>
</div>
<div class="section" id="add-backend-option">
<h3 id="hidadd-backend-option">Add --backend option<a class="headerlink" href="#hidadd-backend-option" title="Permalink to this headline">¶</a></h3>
<p>Added the <tt class="docutils literal"><span class="pre">--backend</span></tt> option to specify the technology used for packet capturing. The default is tc/tcx.</p>
</div>
<div class="section" id="support-backend-cgroup-skb">
<h3 id="hidsupport-backend-cgroup-skb">Support --backend=cgroup-skb<a class="headerlink" href="#hidsupport-backend-cgroup-skb" title="Permalink to this headline">¶</a></h3>
<p>It now supports using <tt class="docutils literal"><span class="pre">--backend=cgroup-skb</span></tt> to capture packets using cgroup-skb ebpf programs.
Traffic captured this way will not contain link-layer information; the link-layer information in ptcpdump output will be fixed fake data.</p>
</div>
<div class="section" id="support-openwrt-24-10-x86-64-system">
<h3 id="hidsupport-openwrt-24-10-x86-64-system">Support OpenWrt 24.10 x86-64 system<a class="headerlink" href="#hidsupport-openwrt-24-10-x86-64-system" title="Permalink to this headline">¶</a></h3>
<p>Based on user feedback, program compatibility has been improved to support using ptcpdump on OpenWrt 24.10 x86-64 systems (provided the system kernel was compiled with ebpf and BTF parameters enabled).</p>
</div>
<div class="section" id="support-displaying-thread-information-in-output">
<h3 id="hidsupport-displaying-thread-information-in-output">Support displaying thread information in output<a class="headerlink" href="#hidsupport-displaying-thread-information-in-output" title="Permalink to this headline">¶</a></h3>
<p>When capturing packets using <tt class="docutils literal"><span class="pre">--backend=cgroup-skb</span></tt>, thread information is now displayed in the output:</p>
<pre class="literal-block">
$ sudo ptcpdump -i any --backend cgroup-skb -v port 80
10:18:26.846884 ens33 Out IP (tos 0x0, ttl 64, id 57734, offset 0, flags [DF], proto TCP (6), length 478)
xxx.xxx.xxx.35102 > xxx.xxx.xxx.80: Flags [P.], cksum 0x3381, seq xx:xx, ack xx, win 64240, length 438
Process (pid 113278, cmd /snap/firefox/5437/usr/lib/firefox/firefox, args /snap/firefox/5437/usr/lib/firefox/firefox)
Thread (tid 113438, name Socket Thread)
ParentProc (pid 49607, cmd /usr/bin/xfce4-panel, args xfce4-panel --display :0.0 --sm-client-id xxxx)
</pre>
</div>
<div class="section" id="support-displaying-uid-in-output-and-capturing-by-uid">
<h3 id="hidsupport-displaying-uid-in-output-and-capturing-by-uid">Support displaying UID in output and capturing by UID<a class="headerlink" href="#hidsupport-displaying-uid-in-output-and-capturing-by-uid" title="Permalink to this headline">¶</a></h3>
<p>It now supports displaying UID information in the output:</p>
<pre class="literal-block">
12:37:40.051539 ens33 Out IP (tos 0x0, ttl 64, id 48697, offset 0, flags [DF], proto TCP (6), length 60)
10.0.x.x.42906 > 139.x.x.x.443: Flags [S], cksum 0xecc8, seq 940329637, win 64240, options [mss 1460,sackOK,TS val 3421262256 ecr 0,nop,wscale 7], length 0
Process (pid 99722, cmd /usr/bin/curl, args curl https://kernel.org)
User (uid 1000)
ParentProc (pid 18840, cmd /usr/bin/bash, args -bash)
</pre>
<p>It now supports specifying a UID for packet capturing:</p>
<pre class="literal-block">
$ sudo ptcpdump -i any --uid 100 -v port 80
</pre>
<p>If you have additional improvements or new feature suggestions for ptcpdump,
feel free to leave a message in the comments or project issues.</p>
</div>
</div>
Workload Identity Federation for GKE 特性探索2025-01-05T00:00:00+00:002025-01-05T00:00:00+00:00mozillazgtag:mozillazg.com,2025-01-05:2025/01/security-deep-dive-into-gcp-workload-identity-federation-for-gke-feature.html<p>本文将简单探索一下前段时间 GKE 官宣的名为 <a class="reference external" href="https://cloud.google.com/blog/products/identity-security/make-iam-for-gke-easier-to-use-with-workload-identity-federation">Workload Identity Federation for GKE</a> 的特性。</p>
<div class="section" id="section-1">
<h2 id="hidsection-1">功能介绍<a class="headerlink" href="#hidsection-1" title="Permalink to this headline">¶</a></h2>
<p>Workload Identity Federation for GKE 是原有的 GKE Workload Identity 特性的改进版本,
核心的改进是减少了需要配置的信息,提升了用户体验。</p>
</div>
<div class="section" id="section-2">
<h2 id="hidsection-2">使用方法<a class="headerlink" href="#hidsection-2" title="Permalink to this headline">¶</a></h2>
<p>可以通过下面几个步骤体验该特性:</p>
<ol class="arabic">
<li><p class="first">创建一个启用 Workload Identity Federation for GKE 特性的 GKE 集群。具体启用位置是:创建集群 - 安全 - 启用 Workload Identity。</p>
</li>
<li><p class="first">为测试应用使用的 service account 关联 iam 角色,一个 service account 可以关联多个角色。比如:</p>
<pre class="literal-block">
$ kubectl create ns demo-ns
$ kubectl -n demo-ns create serviceaccount demo-sa
$ gcloud projects add-iam-policy-binding projects/test-gke-XXX \
--role=roles/container.clusterViewer \
--member=principal://iam.googleapis.com/projects/23182XXXXXXX/locations/global/workloadIdentityPools/test-gke-XXXXXX.svc.id.goog/subject/ns/<namespace-name>/sa/<service-account-name> \
--condition=None
$ gcloud storage buckets add-iam-policy-binding gs://<bucket-name> \
--role=roles/storage.objectViewer \
--member=principal://iam.googleapis.com/projects/23182XXXXXXX/locations/global/workloadIdentityPools/test-gke-XXXXXX.svc.id.goog/subject/ns/<namespace-name>/sa/<service-account-name> \
--condition=None
</pre>
</li>
<li><p class="first">部署测试应用,测试应用的 pod 需要使用第 2 步对应的 namespace 和 service account 以及增加 nodeSelector 确保调度到启用了 Workload Identity Federation for GKE 特性的节点上:</p>
<pre class="literal-block">
apiVersion: v1
kind: Pod
metadata:
name: test-pod
namespace: demo-ns
spec:
nodeSelector:
iam.gke.io/gke-metadata-server-enabled: "true"
serviceAccountName: demo-sa
containers:
- name: test-pod
image: google/cloud-sdk:slim
command: ["sleep","infinity"]
</pre>
</li>
<li><p class="first">待 pod running 后, 进入 test-pod 容器内,访问实例元数据服务获取 sts token,实际的业务应用使用的官方 SDK 也将使用类似的方式访问实例元数据服务获取用于请求云产品 API 的 sts token。</p>
</li>
</ol>
<div class="highlight"><pre><span></span>$<span class="w"> </span>gcloud<span class="w"> </span>auth<span class="w"> </span>print-access-token
<span class="w"> </span>ya29.d.XXX
$<span class="w"> </span>curl<span class="w"> </span>-H<span class="w"> </span><span class="s2">"Metadata-Flavor: Google"</span><span class="w"> </span>http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token
<span class="w"> </span><span class="o">{</span><span class="s2">"access_token"</span>:<span class="s2">"ya29.d.XXX"</span>,<span class="s2">"expires_in"</span>:3423,<span class="s2">"token_type"</span>:<span class="s2">"Bearer"</span><span class="o">}</span>
</pre></div>
<ol class="arabic simple" start="5">
<li>获取的 sts token 将具有前面第 2 步所关联的所有角色的权限.</li>
</ol>
<div class="highlight"><pre><span></span>$<span class="w"> </span>gcloud<span class="w"> </span>container<span class="w"> </span>node-pools<span class="w"> </span>list<span class="w"> </span>--zone<span class="w"> </span>us-central1<span class="w"> </span>--cluster<span class="w"> </span><span class="nb">test</span>
<span class="w"> </span>NAME<span class="w"> </span>MACHINE_TYPE<span class="w"> </span>DISK_SIZE_GB<span class="w"> </span>NODE_VERSION
<span class="w"> </span>default-pool<span class="w"> </span>e2-medium<span class="w"> </span><span class="m">100</span><span class="w"> </span><span class="m">1</span>.30.6-gke.1125000
$<span class="w"> </span>curl<span class="w"> </span>-X<span class="w"> </span>GET<span class="w"> </span>-H<span class="w"> </span><span class="s2">"Authorization: Bearer </span><span class="k">$(</span>gcloud<span class="w"> </span>auth<span class="w"> </span>print-access-token<span class="k">)</span><span class="s2">"</span><span class="w"> </span><span class="se">\</span>
<span class="w"> </span><span class="s2">"https://storage.googleapis.com/storage/v1/b/demo-gke-workload-identity-federation/o"</span>
<span class="w"> </span><span class="o">{</span>
<span class="w"> </span><span class="s2">"kind"</span>:<span class="w"> </span><span class="s2">"storage#objects"</span>
<span class="w"> </span><span class="o">}</span>
</pre></div>
</div>
<div class="section" id="section-3">
<h2 id="hidsection-3">工作流程<a class="headerlink" href="#hidsection-3" title="Permalink to this headline">¶</a></h2>
<p>Workload Identity Federation for GKE 特性的工作流程如下:</p>
<p><img alt="image" src="/static/images/security/gke-workload-identity-federation-for-gke.png" /></p>
<ol class="arabic simple">
<li>当应用 Pod 容器内的程序请求实例元数据服务(访问 <tt class="docutils literal"><span class="pre">http://metadata.google.internal</span></tt> ,实际是访问 <tt class="docutils literal"><span class="pre">http://169.254.169.254:80</span></tt> )
获取 sts token 时, 该请求将被重定向到 169.254.169.252:988。
169.254.169.252:988 是节点上部署的 gke-metadata-server 服务所监听的端口。</li>
<li>gke-metadata-server 服务在收到请求后,将根据请求的 client ip 确定请求来自哪个 Pod,
然后再请求 apiserver 生成一个该 Pod 所使用的 service account 对应的 token。</li>
<li>gke-metadata-server 将使用获取的 service account token 访问 GCP 的
<a class="reference external" href="https://cloud.google.com/iam/docs/reference/sts/rest/v1/TopLevel/token">STS API</a> 获取一个 sts token,
最后 gke-metadata-server 将获取到的 sts token 返回给客户端。</li>
</ol>
<p>这个流程中有几个关键的组件和信息需要重点关注,下面将逐个说明。</p>
</div>
<div class="section" id="gke-metadata-server">
<h2 id="hidgke-metadata-server">gke-metadata-server<a class="headerlink" href="#hidgke-metadata-server" title="Permalink to this headline">¶</a></h2>
<p>当在集群维度或节点池维度启用 Workload Identity Federation for GKE 特性时,集群内将自动部署一个名为 gke-metadata-server 的组件。
该组件的工作负载 YAML 如下:</p>
<pre class="literal-block">
apiVersion: apps/v1
kind: DaemonSet
metadata:
annotations:
deprecated.daemonset.template.generation: "1"
labels:
addonmanager.kubernetes.io/mode: Reconcile
k8s-app: gke-metadata-server
name: gke-metadata-server
namespace: kube-system
spec:
minReadySeconds: 90
revisionHistoryLimit: 10
selector:
matchLabels:
k8s-app: gke-metadata-server
template:
metadata:
annotations:
components.gke.io/component-name: gke-metadata-server
components.gke.io/component-version: 0.4.301
monitoring.gke.io/path: /metricz
creationTimestamp: null
labels:
addonmanager.kubernetes.io/mode: Reconcile
k8s-app: gke-metadata-server
spec:
containers:
- command:
- /gke-metadata-server
- --logtostderr
- --token-exchange-endpoint=https://securetoken.googleapis.com/v1/identitybindingtoken
- --workload-pool=test-gke-XXXXXX.svc.id.goog
- --alts-service-suffixes-using-node-identity=storage.googleapis.com,bigtable.googleapis.com,bigtable2.googleapis.com,bigtablerls.googleapis.com,spanner.googleapis.com,spanner2.googleapis.com,spanner-rls.googleapis.com,grpclb.directpath.google.internal,grpclb-dualstack.directpath.google.internal,staging-wrenchworks.sandbox.googleapis.com,preprod-spanner.sandbox.googleapis.com,wrenchworks-loadtest.googleapis.com,wrenchworks-nonprod.googleapis.com
- --identity-provider=https://container.googleapis.com/v1/projects/test-gke-XXXXXX/locations/us-central1/clusters/test
- --passthrough-ksa-list=anthos-identity-service:gke-oidc-envoy-sa,anthos-identity-service:gke-oidc-service-sa,gke-managed-dpv2-observability:hubble-relay,kube-system:antrea-controller,kube-system:container-watcher-pod-reader,kube-system:coredns,kube-system:egress-nat-controller,kube-system:event-exporter-sa,kube-system:fluentd-gcp-scaler,kube-system:gke-metrics-agent,kube-system:gke-spiffe-node-agent,kube-system:heapster,kube-system:konnectivity-agent,kube-system:kube-dns,kube-system:maintenance-handler,kube-system:metadata-agent,kube-system:network-metering-agent,kube-system:node-local-dns,kube-system:pkgextract-service,kube-system:pkgextract-cleanup-service,kube-system:securityprofile-controller,istio-system:istio-ingressgateway-service-account,istio-system:cluster-local-gateway-service-account,csm:csm-sync-agent,knative-serving:controller,kube-system:pdcsi-node-sa,kube-system:gcsfusecsi-node-sa,gmp-system:collector,gke-gmp-system:collector,gke-managed-cim:kube-state-metrics
- --attributes=cluster-name=test,cluster-uid=392f63049deXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX,cluster-location=us-central1
- --cluster-uid=392f63049ded410XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
- --sts-endpoint=https://sts.googleapis.com
- --token-exchange-mode=sts
- --cloud-monitoring-endpoint=monitoring.googleapis.com:443
- --iam-cred-service-endpoint=https://iamcredentials.googleapis.com
- --cluster-project-number=2318XXXXXXXX
- --cluster-location=us-central1
- --cluster-name=test
- --component-version=0.4.301
- --ksa-cache-mode=watchchecker
- --kcp-allow-watch-checker=true
- --enable-mds-csi-driver=true
- --csi-socket=/csi/csi.sock
- --volumes-db=/var/run/gkemds.gke.io/csi/volumes.boltdb
env:
- name: GOMEMLIMIT
value: "94371840"
image: us-central1-artifactregistry.gcr.io/gke-release/gke-release/gke-metadata-server:gke_metadata_server_20240702.00_p0@sha256:aea9cc887c91b9a05e5bb4bb604180772594a01f0828bbfacf30c77562ac7205
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 3
httpGet:
host: 127.0.0.1
path: /healthz
port: 989
scheme: HTTP
initialDelaySeconds: 30
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 3
name: gke-metadata-server
ports:
- containerPort: 987
name: alts
protocol: TCP
- containerPort: 988
name: metadata-server
protocol: TCP
- containerPort: 989
name: debug-port
protocol: TCP
readinessProbe:
failureThreshold: 3
httpGet:
host: 127.0.0.1
path: /healthz
port: 989
scheme: HTTP
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
resources:
limits:
memory: 100Mi
requests:
cpu: 100m
memory: 100Mi
securityContext:
privileged: true
readOnlyRootFilesystem: true
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
- mountPath: /var/lib/kubelet/kubeconfig
name: kubelet-credentials
readOnly: true
- mountPath: /var/lib/kubelet/pki/
name: kubelet-certs
readOnly: true
- mountPath: /var/run/
name: container-runtime-interface
- mountPath: /etc/srv/kubernetes/pki
name: kubelet-pki
readOnly: true
- mountPath: /etc/ssl/certs/
name: ca-certificates
readOnly: true
- mountPath: /home/kubernetes/bin/gke-exec-auth-plugin
name: gke-exec-auth-plugin
readOnly: true
- mountPath: /sys/firmware/efi/efivars/
name: efivars
readOnly: true
- mountPath: /dev/tpm0
name: vtpm
readOnly: true
- mountPath: /csi
name: csi-socket-dir
- mountPath: /var/run/gkemds.gke.io/csi
name: state-dir
- mountPath: /var/lib/kubelet/pods
mountPropagation: Bidirectional
name: pods-dir
- mountPath: /registration
name: kubelet-registration-dir
dnsPolicy: Default
hostNetwork: true
nodeSelector:
iam.gke.io/gke-metadata-server-enabled: "true"
kubernetes.io/os: linux
priorityClassName: system-node-critical
restartPolicy: Always
schedulerName: default-scheduler
securityContext: {}
serviceAccount: gke-metadata-server
serviceAccountName: gke-metadata-server
terminationGracePeriodSeconds: 30
tolerations:
- effect: NoExecute
operator: Exists
- effect: NoSchedule
operator: Exists
- key: components.gke.io/gke-managed-components
operator: Exists
volumes:
- hostPath:
path: /var/lib/kubelet/pki/
type: Directory
name: kubelet-certs
- hostPath:
path: /var/lib/kubelet/kubeconfig
type: File
name: kubelet-credentials
- hostPath:
path: /var/run/
type: Directory
name: container-runtime-interface
- hostPath:
path: /etc/srv/kubernetes/pki/
type: Directory
name: kubelet-pki
- hostPath:
path: /etc/ssl/certs/
type: Directory
name: ca-certificates
- hostPath:
path: /home/kubernetes/bin/gke-exec-auth-plugin
type: File
name: gke-exec-auth-plugin
- hostPath:
path: /sys/firmware/efi/efivars/
type: Directory
name: efivars
- hostPath:
path: /dev/tpm0
type: CharDevice
name: vtpm
- hostPath:
path: /var/lib/kubelet/plugins/gkemds.gke.io
type: DirectoryOrCreate
name: csi-socket-dir
- hostPath:
path: /var/lib/kubelet/pods
type: Directory
name: pods-dir
- hostPath:
path: /var/lib/kubelet/plugins_registry
type: Directory
name: kubelet-registration-dir
- hostPath:
path: /var/lib/kubelet/plugins
type: Directory
name: kubelet-plugins-dir
- hostPath:
path: /var/run/gkemds.gke.io/csi
type: DirectoryOrCreate
name: state-dir
</pre>
<p>gke-metadata-server 组件具有如下特点:</p>
<ul>
<li><p class="first">组件的工作负载是一个 DaemonSet。</p>
</li>
<li><p class="first">组件 Pod 使用 <tt class="docutils literal">hostNetwork: true</tt> 以及 <tt class="docutils literal">privileged: true</tt> 。</p>
</li>
<li><p class="first">组件内的服务将监听 987, 988 以及 989 端口, 其中 988 端口将用于接收重定向过来的访问实例元数据服务的请求:</p>
<pre class="literal-block">
$ ss -atnlp |grep gke
LISTEN 0 1024 *:987 *:* users:(("gke-metadata-se",pid=183706,fd=10))
LISTEN 0 1024 *:989 *:* users:(("gke-metadata-se",pid=183706,fd=12))
LISTEN 0 1024 *:988 *:* users:(("gke-metadata-se",pid=183706,fd=15))
</pre>
</li>
<li><p class="first">前面所说的 169.254.169.252 这个 IP 是本机 lo 的 IP 地址,所以 gke-metadata-server 监听的 988 端口
就包含了前面所说的 <tt class="docutils literal">169.254.169.252:988</tt> 端口:</p>
<pre class="literal-block">
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet 169.254.169.252/32 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
</pre>
</li>
<li><p class="first">所有启用了 Workload Identity Federation for GKE 特性的节点在初始化的时候都会配置如下 nftables 规则,
确保从业务容器内发起的请求元数据服务 (<tt class="docutils literal"><span class="pre">http://metadata.google.internal</span></tt> , 169.254.169.254:80)
的流量都会被重定向到组件所监听的 <tt class="docutils literal">169.254.169.252:988</tt> 端口:</p>
<pre class="literal-block">
table ip nat {
chain PREROUTING {
type nat hook prerouting priority dstnat; policy accept;
counter packets 2143 bytes 169432 jump KUBE-SERVICES
iifname != "eth0" meta l4proto tcp ip daddr 169.254.169.254 tcp dport 8080 counter packets 0 bytes 0 dnat to 169.254.169.252:987
iifname != "eth0" meta l4proto tcp ip daddr 169.254.169.254 tcp dport 80 counter packets 181 bytes 10860 dnat to 169.254.169.252:988
}
}
</pre>
</li>
<li><p class="first">前面说到组件将通过 client ip 确定请求的来源 pod 以及会请求 apiserver 获取 service account,这里就涉及到组件是使用的什么凭证来访问 apiserver。
组件使用的是节点上 kubelet 的凭证来访问的 apiserver(前面的组件 YAML 中包含了挂载 kubelet kubeconfig 的配置)。
同时在部署组件时,将额外为 kubelet 的凭证授予 pods 和 serviceaccounts 的 get/list/watch RBAC 权限,
用于获取当前节点的 pod 以及 service account 信息:</p>
<pre class="literal-block">
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
annotations:
components.gke.io/component-name: gke-metadata-server
components.gke.io/component-version: 0.4.301
labels:
addonmanager.kubernetes.io/mode: Reconcile
name: gce:gke-metadata-server-reader
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: gce:gke-metadata-server-reader
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: system:nodes
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
annotations:
components.gke.io/component-name: gke-metadata-server
components.gke.io/component-version: 0.4.301
labels:
addonmanager.kubernetes.io/mode: Reconcile
name: gce:gke-metadata-server-reader
rules:
- apiGroups:
- ""
resources:
- pods
- serviceaccounts
verbs:
- get
- watch
- list
</pre>
</li>
<li><p class="first">如果 pod 使用的 service account 没有绑定 IAM 角色,pod 内应用访问元数据服务获取的 sts token 将会是节点默认的 google serivce account 的 sts token。</p>
</li>
</ul>
</div>
<div class="section" id="service-account-token">
<h2 id="hidservice-account-token">service account token<a class="headerlink" href="#hidservice-account-token" title="Permalink to this headline">¶</a></h2>
<p>对于每个 pod 内程序发起的请求,gke-metadata-server 组件不是直接使用 pod 容器所挂载 service account token,
而是请求 apiserver 生成了一份新的 service account token。</p>
<p>容器所挂载的 service account token 的 payload 示例如下:</p>
<pre class="literal-block">
{
"aud": [
"https://container.googleapis.com/v1/projects/test-gke-XXXXXX/locations/us-central1/clusters/test"
],
"exp": ...,
"iat": ...,
"iss": "https://container.googleapis.com/v1/projects/test-gke-XXXXXX/locations/us-central1/clusters/test",
"jti": "...",
"kubernetes.io": {...},
"nbf": ...,
"sub": "system:serviceaccount:demo-ns:demo-sa"
}
</pre>
<p>组件请求 apiserver 所生成的 service account token 的 payload 示例如下:</p>
<pre class="literal-block">
{
"aud": [
"test-gke-XXXXXX.svc.id.goog"
],
"exp": ...,
"iat": ...,
"iss": "https://container.googleapis.com/v1/projects/test-gke-XXXXXX/locations/us-central1/clusters/test",
"jti": "...",
"kubernetes.io": {...},
"nbf": ...,
"sub": "system:serviceaccount:demo-ns:demo-sa"
}
</pre>
<p>可以看到,主要的区别是 aud 的内容不一样。</p>
</div>
<div class="section" id="sts-token">
<h2 id="hidsts-token">sts token<a class="headerlink" href="#hidsts-token" title="Permalink to this headline">¶</a></h2>
<p>gke-metadata-server 组件将使用获取到的 service account token 访问 STS 的
<a class="reference external" href="https://cloud.google.com/iam/docs/reference/sts/rest/v1/TopLevel/token">token API</a> 获取一份 sts token。</p>
<p>对应的请求示例如下:</p>
<pre class="literal-block">
:authority: sts.googleapis.com
:method: POST
:path: /v1/token?alt=json&prettyPrint=false
:scheme: https
x-goog-api-client: gl-go/1.23.0--20240626-RC01 cl/646990413 +5a18e79687 X:fieldtrack,boringcrypto gdcl/0.177.0
user-agent: google-api-go-client/0.5 gke-metadata-server
content-type: application/json
content-length: 1673
accept-encoding: gzip
{"audience":"identitynamespace:test-gke-XXXXXX.svc.id.goog:https://container.googleapis.com/v1/projects/test-gke-XXXXXX/locations/us-central1/clusters/test","grantType":"urn:ietf:params:oauth:grant-type:token-exchange","requestedTokenType":"urn:ietf:params:oauth:token-type:access_token","scope":"https://www.googleapis.com/auth/cloud-platform https://www.googleapis.com/auth/userinfo.email","subjectToken":"XXX.XXX.XXX","subjectTokenType":"urn:ietf:params:oauth:token-type:jwt"}
:status: 200
content-type: application/json; charset=UTF-8
vary: Origin
vary: X-Origin
vary: Referer
content-encoding: gzip
date: ...
server: scaffolding on HTTPServer2
content-length: 1061
x-xss-protection: 0
x-frame-options: SAMEORIGIN
x-content-type-options: nosniff
{"access_token":"ya29.d.XXX","issued_token_type":"urn:ietf:params:oauth:token-type:access_token","token_type":"Bearer","expires_in":3599}
</pre>
<p>其中请求 body 格式化后的内容如下:</p>
<pre class="literal-block">
{
"audience": "identitynamespace:test-gke-XXXXXX.svc.id.goog:https://container.googleapis.com/v1/projects/test-gke-XXXXXX/locations/us-central1/clusters/test",
"grantType": "urn:ietf:params:oauth:grant-type:token-exchange",
"requestedTokenType": "urn:ietf:params:oauth:token-type:access_token",
"scope": "https://www.googleapis.com/auth/cloud-platform https://www.googleapis.com/auth/userinfo.email",
"subjectToken": "XXX.XXX.XXX",
"subjectTokenType": "urn:ietf:params:oauth:token-type:jwt"
}
</pre>
<p>响应 body 格式化后的内容如下:</p>
<pre class="literal-block">
{
"access_token": "ya29.d.XXX",
"issued_token_type": "urn:ietf:params:oauth:token-type:access_token",
"token_type": "Bearer",
"expires_in": 3599
}
</pre>
</div>
<div class="section" id="gke-workload-identity">
<h2 id="hidgke-workload-identity">与 GKE Workload Identity 的区别<a class="headerlink" href="#hidgke-workload-identity" title="Permalink to this headline">¶</a></h2>
<p>Workload Identity Federation for GKE 与 GKE Workload Identity 特性(又叫 link Kubernetes ServiceAccounts to IAM)的区别如下:</p>
<table border="1" class="docutils">
<colgroup>
<col width="29%" />
<col width="26%" />
<col width="45%" />
</colgroup>
<thead valign="bottom">
<tr><th class="head">比较项</th>
<th class="head">GKE Workload Identity</th>
<th class="head">Workload Identity Federation for GKE</th>
</tr>
</thead>
<tbody valign="top">
<tr><td>需要创建 Google service account (GSA)</td>
<td>需要</td>
<td><strong>不需要</strong></td>
</tr>
<tr><td>需要配置 GSA 绑定的 IAM 角色</td>
<td>需要</td>
<td>需要配置 k8s service account (KSA) 绑定的角色</td>
</tr>
<tr><td>需要配置允许使用 KSA 扮演 GSA</td>
<td>需要</td>
<td><strong>不需要</strong></td>
</tr>
<tr><td>需要在集群内配置 KSA 的 GSA 信息</td>
<td>需要</td>
<td><strong>不需要</strong></td>
</tr>
<tr><td>绑定角色时支持指定多个 KSA/GSA</td>
<td>不支持</td>
<td><strong>支持</strong> 指定多个,比如某个命名空间下的所有SA, 某个集群内的所有SA</td>
</tr>
<tr><td>支持 project + namespace + KSA 维度授权</td>
<td>支持</td>
<td>支持</td>
</tr>
<tr><td>支持 cluster + namespace + KSA 维度授权</td>
<td>不支持</td>
<td>不支持</td>
</tr>
<tr><td>支持使用 hostNetwork 的应用</td>
<td>不支持</td>
<td>不支持</td>
</tr>
<tr><td>依赖部署 gke-metadata-server 组件</td>
<td>依赖</td>
<td>依赖</td>
</tr>
<tr><td>云产品API对获取的 sts token 的支持情况</td>
<td>几乎所有云产品 API 都支持</td>
<td>大部分云产品API都支持,部分云产品有限支持,少量云产品不支持</td>
</tr>
</tbody>
</table>
<p>BTW, 虽然 Workload Identity Federation for GKE 方案的官方教程和文档中都是说的需要依赖 gke-metadata-server 这个组件,
但是从前面的内容中我们也可以看到:我们其实也可以在不安装 gke-metadata-server 组件的情况下,使用该方案。
具体来说就是,我们可以通过为应用 Pod 挂载所需的 service account token 然后在应用程序内直接访问
STS 提供的 Token API 的方式来解除对该组件的依赖。</p>
</div>
<div class="section" id="section-4">
<h2 id="hidsection-4">参考资料<a class="headerlink" href="#hidsection-4" title="Permalink to this headline">¶</a></h2>
<ul class="simple">
<li><a class="reference external" href="https://cloud.google.com/blog/products/identity-security/make-iam-for-gke-easier-to-use-with-workload-identity-federation">Make IAM for GKE easier to use with Workload Identity Federation | Google Cloud Blog</a></li>
<li><a class="reference external" href="https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity">Authenticate to Google Cloud APIs from GKE workloads | Google Kubernetes Engine (GKE)</a></li>
<li><a class="reference external" href="https://cloud.google.com/kubernetes-engine/docs/concepts/workload-identity">About Workload Identity Federation for GKE | Google Kubernetes Engine (GKE) | Google Cloud</a></li>
<li><a class="reference external" href="https://cloud.google.com/iam/docs/federated-identity-supported-services">Identity federation: products and limitations | IAM Documentation | Google Cloud</a></li>
<li><a class="reference external" href="https://cloud.google.com/iam/docs/reference/sts/rest/v1/TopLevel/token">Method: token | IAM Documentation | Google Cloud</a></li>
<li><a class="reference external" href="https://cloud.google.com/compute/docs/metadata/overview">About VM metadata | Compute Engine Documentation | Google Cloud</a></li>
</ul>
</div>
Exploring Workload Identity Federation for GKE2025-01-05T00:00:00+00:002025-01-05T00:00:00+00:00mozillazgtag:mozillazg.com,2025-01-05:2025/01/security-deep-dive-into-gcp-workload-identity-federation-for-gke-feature-en.html<p>In this article, we will briefly explore a feature called "<a class="reference external" href="https://cloud.google.com/blog/products/identity-security/make-iam-for-gke-easier-to-use-with-workload-identity-federation">Workload Identity Federation for GKE</a>"
that was recently announced by GKE in their official blog.</p>
<div class="section" id="features-overview">
<h2 id="hidfeatures-overview">Features Overview<a class="headerlink" href="#hidfeatures-overview" title="Permalink to this headline">¶</a></h2>
<p>Workload Identity Federation for GKE is an improved version of the original GKE Workload Identity feature.
The main improvement is that it needs less configuration and offers better user experience.</p>
</div>
<div class="section" id="how-to-use">
<h2 id="hidhow-to-use">How to Use<a class="headerlink" href="#hidhow-to-use" title="Permalink to this headline">¶</a></h2>
<p>Follow these steps to try this feature:</p>
<ol class="arabic">
<li><p class="first">Create a GKE cluster with Workload Identity Federation for GKE enabled. You can find this option at:
Create Cluster - Security - Enable Workload Identity.</p>
</li>
<li><p class="first">Link IAM roles to the service account used by your test application. One service account can have multiple roles.
For example:</p>
<pre class="literal-block">
$ kubectl create ns demo-ns
$ kubectl -n demo-ns create serviceaccount demo-sa
$ gcloud projects add-iam-policy-binding projects/test-gke-XXX \
--role=roles/container.clusterViewer \
--member=principal://iam.googleapis.com/projects/23182XXXXXXX/locations/global/workloadIdentityPools/test-gke-XXXXXX.svc.id.goog/subject/ns/<namespace-name>/sa/<service-account-name> \
--condition=None
$ gcloud storage buckets add-iam-policy-binding gs://<bucket-name> \
--role=roles/storage.objectViewer \
--member=principal://iam.googleapis.com/projects/23182XXXXXXX/locations/global/workloadIdentityPools/test-gke-XXXXXX.svc.id.goog/subject/ns/<namespace-name>/sa/<service-account-name> \
--condition=None
</pre>
</li>
<li><p class="first">Deploy the test application. The application pod needs to use the namespace and service account from step 2,
and add nodeSelector to ensure scheduling on nodes with the Workload Identity Federation for GKE feature enabled</p>
<pre class="literal-block">
apiVersion: v1
kind: Pod
metadata:
name: test-pod
namespace: demo-ns
spec:
nodeSelector:
iam.gke.io/gke-metadata-server-enabled: "true"
serviceAccountName: demo-sa
containers:
- name: test-pod
image: google/cloud-sdk:slim
command: ["sleep","infinity"]
</pre>
</li>
<li><p class="first">After the pod is running, enter the test-pod container and access the instance metadata service to obtain the STS token.
The official SDK used by actual business applications will use a similar method to access the instance metadata service to
obtain STS tokens for requesting cloud product APIs.</p>
</li>
</ol>
<div class="highlight"><pre><span></span>$<span class="w"> </span>gcloud<span class="w"> </span>auth<span class="w"> </span>print-access-token
<span class="w"> </span>ya29.d.XXX
$<span class="w"> </span>curl<span class="w"> </span>-H<span class="w"> </span><span class="s2">"Metadata-Flavor: Google"</span><span class="w"> </span>http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token
<span class="w"> </span><span class="o">{</span><span class="s2">"access_token"</span>:<span class="s2">"ya29.d.XXX"</span>,<span class="s2">"expires_in"</span>:3423,<span class="s2">"token_type"</span>:<span class="s2">"Bearer"</span><span class="o">}</span>
</pre></div>
<ol class="arabic simple" start="5">
<li>The obtained STS token will have all the permissions of the roles associated in step 2.</li>
</ol>
<div class="highlight"><pre><span></span>$<span class="w"> </span>gcloud<span class="w"> </span>container<span class="w"> </span>node-pools<span class="w"> </span>list<span class="w"> </span>--zone<span class="w"> </span>us-central1<span class="w"> </span>--cluster<span class="w"> </span><span class="nb">test</span>
<span class="w"> </span>NAME<span class="w"> </span>MACHINE_TYPE<span class="w"> </span>DISK_SIZE_GB<span class="w"> </span>NODE_VERSION
<span class="w"> </span>default-pool<span class="w"> </span>e2-medium<span class="w"> </span><span class="m">100</span><span class="w"> </span><span class="m">1</span>.30.6-gke.1125000
$<span class="w"> </span>curl<span class="w"> </span>-X<span class="w"> </span>GET<span class="w"> </span>-H<span class="w"> </span><span class="s2">"Authorization: Bearer </span><span class="k">$(</span>gcloud<span class="w"> </span>auth<span class="w"> </span>print-access-token<span class="k">)</span><span class="s2">"</span><span class="w"> </span><span class="se">\</span>
<span class="w"> </span><span class="s2">"https://storage.googleapis.com/storage/v1/b/demo-gke-workload-identity-federation/o"</span>
<span class="w"> </span><span class="o">{</span>
<span class="w"> </span><span class="s2">"kind"</span>:<span class="w"> </span><span class="s2">"storage#objects"</span>
<span class="w"> </span><span class="o">}</span>
</pre></div>
</div>
<div class="section" id="workflow-explained">
<h2 id="hidworkflow-explained">Workflow Explained<a class="headerlink" href="#hidworkflow-explained" title="Permalink to this headline">¶</a></h2>
<p>The workflow of Workload Identity Federation for GKE feature is as follows:</p>
<p><img alt="image" src="/static/images/security/gke-workload-identity-federation-for-gke-en.png" /></p>
<ol class="arabic simple">
<li>When a program in the application Pod container requests the instance metadata service
(accessing <tt class="docutils literal"><span class="pre">http://metadata.google.internal</span></tt>, which actually accesses <tt class="docutils literal"><span class="pre">http://169.254.169.254:80</span></tt>)
to get an STS token, the request will be redirected to 169.254.169.252:988.
169.254.169.252:988 is the port listened to by the gke-metadata-server service deployed on the node.</li>
<li>When the gke-metadata-server service receives the request, it will determine which Pod the request came from based on the client IP,
then request the apiserver to generate a token corresponding to the service account used by that Pod.</li>
<li>gke-metadata-server will use the obtained service account token to access GCP's
<a class="reference external" href="https://cloud.google.com/iam/docs/reference/sts/rest/v1/TopLevel/token">STS API</a> to get an STS token,
finally gke-metadata-server returns the obtained STS token to the client.</li>
</ol>
<p>There are several key components and information that need special attention in this workflow, which will be explained one by one below.</p>
</div>
<div class="section" id="gke-metadata-server">
<h2 id="hidgke-metadata-server">gke-metadata-server<a class="headerlink" href="#hidgke-metadata-server" title="Permalink to this headline">¶</a></h2>
<p>When enabling the Workload Identity Federation for GKE feature at the cluster or node pool level,
a component named gke-metadata-server will be automatically deployed in the cluster.
The workload YAML for this component is as follows:</p>
<pre class="literal-block">
apiVersion: apps/v1
kind: DaemonSet
metadata:
annotations:
deprecated.daemonset.template.generation: "1"
labels:
addonmanager.kubernetes.io/mode: Reconcile
k8s-app: gke-metadata-server
name: gke-metadata-server
namespace: kube-system
spec:
minReadySeconds: 90
revisionHistoryLimit: 10
selector:
matchLabels:
k8s-app: gke-metadata-server
template:
metadata:
annotations:
components.gke.io/component-name: gke-metadata-server
components.gke.io/component-version: 0.4.301
monitoring.gke.io/path: /metricz
creationTimestamp: null
labels:
addonmanager.kubernetes.io/mode: Reconcile
k8s-app: gke-metadata-server
spec:
containers:
- command:
- /gke-metadata-server
- --logtostderr
- --token-exchange-endpoint=https://securetoken.googleapis.com/v1/identitybindingtoken
- --workload-pool=test-gke-XXXXXX.svc.id.goog
- --alts-service-suffixes-using-node-identity=storage.googleapis.com,bigtable.googleapis.com,bigtable2.googleapis.com,bigtablerls.googleapis.com,spanner.googleapis.com,spanner2.googleapis.com,spanner-rls.googleapis.com,grpclb.directpath.google.internal,grpclb-dualstack.directpath.google.internal,staging-wrenchworks.sandbox.googleapis.com,preprod-spanner.sandbox.googleapis.com,wrenchworks-loadtest.googleapis.com,wrenchworks-nonprod.googleapis.com
- --identity-provider=https://container.googleapis.com/v1/projects/test-gke-XXXXXX/locations/us-central1/clusters/test
- --passthrough-ksa-list=anthos-identity-service:gke-oidc-envoy-sa,anthos-identity-service:gke-oidc-service-sa,gke-managed-dpv2-observability:hubble-relay,kube-system:antrea-controller,kube-system:container-watcher-pod-reader,kube-system:coredns,kube-system:egress-nat-controller,kube-system:event-exporter-sa,kube-system:fluentd-gcp-scaler,kube-system:gke-metrics-agent,kube-system:gke-spiffe-node-agent,kube-system:heapster,kube-system:konnectivity-agent,kube-system:kube-dns,kube-system:maintenance-handler,kube-system:metadata-agent,kube-system:network-metering-agent,kube-system:node-local-dns,kube-system:pkgextract-service,kube-system:pkgextract-cleanup-service,kube-system:securityprofile-controller,istio-system:istio-ingressgateway-service-account,istio-system:cluster-local-gateway-service-account,csm:csm-sync-agent,knative-serving:controller,kube-system:pdcsi-node-sa,kube-system:gcsfusecsi-node-sa,gmp-system:collector,gke-gmp-system:collector,gke-managed-cim:kube-state-metrics
- --attributes=cluster-name=test,cluster-uid=392f63049deXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX,cluster-location=us-central1
- --cluster-uid=392f63049ded410XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
- --sts-endpoint=https://sts.googleapis.com
- --token-exchange-mode=sts
- --cloud-monitoring-endpoint=monitoring.googleapis.com:443
- --iam-cred-service-endpoint=https://iamcredentials.googleapis.com
- --cluster-project-number=2318XXXXXXXX
- --cluster-location=us-central1
- --cluster-name=test
- --component-version=0.4.301
- --ksa-cache-mode=watchchecker
- --kcp-allow-watch-checker=true
- --enable-mds-csi-driver=true
- --csi-socket=/csi/csi.sock
- --volumes-db=/var/run/gkemds.gke.io/csi/volumes.boltdb
env:
- name: GOMEMLIMIT
value: "94371840"
image: us-central1-artifactregistry.gcr.io/gke-release/gke-release/gke-metadata-server:gke_metadata_server_20240702.00_p0@sha256:aea9cc887c91b9a05e5bb4bb604180772594a01f0828bbfacf30c77562ac7205
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 3
httpGet:
host: 127.0.0.1
path: /healthz
port: 989
scheme: HTTP
initialDelaySeconds: 30
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 3
name: gke-metadata-server
ports:
- containerPort: 987
name: alts
protocol: TCP
- containerPort: 988
name: metadata-server
protocol: TCP
- containerPort: 989
name: debug-port
protocol: TCP
readinessProbe:
failureThreshold: 3
httpGet:
host: 127.0.0.1
path: /healthz
port: 989
scheme: HTTP
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
resources:
limits:
memory: 100Mi
requests:
cpu: 100m
memory: 100Mi
securityContext:
privileged: true
readOnlyRootFilesystem: true
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
- mountPath: /var/lib/kubelet/kubeconfig
name: kubelet-credentials
readOnly: true
- mountPath: /var/lib/kubelet/pki/
name: kubelet-certs
readOnly: true
- mountPath: /var/run/
name: container-runtime-interface
- mountPath: /etc/srv/kubernetes/pki
name: kubelet-pki
readOnly: true
- mountPath: /etc/ssl/certs/
name: ca-certificates
readOnly: true
- mountPath: /home/kubernetes/bin/gke-exec-auth-plugin
name: gke-exec-auth-plugin
readOnly: true
- mountPath: /sys/firmware/efi/efivars/
name: efivars
readOnly: true
- mountPath: /dev/tpm0
name: vtpm
readOnly: true
- mountPath: /csi
name: csi-socket-dir
- mountPath: /var/run/gkemds.gke.io/csi
name: state-dir
- mountPath: /var/lib/kubelet/pods
mountPropagation: Bidirectional
name: pods-dir
- mountPath: /registration
name: kubelet-registration-dir
dnsPolicy: Default
hostNetwork: true
nodeSelector:
iam.gke.io/gke-metadata-server-enabled: "true"
kubernetes.io/os: linux
priorityClassName: system-node-critical
restartPolicy: Always
schedulerName: default-scheduler
securityContext: {}
serviceAccount: gke-metadata-server
serviceAccountName: gke-metadata-server
terminationGracePeriodSeconds: 30
tolerations:
- effect: NoExecute
operator: Exists
- effect: NoSchedule
operator: Exists
- key: components.gke.io/gke-managed-components
operator: Exists
volumes:
- hostPath:
path: /var/lib/kubelet/pki/
type: Directory
name: kubelet-certs
- hostPath:
path: /var/lib/kubelet/kubeconfig
type: File
name: kubelet-credentials
- hostPath:
path: /var/run/
type: Directory
name: container-runtime-interface
- hostPath:
path: /etc/srv/kubernetes/pki/
type: Directory
name: kubelet-pki
- hostPath:
path: /etc/ssl/certs/
type: Directory
name: ca-certificates
- hostPath:
path: /home/kubernetes/bin/gke-exec-auth-plugin
type: File
name: gke-exec-auth-plugin
- hostPath:
path: /sys/firmware/efi/efivars/
type: Directory
name: efivars
- hostPath:
path: /dev/tpm0
type: CharDevice
name: vtpm
- hostPath:
path: /var/lib/kubelet/plugins/gkemds.gke.io
type: DirectoryOrCreate
name: csi-socket-dir
- hostPath:
path: /var/lib/kubelet/pods
type: Directory
name: pods-dir
- hostPath:
path: /var/lib/kubelet/plugins_registry
type: Directory
name: kubelet-registration-dir
- hostPath:
path: /var/lib/kubelet/plugins
type: Directory
name: kubelet-plugins-dir
- hostPath:
path: /var/run/gkemds.gke.io/csi
type: DirectoryOrCreate
name: state-dir
</pre>
<p>The gke-metadata-server component has the following characteristics:</p>
<ul>
<li><p class="first">The component's workload is a DaemonSet.</p>
</li>
<li><p class="first">The component Pod uses <tt class="docutils literal">hostNetwork: true</tt> and <tt class="docutils literal">privileged: true</tt>.</p>
</li>
<li><p class="first">The service inside the component will listen on ports 987, 988, and 989, where port 988 will be used to
receive redirected requests for accessing the instance metadata service:</p>
<pre class="literal-block">
$ ss -atnlp |grep gke
LISTEN 0 1024 *:987 *:* users:(("gke-metadata-se",pid=183706,fd=10))
LISTEN 0 1024 *:989 *:* users:(("gke-metadata-se",pid=183706,fd=12))
LISTEN 0 1024 *:988 *:* users:(("gke-metadata-se",pid=183706,fd=15))
</pre>
</li>
<li><p class="first">The previously mentioned IP 169.254.169.252 is the local loopback (lo) IP address,
so the port 988 listened to by gke-metadata-server
includes the previously mentioned <tt class="docutils literal">169.254.169.252:988</tt> port:</p>
<pre class="literal-block">
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet 169.254.169.252/32 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
</pre>
</li>
<li><p class="first">All nodes with the Workload Identity Federation for GKE feature enabled will be configured with the following
nftables rules during initialization, ensuring that traffic from business containers requesting
the metadata service (<tt class="docutils literal"><span class="pre">http://metadata.google.internal</span></tt>, 169.254.169.254:80)
will be redirected to the <tt class="docutils literal">169.254.169.252:988</tt> port listened to by the component:</p>
<pre class="literal-block">
table ip nat {
chain PREROUTING {
type nat hook prerouting priority dstnat; policy accept;
counter packets 2143 bytes 169432 jump KUBE-SERVICES
iifname != "eth0" meta l4proto tcp ip daddr 169.254.169.254 tcp dport 8080 counter packets 0 bytes 0 dnat to 169.254.169.252:987
iifname != "eth0" meta l4proto tcp ip daddr 169.254.169.254 tcp dport 80 counter packets 181 bytes 10860 dnat to 169.254.169.252:988
}
}
</pre>
</li>
<li><p class="first">As mentioned earlier, the component will determine the source pod through the client IP
and request the apiserver to get the service account. This involves what credentials the component uses to access the apiserver.
The component uses the kubelet's credentials on the node to access the apiserver
(the component YAML shown earlier includes the configuration for mounting kubelet kubeconfig).
Additionally, when deploying the component, extra RBAC permissions for get/list/watch on pods
and serviceaccounts will be granted to the kubelet's credentials,
used for obtaining information about pods and service accounts on the current node:</p>
<pre class="literal-block">
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
annotations:
components.gke.io/component-name: gke-metadata-server
components.gke.io/component-version: 0.4.301
labels:
addonmanager.kubernetes.io/mode: Reconcile
name: gce:gke-metadata-server-reader
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: gce:gke-metadata-server-reader
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: system:nodes
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
annotations:
components.gke.io/component-name: gke-metadata-server
components.gke.io/component-version: 0.4.301
labels:
addonmanager.kubernetes.io/mode: Reconcile
name: gce:gke-metadata-server-reader
rules:
- apiGroups:
- ""
resources:
- pods
- serviceaccounts
verbs:
- get
- watch
- list
</pre>
</li>
<li><p class="first">If the service account used by the pod is not bound to any IAM role,
the STS token obtained by the application in the pod when accessing the metadata service will
be the STS token of the node's default Google service account.</p>
</li>
</ul>
</div>
<div class="section" id="service-account-token">
<h2 id="hidservice-account-token">service account token<a class="headerlink" href="#hidservice-account-token" title="Permalink to this headline">¶</a></h2>
<p>For requests initiated by programs within each pod, the gke-metadata-server component
doesn't directly use the service account token mounted in the pod container,
but instead requests the apiserver to generate a new service account token.</p>
<p>Here's an example of the payload for a service account token mounted in the container:</p>
<pre class="literal-block">
{
"aud": [
"https://container.googleapis.com/v1/projects/test-gke-XXXXXX/locations/us-central1/clusters/test"
],
"exp": ...,
"iat": ...,
"iss": "https://container.googleapis.com/v1/projects/test-gke-XXXXXX/locations/us-central1/clusters/test",
"jti": "...",
"kubernetes.io": {...},
"nbf": ...,
"sub": "system:serviceaccount:demo-ns:demo-sa"
}
</pre>
<p>Here's an example of the payload for a service account token generated by the apiserver when requested by the component:</p>
<pre class="literal-block">
{
"aud": [
"test-gke-XXXXXX.svc.id.goog"
],
"exp": ...,
"iat": ...,
"iss": "https://container.googleapis.com/v1/projects/test-gke-XXXXXX/locations/us-central1/clusters/test",
"jti": "...",
"kubernetes.io": {...},
"nbf": ...,
"sub": "system:serviceaccount:demo-ns:demo-sa"
}
</pre>
<p>As we can see, the main difference is in the content of the <tt class="docutils literal">aud</tt> field.</p>
</div>
<div class="section" id="sts-token">
<h2 id="hidsts-token">sts token<a class="headerlink" href="#hidsts-token" title="Permalink to this headline">¶</a></h2>
<p>The gke-metadata-server component will use the obtained service account token to access the STS
<a class="reference external" href="https://cloud.google.com/iam/docs/reference/sts/rest/v1/TopLevel/token">token API</a> to get an STS token.</p>
<p>Here's an example of the corresponding request:</p>
<pre class="literal-block">
:authority: sts.googleapis.com
:method: POST
:path: /v1/token?alt=json&prettyPrint=false
:scheme: https
x-goog-api-client: gl-go/1.23.0--20240626-RC01 cl/646990413 +5a18e79687 X:fieldtrack,boringcrypto gdcl/0.177.0
user-agent: google-api-go-client/0.5 gke-metadata-server
content-type: application/json
content-length: 1673
accept-encoding: gzip
{"audience":"identitynamespace:test-gke-XXXXXX.svc.id.goog:https://container.googleapis.com/v1/projects/test-gke-XXXXXX/locations/us-central1/clusters/test","grantType":"urn:ietf:params:oauth:grant-type:token-exchange","requestedTokenType":"urn:ietf:params:oauth:token-type:access_token","scope":"https://www.googleapis.com/auth/cloud-platform https://www.googleapis.com/auth/userinfo.email","subjectToken":"XXX.XXX.XXX","subjectTokenType":"urn:ietf:params:oauth:token-type:jwt"}
:status: 200
content-type: application/json; charset=UTF-8
vary: Origin
vary: X-Origin
vary: Referer
content-encoding: gzip
date: ...
server: scaffolding on HTTPServer2
content-length: 1061
x-xss-protection: 0
x-frame-options: SAMEORIGIN
x-content-type-options: nosniff
{"access_token":"ya29.d.XXX","issued_token_type":"urn:ietf:params:oauth:token-type:access_token","token_type":"Bearer","expires_in":3599}
</pre>
<p>The formatted content of the request body is as follows:</p>
<pre class="literal-block">
{
"audience": "identitynamespace:test-gke-XXXXXX.svc.id.goog:https://container.googleapis.com/v1/projects/test-gke-XXXXXX/locations/us-central1/clusters/test",
"grantType": "urn:ietf:params:oauth:grant-type:token-exchange",
"requestedTokenType": "urn:ietf:params:oauth:token-type:access_token",
"scope": "https://www.googleapis.com/auth/cloud-platform https://www.googleapis.com/auth/userinfo.email",
"subjectToken": "XXX.XXX.XXX",
"subjectTokenType": "urn:ietf:params:oauth:token-type:jwt"
}
</pre>
<p>The formatted content of the response body is as follows:</p>
<pre class="literal-block">
{
"access_token": "ya29.d.XXX",
"issued_token_type": "urn:ietf:params:oauth:token-type:access_token",
"token_type": "Bearer",
"expires_in": 3599
}
</pre>
</div>
<div class="section" id="differences-from-gke-workload-identity">
<h2 id="hiddifferences-from-gke-workload-identity">Differences from GKE Workload Identity<a class="headerlink" href="#hiddifferences-from-gke-workload-identity" title="Permalink to this headline">¶</a></h2>
<p>Here are the differences between Workload Identity Federation for GKE and GKE Workload Identity feature
(also known as linking Kubernetes ServiceAccounts to IAM):</p>
<table border="1" class="docutils">
<colgroup>
<col width="29%" />
<col width="26%" />
<col width="45%" />
</colgroup>
<thead valign="bottom">
<tr><th class="head">Comparison Item</th>
<th class="head">GKE Workload Identity</th>
<th class="head">Workload Identity Federation for GKE</th>
</tr>
</thead>
<tbody valign="top">
<tr><td>Requires Google service account (GSA)</td>
<td>Required</td>
<td><strong>Not Required</strong></td>
</tr>
<tr><td>IAM role binding configuration</td>
<td>Requires GSA role binding</td>
<td>Requires k8s service account (KSA) role binding</td>
</tr>
<tr><td>KSA impersonating GSA configuration</td>
<td>Required</td>
<td><strong>Not Required</strong></td>
</tr>
<tr><td>GSA info configuration for KSA in cluster</td>
<td>Required</td>
<td><strong>Not Required</strong></td>
</tr>
<tr><td>Multiple KSA/GSA binding support</td>
<td>Not supported</td>
<td><strong>Supported</strong> (e.g., all SAs in namespace, all SAs in cluster)</td>
</tr>
<tr><td>Authorization at project + namespace + KSA</td>
<td>Supported</td>
<td>Supported</td>
</tr>
<tr><td>Authorization at cluster + namespace + KSA</td>
<td>Not supported</td>
<td>Not supported</td>
</tr>
<tr><td>Support for hostNetwork applications</td>
<td>Not supported</td>
<td>Not supported</td>
</tr>
<tr><td>Depends on gke-metadata-server component</td>
<td>Required</td>
<td>Required</td>
</tr>
<tr><td>Cloud API support for obtained STS token</td>
<td>Almost all cloud product APIs</td>
<td>Most cloud APIs supported, some limited support, few unsupported</td>
</tr>
</tbody>
</table>
<p>By the way, although the official tutorials and documentation for Workload Identity Federation for GKE mention that it requires the gke-metadata-server component,
from what we discussed earlier, we can see that: we can actually use this solution without installing the gke-metadata-server component.
Specifically, we can remove the dependency on this component by mounting the required service account token to the application Pod and then directly accessing
the Token API provided by STS within our applications.</p>
</div>
<div class="section" id="references">
<h2 id="hidreferences">References<a class="headerlink" href="#hidreferences" title="Permalink to this headline">¶</a></h2>
<ul class="simple">
<li><a class="reference external" href="https://cloud.google.com/blog/products/identity-security/make-iam-for-gke-easier-to-use-with-workload-identity-federation">Make IAM for GKE easier to use with Workload Identity Federation | Google Cloud Blog</a></li>
<li><a class="reference external" href="https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity">Authenticate to Google Cloud APIs from GKE workloads | Google Kubernetes Engine (GKE)</a></li>
<li><a class="reference external" href="https://cloud.google.com/kubernetes-engine/docs/concepts/workload-identity">About Workload Identity Federation for GKE | Google Kubernetes Engine (GKE) | Google Cloud</a></li>
<li><a class="reference external" href="https://cloud.google.com/iam/docs/federated-identity-supported-services">Identity federation: products and limitations | IAM Documentation | Google Cloud</a></li>
<li><a class="reference external" href="https://cloud.google.com/iam/docs/reference/sts/rest/v1/TopLevel/token">Method: token | IAM Documentation | Google Cloud</a></li>
<li><a class="reference external" href="https://cloud.google.com/compute/docs/metadata/overview">About VM metadata | Compute Engine Documentation | Google Cloud</a></li>
</ul>
</div>