From a6cc8ece4f06fe24a3486331ee3daa82f164c5d0 Mon Sep 17 00:00:00 2001
From: Matthias Radestock
Date: Thu, 25 May 2017 21:59:12 +0100
Subject: [PATCH 1/3] simplify connection tracker initialization - eliminate the code duplication when falling back to procfs scanning - trim some superfluous comments Also fix a bug in the procvess: when falling back to procfs scanning in ReportConnections, the scanner was given a "--any-nat" param, which is wrong.
---
 probe/endpoint/connection_tracker.go | 53 +++++++++++-----------------
 1 file changed, 21 insertions(+), 32 deletions(-)
diff --git a/probe/endpoint/connection_tracker.go b/probe/endpoint/connection_tracker.go
index fcd60179c..2243990dc 100644
--- a/probe/endpoint/connection_tracker.go
+++ b/probe/endpoint/connection_tracker.go
@@ -31,36 +31,21 @@ type connectionTracker struct {
 reverseResolver *reverseResolver
 }
 
-func newProcfsConnectionTracker(conf connectionTrackerConfig) connectionTracker {
- if conf.WalkProc && conf.Scanner == nil {
- conf.Scanner = procspy.NewConnectionScanner(conf.ProcessCache)
- }
- return connectionTracker{
- conf: conf,
- flowWalker: newConntrackFlowWalker(conf.UseConntrack, conf.ProcRoot, conf.BufferSize),
- ebpfTracker: nil,
- reverseResolver: newReverseResolver(),
- }
-}
-
 func newConnectionTracker(conf connectionTrackerConfig) connectionTracker {
- if !conf.UseEbpfConn {
- // ebpf off, use proc scanning for connection tracking
- return newProcfsConnectionTracker(conf)
- }
- et, err := newEbpfTracker()
- if err != nil {
- // ebpf failed, fallback to proc scanning for connection tracking
- log.Warnf("Error setting up the eBPF tracker, falling back to proc scanning: %v", err)
- return newProcfsConnectionTracker(conf)
- }
 ct := connectionTracker{
 conf: conf,
- flowWalker: nil,
- ebpfTracker: et,
 reverseResolver: newReverseResolver(),
 }
- go ct.getInitialState()
+ if conf.UseEbpfConn {
+ et, err := newEbpfTracker()
+ if err == nil {
+ ct.ebpfTracker = et
+ go ct.getInitialState()
+ return ct
+ }
+ log.Warnf("Error setting up the eBPF tracker, falling back to proc scanning: %v", err)
+ }
+ ct.useProcfs()
 return ct
 }
 
@@ -83,6 +68,16 @@ func flowToTuple(f flow) (ft fourTuple) {
 return ft
 }
 
+func (t *connectionTracker) useProcfs() {
+ t.ebpfTracker = nil
+ if t.conf.WalkProc && t.conf.Scanner == nil {
+ t.conf.Scanner = procspy.NewConnectionScanner(t.conf.ProcessCache)
+ }
+ if t.flowWalker == nil {
+ t.flowWalker = newConntrackFlowWalker(t.conf.UseConntrack, t.conf.ProcRoot, t.conf.BufferSize)
+ }
+}
+
 // ReportConnections calls trackers according to the configuration.
 func (t *connectionTracker) ReportConnections(rpt *report.Report) {
 hostNodeID := report.MakeHostNodeID(t.conf.HostID)
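Review bot: `go ct.getInitialState()` is started on the function-local `ct` and the following `return ct` hands the caller a copy, so the goroutine and the caller end up holding two different connectionTracker structs. getInitialState's receiver is not visible in this hunk; if it is a pointer receiver like useProcfs and ReportConnections, any plain field it writes lands in a struct the caller never sees, and later changes the caller makes (such as the fallback in ReportConnections) are not visible to it. The refactor carries this over from the old code unchanged. Returning `*connectionTracker` would remove the ambiguity; at minimum a comment such as `// getInitialState must only touch state shared through pointers: the caller gets a copy of ct` should record the constraint.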
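Review bot: useProcfs drops the eBPF tracker with a bare `t.ebpfTracker = nil` and has no doc comment saying what state it leaves the tracker in. When it is reached from the "ebpf tracker died" branch of ReportConnections (the @@ -93,13 +88,7 @@ hunk), whatever the dead tracker still holds is released only if something else tears it down; if the tracker type offers a teardown method, which is not visible here, it should be called before the reference is cleared. The method also writes t.conf.Scanner and t.flowWalker without a lock, which is safe only if ReportConnections is never run concurrently on the same tracker. A doc comment would capture both, for example `// useProcfs switches t to conntrack/procfs scanning and guarantees a non-nil flowWalker afterwards. Not safe for concurrent use with ReportConnections.`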
@@ -93,13 +88,7 @@ func (t *connectionTracker) ReportConnections(rpt *report.Report) {
 return
 }
 log.Warnf("ebpf tracker died, gently falling back to proc scanning")
- if t.conf.WalkProc && t.conf.Scanner == nil {
- t.conf.Scanner = procspy.NewConnectionScanner(t.conf.ProcessCache)
- }
- if t.flowWalker == nil {
- t.flowWalker = newConntrackFlowWalker(t.conf.UseConntrack, t.conf.ProcRoot, t.conf.BufferSize, "--any-nat")
- }
- t.ebpfTracker = nil
+ t.useProcfs()
 }
 
 // seenTuples contains information about connections seen by conntrack and it will be passed to the /proc parser
From b80a51bc39a08623b5414c0ee8336452e6893450 Mon Sep 17 00:00:00 2001
From: Matthias Radestock
Date: Thu, 25 May 2017 22:22:44 +0100
Subject: [PATCH 2/3] cosmetic: remove outdated comment we now do correctly fall back to proc scanning when eBPF fails
---
 probe/endpoint/connection_tracker.go | 3 ---
 1 file changed, 3 deletions(-)
diff --git a/probe/endpoint/connection_tracker.go b/probe/endpoint/connection_tracker.go
index 2243990dc..6b66e7780 100644
--- a/probe/endpoint/connection_tracker.go
+++ b/probe/endpoint/connection_tracker.go
@@ -96,9 +96,6 @@ func (t *connectionTracker) ReportConnections(rpt *report.Report) {
 if t.flowWalker != nil {
 t.performFlowWalk(rpt, &seenTuples)
 }
- // if eBPF was enabled but failed to initialize, Scanner will be nil.
- // We can't recover from this, so don't walk proc in that case.
- // TODO: implement fallback
 if t.conf.WalkProc && t.conf.Scanner != nil {
 t.performWalkProc(rpt, hostNodeID, &seenTuples)
 }
From b52b2078cabfe226b04a0b63d7d5507b0e131591 Mon Sep 17 00:00:00 2001
From: Matthias Radestock
Date: Thu, 25 May 2017 22:24:37 +0100
Subject: [PATCH 3/3] refactor: remove unnecessary conditional we always have a flowWalker when not using ebpf
---
 probe/endpoint/connection_tracker.go | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/probe/endpoint/connection_tracker.go b/probe/endpoint/connection_tracker.go
index 6b66e7780..c437d9719 100644
--- a/probe/endpoint/connection_tracker.go
+++ b/probe/endpoint/connection_tracker.go
@@ -93,9 +93,7 @@ func (t *connectionTracker) ReportConnections(rpt *report.Report) {
 
 // seenTuples contains information about connections seen by conntrack and it will be passed to the /proc parser
 seenTuples := map[string]fourTuple{}
- if t.flowWalker != nil {
- t.performFlowWalk(rpt, &seenTuples)
- }
+ t.performFlowWalk(rpt, &seenTuples)
 if t.conf.WalkProc && t.conf.Scanner != nil {
 t.performWalkProc(rpt, hostNodeID, &seenTuples)
 }
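Review bot: Dropping the `t.flowWalker != nil` guard makes the call to performFlowWalk depend on an invariant that is established elsewhere (useProcfs, run from the constructor or from the fallback branch earlier in this function) and is not stated at the call site. performFlowWalk's body is outside the hunk, so whether it tolerates a nil walker cannot be confirmed from here. A connectionTracker built as a struct literal rather than through newConnectionTracker, for instance in a test, would reach this line with flowWalker unset, and a panic here would stop the probe's connection reporting altogether. Either keep the cheap guard or record the invariant next to the call, e.g. `// invariant: flowWalker is non-nil here; useProcfs ran in newConnectionTracker or in the fallback above`. ReportConnections starts and ends outside the hunk.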