authorStephen Wong <stephen.kf.wong@gmail.com>2019-01-18 01:50:08 +0000
committerStephen Wong <stephen.kf.wong@gmail.com>2019-01-18 01:50:08 +0000
commit6aa27547b71bff174e3017f637a002546033bf39 (patch)
treeb89410b7bf14d896c04686ed05d7259f01a3e43e /clover/clovisor/libclovisor/ebpf/session_tracking.c
parentadf4c7d34840acbc4676d895075d7098c0064f9c (diff)
Various changes to improve Clovisor:
1.) make clovisor work on GKE 2.) running more efficient correlation between k8s service, pods, and service port name for the pod's container port 3.) add per session trace metrics on Clovisor's traces, including request and response sizes, trace-id, request-id, and more HTTP header fields 4.) improve eBPF code to account for TCP sessions which do not finish with either FIN or RST flags 5.) tested with Clover sample app (the "SDC") Change-Id: Ia1a6275caf31a63fb1288c93cea42b32a4606307 Signed-off-by: Stephen Wong <stephen.kf.wong@gmail.com>
Diffstat (limited to 'clover/clovisor/libclovisor/ebpf/session_tracking.c')
-rwxr-xr-xclover/clovisor/libclovisor/ebpf/session_tracking.c45
1 files changed, 31 insertions, 14 deletions
diff --git a/clover/clovisor/libclovisor/ebpf/session_tracking.c b/clover/clovisor/libclovisor/ebpf/session_tracking.c
index 99f704a..ea68788 100755
--- a/clover/clovisor/libclovisor/ebpf/session_tracking.c
+++ b/clover/clovisor/libclovisor/ebpf/session_tracking.c
@@ -17,6 +17,7 @@
#define MAX_SESSION_TABLE_ENTRIES 8192
typedef enum {
+ UNDEFINED = 0,
HTTP = 1,
HTTP2 = 2,
TCP = 3,
@@ -145,24 +146,37 @@ static inline app_proto_t ingress_tcp_parsing(struct tcphdr *tcp_hdr,
unsigned short dest_port = htons(tcp_hdr->dest);
egress_match_t egress_match = {};
policy_action_t *policy_ptr = NULL;
+ app_proto_t ret = TCP;
unsigned int *proto = dports2proto.lookup(&dest_port);
if (proto != NULL) {
+ /*
if (tcp_hdr->syn && !tcp_hdr->ack) {
- return TCP;
+ return ret;
}
+ */
+ ret = HTTP;
if (tcp_hdr->fin || tcp_hdr->rst) {
process_response(ntohl(ipv4_hdr->saddr),
ntohl(ipv4_hdr->daddr),
ntohs(tcp_hdr->source),
ntohs(tcp_hdr->dest));
- return TCP;
+ } else {
+ process_request(ntohl(ipv4_hdr->saddr),
+ ntohl(ipv4_hdr->daddr),
+ ntohs(tcp_hdr->source),
+ ntohs(tcp_hdr->dest));
}
- process_request(ntohl(ipv4_hdr->saddr),
- ntohl(ipv4_hdr->daddr),
- ntohs(tcp_hdr->source),
- ntohs(tcp_hdr->dest));
} else {
+ dest_port = htons(tcp_hdr->source);
+ proto = dports2proto.lookup(&dest_port);
+ if (proto != NULL) {
+ // clock response receiving time
+ process_response(ntohl(ipv4_hdr->daddr),
+ ntohl(ipv4_hdr->saddr),
+ ntohs(tcp_hdr->dest),
+ ntohs(tcp_hdr->source));
+ }
egress_match.dst_ip = ntohl(ipv4_hdr->saddr);
egress_match.dst_port = ntohs(tcp_hdr->source);
policy_ptr = egress_lookup_table.lookup(&egress_match);
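Review bot: With the `syn && !ack` guard commented out, a bare SYN to a tracked port now falls into the `else` branch and reaches `process_request()`, so a handshake that never completes is recorded like a request. `process_request()` is not shown here; if it inserts into a session map sized by `MAX_SESSION_TABLE_ENTRIES` (8192), half-open connections can hold slots until something evicts them, so confirm there is an ageing or eviction path for sessions that never see FIN/RST. Either delete the dead `/* ... */` block or replace it with a comment such as `// SYN is no longer skipped: sessions may end without FIN/RST, see <eviction path>`. In the reverse lookup, `dest_port = htons(tcp_hdr->source);` stores a source port in a variable named `dest_port` and uses `htons` where the rest of the hunk uses `ntohs`; a separate `unsigned short src_port = ntohs(tcp_hdr->source);` would read correctly. The body of `ingress_tcp_parsing` starts and ends outside this hunk.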
@@ -173,6 +187,7 @@ static inline app_proto_t ingress_tcp_parsing(struct tcphdr *tcp_hdr,
if (policy_ptr != NULL) {
if (*policy_ptr == RECORD) {
+ ret = HTTP;
if (tcp_hdr->fin || tcp_hdr->rst) {
process_response(ntohl(ipv4_hdr->daddr),
ntohl(ipv4_hdr->saddr),
@@ -185,7 +200,7 @@ static inline app_proto_t ingress_tcp_parsing(struct tcphdr *tcp_hdr,
// everything else drops to TCP
//return ((void*)tcp_hdr);
- return HTTP;
+ return ret;
}
static inline app_proto_t egress_tcp_parsing(struct tcphdr *tcp_hdr,
@@ -200,12 +215,13 @@ static inline app_proto_t egress_tcp_parsing(struct tcphdr *tcp_hdr,
unsigned int *proto = dports2proto.lookup(&src_port);
if (proto != NULL) {
- if (tcp_hdr->fin || tcp_hdr->rst) {
- process_response(ntohl(ipv4_hdr->daddr),
- ntohl(ipv4_hdr->saddr),
- ntohs(tcp_hdr->dest),
- ntohs(tcp_hdr->source));
- }
+ //if (tcp_hdr->fin || tcp_hdr->rst) {
+ process_response(ntohl(ipv4_hdr->daddr),
+ ntohl(ipv4_hdr->saddr),
+ ntohs(tcp_hdr->dest),
+ ntohs(tcp_hdr->source));
+ //}
+ ret = HTTP;
} else {
egress_match.dst_ip = ntohl(ipv4_hdr->daddr);
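Review bot: The FIN/RST test is disabled by commenting out only its `//if (tcp_hdr->fin || tcp_hdr->rst) {` and `//}` lines, which leaves `process_response()` indented as if it were still conditional while it now runs for every egress packet from a tracked port. Remove the two commented lines, re-indent the call, and state the reason in a comment, e.g. `// record on every response segment: sessions may never send FIN/RST`. `process_response()` is outside this diff, so it is worth confirming that calling it repeatedly for one session neither double-counts nor closes the session entry early. The body of `egress_tcp_parsing` starts and ends outside this hunk.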
@@ -222,11 +238,12 @@ static inline app_proto_t egress_tcp_parsing(struct tcphdr *tcp_hdr,
ntohl(ipv4_hdr->daddr),
ntohs(tcp_hdr->source),
ntohs(tcp_hdr->dest));
+ ret = HTTP;
}
}
}
//return(ret_hdr);
- return HTTP;
+ return ret;
}
static inline int handle_packet(struct __sk_buff *skb, int is_ingress)
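Review bot: `return ret;` in `egress_tcp_parsing` relies on a `ret` whose declaration is not part of this diff, unlike `ingress_tcp_parsing`, where the commit adds `app_proto_t ret = TCP;`. Presumably it is declared in the unchanged lines at the top of the function; confirm it is initialised to `TCP`, because on the path where neither the port lookup nor the policy lookup matches nothing assigns it, and the caller would otherwise receive an indeterminate protocol value. The leftover `//return(ret_hdr);` line can be dropped at the same time.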