如何创建接收到的数据包与允许通过的数据包的关系图



我有一个XDP程序,在该程序中,我会丢弃环回设备上接收到的每隔一个数据包(将来将改用物理设备)。我想创建一个图表,显示设备(或XDP程序)每秒接收到的包数与被允许通过的包数(XDP_PASS)。我的目标是开发该程序来缓解UDP洪水攻击,因此我需要收集此类数据来衡量其性能。

我将重点讨论从XDP到用户空间的度量传递部分,因为绘制数据本身是一个相当大的主题。

如果你只关心PASS/DROP的总体计数,我推荐xdp-tutorial中的basic03-map-counter。

该教程最后的“作业”(Assignment)部分会把代码改成按CPU(per-CPU)统计的示例。对于DDoS相关的程序,这一点相当关键,因为使用共享映射会造成阻塞。下面是这样一个程序的例子:

#include <linux/bpf.h>
/* Places a symbol in a named ELF section; BPF loaders locate maps, programs and the license this way. */
#define SEC(NAME) __attribute__((section(NAME), used))
/* Number of XDP return codes (XDP_ABORTED .. XDP_REDIRECT, values 0-4): one counter slot per action. */
#define XDP_MAX_ACTION 5
// From https://github.com/libbpf/libbpf/blob/master/src/bpf_helper_defs.h
/* BPF helper #1: returns a pointer to the value stored under key, or NULL when there is none. */
static void *(*bpf_map_lookup_elem)(void *map, const void *key) = (void *) 1;
/*
 * Legacy map definition layout: a struct of this shape placed in the "maps"
 * section is how the loader learns the map's type, key/value sizes and capacity.
 */
struct bpf_map_def {
	unsigned int type;        /* BPF_MAP_TYPE_* */
	unsigned int key_size;    /* bytes per key */
	unsigned int value_size;  /* bytes per value (per CPU for per-CPU maps) */
	unsigned int max_entries; /* capacity of the map */
	unsigned int map_flags;   /* creation flags; left 0 here */
};
/* Map value: one packet counter, incremented by xdp_stats1_func for the action it returns. */
struct datarec {
	__u64 rx_packets;
};
/*
 * Per-CPU array indexed by XDP action code (0..XDP_MAX_ACTION-1). Each CPU
 * owns its own copy of every slot, so the program can increment without
 * atomics; user space sums the per-CPU copies when it reads the map.
 */
struct bpf_map_def SEC("maps") xdp_stats_map = {
	.type        = BPF_MAP_TYPE_PERCPU_ARRAY,
	.key_size    = sizeof(__u32),
	.value_size  = sizeof(struct datarec),
	.max_entries = XDP_MAX_ACTION,
};
SEC("xdp_stats1")
int xdp_stats1_func(struct xdp_md *ctx)
{
	/*
	 * Count every packet under the XDP action it is returned with.
	 * The verdict is fixed to XDP_PASS (== 2) for now; the TODO marks where
	 * the filtering decision (XDP_PASS vs. XDP_DROP) belongs. ctx (packet
	 * data/data_end) is not inspected yet.
	 */
	__u32 verdict = XDP_PASS; /* XDP_PASS = 2 */

	// TODO: decide the verdict here instead of always passing; set it to
	// XDP_PASS or XDP_DROP, the counter below is keyed by that value.

	/* The action code doubles as the index into xdp_stats_map. */
	struct datarec *slot = bpf_map_lookup_elem(&xdp_stats_map, &verdict);
	if (!slot)
		return XDP_ABORTED; /* no slot for this index; must be checked before the dereference */

	/*
	 * xdp_stats_map is a BPF_MAP_TYPE_PERCPU_ARRAY: each CPU increments its
	 * own copy of the slot, so no atomics or locking are needed.
	 */
	slot->rx_packets++;

	return verdict;
}
/* Program license, exported through the "license" section the loader reads. */
char _license[] SEC("license") = "GPL";

您会注意到,我们始终使用同一个映射键,与时间无关。这种程序要求用户空间以1秒的间隔轮询映射并计算差值。如果你需要100%准确的统计数据,或者不想每秒轮询一次,可以把时间包含进键里:

#include <linux/bpf.h>
/* Places a symbol in a named ELF section; BPF loaders locate maps, programs and the license this way. */
#define SEC(NAME) __attribute__((section(NAME), used))
/* Number of XDP return codes (XDP_ABORTED .. XDP_REDIRECT, values 0-4): one counter series per action. */
#define XDP_MAX_ACTION 5
// From https://github.com/libbpf/libbpf/blob/master/src/bpf_helper_defs.h
/* BPF helper #1: returns a pointer to the value stored under key, or NULL when there is none. */
static void *(*bpf_map_lookup_elem)(void *map, const void *key) = (void *) 1;
/* BPF helper #2: inserts/replaces the value under key; returns 0 on success, negative on failure. */
static long (*bpf_map_update_elem)(void *map, const void *key, const void *value, __u64 flags) = (void *) 2;
/* BPF helper #5: monotonic time in nanoseconds since boot. */
static __u64 (*bpf_ktime_get_ns)(void) = (void *) 5;
/*
 * Legacy map definition layout: a struct of this shape placed in the "maps"
 * section is how the loader learns the map's type, key/value sizes and capacity.
 */
struct bpf_map_def {
	unsigned int type;        /* BPF_MAP_TYPE_* */
	unsigned int key_size;    /* bytes per key */
	unsigned int value_size;  /* bytes per value (per CPU for per-CPU maps) */
	unsigned int max_entries; /* capacity of the map */
	unsigned int map_flags;   /* creation flags; left 0 here */
};
/*
 * Map key: the XDP action code plus the wall-clock second modulo 60, so each
 * action has one counter slot per second of the last minute. User space must
 * read keys with the same two-__u32 layout (see MapKey in the Go reader).
 */
struct timekey {
	__u32 action;
	__u32 second;
};
/* Map value: packet count for one (action, second) slot plus the time of the last increment. */
struct datarec {
	__u64 rx_packets;
	/* bpf_ktime_get_ns() of the last update; lets the program detect a slot left over from the previous minute */
	__u64 last_update;
};
/*
 * Per-CPU hash keyed by (action, second % 60): one slot per action for each
 * of the last 60 seconds, hence XDP_MAX_ACTION * 60 entries. Slots are reused
 * once a minute; xdp_stats1_func resets a stale slot based on last_update.
 */
struct bpf_map_def SEC("maps") xdp_stats_map = {
	.type        = BPF_MAP_TYPE_PERCPU_HASH,
	.key_size    = sizeof(struct timekey),
	.value_size  = sizeof(struct datarec),
	.max_entries = XDP_MAX_ACTION * 60,
};
/* Nanoseconds per second; bpf_ktime_get_ns() / SECOND_NS yields whole seconds. */
#define SECOND_NS 1000000000
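SEC("xdp")
int xdp_stats1_func(struct xdp_md *ctx)
{
	/*
	 * Count every packet under the key (action, current second % 60).
	 * The action is fixed to XDP_PASS (== 2) for now; the TODO marks where
	 * the filtering decision belongs. ctx (packet data/data_end) is not
	 * inspected yet. Returns the action stored in the key.
	 */
	struct datarec *rec;
	struct timekey key;
	__u64 now;

	key.action = XDP_PASS; /* XDP_PASS = 2 */
	// TODO add some logic; instead of returning directly, set key.action to XDP_PASS or XDP_DROP

	now = bpf_ktime_get_ns();
	/* One slot per second of the last minute; a slot is reused every 60 s. */
	key.second = (now / SECOND_NS) % 60;

	/* Lookup in kernel BPF-side returns a pointer to the actual data record */
	rec = bpf_map_lookup_elem(&xdp_stats_map, &key);
	if (rec) {
		/*
		 * If the slot was last written more than 1 s ago it belongs to a
		 * previous minute and must be restarted. Compute now - last_update:
		 * last_update was taken from the same clock earlier, so the reversed
		 * subtraction (last_update - now) wraps the unsigned result to a huge
		 * value and would reset the counter on every packet.
		 */
		if (now - rec->last_update > SECOND_NS) {
			rec->rx_packets = 0;
		}
		rec->last_update = now;
		rec->rx_packets++;
	} else {
		struct datarec new_rec = {
			.rx_packets  = 1,
			.last_update = now,
		};
		/*
		 * Best-effort insert: when the map is full (max_entries) this fails
		 * and the packet goes uncounted; there is nothing better to do in the
		 * fast path, and the packet is still forwarded with its action.
		 */
		bpf_map_update_elem(&xdp_stats_map, &key, &new_rec, BPF_ANY);
	}

	return key.action;
}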
/* Program license, exported through the "license" section the loader reads. */
char _license[] SEC("license") = "GPL";

我还做了一个用户空间示例,展示如何读取第二个示例中的映射。(抱歉用的是Go,我的C技能写不了比简单eBPF程序更复杂的东西):

package main
import (
"bytes"
"embed"
"fmt"
"os"
"os/signal"
"runtime"
"time"
"github.com/dylandreimerink/gobpfld"
"github.com/dylandreimerink/gobpfld/bpftypes"
"github.com/dylandreimerink/gobpfld/ebpf"
)
// The compiled XDP object (src/xdp) is embedded into the binary, so the tool
// has no file dependency at run time; main reads it back with f.ReadFile.
//go:embed src/xdp
var f embed.FS
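// main loads the embedded XDP object, attaches it to the loopback interface
// and, once a second until interrupted, prints the per-action packet counts
// of the last fully elapsed second read from xdp_stats_map.
func main() {
	elfFileBytes, err := f.ReadFile("src/xdp")
	if err != nil {
		fmt.Fprintf(os.Stderr, "error opening ELF file: %s\n", err.Error())
		os.Exit(1)
	}
	elf, err := gobpfld.LoadProgramFromELF(bytes.NewReader(elfFileBytes), gobpfld.ELFParseSettings{
		TruncateNames: true,
	})
	if err != nil {
		fmt.Fprintf(os.Stderr, "error while reading ELF file: %s\n", err.Error())
		os.Exit(1)
	}
	// Checked assertions turn a missing or mistyped symbol into an error
	// message instead of a panic.
	prog, ok := elf.Programs["xdp_stats1_func"].(*gobpfld.ProgramXDP)
	if !ok {
		fmt.Fprintln(os.Stderr, "error: program xdp_stats1_func not found in ELF or not an XDP program")
		os.Exit(1)
	}
	log, err := prog.Load(gobpfld.ProgXDPLoadOpts{
		VerifierLogLevel: bpftypes.BPFLogLevelVerbose,
	})
	if err != nil {
		// The verifier log is the only explanation of why loading was rejected.
		fmt.Println(log)
		fmt.Fprintf(os.Stderr, "error while loading program: %s\n", err.Error())
		os.Exit(1)
	}
	// Resolve the map before attaching so every early exit happens while the
	// program is not yet on the interface.
	statMap, ok := prog.Maps["xdp_stats_map"].(*gobpfld.HashMap)
	if !ok {
		fmt.Fprintln(os.Stderr, "error: map xdp_stats_map not found or not a hash map")
		os.Exit(1)
	}
	err = prog.Attach(gobpfld.ProgXDPAttachOpts{
		InterfaceName: "lo",
	})
	if err != nil {
		fmt.Fprintf(os.Stderr, "error while attaching program: %s\n", err.Error())
		os.Exit(1)
	}
	// Detach on exit so the program does not stay on the interface after we
	// stop polling it.
	defer func() {
		prog.XDPLinkDetach(gobpfld.BPFProgramXDPLinkDetachSettings{
			All: true,
		})
	}()
	sigChan := make(chan os.Signal, 1)
	signal.Notify(sigChan, os.Interrupt)
	ticker := time.NewTicker(1 * time.Second)
	defer ticker.Stop()
	for {
		select {
		case <-ticker.C:
			printLatestSecond(statMap)
		case <-sigChan:
			// Returning (rather than os.Exit) runs the deferred detach.
			return
		}
	}
}

// printLatestSecond reads every (action, second) key of statMap, sums the
// per-CPU copies of each value, and prints the per-action counts for the last
// fully elapsed second. Keys with the same second but different actions are
// merged into one row; a second with no samples is reported as such rather
// than indexing a nil slice.
func printLatestSecond(statMap *gobpfld.HashMap) {
	// One counter per XDP action code (XDP_ABORTED .. XDP_REDIRECT).
	const xdpActionCount = 5
	var key MapKey
	// Per-CPU map: each value is one element per CPU.
	// NOTE(review): the kernel sizes per-CPU values by the number of possible
	// CPUs, which can exceed runtime.NumCPU(); confirm against the loader in use.
	value := make([]MapValue, runtime.NumCPU())
	// second -> per-action totals, indexed by action code
	perSecond := map[uint32][]uint64{}
	latest := uint64(0)
	latestSecond := int32(0)
	gobpfld.MapIterForEach(statMap.Iterator(), &key, &value, func(_, _ interface{}) error {
		if key.Action >= xdpActionCount {
			// Unknown action code: skip rather than index out of range.
			return nil
		}
		// Accumulate into the row for this second; the previous code replaced
		// the row per key, so only the last action seen for a second survived.
		totals, found := perSecond[key.Second]
		if !found {
			totals = make([]uint64, xdpActionCount)
			perSecond[key.Second] = totals
		}
		for _, val := range value {
			totals[key.Action] += val.PktCount
			// Track the most recently written key; this only finds the current
			// second if at least 1 pkt/s arrives.
			if latest < val.LastUpdate {
				latest = val.LastUpdate
				latestSecond = int32(key.Second)
			}
		}
		return nil
	})
	// We want the last second, not the current one, since it is still changing.
	latestSecond--
	if latestSecond < 0 {
		latestSecond += 60
	}
	values, found := perSecond[uint32(latestSecond)]
	if !found {
		fmt.Printf("%02d: no samples\n", latestSecond)
		return
	}
	fmt.Printf("%02d: aborted: %d,  dropped: %d, passed: %d, tx'ed: %d, redirected: %d\n",
		latestSecond,
		values[ebpf.XDP_ABORTED],
		values[ebpf.XDP_DROP],
		values[ebpf.XDP_PASS],
		values[ebpf.XDP_TX],
		values[ebpf.XDP_REDIRECT],
	)
}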
// MapKey mirrors struct timekey in the XDP program: the XDP action code and
// the wall-clock second modulo 60. Field order and widths must match the C
// layout (two __u32) for the map read to decode correctly.
type MapKey struct {
	Action uint32
	Second uint32
}
// MapValue mirrors struct datarec in the XDP program (two __u64): the packet
// count of one (action, second) slot and the bpf_ktime_get_ns() timestamp of
// its last increment. Read as one element per CPU from the per-CPU map.
type MapValue struct {
	PktCount   uint64
	LastUpdate uint64
}
