diff --git a/driver/modern_bpf/helpers/store/auxmap_store_params.h b/driver/modern_bpf/helpers/store/auxmap_store_params.h index de135cbbcc..9afe9d12eb 100644 --- a/driver/modern_bpf/helpers/store/auxmap_store_params.h +++ b/driver/modern_bpf/helpers/store/auxmap_store_params.h @@ -1499,10 +1499,15 @@ static __always_inline void auxmap__store_fdlist_param(struct auxiliary_map *aux sizeof(uint16_t) + (num_pairs * (sizeof(int64_t) + sizeof(int16_t)))); } +typedef struct { + bool only_port_range; + ppm_event_code evt_type; + long mmsg_index; +} dynamic_snaplen_args; + static __always_inline void apply_dynamic_snaplen(struct pt_regs *regs, uint16_t *snaplen, - bool only_port_range, - ppm_event_code evt_type) { + dynamic_snaplen_args *input_args) { if(!maps__get_do_dynamic_snaplen()) { return; } @@ -1519,7 +1524,9 @@ static __always_inline void apply_dynamic_snaplen(struct pt_regs *regs, * - writev * - pwritev * - recvmsg + * - recvmmsg * - sendmsg + * - sendmmsg * - send * - recv * - recvfrom @@ -1539,12 +1546,14 @@ static __always_inline void apply_dynamic_snaplen(struct pt_regs *regs, * - writev * - pwritev * - recvmsg + * - recvmmsg * - sendmsg + * - sendmmsg */ unsigned long args[5] = {0}; struct sockaddr *sockaddr = NULL; - switch(evt_type) { + switch(input_args->evt_type) { case PPME_SOCKET_SENDTO_X: case PPME_SOCKET_RECVFROM_X: extract__network_args(args, 5, regs); @@ -1571,6 +1580,30 @@ static __always_inline void apply_dynamic_snaplen(struct pt_regs *regs, } } break; + case PPME_SOCKET_RECVMMSG_X: + case PPME_SOCKET_SENDMMSG_X: { + extract__network_args(args, 3, regs); + if(bpf_in_ia32_syscall()) { + struct compat_mmsghdr compat_mmh = {}; + struct compat_mmsghdr *mmh_ptr = (struct compat_mmsghdr *)args[1]; + if(likely(bpf_probe_read_user(&compat_mmh, + bpf_core_type_size(struct compat_mmsghdr), + (void *)(mmh_ptr + input_args->mmsg_index)) == 0)) { + sockaddr = (struct sockaddr *)(unsigned long)(compat_mmh.msg_hdr.msg_name); + } + // in any case we break the switch. + break; + } + + struct mmsghdr mmh = {}; + struct mmsghdr *mmh_ptr = (struct mmsghdr *)args[1]; + if(bpf_probe_read_user(&mmh, + bpf_core_type_size(struct mmsghdr), + (void *)(mmh_ptr + input_args->mmsg_index)) == 0) { + sockaddr = (struct sockaddr *)mmh.msg_hdr.msg_name; + } + } break; + default: extract__network_args(args, 3, regs); break; @@ -1639,7 +1672,7 @@ static __always_inline void apply_dynamic_snaplen(struct pt_regs *regs, } /* If we check only port range without reading syscall data we can stop here */ - if(only_port_range) { + if(input_args->only_port_range) { return; } diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/pread64.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/pread64.bpf.c index 25c650e03a..092bc08741 100644 --- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/pread64.bpf.c +++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/pread64.bpf.c @@ -63,8 +63,12 @@ int BPF_PROG(pread64_x, struct pt_regs *regs, long ret) { /* We read the minimum between `snaplen` and what we really * have in the buffer. */ + dynamic_snaplen_args snaplen_args = { + .only_port_range = false, + .mmsg_index = PPME_SYSCALL_PREAD_X, + }; uint16_t snaplen = maps__get_snaplen(); - apply_dynamic_snaplen(regs, &snaplen, false, PPME_SYSCALL_PREAD_X); + apply_dynamic_snaplen(regs, &snaplen, &snaplen_args); if(snaplen > ret) { snaplen = ret; } diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/preadv.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/preadv.bpf.c index 0eda713df2..b90ce5cd5e 100644 --- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/preadv.bpf.c +++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/preadv.bpf.c @@ -62,8 +62,12 @@ int BPF_PROG(preadv_x, struct pt_regs *regs, long ret) { /* We read the minimum between `snaplen` and what we really * have in the buffer. */ + dynamic_snaplen_args snaplen_args = { + .only_port_range = true, + .mmsg_index = PPME_SYSCALL_PREADV_X, + }; uint16_t snaplen = maps__get_snaplen(); - apply_dynamic_snaplen(regs, &snaplen, true, PPME_SYSCALL_PREADV_X); + apply_dynamic_snaplen(regs, &snaplen, &snaplen_args); if(snaplen > ret) { snaplen = ret; } diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/process_vm_readv.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/process_vm_readv.bpf.c index f2fe852388..078a671b93 100644 --- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/process_vm_readv.bpf.c +++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/process_vm_readv.bpf.c @@ -59,8 +59,12 @@ int BPF_PROG(process_vm_readv_x, struct pt_regs *regs, long ret) { /* We read the minimum between `snaplen` and what we really * have in the buffer. */ + dynamic_snaplen_args snaplen_args = { + .only_port_range = true, + .mmsg_index = PPME_SYSCALL_PROCESS_VM_READV_X, + }; uint16_t snaplen = maps__get_snaplen(); - apply_dynamic_snaplen(regs, &snaplen, true, PPME_SYSCALL_PROCESS_VM_READV_X); + apply_dynamic_snaplen(regs, &snaplen, &snaplen_args); if(snaplen > ret) { snaplen = ret; } diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/process_vm_writev.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/process_vm_writev.bpf.c index 7db933e957..f629b20141 100644 --- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/process_vm_writev.bpf.c +++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/process_vm_writev.bpf.c @@ -59,8 +59,12 @@ int BPF_PROG(process_vm_writev_x, struct pt_regs *regs, long ret) { /* We read the minimum between `snaplen` and what we really * have in the buffer. */ + dynamic_snaplen_args snaplen_args = { + .only_port_range = true, + .mmsg_index = PPME_SYSCALL_PROCESS_VM_WRITEV_X, + }; uint16_t snaplen = maps__get_snaplen(); - apply_dynamic_snaplen(regs, &snaplen, true, PPME_SYSCALL_PROCESS_VM_WRITEV_X); + apply_dynamic_snaplen(regs, &snaplen, &snaplen_args); if(snaplen > ret) { snaplen = ret; } diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/pwrite64.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/pwrite64.bpf.c index 643610b3d3..a50fc7c472 100644 --- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/pwrite64.bpf.c +++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/pwrite64.bpf.c @@ -62,9 +62,13 @@ int BPF_PROG(pwrite64_x, struct pt_regs *regs, long ret) { /* If the syscall doesn't fail we use the return value as `size` * otherwise we need to rely on the syscall parameter provided by the user. */ + dynamic_snaplen_args snaplen_args = { + .only_port_range = false, + .mmsg_index = PPME_SYSCALL_PWRITE_X, + }; int64_t bytes_to_read = ret > 0 ? ret : extract__syscall_argument(regs, 2); uint16_t snaplen = maps__get_snaplen(); - apply_dynamic_snaplen(regs, &snaplen, false, PPME_SYSCALL_PWRITE_X); + apply_dynamic_snaplen(regs, &snaplen, &snaplen_args); if((int64_t)snaplen > bytes_to_read) { snaplen = bytes_to_read; } diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/pwritev.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/pwritev.bpf.c index c0f87a6d74..bfcee99f24 100644 --- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/pwritev.bpf.c +++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/pwritev.bpf.c @@ -66,8 +66,12 @@ int BPF_PROG(pwritev_x, struct pt_regs *regs, long ret) { * otherwise we need to extract it now and it has a cost. Here we check just * the return value if the syscall is successful. */ + dynamic_snaplen_args snaplen_args = { + .only_port_range = true, + .mmsg_index = PPME_SYSCALL_PWRITEV_X, + }; uint16_t snaplen = maps__get_snaplen(); - apply_dynamic_snaplen(regs, &snaplen, true, PPME_SYSCALL_PWRITEV_X); + apply_dynamic_snaplen(regs, &snaplen, &snaplen_args); if(ret > 0 && snaplen > ret) { snaplen = ret; } diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/read.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/read.bpf.c index c6df32c6ba..8911d3a5aa 100644 --- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/read.bpf.c +++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/read.bpf.c @@ -59,8 +59,12 @@ int BPF_PROG(read_x, struct pt_regs *regs, long ret) { /* We read the minimum between `snaplen` and what we really * have in the buffer. */ + dynamic_snaplen_args snaplen_args = { + .only_port_range = false, + .mmsg_index = PPME_SYSCALL_READ_X, + }; uint16_t snaplen = maps__get_snaplen(); - apply_dynamic_snaplen(regs, &snaplen, false, PPME_SYSCALL_READ_X); + apply_dynamic_snaplen(regs, &snaplen, &snaplen_args); if(snaplen > ret) { snaplen = ret; } diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/readv.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/readv.bpf.c index 2d8f6ba7c6..8e56e907a6 100644 --- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/readv.bpf.c +++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/readv.bpf.c @@ -58,8 +58,12 @@ int BPF_PROG(readv_x, struct pt_regs *regs, long ret) { /* We read the minimum between `snaplen` and what we really * have in the buffer. */ + dynamic_snaplen_args snaplen_args = { + .only_port_range = true, + .mmsg_index = PPME_SYSCALL_READV_X, + }; uint16_t snaplen = maps__get_snaplen(); - apply_dynamic_snaplen(regs, &snaplen, true, PPME_SYSCALL_READV_X); + apply_dynamic_snaplen(regs, &snaplen, &snaplen_args); if(snaplen > ret) { snaplen = ret; } diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/recv.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/recv.bpf.c index 34a8106ccf..93f42c26c9 100644 --- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/recv.bpf.c +++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/recv.bpf.c @@ -64,8 +64,12 @@ int BPF_PROG(recv_x, struct pt_regs *regs, long ret) { unsigned long args[2] = {0}; extract__network_args(args, 2, regs); + dynamic_snaplen_args snaplen_args = { + .only_port_range = false, + .mmsg_index = PPME_SOCKET_RECV_X, + }; uint16_t snaplen = maps__get_snaplen(); - apply_dynamic_snaplen(regs, &snaplen, false, PPME_SOCKET_RECV_X); + apply_dynamic_snaplen(regs, &snaplen, &snaplen_args); if(snaplen > ret) { snaplen = ret; } diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/recvfrom.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/recvfrom.bpf.c index 7f90812e12..93f8a05f55 100644 --- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/recvfrom.bpf.c +++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/recvfrom.bpf.c @@ -63,8 +63,12 @@ int BPF_PROG(recvfrom_x, struct pt_regs *regs, long ret) { /* We read the minimum between `snaplen` and what we really * have in the buffer. */ + dynamic_snaplen_args snaplen_args = { + .only_port_range = false, + .mmsg_index = PPME_SOCKET_RECVFROM_X, + }; uint16_t snaplen = maps__get_snaplen(); - apply_dynamic_snaplen(regs, &snaplen, false, PPME_SOCKET_RECVFROM_X); + apply_dynamic_snaplen(regs, &snaplen, &snaplen_args); if(snaplen > ret) { snaplen = ret; } diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/recvmmsg.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/recvmmsg.bpf.c index 23f5dd3a51..b46f38db40 100644 --- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/recvmmsg.bpf.c +++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/recvmmsg.bpf.c @@ -72,8 +72,13 @@ static long handle_exit(uint32_t index, void *ctx) { /* We read the minimum between `snaplen` and what we really * have in the buffer. */ + dynamic_snaplen_args snaplen_args = { + .only_port_range = true, + .evt_type = PPME_SOCKET_RECVMMSG_X, + .mmsg_index = index, + }; uint16_t snaplen = maps__get_snaplen(); - apply_dynamic_snaplen(data->regs, &snaplen, true, PPME_SOCKET_RECVMMSG_X); + apply_dynamic_snaplen(data->regs, &snaplen, &snaplen_args); if(snaplen > mmh.msg_len) { snaplen = mmh.msg_len; } diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/recvmsg.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/recvmsg.bpf.c index b4c4b310f0..6623e9e1ef 100644 --- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/recvmsg.bpf.c +++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/recvmsg.bpf.c @@ -61,8 +61,12 @@ int BPF_PROG(recvmsg_x, struct pt_regs *regs, long ret) { /* We read the minimum between `snaplen` and what we really * have in the buffer. */ + dynamic_snaplen_args snaplen_args = { + .only_port_range = true, + .mmsg_index = PPME_SOCKET_RECVMSG_X, + }; uint16_t snaplen = maps__get_snaplen(); - apply_dynamic_snaplen(regs, &snaplen, true, PPME_SOCKET_RECVMSG_X); + apply_dynamic_snaplen(regs, &snaplen, &snaplen_args); if(snaplen > ret) { snaplen = ret; } diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/send.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/send.bpf.c index c7beaa5365..6a545d9bc7 100644 --- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/send.bpf.c +++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/send.bpf.c @@ -63,9 +63,13 @@ int BPF_PROG(send_x, struct pt_regs *regs, long ret) { unsigned long args[3] = {0}; extract__network_args(args, 3, regs); + dynamic_snaplen_args snaplen_args = { + .only_port_range = false, + .mmsg_index = PPME_SOCKET_SEND_X, + }; int64_t bytes_to_read = ret > 0 ? ret : args[2]; uint16_t snaplen = maps__get_snaplen(); - apply_dynamic_snaplen(regs, &snaplen, false, PPME_SOCKET_SEND_X); + apply_dynamic_snaplen(regs, &snaplen, &snaplen_args); if((int64_t)snaplen > bytes_to_read) { snaplen = bytes_to_read; } diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/sendmmsg.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/sendmmsg.bpf.c index 37ee05a00f..e97c6f56e8 100644 --- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/sendmmsg.bpf.c +++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/sendmmsg.bpf.c @@ -77,8 +77,13 @@ static long handle_exit(uint32_t index, void *ctx) { * otherwise we need to extract it now and it has a cost. Here we check just * the return value if the syscall is successful. */ + dynamic_snaplen_args snaplen_args = { + .only_port_range = true, + .evt_type = PPME_SOCKET_SENDMMSG_X, + .mmsg_index = index, + }; uint16_t snaplen = maps__get_snaplen(); - apply_dynamic_snaplen(data->regs, &snaplen, true, PPME_SOCKET_SENDMMSG_X); + apply_dynamic_snaplen(data->regs, &snaplen, &snaplen_args); if(mmh.msg_len > 0 && snaplen > mmh.msg_len) { snaplen = mmh.msg_len; } diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/sendmsg.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/sendmsg.bpf.c index cc48b1ddf8..611f75f174 100644 --- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/sendmsg.bpf.c +++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/sendmsg.bpf.c @@ -85,7 +85,11 @@ int BPF_PROG(sendmsg_x, struct pt_regs *regs, long ret) { * the return value if the syscall is successful. */ uint16_t snaplen = maps__get_snaplen(); - apply_dynamic_snaplen(regs, &snaplen, true, PPME_SOCKET_SENDMSG_X); + dynamic_snaplen_args snaplen_args = { + .only_port_range = true, + .mmsg_index = PPME_SOCKET_SENDMSG_X, + }; + apply_dynamic_snaplen(regs, &snaplen, &snaplen_args); if(ret > 0 && snaplen > ret) { snaplen = ret; } diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/sendto.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/sendto.bpf.c index 989c88e951..e4b0cb7711 100644 --- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/sendto.bpf.c +++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/sendto.bpf.c @@ -80,9 +80,13 @@ int BPF_PROG(sendto_x, struct pt_regs *regs, long ret) { /* If the syscall doesn't fail we use the return value as `size` * otherwise we need to rely on the syscall parameter provided by the user. */ + dynamic_snaplen_args snaplen_args = { + .only_port_range = false, + .evt_type = PPME_SOCKET_SENDTO_X, + }; int64_t bytes_to_read = ret > 0 ? ret : args[2]; uint16_t snaplen = maps__get_snaplen(); - apply_dynamic_snaplen(regs, &snaplen, false, PPME_SOCKET_SENDTO_X); + apply_dynamic_snaplen(regs, &snaplen, &snaplen_args); if((int64_t)snaplen > bytes_to_read) { snaplen = bytes_to_read; } diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/write.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/write.bpf.c index 98ab3c4cdf..70e52ce87f 100644 --- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/write.bpf.c +++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/write.bpf.c @@ -58,9 +58,13 @@ int BPF_PROG(write_x, struct pt_regs *regs, long ret) { /* If the syscall doesn't fail we use the return value as `size` * otherwise we need to rely on the syscall parameter provided by the user. */ + dynamic_snaplen_args snaplen_args = { + .only_port_range = false, + .evt_type = PPME_SYSCALL_WRITE_X, + }; int64_t bytes_to_read = ret > 0 ? ret : extract__syscall_argument(regs, 2); uint16_t snaplen = maps__get_snaplen(); - apply_dynamic_snaplen(regs, &snaplen, false, PPME_SYSCALL_WRITE_X); + apply_dynamic_snaplen(regs, &snaplen, &snaplen_args); if((int64_t)snaplen > bytes_to_read) { snaplen = bytes_to_read; } diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/writev.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/writev.bpf.c index b77844e28a..14b75ffe63 100644 --- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/writev.bpf.c +++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/writev.bpf.c @@ -62,8 +62,12 @@ int BPF_PROG(writev_x, struct pt_regs *regs, long ret) { * otherwise we need to extract it now and it has a cost. Here we check just * the return value if the syscall is successful. */ + dynamic_snaplen_args snaplen_args = { + .only_port_range = true, + .evt_type = PPME_SYSCALL_WRITEV_X, + }; uint16_t snaplen = maps__get_snaplen(); - apply_dynamic_snaplen(regs, &snaplen, true, PPME_SYSCALL_WRITEV_X); + apply_dynamic_snaplen(regs, &snaplen, &snaplen_args); if(ret > 0 && snaplen > ret) { snaplen = ret; }