optimize filter sampling logic when filtering not enabled
Signed-off-by: Mohamed Mahmoud <[email protected]>
msherif1234 committed Dec 18, 2024
1 parent bb70b5a commit 1342023
Showing 7 changed files with 41 additions and 23 deletions.
39 changes: 25 additions & 14 deletions bpf/flows.c
@@ -79,6 +79,17 @@ static inline void update_dns(additional_metrics *extra_metrics, pkt_info *pkt,
}

static inline int flow_monitor(struct __sk_buff *skb, u8 direction) {
u32 filter_sampling = 0;

if (!is_filter_enabled()) {
if (sampling > 1 && (bpf_get_prandom_u32() % sampling) != 0) {
do_sampling = 0;
return TC_ACT_OK;
}
filter_sampling = sampling;
do_sampling = 1;
}

u16 eth_protocol = 0;
pkt_info pkt;
__builtin_memset(&pkt, 0, sizeof(pkt));
@@ -103,21 +114,21 @@ static inline int flow_monitor(struct __sk_buff *skb, u8 direction) {
id.direction = direction;

// check if this packet need to be filtered if filtering feature is enabled
u32 filter_sampling = 0;
bool skip = check_and_do_flow_filtering(&id, pkt.flags, 0, eth_protocol, &filter_sampling);
if (skip) {
return TC_ACT_OK;
}
if (filter_sampling == 0) {
filter_sampling = sampling;
}

// If sampling is defined, will only parse 1 out of "sampling" flows
if (filter_sampling > 1 && (bpf_get_prandom_u32() % filter_sampling) != 0) {
do_sampling = 0;
return TC_ACT_OK;
if (is_filter_enabled()) {
bool skip = check_and_do_flow_filtering(&id, pkt.flags, 0, eth_protocol, &filter_sampling);
if (filter_sampling == 0) {
filter_sampling = sampling;
}
// If sampling is defined, will only parse 1 out of "sampling" flows
if (filter_sampling > 1 && (bpf_get_prandom_u32() % filter_sampling) != 0) {
do_sampling = 0;
return TC_ACT_OK;
}
do_sampling = 1;
if (skip) {
return TC_ACT_OK;
}
}
do_sampling = 1;

int dns_errno = 0;
if (enable_dns_tracking) {
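Review bot: In the `is_filter_enabled()` branch of the second hunk, `skip` is honoured only after the sampling draw, whereas the removed code returned on `skip` before touching `do_sampling`. A flow the filter rejects now still costs a `bpf_get_prandom_u32()` call and leaves `do_sampling` at 1 whenever the draw passes; if other programs read that variable (not visible on this page), they would treat a filtered-out packet as sampled. If the reorder is not deliberate, move `if (skip) { return TC_ACT_OK; }` to directly after the `check_and_do_flow_filtering()` call; if it is deliberate, a one-line comment saying why would help. `flow_monitor` continues past the end of the hunk.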
13 changes: 6 additions & 7 deletions bpf/flows_filter.h
@@ -39,14 +39,18 @@ static __always_inline int do_flow_filter_lookup(flow_id *id, struct filter_key_
struct filter_value_t *rule = (struct filter_value_t *)bpf_map_lookup_elem(&filter_map, key);

if (rule) {
BPF_PRINTK("rule found\n");
BPF_PRINTK("rule found drop_reason %d flags %d\n", drop_reason, flags);
result++;
if (rule->action != MAX_FILTER_ACTIONS) {
BPF_PRINTK("action matched: %d\n", rule->action);
*action = rule->action;
result++;
}

if (rule->sample && sampling != NULL) {
BPF_PRINTK("sampling action is set to %d\n", rule->sample);
*sampling = rule->sample;
result++;
}
// match specific rule protocol or use wildcard protocol
if (rule->protocol == id->transport_protocol || rule->protocol == 0) {
switch (id->transport_protocol) {
@@ -195,11 +199,6 @@ static __always_inline int do_flow_filter_lookup(flow_id *id, struct filter_key_
goto end;
}
}
u32 sample = rule->sample;
if (sample && sampling != NULL) {
BPF_PRINTK("sampling action is set to %d\n", sample);
*sampling = sample;
}
}
end:
BPF_PRINTK("result: %d action %d\n", result, *action);
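Review bot: The `rule->sample` override in the first hunk now runs as soon as the map lookup returns a rule, before the protocol check on the lines that follow; the second hunk removes it from the end of the `if (rule)` block, where the `goto end` visible just above it appears to have bypassed it on a mismatch. As far as the visible lines show, a rule whose key matches but whose later checks fail can still write `*sampling` and bump `result`, so the caller may apply that rule's sampling rate to a flow the rule does not match, which changes how much of that traffic is recorded. Whether the mismatch paths reset either value cannot be seen here, because the middle of `do_flow_filter_lookup` lies between the two hunks. If this is not intended, clear the override on those paths with `if (sampling != NULL) { *sampling = 0; }` before each `goto end`, or add a comment stating that the rate is meant to apply on a key match alone.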
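--- a/bpf/utils.h
+++ b/bpf/utils.h
@@ -174,13 +174,20 @@ static inline int fill_ethhdr(struct ethhdr *eth, void *data_end, pkt_info *pkt,
 return SUBMIT;
 }
 
+static inline bool is_filter_enabled() {
+if (enable_flows_filtering || enable_pca) {
+return true;
+}
+return false;
+}
+
 /*
 * check if flow filter is enabled and if we need to continue processing the packet or not
 */
 static inline bool check_and_do_flow_filtering(flow_id *id, u16 flags, u32 drop_reason,
 u16 eth_protocol, u32 *sampling) {
 // check if this packet need to be filtered if filtering feature is enabled
-if (enable_flows_filtering || enable_pca) {
+if (is_filter_enabled()) {
 filter_action action = ACCEPT;
 if (is_flow_filtered(id, &action, flags, drop_reason, eth_protocol, sampling) != 0 &&
 action != MAX_FILTER_ACTIONS) {
@@ -210,7 +217,8 @@ static inline bool check_and_do_flow_filtering(flow_id *id, u16 flags, u32 drop_
 } else {
 // we have no matching rules so we update global counter for flows that are not matched by any rule
 increase_counter(FILTER_NOMATCH);
-// we have accept rule but no match so we can't let mismatched flows in the hashmap table.
+// we have accept rule but no match so we can't let mismatched flows in the hashmap table or
+// we have no match at all and the action is the default value MAX_FILTER_ACTIONS.
 if (action == ACCEPT || action == MAX_FILTER_ACTIONS) {
 return true;
 } else {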
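Review bot: `is_filter_enabled()` in the first hunk is defined with an empty parameter list, which before C23 gives the function no prototype, so a call with stray arguments is not diagnosed; `(void)` is the precise form. The if/return-true/return-false body also reduces to one expression: `static inline bool is_filter_enabled(void) { return enable_flows_filtering || enable_pca; }`. The helper has no comment, unlike `check_and_do_flow_filtering` below it; a line such as `/* true when either enable_flows_filtering or enable_pca is set */` would match the file's style.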
Binary file modified pkg/ebpf/bpf_arm64_bpfel.o
Binary file not shown.
Binary file modified pkg/ebpf/bpf_powerpc_bpfel.o
Binary file not shown.
Binary file modified pkg/ebpf/bpf_s390_bpfeb.o
Binary file not shown.
Binary file modified pkg/ebpf/bpf_x86_bpfel.o
Binary file not shown.
