packages/Kmesh
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!37 fix oncn-mda do not support ipv6

Browse Source 
From: @weli1 
Reviewed-by: @supercharge 
Signed-off-by: @supercharge
This commit is contained in:
openeuler-ci-bot 2025-03-21 09:33:13 +00:00 committed by Gitee
commit 24271e91a1
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
5 changed files with 881 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
Kmesh.spec
View File

@ -1,7 +1,7 @@
%global codepath kmesh
Name: Kmesh
Version: 0.4.1
Release: 2
Release: 3
Summary: %{name} is a eBPF-based service mesh kernel solution
License: ASL 2.0 and GPL-2.0
URL: https://github.com/kmesh-net
@ -22,6 +22,10 @@ Requires: libboundscheck
Patch0001: Downgrade-go-version-to-v1.21.4.patch
Patch0002: Remove-useless-tag-in-Makefile.patch
Patch0003: Support-uid-gid.patch
Patch0004: fix-oncn-mda-don-t-support-use-ipv6-family-in-sockop.patch
Patch0005: remove-libboundscheck-dependency.patch
Patch0006: The-FN-get_netns_cookie-in-the-6.x-kernel-is-changed.patch
Patch0007: add-sockmap-dump-function.patch
%description
%{name} is a eBPF-based service mesh kernel solution.
@ -121,6 +125,10 @@ rm -rf %{buildroot}
%attr(0500,root,root) /kmesh/start_kmesh.sh
%changelog
* Fri Mar 21 2025 weli-l<1289113577@qq.com> - 0.4.1-3
- 1. fix oncn-mda don't support ipv4 mapped ipv6
2. remove libboundscheck dependence
* Tue Dec 17 2024 weli-l<1289113577@qq.com> - 0.4.1-2
- modify ebpf prog permissions

32
The-FN-get_netns_cookie-in-the-6.x-kernel-is-changed.patch Normal file
View File

@ -0,0 +1,32 @@
From 411b0126f3693b53cc72bc01c0be919d24071fd1 Mon Sep 17 00:00:00 2001
From: bitcoffee <liuxin350@huawei.com>
Date: Sun, 15 Dec 2024 20:31:19 +0800
Subject: [PATCH] fix helper function in the 6.x kernel cannot be correctly
matched on the Kmesh macros env
The FN(get_netns_cookie) in the 6.x kernel is changed to
FN(get_netns_cookie, 212, ##ctx). Original logic cannot adapt to
the 6.x kernel. Modify kmesh_macros_env to adapt to the new kernel
logic.
Signed-off-by: bitcoffee <liuxin350@huawei.com>
---
kmesh_macros_env.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kmesh_macros_env.sh b/kmesh_macros_env.sh
index 01a6934..ddfdf13 100644
--- a/kmesh_macros_env.sh
+++ b/kmesh_macros_env.sh
@@ -8,7 +8,7 @@ function set_config() {
}
# MDA_LOOPBACK_ADDR
-if grep -q "FN(get_netns_cookie)" $KERNEL_HEADER_LINUX_BPF; then
+if grep -q "FN(get_netns_cookie" $KERNEL_HEADER_LINUX_BPF; then
set_config MDA_LOOPBACK_ADDR 1
else
set_config MDA_LOOPBACK_ADDR 0
--
2.33.0

545
add-sockmap-dump-function.patch Normal file
View File

@ -0,0 +1,545 @@
From 7a892ba8c584ab4535b2749611ef498f5289ce3e Mon Sep 17 00:00:00 2001
From: bitcoffee <liuxin350@huawei.com>
Date: Tue, 24 Dec 2024 22:54:46 +0800
Subject: [PATCH 1/4] add sockmap dump function
---
oncn-mda/cli_src/CMakeLists.txt | 3 +
oncn-mda/cli_src/func/dump.c | 214 ++++++++++++++++++++++++++++++
oncn-mda/cli_src/func/global.c | 2 +-
oncn-mda/cli_src/mdadump.c | 7 +
oncn-mda/ebpf_src/sock_redirect.c | 96 +++++++++++++-
oncn-mda/include/data.h | 3 +
oncn-mda/include/dump.h | 6 +
oncn-mda/include/macli.h | 12 ++
oncn-mda/include/writecap.h | 80 +++++++++++
9 files changed, 421 insertions(+), 2 deletions(-)
create mode 100644 oncn-mda/cli_src/func/dump.c
create mode 100644 oncn-mda/cli_src/mdadump.c
create mode 100644 oncn-mda/include/dump.h
create mode 100644 oncn-mda/include/writecap.h
diff --git a/oncn-mda/cli_src/CMakeLists.txt b/oncn-mda/cli_src/CMakeLists.txt
index 5bf849f..7c710b3 100644
--- a/oncn-mda/cli_src/CMakeLists.txt
+++ b/oncn-mda/cli_src/CMakeLists.txt
@@ -16,4 +16,7 @@ endif($ENV{HS_COVERAGE_ENABLE})
add_executable(mdacore mdacore.c ${SRC_LIST})
target_link_libraries(mdacore -lbpf -lelf -lz -lm)
+add_executable(mdadump mdadump.c ${SRC_LIST})
+target_link_libraries(mdadump -lbpf -lelf -lz -lm)
+
MESSAGE("======================Leave cli folder=======================")
diff --git a/oncn-mda/cli_src/func/dump.c b/oncn-mda/cli_src/func/dump.c
new file mode 100644
index 0000000..72a4916
--- /dev/null
+++ b/oncn-mda/cli_src/func/dump.c
@@ -0,0 +1,214 @@
+// SPDX-License-Identifier: (GPL-2.0-only OR BSD-2-Clause)
+/* Copyright Authors of Kmesh */
+
+#include <signal.h>
+#include "macli.h"
+#include "writecap.h"
+volatile sig_atomic_t g_keep_running = TRUE;
+
+static void init_filter_rule(struct sock_param *input)
+{
+ (void)memset(input, 0x0, sizeof(struct sock_param));
+}
+
+void dump_usage(void)
+{
+ printf("Usage: dump {OPTIONS}\n");
+ printf(" OPTIONS: -i|--ip: filter ip,eg:1.1.1.1/24\n");
+ printf(" OPTIONS: -p|--ports: filter ports,eg:15001~15006\n");
+ printf(" OPTIONS: -w|--write: output file\n");
+}
+
+static const struct option g_dump_optionsp[] = {
+ {"ip", required_argument, NULL, 'i'},
+ {"ports", required_argument, NULL, 'p'},
+ {"writes", required_argument, NULL, 'w'},
+ {NULL}
+};
+
+int get_input_dump_ip(const char* src, struct sock_param* filter_rules)
+{
+ if (filter_rules->dump_params.current_cidr_num >= MAX_PARAM_LENGTH) {
+ printf("over the max cidrs set num, max is %d\n", MAX_PARAM_LENGTH);
+ return FAILED;
+ }
+ char tmp_arg[MAX_CIDR_LENGTH] = {0};
+ (void)strncpy(tmp_arg, src, MAX_IP_LENGTH);
+ (void)strncat(tmp_arg, "/32", sizeof(tmp_arg) - strlen(tmp_arg));
+ __u32 ip;
+ __u32 mask;
+ if (check_cidr(tmp_arg, &ip, &mask) != SUCCESS)
+ return FAILED;
+ int current_param_num = filter_rules->dump_params.current_cidr_num++;
+ filter_rules->dump_params.dump_cidr[current_param_num].ip4 = ip;
+ filter_rules->dump_params.dump_cidr[current_param_num].mask = mask;
+ return SUCCESS;
+}
+
+int get_input_dump_port(const char* src, struct sock_param *filter_rules)
+{
+ if (strlen(src) > MAX_PORT_RANGE_LENGTH - 1) {
+ printf("input ports is too long! your input: %s\n", src);
+ return FAILED;
+ }
+ if (filter_rules->dump_params.current_port_num >= MAX_PARAM_LENGTH) {
+ printf("over the max ports set num, max is %d\n", MAX_PARAM_LENGTH);
+ return FAILED;
+ }
+ __u32 begin_port;
+ __u32 end_port;
+ if (check_port(src, &begin_port, &end_port) != SUCCESS) {
+ return FAILED;
+ }
+ int current_param_num = filter_rules->dump_params.current_port_num++;
+ filter_rules->dump_params.dump_port[current_param_num].begin_port = begin_port;
+ filter_rules->dump_params.dump_port[current_param_num].end_port = end_port;
+ return SUCCESS;
+}
+
+int dump_get_opt(int argc, char **argv, struct sock_param *input_dump_filter_rules, char *output_file)
+{
+ int opt;
+ optind = 1;
+ while ((opt = getopt_long(argc, argv, "i:p:w:", g_dump_optionsp, NULL)) >= 0) {
+ switch (opt) {
+ case 'i':
+ if (get_input_dump_ip(optarg, input_dump_filter_rules) != SUCCESS)
+ return FAILED;
+ break;
+ case 'p':
+ if (get_input_dump_port(optarg, input_dump_filter_rules) != SUCCESS)
+ return FAILED;
+ break;
+ case 'w': {
+ char dirBuff[PATH_MAX] = {0};
+ (void)strncpy(dirBuff, optarg, PATH_MAX - 1);
+ char *baseName = basename(optarg);
+ char *tmpPath = dirname(dirBuff);
+
+ if (realpath(tmpPath, output_file) == NULL) {
+ printf("input file path %s error! errno:%d\n", tmpPath, errno);
+ return FAILED;
+ }
+ (void)strncat(output_file, "/", PATH_MAX - strlen(output_file) - 1);
+ (void)strncat(output_file, baseName, PATH_MAX - strlen(output_file) - 1);
+ break;
+ }
+ case '?':
+ default:
+ dump_usage();
+ return FAILED;
+ }
+ }
+ if (optind != argc) {
+ printf("unknown param!\n");
+ dump_usage();
+ return FAILED;
+ }
+ return SUCCESS;
+}
+
+
+void sig_handler(int sig)
+{
+ if (sig == SIGINT) {
+ g_keep_running = FALSE;
+ }
+}
+
+int update_dump_param(struct mesh_map_info *param_map_info, struct sock_param *param_list)
+{
+ int key = 0;
+ if (bpf_map_update_elem(param_map_info->fd, &key, param_list, BPF_EXIST)) {
+ printf("update key ip failed! errno:%d\n", errno);
+ return FAILED;
+ }
+ return SUCCESS;
+}
+
+int init_dump(struct sock_param *param_list, struct mesh_map_info *dump_map_info, struct mesh_map_info *param_map_info)
+{
+ init_filter_rule(param_list);
+ init_mesh_map(dump_map_info, pinmap_file_path[MESH_MAP_OPS_DUMP_I_MAP],
+ to_str(SOCK_DUMP_MAP_I_NAME), NULL);
+ init_mesh_map(param_map_info, pinmap_file_path[MESH_MAP_OPS_PARAM_MAP],
+ to_str(SOCK_PARAM_MAP_NAME), NULL);
+
+ if (dump_map_info->fd < 0 || param_map_info->fd < 0) {
+ printf("can not found the pin file %s, %s, is the serviceMesh on?\n",
+ dump_map_info->pin_file_path, param_map_info->pin_file_path);
+ return FAILED;
+ }
+
+ if (get_map_filter_rule(param_map_info, param_list) != SUCCESS)
+ return FAILED;
+ return SUCCESS;
+}
+
+void get_next_dump_data(int output_file, struct mesh_map_info *dump_map_info)
+{
+ struct dump_data dump_datas = {0};
+ if (bpf_map_lookup_and_delete_elem(dump_map_info->fd, NULL, &dump_datas) == 0) {
+ write_console(&dump_datas);
+ } else if (errno == ENOENT)
+ return;
+ else {
+ printf("get next dump message failed, errno:%d\n", errno);
+ g_keep_running = FALSE;
+ }
+}
+
+void close_dump_fd(struct mesh_map_info *dump_map_info, struct mesh_map_info *param_map_info)
+{
+ if (dump_map_info->fd > 0)
+ close((*dump_map_info).fd);
+ if (param_map_info->fd > 0)
+ close((*param_map_info).fd);
+}
+
+int do_dump(int argc, char **argv)
+{
+ int ret = FAILED;
+ g_keep_running = TRUE;
+ char output_file_name[PATH_MAX] = {0};
+ int output_file = FALSE;
+ if (signal(SIGINT, sig_handler) == SIG_ERR) {
+ printf("create the signal failed!\n");
+ return ERROR;
+ }
+
+ struct sock_param param_list;
+ struct mesh_map_info dump_map_info;
+ struct mesh_map_info param_map_info;
+ if (init_dump(&param_list, &dump_map_info, &param_map_info) != SUCCESS)
+ goto err;
+
+ if (dump_get_opt(argc, argv, &param_list, output_file_name) != SUCCESS)
+ goto err;
+
+ if (strcmp(output_file_name, "") != 0) {
+ printf("can not open the cap file\n");
+ goto err;
+ }
+
+ param_list.dump_params.switch_on = TRUE;
+ if (update_dump_param(&param_map_info, &param_list) != SUCCESS) {
+ printf("start dump failed!\n");
+ goto err;
+ }
+
+ while(g_keep_running == TRUE)
+ get_next_dump_data(output_file, &dump_map_info);
+
+ param_list.dump_params.switch_on = FALSE;
+ param_list.dump_params.current_cidr_num = 0;
+ param_list.dump_params.current_port_num = 0;
+ if (update_dump_param(&param_map_info, &param_list)) {
+ printf("stop dump failed!\n");
+ goto err;
+ }
+ ret = SUCCESS;
+err:
+ close_dump_fd(&dump_map_info, &param_map_info);
+ return ret;
+}
\ No newline at end of file
diff --git a/oncn-mda/cli_src/func/global.c b/oncn-mda/cli_src/func/global.c
index fc0a2b7..949a00d 100644
--- a/oncn-mda/cli_src/func/global.c
+++ b/oncn-mda/cli_src/func/global.c
@@ -177,7 +177,7 @@ static int get_map_fd(const char *const map_name, int *const fd)
return SUCCESS;
}
-static int init_mesh_map(
+int init_mesh_map(
struct mesh_map_info *const fds_map,
const char *const pin_file_path,
const char *const map_name,
diff --git a/oncn-mda/cli_src/mdadump.c b/oncn-mda/cli_src/mdadump.c
new file mode 100644
index 0000000..0b27bf6
--- /dev/null
+++ b/oncn-mda/cli_src/mdadump.c
@@ -0,0 +1,7 @@
+#include <stdio.h>
+#include "dump.h"
+
+int main(int argc, char *argv[])
+{
+ return do_dump(argc, argv);
+}
diff --git a/oncn-mda/ebpf_src/sock_redirect.c b/oncn-mda/ebpf_src/sock_redirect.c
index 456afeb..78af95e 100644
--- a/oncn-mda/ebpf_src/sock_redirect.c
+++ b/oncn-mda/ebpf_src/sock_redirect.c
@@ -3,6 +3,100 @@
#include "mesh_accelerate.h"
+static int filter_dump_ip(const struct sk_msg_md *const msg, const struct sock_param *const param)
+{
+ if (param->dump_params.current_cidr_num == 0)
+ return FILTER_PASS;
+
+ bpf_log(DEBUG, "filter param:sip:%u, dip:%u\n", msg->local_ip4, msg->remote_ip4);
+ __u32 local_ip4 = bpf_ntohl(msg->local_ip4);
+ __u32 remote_ip4 = bpf_ntohl(msg->remote_ip4);
+
+ for (int i = 0; i < MAX_PARAM_LENGTH; ++i) {
+ if (i >= param->dump_params.current_cidr_num)
+ break;
+ if (param->dump_params.dump_cidr[i].ip4 == local_ip4 ||
+ param->dump_params.dump_cidr[i].ip4 == remote_ip4)
+ return FILTER_PASS;
+ }
+ return FILTER_RETURN;
+}
+
+static int adj_filter_dump_port(const struct port_range *const param, __u32 msg_sport, __u32 msg_dport)
+{
+ __u32 begin_port = param->begin_port;
+ __u32 end_port = param->end_port;
+ bpf_log(DEBUG, "filter param need:begin ports: %u, end ports:%u\n", begin_port, end_port);
+ if ((msg_sport >= begin_port && msg_sport <= end_port) ||
+ (msg_dport >= begin_port && msg_dport <= end_port))
+ return FILTER_PASS;
+ return FILTER_RETURN;
+}
+
+static int filter_dump_port(const struct sk_msg_md *const msg, const struct sock_param *const param)
+{
+ if (param->dump_params.current_port_num == 0)
+ return FILTER_PASS;
+
+ __u32 msg_sport = msg->local_port;
+ __u32 msg_dport = bpf_ntohl(msg->remote_port);
+
+ for (int i = 0; i < MAX_PARAM_LENGTH; ++i) {
+ if (i >= param->dump_params.current_port_num)
+ break;
+ if (adj_filter_dump_port(&(param->dump_params.dump_port[i]), msg_sport, msg_dport) == FILTER_PASS)
+ return FILTER_PASS;
+ }
+ return FILTER_RETURN;
+}
+
+static void get_dump_data(const struct sk_msg_md *const msg, struct dump_data *const data)
+{
+ __u64 current_timestamp = bpf_ktime_get_ns();
+ data->timestamp = current_timestamp;
+ data->sip = msg->local_ip4;
+ data->sport = (bpf_htonl(msg->local_port) >> FORMAT_IP_LENGTH);
+ data->dip = msg->remote_ip4;
+ data->dport = (force_read(msg->remote_port) >> FORMAT_IP_LENGTH);
+ data->data_length = msg->size;
+ bpf_probe_read_kernel(data->data, 4096, (void *)(long)msg->data);
+}
+
+static void dump_msg(const struct sk_msg_md *const msg)
+{
+ bpf_log(DEBUG, "begin dump\n");
+ int index = 0;
+ struct sock_param *param = bpf_map_lookup_elem(&SOCK_PARAM_MAP_NAME, &index);
+ if (param == NULL)
+ return;
+
+ if (param->dump_params.switch_on == FALSE)
+ return;
+
+ bpf_log(DEBUG, "dump");
+
+ if (filter_dump_ip(msg, param) != FILTER_PASS) {
+ bpf_log(DEBUG, "ip:%u, ports:%u filtered by ip\n", msg->local_ip4, msg->local_port);
+ return;
+ }
+
+ if (filter_dump_port(msg, param) != FILTER_PASS) {
+ bpf_log(DEBUG, "ip:%u, ports:%u filtered by port\n", msg->local_ip4, msg->local_port);
+ return;
+ }
+
+ struct dump_data *data = NULL;
+ data = bpf_map_lookup_elem(&SOCK_DUMP_CPU_ARRAY_NAME, &index);
+ if (data == NULL)
+ return;
+
+ get_dump_data(msg, data);
+
+ if (bpf_map_push_elem(&SOCK_DUMP_MAP_I_NAME, data, BPF_EXIST))
+ bpf_log(ERROR, "push the element failed!\n");
+ bpf_log(DEBUG, "dump success\n");
+}
+
SEC("sk_msg")
int SOCK_REDIRECT_NAME(struct sk_msg_md *const msg)
{
@@ -23,7 +117,7 @@ int SOCK_REDIRECT_NAME(struct sk_msg_md *const msg)
ret = bpf_msg_redirect_hash(msg, &SOCK_OPS_MAP_NAME, redir_key, BPF_F_INGRESS);
if (ret != SK_DROP) {
bpf_log(DEBUG, "redirect the sk success\n");
-
+ dump_msg(msg);
} else {
// If you connect to the peer machine, you do end up in this branch
bpf_log(INFO, "no such socket, may be peer socket on another machine\n");
diff --git a/oncn-mda/include/data.h b/oncn-mda/include/data.h
index 951a3ab..7098ef5 100644
--- a/oncn-mda/include/data.h
+++ b/oncn-mda/include/data.h
@@ -15,6 +15,8 @@
#define SK_BPF_GID_UID 18000
#define BPF_SO_ORIGINAL_DST 800
+#define MAX_DUMP_DATA_LENGTH 4096
+
#define SUCCESS 0
#define FAILED 1
@@ -139,6 +141,7 @@ struct dump_data {
__u32 dip;
__u32 dport;
__u32 data_length;
+ __u8 data[MAX_DUMP_DATA_LENGTH];
};
#pragma pack()
diff --git a/oncn-mda/include/dump.h b/oncn-mda/include/dump.h
new file mode 100644
index 0000000..b76f474
--- /dev/null
+++ b/oncn-mda/include/dump.h
@@ -0,0 +1,6 @@
+#ifndef __DUMP_H__
+#define __DUMP_H__
+
+int do_dump(int argc, char *argv[]);
+
+#endif
\ No newline at end of file
diff --git a/oncn-mda/include/macli.h b/oncn-mda/include/macli.h
index 1db7e7a..cd0dcd7 100644
--- a/oncn-mda/include/macli.h
+++ b/oncn-mda/include/macli.h
@@ -101,6 +101,9 @@ struct mesh_service_info {
struct mesh_prog_info prog_fds[MESH_PROG_NUM];
};
+extern const char pinmap_file_path[][PATH_MAX];
+extern const char pinprog_file_path[][PATH_MAX];
+
// global.c
int check_cidr(const char *const src, __u32 *const ip, __u32 *const mask);
int check_port(const char *const src, __u32 *const begin_port, __u32 *const end_port);
@@ -120,4 +123,13 @@ void close_fds(int cgroup_fd, const struct mesh_service_info *const fds);
// chain.c
int do_chain(int argc, char *const *argv, struct sock_param *const filter_rules);
+int init_mesh_map(
+ struct mesh_map_info *const fds_map,
+ const char *const pin_file_path,
+ const char *const map_name,
+#if LIBBPF_HIGHER_0_6_0_VERSION
+ struct create_map_attr *const map_attr);
+#else
+ struct bpf_create_map_attr *const map_attr);
+#endif
#endif
diff --git a/oncn-mda/include/writecap.h b/oncn-mda/include/writecap.h
new file mode 100644
index 0000000..2aabc82
--- /dev/null
+++ b/oncn-mda/include/writecap.h
@@ -0,0 +1,80 @@
+/* SPDX-License-Identifier: (GPL-2.0-only OR BSD-2-Clause) */
+/* Copyright Authors of Kmesh */
+
+#include "data.h"
+#include <linux/ip.h>
+#include <linux/tcp.h>
+#include <libgen.h>
+
+#include <securec.h>
+#include <arpa/inet.h>
+#include <sys/sysinfo.h>
+#include <stdio.h>
+#include <time.h>
+
+#define MAC_LENGTH 6
+#define MAX_IP_PORT_LENGTH 32
+#define MAX_IP_LENGTH 16
+const int NANO_2_SECOND_RATE = 1000000000;
+
+int get_sys_time(__u64 ktime, time_t *dataTime)
+{
+ struct sysinfo info;
+ time_t boot_time;
+ if (sysinfo(&info)) {
+ return FAILED;
+ }
+ time_t cur_time = time(NULL);
+ if (cur_time > info.uptime)
+ boot_time = cur_time - info.uptime;
+ else
+ boot_time = info.uptime - cur_time;
+ *dataTime = boot_time + ktime / NANO_2_SECOND_RATE;
+ return SUCCESS;
+}
+
+int format_ip(__u32 ip4, char *ip, int ipSize)
+{
+ struct in_addr src;
+ src.s_addr = ip4;
+ if (inet_ntop(AF_INET, &src, ip, ipSize) == NULL) {
+ printf("can not convert the ip:%d\n", ip4);
+ return FAILED;
+ }
+ return SUCCESS;
+}
+
+int format_ip_port(__u32 ip4, __u32 port, char *ip, int ipSize)
+{
+ char tmp_ip[MAX_IP_LENGTH] = {0};
+
+ if (format_ip(ip4, tmp_ip, MAX_IP_LENGTH) != SUCCESS)
+ return FAILED;
+ (void)snprintf(ip, ipSize - 1, "%s:%u", tmp_ip, port);
+ return SUCCESS;
+}
+
+void write_console(const struct dump_data *data)
+{
+ time_t print_time;
+
+ char srcIP[MAX_IP_PORT_LENGTH] = {0};
+ char dstIP[MAX_IP_PORT_LENGTH] = {0};
+ format_ip_port(data->sip, ntohl(data->sport << 16), srcIP, sizeof(srcIP));
+ format_ip_port(data->dip, ntohl(data->dport << 16), dstIP, sizeof(dstIP));
+ if (get_sys_time(data->timestamp, &print_time) == FAILED)
+ printf("[%llu],ip:%s > %s\n", data->timestamp, srcIP, dstIP);
+ else {
+ struct tm print_tm;
+ localtime_r(&print_time, &print_tm);
+ printf("[%d-%d-%d %d:%d:%d],ip:%s > %s, data length:%d\n",
+ print_tm.tm_year + 1900, print_tm.tm_mon + 1, print_tm.tm_mday,
+ print_tm.tm_hour, print_tm.tm_min, print_tm.tm_sec,
+ srcIP, dstIP, data->data_length);
+ int print_length = data->data_length <= MAX_DUMP_DATA_LENGTH ? data->data_length : MAX_DUMP_DATA_LENGTH;
+ for (int i = 0; i < print_length; i++) {
+ printf("%c", data->data[i]);
+ }
+ printf("\n");
+ }
+}
--
2.33.0

26
fix-oncn-mda-don-t-support-use-ipv6-family-in-sockop.patch Normal file
View File

@ -0,0 +1,26 @@
From 3ec7e0af60ea52a1db143a5cb001c0cf171da064 Mon Sep 17 00:00:00 2001
From: bitcoffee <liuxin350@huawei.com>
Date: Thu, 12 Dec 2024 19:13:53 +0800
Subject: [PATCH] fix oncn-mda don't support use ipv6 family in sockops
Signed-off-by: bitcoffee <liuxin350@huawei.com>
---
oncn-mda/ebpf_src/sock_ops.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/oncn-mda/ebpf_src/sock_ops.c b/oncn-mda/ebpf_src/sock_ops.c
index f5ab001..92840cc 100644
--- a/oncn-mda/ebpf_src/sock_ops.c
+++ b/oncn-mda/ebpf_src/sock_ops.c
@@ -397,7 +397,7 @@ static void clean_ops_map(struct bpf_sock_ops *const skops)
SEC("sockops")
int SOCK_OPS_NAME(struct bpf_sock_ops *const skops)
{
- if (skops->family != AF_INET)
+ if ((skops->family != AF_INET) && (skops->family != AF_INET6))
return 0;
switch (skops->op) {
--
2.33.0

269
remove-libboundscheck-dependency.patch Normal file
View File

@ -0,0 +1,269 @@
From 66c6cd8aa818fc1b31f0d646817b7577c11396fc Mon Sep 17 00:00:00 2001
From: bitcoffee <liuxin350@huawei.com>
Date: Thu, 12 Dec 2024 19:41:12 +0800
Subject: [PATCH] remove libboundscheck dependency
Signed-off-by: bitcoffee <liuxin350@huawei.com>
---
oncn-mda/cli_src/CMakeLists.txt | 2 +-
oncn-mda/cli_src/func/chain.c | 23 ++++----------
oncn-mda/cli_src/func/global.c | 53 +++++++++------------------------
oncn-mda/cli_src/func/log.c | 2 +-
oncn-mda/cli_src/func/switch.c | 16 ++++------
oncn-mda/include/log.h | 1 -
oncn-mda/include/macli.h | 1 -
7 files changed, 28 insertions(+), 70 deletions(-)
diff --git a/oncn-mda/cli_src/CMakeLists.txt b/oncn-mda/cli_src/CMakeLists.txt
index 471da73..5bf849f 100644
--- a/oncn-mda/cli_src/CMakeLists.txt
+++ b/oncn-mda/cli_src/CMakeLists.txt
@@ -14,6 +14,6 @@ if($ENV{HS_COVERAGE_ENABLE})
endif($ENV{HS_COVERAGE_ENABLE})
add_executable(mdacore mdacore.c ${SRC_LIST})
-target_link_libraries(mdacore -lbpf -lboundscheck -lelf -lz -lm)
+target_link_libraries(mdacore -lbpf -lelf -lz -lm)
MESSAGE("======================Leave cli folder=======================")
diff --git a/oncn-mda/cli_src/func/chain.c b/oncn-mda/cli_src/func/chain.c
index 3890606..4cf2988 100644
--- a/oncn-mda/cli_src/func/chain.c
+++ b/oncn-mda/cli_src/func/chain.c
@@ -32,14 +32,9 @@ static int get_input_ip(const char *const src, struct input_filter_rule *const i
macli_log(ERR, "over the max cidrs set num, max is %d\n", MAX_PARAM_LENGTH);
return FAILED;
}
- int ret = strcpy_s(input_filter_rules->input_ip[(input_filter_rules->input_ip_num)++], MAX_CIDR_LENGTH, src);
- if (ret == ERANGE_AND_RESET) {
- macli_log(ERR, "input cidr string too long!\n");
- return FAILED;
- } else if (ret != EOK) {
- macli_log(ERR, "get filter rules failed! errno:%d\n", ret);
- return FAILED;
- }
+ (void)memset(input_filter_rules->input_ip[(input_filter_rules->input_ip_num)], 0x0, MAX_CIDR_LENGTH);
+ (void)strncpy(input_filter_rules->input_ip[(input_filter_rules->input_ip_num)++], src, MAX_CIDR_LENGTH - 1);
+
return SUCCESS;
}
@@ -49,15 +44,9 @@ static int get_input_port(const char *const src, struct input_filter_rule *const
macli_log(ERR, "over the max ports set num, max is %d\n", MAX_PARAM_LENGTH);
return FAILED;
}
- int ret =
- strcpy_s(input_filter_rules->input_port[(input_filter_rules->input_port_num)++], MAX_PORT_RANGE_LENGTH, src);
- if (ret == ERANGE_AND_RESET) {
- macli_log(ERR, "input port string is too long!\n");
- return FAILED;
- } else if (ret != EOK) {
- macli_log(ERR, "get filter rules failed! errno:%d\n", ret);
- return FAILED;
- }
+ (void)memset(input_filter_rules->input_port[(input_filter_rules->input_port_num)], 0x0, MAX_PORT_RANGE_LENGTH);
+ (void)strncpy(input_filter_rules->input_port[(input_filter_rules->input_port_num)++], src, MAX_PORT_RANGE_LENGTH - 1);
+
return SUCCESS;
}
diff --git a/oncn-mda/cli_src/func/global.c b/oncn-mda/cli_src/func/global.c
index 2579078..a0f17ab 100644
--- a/oncn-mda/cli_src/func/global.c
+++ b/oncn-mda/cli_src/func/global.c
@@ -113,10 +113,8 @@ static int get_prog_fd(const char *const prog_name, int *const fd)
__u32 obj_id = 0;
__u32 info_length = sizeof(struct bpf_prog_info);
while (true) {
- if (memset_s(&prog_info, info_length, 0x0, info_length) != EOK) {
- macli_log(ERR, "system memset failed!\n");
- return FAILED;
- }
+ (void)memset(&prog_info, 0x0, info_length);
+
if (bpf_prog_get_next_id(obj_id, &obj_id)) {
if (errno == ENOENT)
break;
@@ -151,10 +149,7 @@ static int get_map_fd(const char *const map_name, int *const fd)
__u32 obj_id = 0;
__u32 info_length = sizeof(struct bpf_map_info);
while (true) {
- if (memset_s(&map_info, info_length, 0x0, info_length) != EOK) {
- macli_log(ERR, "system memset failed!\n");
- return FAILED;
- }
+ (void)memset(&map_info, 0x0, info_length);
if (bpf_map_get_next_id(obj_id, &obj_id)) {
if (errno == ENOENT)
break;
@@ -192,13 +187,10 @@ static int init_mesh_map(
struct bpf_create_map_attr *const map_attr)
#endif
{
- int ret = EOK;
- ret += strcpy_s(fds_map->name, BPF_OBJ_NAME_LEN, map_name);
- ret += strcpy_s(fds_map->pin_file_path, PATH_MAX, pin_file_path);
- if (ret != EOK) {
- macli_log(ERR, "system copy string failed!");
- return FAILED;
- }
+ (void)memset(fds_map->name, 0x0, BPF_OBJ_NAME_LEN);
+ (void)strncpy(fds_map->name, map_name, BPF_OBJ_NAME_LEN - 1);
+ (void)memset(fds_map->pin_file_path, 0x0, PATH_MAX);
+ (void)strncpy(fds_map->pin_file_path, pin_file_path, PATH_MAX - 1);
if (get_map_fd(fds_map->name, &(fds_map->fd)) != SUCCESS)
return FAILED;
fds_map->xattr = map_attr;
@@ -212,12 +204,8 @@ static int init_mesh_prog(
enum bpf_attach_type attach_type,
int attach_fd)
{
- int ret = EOK;
- ret = strcpy_s(fds_prog->name, BPF_OBJ_NAME_LEN, prog_name);
- if (ret != EOK) {
- macli_log(ERR, "system copy string failed!");
- return FAILED;
- }
+ (void)memset(fds_prog->name, 0x0, BPF_OBJ_NAME_LEN);
+ (void)strncpy(fds_prog->name, prog_name, BPF_OBJ_NAME_LEN - 1);
if (get_prog_fd(fds_prog->name, &(fds_prog->fd)) != SUCCESS)
return FAILED;
fds_prog->attach_type = attach_type;
@@ -228,13 +216,8 @@ static int init_mesh_prog(
static int init_mesh_prog_pin_file(struct mesh_prog_info *const fds_prog, const char *const pin_file_path)
{
- int ret = EOK;
- ret = strcpy_s(fds_prog->pin_file_path, PATH_MAX, pin_file_path);
- if (ret != EOK) {
- macli_log(ERR, "system copy string failed!");
- return FAILED;
- }
-
+ (void)memset(fds_prog->pin_file_path, 0x0, PATH_MAX);
+ (void)strncpy(fds_prog->pin_file_path, pin_file_path, PATH_MAX - 1);
return SUCCESS;
}
@@ -318,7 +301,7 @@ int get_u32_num(const char *const src, __u32 *const ret)
const int convert_base = 10;
char tmp_buff[TMP_BUF_SIZE] = {0};
unsigned long tmp = strtoul(src, NULL, convert_base);
- if (sprintf_s(tmp_buff, sizeof(tmp_buff), "%lu", tmp) < 0) {
+ if (snprintf(tmp_buff, sizeof(tmp_buff), "%lu", tmp) < 0) {
macli_log(ERR, "system sprintf string failed!\n");
return FAILED;
}
@@ -332,12 +315,8 @@ int get_u32_num(const char *const src, __u32 *const ret)
int check_cidr(const char *const src, __u32 *const ip, __u32 *const mask)
{
- int ret = EOK;
char tmp_buff[MAX_CIDR_LENGTH] = {0};
- if ((ret = strcpy_s(tmp_buff, sizeof(tmp_buff), src)) != EOK) {
- macli_log(ERR, "system copy string failed! errno:%d\n", ret);
- return FAILED;
- }
+ (void)strncpy(tmp_buff, src, sizeof(tmp_buff) - 1);
char *ip_part = tmp_buff;
char *p = strrchr(tmp_buff, '/');
if (p == NULL)
@@ -358,12 +337,8 @@ int check_cidr(const char *const src, __u32 *const ip, __u32 *const mask)
int check_port(const char *const src, __u32 *const begin_port, __u32 *const end_port)
{
- int ret = EOK;
char tmp_buff[MAX_PORT_RANGE_LENGTH] = {0};
- if ((ret = strcpy_s(tmp_buff, sizeof(tmp_buff), src)) != EOK) {
- macli_log(ERR, "system copy string failed! errno:%d\n", ret);
- return FAILED;
- }
+ (void)strncpy(tmp_buff, src, sizeof(tmp_buff) - 1);
// support 80-90
// support 80
char *num1 = tmp_buff;
diff --git a/oncn-mda/cli_src/func/log.c b/oncn-mda/cli_src/func/log.c
index 9381c7e..b7b8287 100644
--- a/oncn-mda/cli_src/func/log.c
+++ b/oncn-mda/cli_src/func/log.c
@@ -20,7 +20,7 @@ void ma_log(enum LOG_LEVEL level, const char *format, ...)
va_list ap;
va_start(ap, format);
char fmt_str[MAX_FMT_STR_LENGTH] = {0};
- if (vsnprintf_s(fmt_str, sizeof(fmt_str), sizeof(fmt_str) - 1, format, ap) == -1) {
+ if (vsnprintf(fmt_str, sizeof(fmt_str), format, ap) < 0) {
va_end(ap);
return;
}
diff --git a/oncn-mda/cli_src/func/switch.c b/oncn-mda/cli_src/func/switch.c
index 416f00e..3974ba8 100644
--- a/oncn-mda/cli_src/func/switch.c
+++ b/oncn-mda/cli_src/func/switch.c
@@ -365,7 +365,6 @@ static int check_file_access(const char *const config_path)
static int read_chain_config(const char *const config_path, struct sock_param *const filter_rules)
{
- int ret;
if (check_file_access(config_path) != SUCCESS)
return FAILED;
FILE *config_file = fopen(config_path, "r");
@@ -384,10 +383,10 @@ static int read_chain_config(const char *const config_path, struct sock_param *c
if (*p == '#' || *p == '\0')
continue;
- if ((ret = strcpy_s(buf_save, sizeof(buf_save), buf)) != EOK) {
- macli_log(ERR, "system copy string failed! errno:%d\n", ret);
- continue;
- }
+ (void)memset(buf_save, 0x0, sizeof(buf_save));
+ (void)strncpy(buf_save, buf, sizeof(buf_save));
+ buf_save[MAX_BUFSIZE - 1] = 0;
+
char *chain_argv[MAX_INPUT] = {0};
int chain_argc = 0;
if (parser_arg(buf, (int)strlen(buf), &chain_argc, chain_argv) != SUCCESS)
@@ -519,15 +518,12 @@ int do_enable(int argc, char *const *argv)
char config_path[PATH_MAX] = {0};
struct sock_param filter_rules = {0};
struct mesh_service_info fds = {0};
- int ret;
if (set_rlimit() != SUCCESS)
return FAILED;
- if ((ret = strcpy_s(config_path, PATH_MAX, CONFIGFILE_PATH)) != EOK) {
- macli_log(ERR, "system copy string failed! errno:%d\n", ret);
- return FAILED;
- }
+ (void)memset(config_path, 0x0, PATH_MAX);
+ (void)strncpy(config_path, CONFIGFILE_PATH, PATH_MAX - 1);
if (enable_get_opt(argc, argv, config_path, &is_help) != SUCCESS)
return FAILED;
diff --git a/oncn-mda/include/log.h b/oncn-mda/include/log.h
index bfc026f..86162e0 100644
--- a/oncn-mda/include/log.h
+++ b/oncn-mda/include/log.h
@@ -8,7 +8,6 @@
#include <stdlib.h>
#include <time.h>
#include <stdarg.h>
-#include "securec.h"
enum LOG_LEVEL { FATAL = 0, ERR, WARN, INFO, DEBUG };
diff --git a/oncn-mda/include/macli.h b/oncn-mda/include/macli.h
index ebe8f69..1db7e7a 100644
--- a/oncn-mda/include/macli.h
+++ b/oncn-mda/include/macli.h
@@ -20,7 +20,6 @@
#include <netinet/in.h>
#include <arpa/inet.h>
#include <sys/stat.h>
-#include "securec.h"
#include "data.h"
#include "log.h"
--
2.33.0