Use libpcap-filter for packet filtering

[jschwinger233]

This is a POC PR to demonstrate how to introduce libpcap for pwru, will clean this shit up after some detail discussions.

1. Statically link for libpcap. It's feasible, as long as we compile the libpcap.a with some specific compilation flags, which can be integrated into release flow. This PR doesn't implement this for now, but we won't be bothered by the linking trouble.
2. Generating filter ebpf instructions. 1) libpcap API compiles pcap-filter expression into cbpf; 2) cloudflare/cbpfc compiles cbpf into ebpf; 3) we, pwru, translate direct skb fields accessing into bpf_probe_read_kernel. The last step is very subtle and this PR still leaves some issue to make it work perfectly, see the TODO@gray in the PR.
3. Inject generated ebpf instructions into existing instructions. To achieve this task, I add a bpf_printk in the bpf c code, which is exactly the position I will inject the filter instructions. Adding bpf_printk is good because: 1) it tells us the location of skb->data (L3 header pointer) and skb->data_end (...), which is necessary for cloudflare/cbpfc to do the conversion; 2) it leaves R1, R2, R3, R4 available for cloudflare/cbpfc conversion; 3) it's a clear signal to let us find the injection point: we just need to find the instruction calling bpf_printk; Still there are error-prone parts: we have to adjust offsets for some jump instructions.
4. For the legacy filter flags such as --filter-dst-ip, we can make it part of the pcap-filter expression. For example, if user run pwru with --filter-dst-ip 1.2.3.4 --pcap-filter 'tcp and dst port 80', we can compose a new pcap filter expression: tcp and dst port 80 and dest host 1.2.3.4. So all the existing filtering code in bpf c becomes obsolete. However, this PR hasn't done this so far, but the point is we won't break the CLI interface.

Introducing tailcall or similar mechanism to decouple the generated instructions from the existing part is valuable, but I decided to implement this POC first to see if there is some hidden obstacle.

Current implementation is buggy and dirty, full of debugging logs, but I can improve it later if the ideas look good to @brb
I know my explanation is still vague, feel free to ask anything.

This PR allows pwru to filter traffic using pcap-filter(7) expression. For example, we can run pwru --filter-pcap 'ip6[40+13] & 0x3f = 0x2' to capture Syn TCP on IPv6.

The main ideas to achieve the goal are:

1. Link libpcap, use its API to compile pcap-filter expression to cbpf
2. Use cloudflare/cbpfc to convert cbpf to ebpf
3. Adjust generated ebpf instructions to pass the verifier
4. Inject the instructions to a specific position

Although the steps sound superficial and simple, the implementation details require meticulousness. See the comments in the libpcap package.

The original CLI flags won't be broken, as we converted them into part of pcap-filter expression.

Fixes: #85
Fixes: #142

Signed-off-by: Zhichuan Liang gray.liang@isovalent.com

[brb]

Very nice!

Answers to the points above:

1. Yep, we can embed libpcap.a at a later stage.
2. My main worry about relying on cloudflare/cbpfc is that it introduces a runtime dependency on Clang (or did I completely misread their README?)
3. SGTM.
4. Yep, I'd bother about the conversion for now.
   5 (the tail call). Yep, we can do it later. Either a tail call or freplace could do the job.

[brb]

My main worry about relying on cloudflare/cbpfc is that it introduces a runtime dependency on Clang (or did I completely misread their README?)

@jibi instructed me that it's only for C compilation. So please ignore my concern.

[jschwinger233]

Functionality should be fine now, next I can clean the code up and make it a readable PR.

[brb]

Functionality should be fine now, next I can clean the code up and make it a readable PR.

👍 Next release is going to be crazy good.

[jschwinger233]

@brb ready for review but don't merge until I fix the release flow😂and docs

[brb]

Shall we add -ldflags "-linkmode 'external' -extldflags '-static'" to get a statically linked exec?

[jschwinger233]

It's in the libpcap/compile.go, so go build without ldflags can generate statically linked elf:

/*
#cgo LDFLAGS: -L/usr/local/lib -lpcap -static
#include <stdlib.h>
#include <pcap.h>
*/
import "C"

Or it's better if we move the flags to go build?

[brb]

TIL that -static in #cgo forces building a statically linked go exec. It's fine to keep it here.

[brb]

Could we add this step to Makefile under libpcap.a target?

[brb]

Very nice! Also, thanks a lot for code comments which made the changes easier to understand.

Some minor nits.

[brb]

Isn't this 1M for kernels we support?

[jschwinger233]

You're right, but this is for compiling pcap-filter to cbpf, which is concise and I consider 4096 is sufficient so that we don't have to waste unnecessary memory.

For instance, we can implement equivalent filter to pwru --filter-src-ip --filter-dst-ip --filter-src-port --filter-dst-port --filter proto --filter-tcp-flag syn using only 19 pieces of cbpf instructions:

$ tcpdump -d 'src host 1.1.1.1 and dst host 2.2.2.2 and src port 23 and dst port 23 and tcp and tcp[tcpfl
ags] & tcp-syn != 0'
Warning: assuming Ethernet
(000) ldh      [12]
(001) jeq      #0x800           jt 2	jf 19
(002) ld       [26]
(003) jeq      #0x1010101       jt 4	jf 19
(004) ld       [30]
(005) jeq      #0x2020202       jt 6	jf 19
(006) ldb      [23]
(007) jeq      #0x84            jt 19	jf 8
(008) jeq      #0x6             jt 9	jf 19
(009) ldh      [20]
(010) jset     #0x1fff          jt 19	jf 11
(011) ldxb     4*([14]&0xf)
(012) ldh      [x + 14]
(013) jeq      #0x17            jt 14	jf 19
(014) ldh      [x + 16]
(015) jeq      #0x17            jt 16	jf 19
(016) ldb      [x + 27]
(017) jset     #0x2             jt 18	jf 19
(018) ret      #262144
(019) ret      #0

[brb]

Nit: s/TC_ACT_OK/0/

[brb]

GL to folks who will use bpf_printk for debugging :-) Maybe let's add a warning as a code comment in the beginning of kprobe_pwru.c?

[brb]

If empty filter, then we will end up calling the bpf_printk?

[jschwinger233]

Will revise, thanks for pointing out 👍

[brb]

TIL about this loader's feature 🤩

[brb]

I'd suggest to drop all previous filters, and allow users to specify the filter pcap in the same way as with tcpdump. For example, pwru --output-tuple 'host 1.1.1.1 and port 80'. Let's do it as a follow-up.