Upgrade to Pro — share decks privately, control downloads, hide ads and more …

ipftrace: A Linux Function Tracer for Network People

Yutaro Hayakawa
June 06, 2020
Technology
4
5.3k

ipftrace: A Linux Function Tracer for Network People

Kernel/VM/探検隊online part1での発表資料

Yutaro Hayakawa

June 06, 2020
Tweet

More Decks by Yutaro Hayakawa

See All by Yutaro Hayakawa
eBPFは何が嬉しいのか?
yutarohayakawa
3
1.3k
BufferbloatとLinux
yutarohayakawa
4
700
Prism: Proxies without the Pain
yutarohayakawa
0
170
きっと明日から役立つeBPFのしくみ
yutarohayakawa
9
2.6k
eBPFをFreeBSDにポーティングしようとしている話
yutarohayakawa
4
2.5k
eBPF Implementation for FreeBSD
yutarohayakawa
0
270

Other Decks in Technology

See All in Technology
ChatGPTをどう使うか?(JJUGナイトセミナー5/23)
shin_higuchi
0
750
AWS WAFおよびWafCharmを複数サービスに導入した結果と課題
iwamot
0
190
競プロ作問を支える技術
tsutaj
0
240
ユーザーストーリーマッピング
kawaguti
PRO
4
850
1人目QA奮闘記-2023年ver-/QA Engineer's Struggle 2023
mii3king
1
390
Turbinando Microsserviços com Distributed Cache
jordihofc
1
330
20230525_経営者・マーケティング担当必見!ChatGPTがもたらすマーケティング革命(45min版)_v1.02_共有用・後半パート.pdf
doradora09
0
170
LLMの普及による機械学習の民主化とMLPdMの重要性 / democratization-of-ml-and-importance-of-mlpdm-by-llm
yuya4
2
2.4k
「XIAOGYAN」への想い
matsujirushi
0
160
microCMSのエンジニア組織と文化
microcms
0
460
Security-JAWS#29 AWS Summit Tokyo 2023 オンデマンド配信を楽しむためのセキュリティ関連トピックご紹介
kthrtty
1
230
【Oracle Cloud ウェビナー】Oracle Databaseはクラウドに移行するべきか否か 全10ケースをご紹介 (2023年5月24日)
oracle4engineer
PRO
1
110

Featured

See All Featured
Raft: Consensus for Rubyists
vanstee
130
5.8k
The World Runs on Bad Software
bkeepers
PRO
59
5.9k
Keith and Marios Guide to Fast Websites
keithpitt
407
21k
The MySQL Ecosystem @ GitHub 2015
samlambert
240
11k
Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure
mongodb
32
8.3k
How to Ace a Technical Interview
jacobian
271
22k
JazzCon 2018 Closing Keynote - Leadership for the Reluctant Leader
reverentgeek
176
9.4k
Building an army of robots
kneath
300
41k
Designing for Performance
lara
601
65k
Code Review Best Practice
trishagee
53
12k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
33
21k
The Language of Interfaces
destraynor
149
21k

Transcript

  1. JQGUSBDF"-JOVY'VODUJPO5SBDFSGPS
    /FUXPSL1FPQMF
    201 /
    :VUBSP )BZBLBXB
    ZIBZBLBXB!HNBJMDPN

    View Slide

  2. 8IPBN*
    • :VUBSP )BZBLBXB 5XJUUFS!:VUBSP)BZBLBXB

    • 48&!-*/&גࣜձࣾ
    • ࣗࣾΫϥ΢υͷωοτϫʔΫιϑτ΢ΣΞ։ൃνʔϜ
    • ιϑτ΢ΣΞϩʔυόϥϯαͷ։ൃɾӡ༻
    • ͦͷଞ
    • F#1'Λ'SFF#4%ʹҠ২͢Δ(4P$ϓϩδΣΫτ ݱࡏ΋։ൃத

    • Χʔωϧ7.͸ճ໨ લճ͖ͬͱ໌೔͔Β໾ཱͭF#1'ͷ࢓૊Έ

    JQGUSBDF"-JOVY'VODUJPO5SBDFSGPS/FUXPSL1FPQMFc:VUBSP )BZBLBXB

    View Slide

  3. "HFOEB
    • -JOVYͷωοτϫʔΫػೳͷσόοάπʔϧJQGUSBDFΛ࡞ͬͨ࿩
    JQGUSBDF"-JOVY'VODUJPO5SBDFSGPS/FUXPSL1FPQMFc:VUBSP )BZBLBXB

    View Slide

  4. JQGUSBDF
    • -JOVYͷOFUXPSLػೳʹಛԽͨؔ͠਺ίʔϧτϨʔαʔ
    • ΧʔωϧͷதͰ͋Δύέοτ͕Ͳͷؔ਺Λ௨͔ͬͨͷτϨʔε͕औΕΔ
    JQGUSBDF"-JOVY'VODUJPO5SBDFSGPS/FUXPSL1FPQMFc:VUBSP )BZBLBXB
    // TCP10.0.0.10

    # iptables -t raw -A OUTPUT -p tcp -d 10.0.0.10 -j MARK --set-mark 0xdeadbeef
    # ipft -m 0xdeadbeef

    View Slide

  5. 0VUQVU
    JQGUSBDF"-JOVY'VODUJPO5SBDFSGPS/FUXPSL1FPQMFc:VUBSP )BZBLBXB
    Attaching program (total 1803, succeeded 1052, failed 751 filtered: 0)
    Trace ready!
    Samples: 246 Lost: 0^C
    Trace done!
    ===
    3347634373462 0000 selinux_ipv4_output (len: 5764 gso_type: tcpv4)
    3347634379670 0000 ip_output (len: 5764 gso_type: tcpv4)
    3347634382597 0000 nf_hook_slow (len: 5764 gso_type: tcpv4)
    3347634385879 0000 selinux_ipv4_postroute (len: 5764 gso_type: tcpv4)
    3347634388958 0000 selinux_ip_postroute (len: 5764 gso_type: tcpv4)
    3347634391979 0000 ip_finish_output (len: 5764 gso_type: tcpv4)
    3347634394932 0000 __cgroup_bpf_run_filter_skb (len: 5764 gso_type: tcpv4)
    3347634398196 0000 ip_finish_output2 (len: 5764 gso_type: tcpv4)
    3347634401431 0000 neigh_direct_output (len: 5764 gso_type: tcpv4)
    3347634404503 0000 dev_queue_xmit (len: 5764 gso_type: tcpv4)
    3347634407363 0000 __dev_queue_xmit (len: 5764 gso_type: tcpv4)
    3347634410290 0000 netdev_pick_tx (len: 5764 gso_type: tcpv4)
    3347634413287 0000 validate_xmit_skb (len: 5764 gso_type: tcpv4)
    3347634416425 0000 netif_skb_features (len: 5764 gso_type: tcpv4)
    3347634419602 0000 skb_network_protocol (len: 5764 gso_type: tcpv4)
    3347634422951 0000 skb_csum_hwoffload_help (len: 5764 gso_type: tcpv4)
    ύέοτ͕ʮ௨ͬͨʯؔ਺
    $16*%
    5JNF4UBNQ
    Ћ
    Ϣʔβఆٛͷσʔλ

    View Slide

  6. 0VUQVU
    JQGUSBDF"-JOVY'VODUJPO5SBDFSGPS/FUXPSL1FPQMFc:VUBSP )BZBLBXB
    3347634425930 0000 validate_xmit_xfrm (len: 5764 gso_type: tcpv4)
    3347634429001 0000 dev_hard_start_xmit (len: 5764 gso_type: tcpv4)
    3347634432145 0000 iptunnel_handle_offloads (len: 5764 gso_type: tcpv4)
    3347634435381 0000 ip_rt_update_pmtu (len: 5764 gso_type: tcpv4|ipxip4)
    3347634438569 0000 iptunnel_xmit (len: 5764 gso_type: tcpv4|ipxip4)
    3347634441580 0000 skb_scrub_packet (len: 5764 gso_type: tcpv4|ipxip4)
    3347634444653 0000 skb_push (len: 5764 gso_type: tcpv4|ipxip4)
    3347634447795 0000 ip_local_out (len: 5784 gso_type: tcpv4|ipxip4)
    3347634450651 0000 __ip_local_out (len: 5784 gso_type: tcpv4|ipxip4)
    3347634453520 0000 nf_hook_slow (len: 5784 gso_type: tcpv4|ipxip4)
    3347634456546 0000 selinux_ipv4_output (len: 5784 gso_type: tcpv4|ipxip4)
    3347634459478 0000 ip_output (len: 5784 gso_type: tcpv4|ipxip4)
    3347634462317 0000 nf_hook_slow (len: 5784 gso_type: tcpv4|ipxip4)
    3347634465284 0000 selinux_ipv4_postroute (len: 5784 gso_type: tcpv4|ipxip4)
    3347634468208 0000 selinux_ip_postroute (len: 5784 gso_type: tcpv4|ipxip4)
    3347634471081 0000 ip_finish_output (len: 5784 gso_type: tcpv4|ipxip4)
    3347634474005 0000 ip_finish_output2 (len: 5784 gso_type: tcpv4|ipxip4)
    3347634477149 0000 neigh_resolve_output (len: 5784 gso_type: tcpv4|ipxip4)
    3347634480256 0000 eth_header (len: 5784 gso_type: tcpv4|ipxip4)
    3347634483169 0000 skb_push (len: 5784 gso_type: tcpv4|ipxip4)
    3347634486125 0000 dev_queue_xmit (len: 5798 gso_type: tcpv4|ipxip4)

    View Slide

  7. 0VUQVU
    JQGUSBDF"-JOVY'VODUJPO5SBDFSGPS/FUXPSL1FPQMFc:VUBSP )BZBLBXB
    3347634488963 0000 __dev_queue_xmit (len: 5798 gso_type: tcpv4|ipxip4)
    3347634491902 0000 netdev_pick_tx (len: 5798 gso_type: tcpv4|ipxip4)
    3347634494765 0000 validate_xmit_skb (len: 5798 gso_type: tcpv4|ipxip4)
    3347634497750 0000 netif_skb_features (len: 5798 gso_type: tcpv4|ipxip4)
    3347634500779 0000 passthru_features_check (len: 5798 gso_type: tcpv4|ipxip4)
    3347634503730 0000 skb_network_protocol (len: 5798 gso_type: tcpv4|ipxip4)
    3347634506729 0000 skb_csum_hwoffload_help (len: 5798 gso_type: tcpv4|ipxip4)
    3347634509655 0000 validate_xmit_xfrm (len: 5798 gso_type: tcpv4|ipxip4)
    3347634512554 0000 dev_hard_start_xmit (len: 5798 gso_type: tcpv4|ipxip4)
    3347634515513 0000 dev_forward_skb (len: 5798 gso_type: tcpv4|ipxip4)
    3347634518497 0000 __dev_forward_skb (len: 5798 gso_type: tcpv4|ipxip4)
    3347634521441 0000 skb_scrub_packet (len: 5798 gso_type: tcpv4|ipxip4)

    View Slide

  8. .PUJWBUJPO
    • ࢓ࣄฑ-JOVYͷωοτϫʔΫػೳΛϔϏʔʹ࢖͏
    • ϧʔλʔͱͯ͠ /"5ͱͯ͠ '8ͱͯ͠ -#ͱͯ͠
    • ύέοτ͸ԟʑʹͯ͠Ͳ͔͍ͬ͘!
    • ຊ౰ʹͲ͏ͯ͠΋ݪҼ͕Θ͔Βͳ͍ͱ͖ʹ͸ιʔεΛݟΔ͔͠ͳ͍
    • ιʔεಡΜ͚ͩͩͰΘ͔Δ͜ͱ͸গͳ͍
    • ࣮ߦͯ͠ڍಈΛ֬ೝ͍ͨ͠
    JQGUSBDF"-JOVY'VODUJPO5SBDFSGPS/FUXPSL1FPQMFc:VUBSP )BZBLBXB

    View Slide

  9. 4ZTUFN5BQ CQGUSBDF
    • $ͱBXLΛ߹ΘͤͨΑ͏ͳ%4-Λ࢖ͬͯτϨʔε͕ॻ͚Δ
    • ؔ਺ͷݺͼग़͠ͳͲΛϑοΫͯ͠Ҿ਺ͷ஋ͳͲΛग़ྗ͢Δ͜ͱ͕Ͱ͖Δ
    • τϨʔε͢Δର৅͸Ϣʔβ͕બͿඞཁ͕͋ΔͷͰԿ΋ख͕͔Γ͕ͳ͍ঢ়ଶͰ͸গʑ࢖͍ͮΒ͍
    JQGUSBDF"-JOVY'VODUJPO5SBDFSGPS/FUXPSL1FPQMFc:VUBSP )BZBLBXB
    // bpftrace"
    // open(2)!
    !
    tracepoint:syscalls:sys_enter_open {
    printf("%s %s¥n", comm, str(args->filename));
    }
    // IO

    tracepoint:block:block_rq_issue {
    @[args->comm] = hist(args->bytes);
    }

    View Slide

  10. GUSBDF
    • Χʔωϧશମͷؔ਺ݺͼग़͠ͷτϨʔε͕औΕΔπʔϧ
    • Կ΋ख͕͔Γ͕ͳ͍ঢ়ଶͰ΋࢖͍΍͍͕͢ εΫϦϓςΟϯάͷػೳ͸ͳ͍
    • ग़ྗ͕ϑΝδʔʹͳΓ͕ͪ ωοτϫʔΫͷॲཧҎ֎΋ࠞͬͯ͘͟Δ
    JQGUSBDF"-JOVY'VODUJPO5SBDFSGPS/FUXPSL1FPQMFc:VUBSP )BZBLBXB
    # _-----=> irqs-off
    # / _----=> need-resched
    # | / _---=> hardirq/softirq
    # || / _--=> preempt-depth
    # ||| / delay
    # TASK-PID CPU# |||| TIMESTAMP FUNCTION
    # | | | |||| | |
    gdbus-8688 [003] .... 105981.564554: vfs_read <-SyS_read
    bamfdaemon-8170 [002] .... 105981.564584: vfs_writev <-do_writev
    gdbus-8688 [003] .... 105981.564590: vfs_read <-SyS_read
    gdbus-8688 [003] .... 105981.564590: __vfs_read <-vfs_read
    compiz-8331 [007] .... 105981.564706: vfs_writev <-do_writev
    gdbus-8688 [003] .... 105981.564822: vfs_write <-SyS_write
    gdbus-8688 [003] .... 105981.564823: __vfs_write <-vfs_write
    gdbus-8688 [003] .... 105981.983184: vfs_read <-SyS_read
    gdbus-8688 [003] .... 105981.983187: __vfs_read <-vfs_read

    View Slide

  11. /FUXPSLEPNBJOTQFDJGJDSFRVJSFNFOU
    • ωοτϫʔΫػೳΛτϨʔε͍ͨ͠ͱ͖ݻ༗ͷ໰୊
    • ಛఆͷʮύέοτʯʹؔ܎͢Δॲཧ͚ͩݟΔ͜ͱ͕Ͱ͖ͳ͍
    • ྫ͑͹
    • 5$1൪Ѽͷύέοτ
    • Ѽઌ͕ͷ*$.1ύέοτ
    • ؔ਺ݺͼग़͠ͷτϨʔε͚ͩͰ͸ͲͷύέοτΛॲཧ͍ͯ͠Δ͔Θ͔
    Βͳ͍
    JQGUSBDF"-JOVY'VODUJPO5SBDFSGPS/FUXPSL1FPQMFc:VUBSP )BZBLBXB

    View Slide

  12. 3FRVJSFNFOU
    • ͜ΜͳτϨʔαʔ͕ཉ͍͠
    • Կ΋ख͕͔Γ͕ͳ͍ঢ়ଶͰ࢖͍΍͍͢ ؔ਺ίʔϧτϨʔαʔ
    • ύέοτΛॲཧ͢Δؔ਺Ҏ֎ʹ͸ͦΜͳʹڵຯ͕ͳ͍
    • ύέοτ୯ҐͰτϨʔε͍ͨ͠
    • 4ZTUFN5BQͱ͔CQGUSBDFΈ͍ͨͳTDSJQUJOHͷػೳ΋ཉ͍͠
    • ͜ΕΛશ෦ຬͨ͢Α͏ͳτϨʔαʔ͸ͳ͔ͬͨͷͰࣗ෼Ͱ࡞ͬͨ
    JQGUSBDF"-JOVY'VODUJPO5SBDFSGPS/FUXPSL1FPQMFc:VUBSP )BZBLBXB

    View Slide

  13. )PXJQGUSBDF XPSLT
    JQGUSBDF"-JOVY'VODUJPO5SBDFSGPS/FUXPSL1FPQMFc:VUBSP )BZBLBXB
    [email protected]@TLC [email protected] [email protected]@YNJU
    • -JOVYͷωοτϫʔΫͷॲཧ͸ύέοτ [email protected]
    ΛҾ਺ʹ
    ͱΔؔ਺ʹύέοτΛ௨͍ͯ͘͠Α͏ͳܗΛ͍ͯ͠Δ
    int ip_output(struct net *net, struct sock *sk, struct sk_buff *skb)
    'SPN
    TPDLFU
    UP/*$
    TLC

    View Slide

  14. )PXJQGUSBDF XPSLT
    JQGUSBDF"-JOVY'VODUJPO5SBDFSGPS/FUXPSL1FPQMFc:VUBSP )BZBLBXB
    • TLCΛҾ਺ʹऔΔؔ਺͚ͩΛશ෦ϑοΫͯ͠TLCͷϙΠϯλ஋͝ͱͰ
    τϨʔεϩάΛऔΕ͹ύέοτ͕௨ͬͨؔ਺ͷϦετ͕ಘΒΕΔ
    [email protected]@TLC [email protected] [email protected]@YNJU
    'SPN
    TPDLFU
    UP/*$
    TLC#
    -PH -PH -PH
    TLC" BEESFTT<[email protected]@TLCz [email protected] [email protected]@YNJUz>
    TLC# BEESFTT<[email protected]@TLCz [email protected] [email protected]@YNJUz>
    TLC"

    View Slide

  15. )PXJQGUSBDF XPSLT
    JQGUSBDF"-JOVY'VODUJPO5SBDFSGPS/FUXPSL1FPQMFc:VUBSP )BZBLBXB
    • TLCʹ lNBSLzΛ͚ͭͯͦΕΛݟΔ͜ͱʹΑͬͯಛఆͷύέοτ͚ͩ
    ΛτϨʔεͰ͖Δ
    [email protected]@TLC [email protected] [email protected]@YNJU
    'SPN
    TPDLFU
    UP/*$
    TLC"
    -PH
    JGNBSLUBSHFU
    NBSL
    TLC" BEESFTT<[email protected]@TLCz [email protected] [email protected]@YNJUz>
    NBSL
    -PH
    JGNBSLUBSHFU
    NBSL
    -PH
    JGNBSLUBSHFU
    NBSL

    View Slide

  16. *NQMFNFOUBUJPO
    JQGUSBDF"-JOVY'VODUJPO5SBDFSGPS/FUXPSL1FPQMFc:VUBSP )BZBLBXB
    • TLCΛҾ਺ʹऔΔؔ਺Λશ෦औಘ͢Δ
    • σόοά৘ใ %8"3'PS#5'
    Λ࢖͏
    ؔ਺໊
    ϙΠϯλܕͷ৘ใ
    ϙΠϯλ͕ࢦ͍ͯ͠Δ
    σʔλͷܕ৘ใ

    View Slide

  17. *NQMFNFOUBUJPO
    JQGUSBDF"-JOVY'VODUJPO5SBDFSGPS/FUXPSL1FPQMFc:VUBSP )BZBLBXB
    • TLCΛҾ਺ʹऔΔؔ਺Λશ෦ϑοΫͯ͠τϨʔεϩάΛग़͢
    • LQSPCF F#1' [email protected]
    [email protected]@TLC
    F#1'
    1SPHSBN
    [email protected]
    F#1'
    1SPHSBN
    JQGU QSPDFTT
    5SBDF
    -PHT
    &WFOUEBUB
    1FSGSJOHCVGGFS
    6TFS
    ,FSOFM
    "UUBDI
    LQSPCF

    View Slide

  18. *NQMFNFOUBUJPO
    JQGUSBDF"-JOVY'VODUJPO5SBDFSGPS/FUXPSL1FPQMFc:VUBSP )BZBLBXB
    • TLCʹNBSLΛ͚ͭΔ
    • TLCNBSLͱ͍͏ࣗ༝ʹ࢖͑ΔCJUͷϑΟʔϧυ͕͋Δ
    • JQUBCMFT OFUGJMUFS
    ΍UD TFUTPDLPQU [email protected]"3,
    ͳͲͰॻ͖ࠐΈ͕Ͱ͖Δ
    • ͜ΕΒͰهड़Ͱ͖Δ೚ҙͷ৚݅ͰύέοτʹϚʔΫΛ͚ͭΒΕΔ
    • OFUOTΛ·͙ͨͱফ͑Δ ίϯςφͷτϨʔγϯάʹศར
    // TCP10.0.0.10

    # iptables -t raw -A OUTPUT -p tcp -d 10.0.0.10 -j MARK --set-mark 0xdeadbeef
    # ipft -m 0xdeadbeef

    View Slide

  19. 4DSJQUJOH
    JQGUSBDF"-JOVY'VODUJPO5SBDFSGPS/FUXPSL1FPQMFc:VUBSP )BZBLBXB
    • ؔ਺͕ݺͼग़͞Εͨ࣌ͷTLCʹ͍͍ͭͯΔσʔλ΋ͪΐͬͱݟ͍ͨ
    • ͪΐͬͱͨ͠ϓϩάϥϚϏϦςΟ͕ཉ͍͠
    • -VBͰ֦ுΛॻ͚Δػೳ
    Attaching program (total 1803, succeeded 1052, failed 751 filtered: 0)
    Trace ready!
    Samples: 246 Lost: 0^C
    Trace done!
    ===
    3347634373462 0000 selinux_ipv4_output (len: 5764 gso_type: tcpv4)
    3347634379670 0000 ip_output (len: 5764 gso_type: tcpv4)
    3347634382597 0000 nf_hook_slow (len: 5764 gso_type: tcpv4)
    3347634385879 0000 selinux_ipv4_postroute (len: 5764 gso_type: tcpv4)
    3347634388958 0000 selinux_ip_postroute (len: 5764 gso_type: tcpv4)
    3347634391979 0000 ip_finish_output (len: 5764 gso_type: tcpv4)
    ͜ͷ෦෼

    View Slide

  20. 4DSJQUJOH
    JQGUSBDF"-JOVY'VODUJPO5SBDFSGPS/FUXPSL1FPQMFc:VUBSP )BZBLBXB
    -- void
    -- custom_function(uint8_t *buf, void *ctx,
    -- struct sk_buff *skb)
    --
    function emit()
    return BPF.emit({
    ...
    -- Get skb->len
    BPF.MOV64_REG(BPF.R1, BPF.R6),
    BPF.MOV64_IMM(BPF.R2, uint_size),
    BPF.MOV64_REG(BPF.R3, BPF.R8),
    BPF.ALU64_IMM(BPF.ADD, BPF.R3, len_offset),
    BPF.CALL_INSN(BPF.FUNC.probe_read),
    ...
    })
    end
    function dump(data)
    len, gso_type = string.unpack(“=I4I4, data)
    return string.format("(len: %d gso_type: %s)",
    len, flags2str(gso_type))
    end
    • -VBͰFNJU EVNQͷͭΛॻ͘ͱग़
    ྗΛΧελϚΠζͰ͖Δ
    • FNJU௥ՃͷσʔλΛूΊΔF#1'ͷ
    όΠτίʔυΛు͘ϚΫϩΞηϯϒ
    ϥͰॻ͚Δ
    • EVNQFNJUͰूΊͨσʔλΛ੒ܗ
    ͨ͠จࣈྻΛు͘

    View Slide

  21. -JOVYWFSTJPOBSDIJUFDUVSFEFQFOEFODZJTTVF
    • -JOVYͷόʔδϣϯ͕มΘΔͱߏ଄ମͷϑΥʔϚοτ͕มΘΔ
    • -VBεΫϦϓτͰࢀর͍ͯ͠ΔTLCͷϝϯό౳
    • JQGUSBDFຊମͰ࢖͍ͬͯΔTLCNBSL΋ಉ༷
    • ͜ΕΒ͸-JOVYͷόʔδϣϯʹΑͬͯΦϑηοτ΍αΠζ͕มΘͬͯ͠·͏
    • Ͳ͏͢Δ͔ʁ
    JQGUSBDF"-JOVY'VODUJPO5SBDFSGPS/FUXPSL1FPQMFc:VUBSP )BZBLBXB

    View Slide

  22. -JOVYWFSTJPOBSDIJUFDUVSFEFQFOEFODZJTTVF
    • σόοά৘ใΛ࢖ͬͯߏ଄ମͷϝϯό
    ͷΦϑηοτ΍σʔλܕͷαΠζΛ࣮
    ߦ࣌ʹղܾ͢Δ
    • -VB͔Β͸
    JQGUPGGTFUPGTJ[FPGUZQFPGΛ࢖ͬͯ
    σόοά৘ใΛΫΤϦͰ͖ΔΑ͏ʹ͢
    Δ
    • ͜ΕͰ-JOVYͷόʔδϣϯʹґଘ͠ͳ͍
    Α͏ʹॻ͚Δʂ
    JQGUSBDF"-JOVY'VODUJPO5SBDFSGPS/FUXPSL1FPQMFc:VUBSP )BZBLBXB
    function emit()
    return BPF.emit({
    ...
    -- Get skb->len
    BPF.MOV64_REG(BPF.R1, BPF.R6),
    BPF.MOV64_IMM(BPF.R2,
    ipft.sizeof(
    ipft.typeof(”sk_buff”, “len”)
    )
    ),
    BPF.MOV64_REG(BPF.R3, BPF.R8),
    BPF.ALU64_IMM(BPF.ADD, BPF.R3,
    ipft.offsetof(”sk_buff”, ”len”)
    ),
    BPF.CALL_INSN(BPF.FUNC.probe_read),
    ...
    })
    end

    View Slide

  23. )PXVTFGVMJUJT
    • -JOVYͷ43Wͷ540(40ͷॲཧʹόά͕
    ͋Γ ಛఆͷઃఆͰੑೳ͕ѱ͘ͳΔ
    • JQGUSBDFΛ࢖༻ͯ͠ݪҼΛಛఆ
    • मਖ਼ύονΛVQTUSFBN
    JQGUSBDF"-JOVY'VODUJPO5SBDFSGPS/FUXPSL1FPQMFc:VUBSP )BZBLBXB
    2 : : [email protected] 9 6 - 9 1 : 940. 80 /0 : .2 1 9 83 17 36 .97

    View Slide

  24. $PODMVTJPO
    • -JOVYͷωοτϫʔΫػೳʹಛԽͨ͠σόοάπʔϧJQGUSBDFΛ঺հ
    • ࢖ָ͍͍ͬͯͯ͠πʔϧͰ͢Χʔωϧ୳ݕ͕௙Γ·͢
    • /FUXPSLͳํʑ͸ੋඇ࢖ͬͯΈ͍ͯͩ͘͞
    JQGUSBDF"-JOVY'VODUJPO5SBDFSGPS/FUXPSL1FPQMFc:VUBSP )BZBLBXB
    IUUQTHJUIVCDPN:VUBSP)BZBLBXBJQGUSBDF

    View Slide

  25. "QQFOEJY
    • JQUBCMFTͰύέοτ͕མ͍ͪͯΔ༷ࢠ
    JQGUSBDF"-JOVY'VODUJPO5SBDFSGPS/FUXPSL1FPQMFc:VUBSP )BZBLBXB
    548333116979692 0000 iptable_mangle_hook
    548333116988109 0000 tcp_v4_early_demux
    548333116992390 0000 ip_route_input_noref
    548333117014187 0000 ip_route_input_rcu
    548333117020308 0000 __fib_validate_source
    548333117025321 0000 ip_local_deliver
    548333117028313 0000 iptable_mangle_hook
    548333117031775 0000 kfree_skb
    548333117035025 0000 skb_release_all
    548333117037921 0000 skb_release_head_state
    548333117040797 0000 skb_release_data
    548333117044159 0000 skb_free_head
    548333117069838 0000 kfree_skbmem
    iptables –A INPUT –t mangle –s 1.1.1.1 –j DROP
    ͜ͷลΓͰ
    ϧʔςΟϯά
    NBOHMFUBCMF
    ͷೖΓޱ

    View Slide

  26. "QQFOEJY
    [email protected]ʹΑͬͯύέοτ͕མͪΔ༷ࢠ
    JQGUSBDF"-JOVY'VODUJPO5SBDFSGPS/FUXPSL1FPQMFc:VUBSP )BZBLBXB
    593441693907269 0000 ip_rcv_finish
    593441693921407 0000 ip_route_input_noref
    593441693926953 0000 ip_route_input_rcu
    593441693930384 0000 ip_route_input_slow
    593441693935998 0000 fib_validate_source
    593441693940631 0000 __fib_validate_source
    593441693945170 0000 kfree_skb
    593441693949104 0000 skb_release_all
    593441693953039 0000 skb_release_head_state
    593441693956357 0000 skb_release_data
    593441693960079 0000 skb_free_head
    593441693964360 0000 kfree_skbmem
    ιʔεΞυϨε
    ͷݕࠪΛ͢Δ
    ؔ਺

    View Slide

  27. "QQFOEJY
    JQGUSBDF"-JOVY'VODUJPO5SBDFSGPS/FUXPSL1FPQMFc:VUBSP )BZBLBXB
    402343336955099 0000 tcp_v4_fill_cb
    402343336958653 0000 tcp_add_backlog
    402343336962128 0000 skb_condense
    402343336993878 0000 tcp_v4_do_rcv
    402343336998126 0000 tcp_rcv_established
    402343337004807 0000 __kfree_skb
    402343337008443 0000 skb_release_all
    402343337011794 0000 skb_release_head_state
    402343337015133 0000 skb_release_data
    402343337018458 0000 skb_free_head
    402343337021844 0000 kfree_skbmem
    402343337527315 0000 iptable_mangle_hook
    402343337531219 0000 ip_output
    402343337534572 0000 nf_hook_slow
    402343337537925 0000 iptable_mangle_hook
    402343337541373 0000 ip_finish_output
    402343337544750 0000 __cgroup_bpf_run_filter_skb
    402343337548311 0000 __ip_finish_output
    TLCΛղ์͢Δؔ਺

    View Slide

  28. "QQFOEJY
    JQGUSBDF"-JOVY'VODUJPO5SBDFSGPS/FUXPSL1FPQMFc:VUBSP )BZBLBXB
    402343336955099 0000 tcp_v4_fill_cb
    402343336958653 0000 tcp_add_backlog
    402343336962128 0000 skb_condense
    402343336993878 0000 tcp_v4_do_rcv
    402343336998126 0000 tcp_rcv_established
    402343337004807 0000 __kfree_skb
    402343337008443 0000 skb_release_all
    402343337011794 0000 skb_release_head_state
    402343337015133 0000 skb_release_data
    402343337018458 0000 skb_free_head
    402343337021844 0000 kfree_skbmem
    ===
    402343337527315 0000 iptable_mangle_hook
    402343337531219 0000 ip_output
    402343337534572 0000 nf_hook_slow
    402343337537925 0000 iptable_mangle_hook
    402343337541373 0000 ip_finish_output
    402343337544750 0000 __cgroup_bpf_run_filter_skb
    402343337548311 0000 __ip_finish_output
    ͜͏ͳͬͯ΄͍͠
    ͳ͔ͥͭͷ
    τϨʔε͕ͬͭ͘͘!
    ͦΕ΋݁ߏͳස౓Ͱ

    View Slide

  29. "QQFOEJY
    • -JOVY͸Ωϟογϡͷώοτ཰Λ্͛ΔͨΊʹಉ͡TLCͷϝϞϦΛ࢖
    ͍ճ͢
    • JQGUSBDF͸TLCͷΞυϨεΛ࢖ͬͯύέοτΛ۠ผ͢Δ
    • ਓ͕ؒݟΕ͹Θ͔Δ͕ࣗಈͰڥ໨ΛݟΔͷ͸೉͍͠
    JQGUSBDF"-JOVY'VODUJPO5SBDFSGPS/FUXPSL1FPQMFc:VUBSP )BZBLBXB
    402343337004807 0000 __kfree_skb
    402343337008443 0000 skb_release_all
    402343337011794 0000 skb_release_head_state
    402343337015133 0000 skb_release_data
    402343337018458 0000 skb_free_head
    402343337021844 0000 kfree_skbmem
    402343337527315 0000 iptable_mangle_hook

    View Slide