lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <1491444056-4312-3-git-send-email-chenbofeng.kernel@gmail.com>
Date:   Wed,  5 Apr 2017 19:00:56 -0700
From:   Chenbo Feng <chenbofeng.kernel@...il.com>
To:     netdev@...r.kernel.org
Cc:     Lorenzo Colitti <lorenzo@...gle.com>,
        Willem de Bruijn <willemb@...gle.com>,
        Chenbo Feng <fengc@...gle.com>
Subject: [PATCH net-next 2/2] Sample program using SO_COOKIE

From: Chenbo Feng <fengc@...gle.com>

Added a per socket traffic monitoring option to illustrate the usage
of new getsockopt SO_COOKIE. The program is based on the socket traffic
monitoring program using xt_eBPF and in the new option the data entry
can be directly accessed using socket cookie. The cookie retrieved
allow us to lookup an element in the eBPF for a specific socket.

Signed-off-by: Chenbo Feng <fengc@...gle.com>
---
 samples/bpf/cookie_uid_helper_example.c      | 146 +++++++++++++++++++++++----
 samples/bpf/run_cookie_uid_helper_example.sh |   4 +-
 2 files changed, 127 insertions(+), 23 deletions(-)
 mode change 100644 => 100755 samples/bpf/run_cookie_uid_helper_example.sh

diff --git a/samples/bpf/cookie_uid_helper_example.c b/samples/bpf/cookie_uid_helper_example.c
index f6e5e58..ad5afed 100644
--- a/samples/bpf/cookie_uid_helper_example.c
+++ b/samples/bpf/cookie_uid_helper_example.c
@@ -4,10 +4,11 @@
  * program into the xt_bpf match.
  *
  * TEST:
- * ./run_cookie_uid_helper_example.sh
- * Then generate some traffic in variate ways. ping 0 -c 10 would work
- * but the cookie and uid in this case could both be 0. A sample output
- * with some traffic generated by web browser is shown below:
+ * ./run_cookie_uid_helper_example.sh -option
+ * option:
+ *	-t: do traffic monitoring test, the program will continuously
+ * print out network traffic happens after program started A sample
+ * output is shown below:
  *
  * cookie: 877, uid: 0x3e8, Pakcet Count: 20, Bytes Count: 11058
  * cookie: 132, uid: 0x0, Pakcet Count: 2, Bytes Count: 286
@@ -18,6 +19,10 @@
  * cookie: 0, uid: 0x0, Pakcet Count: 6, Bytes Count: 712
  * cookie: 880, uid: 0xfffe, Pakcet Count: 1, Bytes Count: 70
  *
+ *	-s: do getsockopt SO_COOKIE test, the program will set up a pair of
+ * UDP sockets and send packets between them. And read out the traffic data
+ * directly from the ebpf map based on the socket cookie.
+ *
  * Clean up: if using shell script, the script file will delete the iptables
  * rule and unmount the bpf program when exit. Else the iptables rule need
  * to be deleted by hand, see run_cookie_uid_helper_example.sh for detail.
@@ -34,6 +39,8 @@
 #include <limits.h>
 #include <linux/bpf.h>
 #include <linux/if_ether.h>
+#include <net/if.h>
+#include <signal.h>
 #include <stdbool.h>
 #include <stdint.h>
 #include <stdio.h>
@@ -46,6 +53,8 @@
 #include <bpf/bpf.h>
 #include "libbpf.h"
 
+#define PORT 8888
+
 struct stats {
 	uint32_t uid;
 	uint64_t packets;
@@ -54,6 +63,8 @@ struct stats {
 
 static int map_fd, prog_fd;
 
+static bool test_finish;
+
 static void maps_create(void)
 {
 	map_fd = bpf_create_map(BPF_MAP_TYPE_HASH, sizeof(uint32_t),
@@ -164,7 +175,7 @@ static void prog_attach_iptables(char *file)
 		printf("file path too long: %s\n", file);
 		exit(1);
 	}
-	sprintf(rules, "iptables -A INPUT -m bpf --object-pinned %s -j ACCEPT",
+	sprintf(rules, "iptables -A OUTPUT -m bpf --object-pinned %s -j ACCEPT",
 		file);
 	ret = system(rules);
 	if (ret < 0) {
@@ -177,7 +188,8 @@ static void print_table(void)
 {
 	struct stats curEntry;
 	uint32_t curN = UINT32_MAX;
-	uint32_t nextN, res;
+	uint32_t nextN;
+	int res;
 
 	while (bpf_map_get_next_key(map_fd, &curN, &nextN) > -1) {
 		curN = nextN;
@@ -193,25 +205,117 @@ static void print_table(void)
 	}
 }
 
-int main(int argc, char *argv[])
+static void udp_client(void)
 {
-	if (argc > 2) {
-		printf("Too many argument provided\n");
-		return 1;
-	} else if (argc < 2) {
-		printf("Usage: %s bpfObjName\n", argv[0]);
-		return 1;
+	struct sockaddr_in si_other = {0};
+	struct sockaddr_in si_me = {0};
+	struct stats dataEntry;
+	int s_rcv, s_send, i, recv_len;
+	char message = 'a';
+	char buf;
+	uint64_t cookie;
+	int res;
+	socklen_t cookie_len = sizeof(cookie);
+	socklen_t slen = sizeof(si_other);
+
+	s_rcv = socket(PF_INET, SOCK_DGRAM, 0);
+	if (s_rcv < 0)
+		error(1, errno, "rcv socket creat failed!\n");
+	si_other.sin_family = AF_INET;
+	si_other.sin_port = htons(PORT);
+	if (inet_aton("127.0.0.1", &si_other.sin_addr) == 0)
+		error(1, errno, "inet_aton\n");
+	if (bind(s_rcv, (struct sockaddr *)&si_other, sizeof(si_other)) == -1)
+		error(1, errno, "bind\n");
+	s_send = socket(PF_INET, SOCK_DGRAM, 0);
+	if (s_send < 0)
+		error(1, errno, "send socket creat failed!\n");
+	res = getsockopt(s_send, SOL_SOCKET, SO_COOKIE, &cookie, &cookie_len);
+	if (res < 0)
+		printf("get cookie failed: %s\n", strerror(errno));
+	res = bpf_map_lookup_elem(map_fd, &cookie, &dataEntry);
+	if (res != -1)
+		error(1, errno, "socket stat found while flow not active\n");
+	for (i = 0; i < 10; i++) {
+		res = sendto(s_send, &message, sizeof(message), 0,
+			     (struct sockaddr *)&si_other, slen);
+		if (res == -1)
+			error(1, errno, "send\n");
+		if (res != sizeof(message))
+			error(1, 0, "%uB != %luB\n", res, sizeof(message));
+		recv_len = recvfrom(s_rcv, &buf, sizeof(buf), 0,
+			     (struct sockaddr *)&si_me, &slen);
+		if (recv_len < 0)
+			error(1, errno, "revieve\n");
+		res = memcmp(&(si_other.sin_addr), &(si_me.sin_addr),
+			   sizeof(si_me.sin_addr));
+		if (res != 0)
+			error(1, EFAULT, "sender addr error: %d\n", res);
+		printf("Message received: %c\n", buf);
+		res = bpf_map_lookup_elem(map_fd, &cookie, &dataEntry);
+		if (res < 0)
+			error(1, errno, "lookup sk stat failed, cookie: %lu\n",
+			      cookie);
+		printf("cookie: %lu, uid: 0x%x, Packet Count: %lu,"
+			" Bytes Count: %lu\n\n", cookie, dataEntry.uid,
+			dataEntry.packets, dataEntry.bytes);
 	}
+	close(s_send);
+	close(s_rcv);
+}
 
-	maps_create();
-	prog_load();
-	prog_attach_iptables(argv[1]);
+static int usage(void)
+{
+	printf("Usage: ./run_cookie_uid_helper_example.sh"
+		" bpfObjName -option\n"
+		"	-t	traffic monitor test\n"
+		"	-s	getsockopt cookie test\n");
+	return 1;
+}
 
-	while (true) {
-		print_table();
-		printf("\n");
-		sleep(1);
-	};
+void finish(int ret)
+{
+	test_finish = true;
+}
+
+int main(int argc, char *argv[])
+{
+	int opt;
+	bool cfg_test_traffic = false;
+	bool cfg_test_cookie = false;
+
+	if (argc != 3)
+		return usage();
+	while ((opt = getopt(argc, argv, "ts")) != -1) {
+		switch (opt) {
+		case 't':
+			cfg_test_traffic = true;
+			break;
+		case 's':
+			cfg_test_cookie = true;
+			break;
 
+		default:
+			printf("unknown option %c\n", opt);
+			usage();
+			return -1;
+		}
+	}
+	maps_create();
+	prog_load();
+	prog_attach_iptables(argv[2]);
+	if (cfg_test_traffic) {
+		if (signal(SIGINT, finish) == SIG_ERR)
+			error(1, errno, "register handler failed");
+		while (!test_finish) {
+			print_table();
+			printf("\n");
+			sleep(1);
+		};
+	} else if (cfg_test_cookie) {
+		udp_client();
+	}
+	close(prog_fd);
+	close(map_fd);
 	return 0;
 }
diff --git a/samples/bpf/run_cookie_uid_helper_example.sh b/samples/bpf/run_cookie_uid_helper_example.sh
old mode 100644
new mode 100755
index 40da8aa..f898cfa
--- a/samples/bpf/run_cookie_uid_helper_example.sh
+++ b/samples/bpf/run_cookie_uid_helper_example.sh
@@ -4,11 +4,11 @@ root_dir=$local_dir/../..
 mnt_dir=$(mktemp -d --tmp)
 
 on_exit() {
-	iptables -D INPUT -m bpf --object-pinned ${mnt_dir}/bpf_prog -j ACCEPT
+	iptables -D OUTPUT -m bpf --object-pinned ${mnt_dir}/bpf_prog -j ACCEPT
 	umount ${mnt_dir}
 	rm -r ${mnt_dir}
 }
 
 trap on_exit EXIT
 mount -t bpf bpf ${mnt_dir}
-./per_socket_stats_example ${mnt_dir}/bpf_prog
+./per_socket_stats_example ${mnt_dir}/bpf_prog $1
-- 
2.7.4

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ