New kernel 6.6 debug

.github/workflows/main.yml

@@ -41,6 +41,7 @@ jobs:
       run: |
         sudo env "PATH=$PATH" bash ./build.sh
 
+    # The kernel version of Ubuntu 22.04 is 6.8, so the access control check is enhanced by default.
     - name: Setup Enviroments
       run: |
         echo "PKG_CONFIG_PATH=$GITHUB_WORKSPACE/mk" >> $GITHUB_ENV
@@ -54,12 +55,12 @@ jobs:
     - name: golangci-lint
       uses: golangci/[email protected]
       with:
-        args: "--config=common/config/.golangci.yaml --out-format colored-line-number"
+        args: "--build-tags=enhanced --config=common/config/.golangci.yaml --out-format colored-line-number"
         skip-pkg-cache: true
 
     - name: Go Test
       run: |
-        sudo env LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/lib:$GITHUB_WORKSPACE/api/v2-c:$GITHUB_WORKSPACE/bpf/deserialization_to_bpf_map PKG_CONFIG_PATH=$GITHUB_WORKSPACE/mk go test -race -v -vet=off -coverprofile=coverage.out ./pkg/...
+        sudo env LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/lib:$GITHUB_WORKSPACE/api/v2-c:$GITHUB_WORKSPACE/bpf/deserialization_to_bpf_map PKG_CONFIG_PATH=$GITHUB_WORKSPACE/mk go test -tags=enhanced -race -v -vet=off -coverprofile=coverage.out ./pkg/...
 
     - name: Upload coverage reports to Codecov
       uses: codecov/codecov-action@v4

Makefile

@@ -82,8 +82,7 @@ ifeq ($(TAG),)
   $(error "TAG cannot be empty")
 endif
 
-TMP_FILES := bpf/kmesh/bpf2go/bpf2go.go \
-	config/kmesh_marcos_def.h \
+TMP_FILES := config/kmesh_marcos_def.h \
 	mk/api-v2-c.pc \
 	mk/bpf.pc \
 	bpf/include/bpf_helper_defs_ext.h \

bpf/include/bpf_common.h

@@ -223,4 +223,86 @@ static inline void *get_ptr_val_from_map(void *map, __u8 map_type, const void *p
         val_tmp;                                                                                                       \
     })
 
+static inline void record_kmesh_managed_ip(__u32 family, __u32 ip4, __u32 *ip6)
+{
+    int err;
+    __u32 value = 0;
+    struct manager_key key = {0};
+    if (family == AF_INET)
+        key.addr.ip4 = ip4;
+    if (family == AF_INET6 && ip6)
+        IP6_COPY(key.addr.ip6, ip6);
+
+    err = bpf_map_update_elem(&map_of_manager, &key, &value, BPF_ANY);
+    if (err)
+        BPF_LOG(ERR, KMESH, "record ip failed, err is %d\n", err);
+}
+
+static inline void remove_kmesh_managed_ip(__u32 family, __u32 ip4, __u32 *ip6)
+{
+    struct manager_key key = {0};
+    if (family == AF_INET)
+        key.addr.ip4 = ip4;
+    if (family == AF_INET6 && ip6)
+        IP6_COPY(key.addr.ip6, ip6);
+
+    int err = bpf_map_delete_elem(&map_of_manager, &key);
+    if (err && err != -ENOENT)
+        BPF_LOG(ERR, KMESH, "remove ip failed, err is %d\n", err);
+}
+
+static inline bool conn_from_sim(struct bpf_sock_ops *skops, __u32 ip, __u16 port)
+{
+    __u16 remote_port = GET_SKOPS_REMOTE_PORT(skops);
+    if (bpf_ntohs(remote_port) != port)
+        return false;
+
+    if (skops->family == AF_INET)
+        return (bpf_ntohl(skops->remote_ip4) == ip);
+
+    return (
+        skops->remote_ip6[0] == 0 && skops->remote_ip6[1] == 0 && skops->remote_ip6[2] == 0
+        && bpf_ntohl(skops->remote_ip6[3]) == ip);
+}
+
+static inline bool skops_conn_from_cni_sim_add(struct bpf_sock_ops *skops)
+{
+    // cni sim connect CONTROL_CMD_IP:929(0x3a1)
+    // 0x3a1 is the specific port handled by the cni to enable Kmesh
+    return conn_from_sim(skops, CONTROL_CMD_IP, ENABLE_KMESH_PORT);
+}
+
+static inline bool skops_conn_from_cni_sim_delete(struct bpf_sock_ops *skops)
+{
+    // cni sim connect CONTROL_CMD_IP:930(0x3a2)
+    // 0x3a2 is the specific port handled by the cni to disable Kmesh
+    return conn_from_sim(skops, CONTROL_CMD_IP, DISABLE_KMESH_PORT);
+}
+
+static inline void skops_handle_kmesh_managed_process(struct bpf_sock_ops *skops)
+{
+    if (skops_conn_from_cni_sim_add(skops))
+        record_kmesh_managed_ip(skops->family, skops->local_ip4, skops->local_ip6);
+    if (skops_conn_from_cni_sim_delete(skops))
+        remove_kmesh_managed_ip(skops->family, skops->local_ip4, skops->local_ip6);
+}
+
+static inline bool is_managed_by_kmesh(struct bpf_sock_ops *skops)
+{
+    struct manager_key key = {0};
+    if (skops->family == AF_INET)
+        key.addr.ip4 = skops->local_ip4;
+    if (skops->family == AF_INET6) {
+        if (is_ipv4_mapped_addr(skops->local_ip6))
+            key.addr.ip4 = skops->local_ip6[3];
+        else
+            IP6_COPY(key.addr.ip6, skops->local_ip6);
+    }
+
+    int *value = bpf_map_lookup_elem(&map_of_manager, &key);
+    if (!value)
+        return false;
+    return (*value == 0);
+}
+
 #endif

bpf/include/bpf_helper_defs_ext.h

@@ -10,9 +10,37 @@
  * By default, these IDs are in the 5.10 kernel with kmesh kernel patches.
  */
 
-static void *(*bpf_strncpy)(char *dst, __u32 dst_size, char *src) = (void *)171;
-static void *(*bpf_strnstr)(void *s1, void *s2, __u32 size) = (void *)172;
-static __u64 (*bpf_strnlen)(char *buff, __u32 size) = (void *)173;
-static __u64 (*bpf__strncmp)(const char *s1, __u32 s1_size, const char *s2) = (void *)174;
-static long (*bpf_parse_header_msg)(struct bpf_mem_ptr *msg) = (void *)175;
-static void *(*bpf_get_msg_header_element)(void *name) = (void *)176;
+/*
+ * Description
+ *      Look for the string corresponding to the key in the results of the
+ *      previous bpf_parse_header_msg parsing of the message header, and
+ *      Search for the target substring in the string.
+ * Return
+ *      If found, return 1; otherwise, return 0.
+ */
+static long (*bpf_km_header_strnstr)(
+    struct bpf_sock_addr *ctx, const char *key, int key_sz, const char *subptr, int subptr_sz) = (void *)163;
+
+/*
+ * Description
+ *      Look for the string corresponding to the key in the results of the
+ *      previous bpf_parse_header_msg parsing of the message header, and
+ *      compare it with the target string. Control whether it is an exact
+ *      match or a prefix match through the opt.
+ * Return
+ *      If the strings are same, return 0.
+ */
+static long (*bpf_km_header_strncmp)(const char *key, int key_sz, const char *target, int target_sz, int opt) =
+    (void *)164;
+
+/*
+ * Description
+ *      Get the memory pointer from ctx's t_ctx and parse the string information
+ *      stored within. In this use case, t_ctx must be the HTTP protocol message
+ *      header. After parsing, the message information will be stored in a
+ *      red-black tree for subsequent lookup.
+ * Return
+ *      A HTTP PROTO TYPE is returned on success.
+ *      **PROTO_UNKNOW** is returned if failure.
+ */
+static long (*bpf_parse_header_msg)(struct bpf_sock_addr *ctx) = (void *)165;

bpf/include/common.h

@@ -5,6 +5,7 @@
 #define _COMMON_H_
 
 #include "../../config/kmesh_marcos_def.h"
+#include <linux/in.h>
 #include <stddef.h>
 #include <stdbool.h>
 #include <stdint.h>
@@ -16,8 +17,60 @@
 
 #include "errno.h"
 
+struct bpf_mem_ptr {
+    void *ptr;
+    __u32 size;
+};
+
 #if ENHANCED_KERNEL
+#if KERNEL_KFUNC
+extern int bpf_parse_header_msg_func(void *src, int src__sz) __ksym;
+extern int bpf_km_header_strnstr_func(void *ctx, int ctx__sz, const char *key, int key__sz, const char *subptr) __ksym;
+extern int bpf_km_header_strncmp_func(const char *key, int key__sz, const char *target, int target__sz, int opt) __ksym;
+extern int bpf_setsockopt_func(void *bpf_mem, int bpf_mem__sz, int optname, const char *optval, int optval__sz) __ksym;
+extern int bpf_getsockopt_func(void *bpf_mem, int bpf_mem__sz, int optname, char *optval, int optval__sz) __ksym;
+
+#define bpf_km_header_strncmp bpf_km_header_strncmp_func
+
+int bpf_km_header_strnstr(void *ctx, const char *key, int key__sz, const char *subptr, int subptr__sz)
+{
+    struct bpf_mem_ptr msg_tmp = {.ptr = ctx, .size = sizeof(struct bpf_sock_addr)};
+    return bpf_km_header_strnstr_func(&msg_tmp, sizeof(struct bpf_mem_ptr), key, key__sz, subptr);
+}
+
+int bpf_parse_header_msg(struct bpf_sock_addr *ctx)
+{
+    struct bpf_mem_ptr msg_tmp = {.ptr = ctx, .size = sizeof(struct bpf_sock_addr)};
+    return bpf_parse_header_msg_func(&msg_tmp, sizeof(struct bpf_mem_ptr));
+}
+
+// Due to the limitation of bpf verifier, optval and optval__sz are required to correspond.
+// The strnlen function cannot be used here, so the string is redefined.
+int bpf_km_setsockopt(struct bpf_sock_addr *ctx, int level, int optname, const char *optval, int optval__sz)
+{
+    const char kmesh_module_name[] = "kmesh_defer";
+    if (level != IPPROTO_TCP || optval__sz != sizeof(kmesh_module_name))
+        return -1;
+
+    struct bpf_mem_ptr msg_tmp = {.ptr = ctx, .size = sizeof(struct bpf_sock_addr)};
+    return bpf_setsockopt_func(
+        &msg_tmp, sizeof(struct bpf_mem_ptr), optname, (void *)kmesh_module_name, sizeof(kmesh_module_name));
+}
+
+int bpf_km_getsockopt(struct bpf_sock_addr *ctx, int level, int optname, char *optval, int optval__sz)
+{
+    if (level != IPPROTO_TCP) {
+        return -1;
+    }
+    struct bpf_mem_ptr msg_tmp = {.ptr = ctx, .size = sizeof(struct bpf_sock_addr)};
+    return bpf_getsockopt_func(&msg_tmp, sizeof(struct bpf_mem_ptr), optname, (void *)optval, optval__sz);
+}
+
+#else
 #include <bpf_helper_defs_ext.h>
+#define bpf_km_setsockopt bpf_setsockopt
+#define bpf_km_getsockopt bpf_getsockopt
+#endif
 #endif
 
 #define bpf_unused __attribute__((__unused__))
@@ -121,14 +174,8 @@ static inline bool is_ipv4_mapped_addr(__u32 ip6[4])
         (dst)[3] = (src)[3];                                                                                           \
     } while (0)
 
-#if OE_23_03
-#define bpf__strncmp                  bpf_strncmp
-#define GET_SKOPS_REMOTE_PORT(sk_ops) (__u16)((sk_ops)->remote_port)
-#else
 #define GET_SKOPS_REMOTE_PORT(sk_ops) (__u16)((sk_ops)->remote_port >> 16)
-#endif
-
-#define GET_SKOPS_LOCAL_PORT(sk_ops) (__u16)((sk_ops)->local_port)
+#define GET_SKOPS_LOCAL_PORT(sk_ops)  (__u16)((sk_ops)->local_port)
 
 #define MAX_BUF_LEN 100
 #define MAX_IP4_LEN 16

bpf/include/inner_map_defs.h

@@ -33,4 +33,4 @@ typedef enum { MAP_TYPE_64, MAP_TYPE_192, MAP_TYPE_296, MAP_TYPE_1600, MAP_TYPE_
 
 #define FLIP_BIT(bitmap, n) ((bitmap)[(n) / 8] ^= (1U << ((n) % 8)))
 
-#endif // __INNER_MAP_H__
+#endif // __INNER_MAP_H__

bpf/kmesh/ads/cgroup_sock.c

@@ -12,15 +12,17 @@
 #include "cluster.h"
 #include "bpf_common.h"
 
+#if ENHANCED_KERNEL
+#include "route_config.h"
+#endif
 #if KMESH_ENABLE_IPV4
 #if KMESH_ENABLE_HTTP
 
 static const char kmesh_module_name[] = "kmesh_defer";
-
 static inline int sock4_traffic_control(struct bpf_sock_addr *ctx)
 {
     int ret;
-
+    char kmesh_module_name_get[KMESH_MODULE_NAME_LEN] = "";
     Listener__Listener *listener = NULL;
 
     if (ctx->protocol != IPPROTO_TCP)
@@ -39,18 +41,18 @@ static inline int sock4_traffic_control(struct bpf_sock_addr *ctx)
     BPF_LOG(DEBUG, KMESH, "bpf find listener addr=[%s:%u]\n", ip2str(&ip, 1), bpf_ntohs(ctx->user_port));
 
 #if ENHANCED_KERNEL
-    // todo build when kernel support http parse and route
-    // defer conn
-    ret = bpf_setsockopt(ctx, IPPROTO_TCP, TCP_ULP, (void *)kmesh_module_name, sizeof(kmesh_module_name));
-    if (ret)
-        BPF_LOG(ERR, KMESH, "bpf set sockopt failed! ret:%d\n", ret);
-#else  // KMESH_ENABLE_HTTP
+    ret = bpf_km_getsockopt(ctx, IPPROTO_TCP, TCP_ULP, kmesh_module_name_get, KMESH_MODULE_NAME_LEN);
+    if (CHECK_MODULE_NAME_NULL(ret) || bpf__strncmp(kmesh_module_name_get, KMESH_MODULE_NAME_LEN, kmesh_module_name)) {
+        ret = bpf_km_setsockopt(ctx, IPPROTO_TCP, TCP_ULP, kmesh_module_name, sizeof(kmesh_module_name));
+        if (ret)
+            BPF_LOG(ERR, KMESH, "bpf set sockopt failed! ret %d\n", ret);
+        return 0;
+    }
+#endif
     ret = listener_manager(ctx, listener, NULL);
     if (ret != 0) {
         BPF_LOG(ERR, KMESH, "listener_manager failed, ret %d\n", ret);
-        return ret;
     }
-#endif // KMESH_ENABLE_HTTP
 
     return 0;
 }

bpf/kmesh/ads/include/circuit_breaker.h

@@ -4,6 +4,7 @@
 #include "bpf_log.h"
 #include "kmesh_common.h"
 #include "bpf_common.h"
+#include "cluster/cluster.pb-c.h"
 
 #ifndef __KMESH_CIRCUIT_BREAKER_H__
 #define __KMESH_CIRCUIT_BREAKER_H__

bpf/kmesh/ads/include/ctx/sock_ops.h

@@ -22,16 +22,6 @@ typedef struct bpf_sock_ops ctx_buff_t;
     name.ipv4 = (ctx)->remote_ip4;                                                                                     \
     name.port = (ctx)->remote_port
 
-#if OE_23_03
-#define SET_CTX_ADDRESS(ctx, address)                                                                                  \
-    (ctx)->remote_ip4 = (address)->ipv4;                                                                               \
-    (ctx)->remote_port = (address)->port
-
-#define MARK_REJECTED(ctx)                                                                                             \
-    BPF_LOG(DEBUG, KMESH, "mark reject\n");                                                                            \
-    (ctx)->remote_ip4 = 0;                                                                                             \
-    (ctx)->remote_port = 0
-#else
 #define SET_CTX_ADDRESS(ctx, address)                                                                                  \
     (ctx)->replylong[2] = (address)->ipv4;                                                                             \
     (ctx)->replylong[3] = (address)->port
@@ -40,6 +30,5 @@ typedef struct bpf_sock_ops ctx_buff_t;
     BPF_LOG(DEBUG, KMESH, "mark reject\n");                                                                            \
     (ctx)->replylong[2] = 0;                                                                                           \
     (ctx)->replylong[3] = 0
-#endif
 
 #endif //__BPF_CTX_SOCK_OPS_H

bpf/kmesh/ads/include/filter.h

@@ -128,10 +128,10 @@ int filter_manager(ctx_buff_t *ctx)
     kmesh_tail_delete_ctx(&ctx_key);
 
     switch (filter->config_type_case) {
-#ifndef CGROUP_SOCK_MANAGE
+#if ENHANCED_KERNEL
     case LISTENER__FILTER__CONFIG_TYPE_HTTP_CONNECTION_MANAGER:
         http_conn = KMESH_GET_PTR_VAL(filter->http_connection_manager, Filter__HttpConnectionManager);
-        ret = bpf_parse_header_msg(ctx_val->msg);
+        ret = bpf_parse_header_msg(ctx);
         if (GET_RET_PROTO_TYPE(ret) != PROTO_HTTP_1_1) {
             BPF_LOG(DEBUG, FILTER, "http filter manager,only support http1.1 this version");
             break;