Merge pull request #29 from perryan123/ipsec

nettrace commit: support ipsec analysis

Author: menglongdong

shared/bpf/skb_shared.h

@@ -40,6 +40,11 @@ typedef struct __attribute__((__packed__)) {
 		struct {
 			u16	op;
 		} arp_ext;
+		struct
+        	{
+                	u32 spi;
+                	u32 seq;
+        	} espheader;
 #define field_udp l4.udp
 	} l4;
 	u16 proto_l3;

shared/bpf/skb_utils.h

@@ -194,6 +194,12 @@ static try_inline bool ipv6_not_equel(u8 *src, u8 *target)
 #define ATTR_IPV6_CHECK()				\
 	(filter && ATTR_OPS(addr, ATTR_IPV6_OPS))
 
+struct ip_esp_hdr {
+	__be32 spi;
+	__be32 seq_no;		/* Sequence number */
+	__u8  enc_data[0];	/* Variable len but >=8. Mind the 64 bit alignment! */
+};
+
 static try_inline int probe_parse_ip(void *ip, parse_ctx_t *ctx)
 {
 	pkt_args_t *bpf_args = ctx->args;
@@ -285,6 +291,14 @@ static try_inline int probe_parse_ip(void *ip, parse_ctx_t *ctx)
 		pkt->l4.icmp.id = _(icmp->un.echo.id);
 		break;
 	}
+        case IPPROTO_ESP: {
+		struct ip_esp_hdr *esp_hdr = l4;
+		if (ATTR_ENABLE(port))
+			goto err;
+		pkt->l4.espheader.seq = _(esp_hdr->seq_no);
+		pkt->l4.espheader.spi = _(esp_hdr->spi);
+		break;
+	}
 	default:
 		if (ATTR_ENABLE(port))
 			goto err;

shared/pkt_utils.c

@@ -82,6 +82,7 @@ int ts_print_packet(char *buf, packet_t *pkt, char *minfo,
 			daddr, ntohs(pkt->l4.min.dport));
 		break;
 	case IPPROTO_ICMP:
+	case IPPROTO_ESP:
 		BUF_FMT("%s -> %s", saddr, daddr);
 		break;
 	default:
@@ -116,6 +117,9 @@ int ts_print_packet(char *buf, packet_t *pkt, char *minfo,
 		}
 		BUF_FMT("seq: %u", ntohs(pkt->l4.icmp.seq));
 		break;
+	case IPPROTO_ESP:
+		BUF_FMT(" spi:0x%x seq:0x%x", ntohl(pkt->l4.espheader.spi), ntohl(pkt->l4.espheader.seq));
+		break;
 	default:
 		break;
 	}

src/trace.yaml

@@ -229,6 +229,25 @@ children:
     - ip_finish_output_gso:2
     - ip_finish_output2:2
     - ip6_finish_output2:2
+    - xfrm4_output:2
+    - xfrm_output:1
+    - xfrm_output2:2
+    - xfrm_output_gso:2
+    - xfrm_output_resume:1
+    - xfrm4_transport_output:1
+    - xfrm4_prepare_output:1
+    - dst_output:2
+    - ah_output:1
+    - esp_output:1
+    - esp_output_tail:1
+    - xfrm4_rcv:0
+    - xfrm4_policy_check:2
+    - xfrm4_rcv:0
+    - xfrm_input:0
+    - ah_input:1
+    - esp_input:1
+    - xfrm4_transport_input:1
+    - xfrm4_rcv_encap_finish:2
   - name: ip-route
     desc: ip route for packet in and out
     visual: true