compatibility for iptables from 5.4 to 6.0 kernel version

menglongdong · menglongdong · commit 111ab202bc58 · 2022-10-21T21:54:40.000+08:00
Signed-off-by: Menglong Dong &lt;imagedong@tencent.com&gt;
diff --git a/common.mk b/common.mk
@@ -92,12 +92,12 @@ progs/%.o: progs/%.c kheaders.h
 	@file $@ | grep debug_info > /dev/null || (rm $@ && exit 1)
 
 %.skel.h: %.o
-	$(BPFTOOL) gen skeleton $< > $@
+	$(BPFTOOL) gen skeleton $< $(SKEL_FLAGS) > $@
 
 $(bpf_progs): %: %.skel.h
-	@echo "bpf compile success"
+	@:
 
-bpf: $(bpf_progs)
+bpf: $(bpf_progs) $(bpf_progs_ext)
 
 $(progs): %: %.c bpf
 	@if [ -n "$(prog-$@)" ]; then				\
diff --git a/component/sys_utils.c b/component/sys_utils.c
@@ -12,6 +12,7 @@
 #include <string.h>
 #include <stdlib.h>
 #include <sys/resource.h>
+#include <sys/utsname.h>
 
 #include "sys_utils.h"
 
@@ -68,3 +69,14 @@ bool fsearch(FILE *f, char *target)
 	}
 	return false;
 }
+
+int kernel_version()
+{
+	int major, minor, patch;
+	struct utsname buf;
+
+	uname(&buf);
+	sscanf(buf.release, "%d.%d.%d", &major, &minor, &patch);
+
+	return kv_to_num(major, minor, patch);
+}
diff --git a/component/sys_utils.h b/component/sys_utils.h
@@ -13,10 +13,11 @@
 
 extern int log_level;
 
-int execf(char *output, char *fmt, ...);
-int exec(char *cmd, char *output);
-int liberate_l();
-bool fsearch(FILE *f, char *target);
+int	execf(char *output, char *fmt, ...);
+int	exec(char *cmd, char *output);
+int	liberate_l();
+bool	fsearch(FILE *f, char *target);
+int	kernel_version();
 
 static inline int simple_exec(char *cmd)
 {
@@ -28,6 +29,17 @@ static inline bool file_exist(char *path)
 	return access(path, F_OK) == 0;
 }
 
+static inline int kv_to_num(int major, int minor, int patch)
+{
+	return (major << 16) + (minor << 8) + patch;
+}
+
+/* compare current kernel version with the provided one */
+static inline int kv_compare(int major, int minor, int patch)
+{
+	return kernel_version() - kv_to_num(major, minor, patch);
+}
+
 #define pr_level(level, target, fmt, args...)	\
 do {						\
 	if (level <= log_level)			\
diff --git a/shared/bpf/skb_utils.h b/shared/bpf/skb_utils.h
@@ -34,11 +34,19 @@ struct {
 	bpf_probe_read_kernel(&tmp, sizeof(src), &(src));	\
 	tmp;							\
 })
+
 #undef _C
 #ifdef COMPAT_MODE
 #define _C(src, a)	_(src->a)
+#define _CF(src, a)	_(src->a)
+#else
+#define _C(src, a, ...)		BPF_CORE_READ(src, a, ##__VA_ARGS__)
+#endif
+
+#ifdef CORE_FULL
+#define _CT(src, a, ...)	BPF_CORE_READ(src, a, ##__VA_ARGS__)
 #else
-#define _C(src, a, ...)	BPF_CORE_READ(src, a, ##__VA_ARGS__)
+#define _CT(src, a, ...)	_(src->a)
 #endif
 
 #ifdef COMPAT_MODE
diff --git a/src/Makefile b/src/Makefile
@@ -1,5 +1,6 @@
 ROOT		?= $(abspath ../)
-bpf_progs	:= progs/kprobe progs/tracing
+bpf_progs	:= progs/tracing
+bpf_progs_ext	:= progs/kprobe
 progs		:= nettrace
 prog-nettrace-origin = \
 		trace.c $(COMMON_SHARED) trace_probe.c trace_tracing.c \
@@ -19,6 +20,7 @@ COMPAT ?= $(if $(KERNEL),$(shell cat $(HEADERS)/Makefile | grep \
 
 ifneq ($(strip $(COMPAT)),)
 	CFLAGS += -DCOMPAT_MODE
+	COMPAT_MODE := 1
 endif
 
 NFT_HEADER	:= $(HEADERS)/include/net/netfilter/nf_tables.h
@@ -34,6 +36,21 @@ trace_group.c: trace.yaml
 
 progs/kprobe.c: progs/kprobe_trace.h
 
+kprobe_gen_cmd = @make BPF_CFLAGS="$(BPF_CFLAGS) $(1)" \
+		SKEL_FLAGS="name $(2)" \
+		progs/kprobe.skel.h; \
+		mv progs/kprobe.skel.h progs/$(2).skel.h
+
+ifndef COMPAT_MODE
+$(bpf_progs_ext):
+	rm -rf progs/kprobe*.skel.h
+	$(call kprobe_gen_cmd,-DCORE_FULL,kprobe_core)
+	make progs/kprobe.skel.h
+else
+$(bpf_progs_ext): %: %.skel.h
+	@:
+endif
+
 nettrace.c: $(prog-nettrace-origin)
 
 all: $(progs)
diff --git a/src/progs/kprobe.c b/src/progs/kprobe.c
@@ -244,10 +244,10 @@ DEFINE_KPROBE(ipt_do_table, 1)
 	struct xt_table *table = (void *)PT_REGS_PARM3(ctx);
 	nf_event_t e = {
 		.event = { .func = func, },
-		.hook = _(state->hook),
+		.hook = _C(state, hook),
 	};
 
-	bpf_probe_read(e.table, sizeof(e.table) - 1, table->name);
+	bpf_probe_read(e.table, sizeof(e.table) - 1, _C(table, name));
 	return handle_entry(ctx, skb, &e.event, sizeof(e), func);
 }
 
@@ -265,8 +265,8 @@ DEFINE_KPROBE(nf_hook_slow, 1)
 	if (handle_entry(ctx, skb, &e.event, 0, func))
 		return 0;
 
-	e.hook = _(state->hook);
-	e.pf = _(state->pf);
+	e.hook = _C(state, hook);
+	e.pf = _C(state, pf);
 	EVENT_OUTPUT(ctx, e);
 	return 0;
 
@@ -277,8 +277,8 @@ on_hooks:;
 	if (handle_entry(ctx, skb, &hooks_event.event, 0, func))
 		return 0;
 
-	hooks_event.hook = _(state->hook);
-	hooks_event.pf = _(state->pf);
+	hooks_event.hook = _C(state, hook);
+	hooks_event.pf = _C(state, pf);
 	num = _(entries->num_hook_entries);
 
 #define COPY_HOOK(i) do {					\
@@ -318,18 +318,20 @@ DEFINE_KPROBE_RAW(nft_do_chain, NULL)
 	if (handle_entry(ctx, skb, &e.event, 0, func))
 		return 0;
 
-#ifndef NFT_HIGH_VERSION
-	state = _(pkt->xt.state);
-#else
-	state = _(pkt->state);
-#endif
-	chain = (void *)PT_REGS_PARM2(ctx);
-	table = _(chain->table);
-	e.hook = _(state->hook);
-	e.pf = _(state->pf);
+	if (ARGS_GET_CONFIG(nft_high))
+		state = _(((struct _nft_pktinfo_new *)pkt)->state);
+	else
+		state = _(((struct _nft_pktinfo *)pkt)->xt.state);
+
+	chain	= (void *)PT_REGS_PARM2(ctx);
+	table	= _CT(chain, table);
+	e.hook	= _C(state, hook);
+	e.pf	= _C(state, pf);
 
-	bpf_probe_read_kernel_str(e.chain, sizeof(e.chain), _(chain->name));
-	bpf_probe_read_kernel_str(e.table, sizeof(e.table), _(table->name));
+	bpf_probe_read_kernel_str(e.chain, sizeof(e.chain),
+				  _CT(chain, name));
+	bpf_probe_read_kernel_str(e.table, sizeof(e.table),
+				  _CT(table, name));
 
 	EVENT_OUTPUT(ctx, e);
 	return 0;
diff --git a/src/progs/shared.h b/src/progs/shared.h
@@ -9,7 +9,8 @@
 	bool drop_reason;	\
 	bool detail;		\
 	bool hooks;		\
-	bool ready;
+	bool ready;		\
+	bool nft_high;
 
 #include <skb_shared.h>
 
@@ -81,4 +82,22 @@ typedef enum trace_mode {
 #define TRACE_MODE_INETL_MASK		(1 << TRACE_MODE_INETL)
 #define TRACE_MODE_DROP_MASK		(1 << TRACE_MODE_DROP)
 
+struct _xt_action_param {
+	void *arg1;
+	void *arg2;
+	void *state;
+};
+
+struct _nft_pktinfo {
+	void			*skb;
+	bool			tprot_set;
+	u8			tprot;
+	struct _xt_action_param	xt;
+};
+
+struct _nft_pktinfo_new {
+	void	*skb;
+	void	*state;
+};
+
 #endif
diff --git a/src/trace.c b/src/trace.c
@@ -245,11 +245,9 @@ static int trace_prepare_args()
 		break;
 	case TRACE_MODE_BASIC:
 	case TRACE_MODE_DROP:
-		if (!trace_ctx.drop_reason) {
-			pr_err("skb drop reason is not support by your kernel"
-			       ", please upgrade your kernel to 5.18+\n");
-			goto err;
-		}
+		if (!trace_ctx.drop_reason)
+			pr_warn("skb drop reason is not support by your kernel"
+				", drop reason will not be printed\n");
 		break;
 	default:
 		goto err;
@@ -273,6 +271,9 @@ static int trace_prepare_args()
 
 	trace_ctx.bpf_args.trace_mode = 1 << trace_ctx.mode;
 	trace_ctx.detail = trace_ctx.bpf_args.detail;
+	/* from v5.14, the struct of nft_pktinfo changed */
+	trace_ctx.bpf_args.nft_high = kv_compare(5, 14, 0) >= 0;
+	pr_debug("nft high version: %d\n", trace_ctx.bpf_args.nft_high);
 
 	return 0;
 err:
diff --git a/src/trace_probe.c b/src/trace_probe.c
@@ -1,5 +1,8 @@
 #include "trace.h"
 #include "progs/kprobe.skel.h"
+#ifndef COMPAT_MODE
+#include "progs/kprobe_core.skel.h"
+#endif
 #include "analysis.h"
 #include "nettrace.h"
 #include "analysis.h"
@@ -94,22 +97,26 @@ static int probe_trace_load(trace_t *trace)
 	return -1;
 }
 
+#define LOAD_SKEL(name)					\
+	skel = (void *) name##__open();			\
+	if (skel && !name##__load((void *)skel))	\
+		goto load_success;			\
+	pr_debug("failed to load skel: " #name "\n")
+
 static struct kprobe *skel;
 static int probe_trace_open()
 {
 	int i = 0;
 
-	skel = kprobe__open();
-	if (!skel) {
-		pr_err("failed to open kprobe-based eBPF\n");
-		goto err;
-	}
+#ifndef COMPAT_MODE
+	LOAD_SKEL(kprobe_core);
+#endif
+	LOAD_SKEL(kprobe);
 
-	if (kprobe__load(skel)) {
-		pr_err("failed to load kprobe-based eBPF\n");
-		goto err;
-	}
+	pr_err("failed to load kprobe-based eBPF\n");
+	goto err;
 
+load_success:
 	bpf_set_config(skel, bss, trace_ctx.bpf_args);
 	trace_ctx.obj = skel->obj;
 
