nfprobe 0.0.1

A netflow probe using ebpf.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152

use std::mem;
use super::{
    bpf::{
        self,
        Any,
        BpfMap,
        BpfMapIter,
    },
    consts,
    Result,
};

pub struct NfpMapIter<'a> {
    iters: Vec<BpfMapIter<'a>>,
}

impl<'a> NfpMapIter<'a> {
    pub fn new(metric_maps: &'a [BpfMap]) -> Self {
        let iters: Vec<BpfMapIter> = metric_maps.iter()
            .map(|m| BpfMapIter::new(m))
            .collect();
        NfpMapIter { iters }
    }

    pub fn next(&mut self, key: &mut Any, val: &mut Any) -> Result<bool> {
        while !self.iters.is_empty() {
            let iter = &mut self.iters[0];

            let exists = iter.next(key)?;
            if !exists {
                self.iters.pop();
                continue;
            }

            let exists = iter.map.lookup(key, val)?;
            if !exists {
                return Err(error!("missing in metric map"));
            }
            return Ok(true);
        }
        Ok(false)
    }
}

// struct bucket_key in bpf/nfprobe.h
#[repr(C)]
#[derive(Default, Clone)]
pub struct Bucket {
    start_ts: u64,
    end_ts:   u64,
}

pub struct NfpMap {
    pub bucket_map: BpfMap,
    key_size:       u32,
    val_size:       u32,
    max_entries:    u32
}

impl NfpMap {
    pub fn open(
        protocol: &str, key_size: u32, val_size: u32, max_entries: u32
    ) -> Result<Self> {
        let metric_map = BpfMap::new(
            bpf::BPF_MAP_TYPE_HASH,
            key_size, val_size,
            max_entries, 0, 0
        )?;

        let mut path = String::from(consts::BPF_MAP_ROOT);
        path.push_str("/buckets_");
        path.push_str(protocol);

        let bucket_map = BpfMap::open(
            &path, bpf::BPF_MAP_TYPE_HASH_OF_MAPS,
            mem::size_of::<Bucket>() as u32, mem::size_of::<u32>() as u32,
            consts::BUCKET_MAP_LIMIT, 0, metric_map.fd
        )?;

        Ok(NfpMap { bucket_map, key_size, val_size, max_entries })
    }

    pub fn get_metric_maps(
        &self, ts: u64
    ) -> Result<(Vec<Bucket>, Vec<BpfMap>)> {
        let mut bucket = Bucket::default();
        let mut buckets = Vec::<Bucket>::new();
        let mut iter = BpfMapIter::new(&self.bucket_map);

        loop {
            let exists = iter.next(&mut bucket)?;
            if !exists {
                break;
            }

            // only get closed buckets
            if bucket.end_ts < ts {
                buckets.push(bucket.clone());
            }
        }

        buckets.sort_by_key(|x| x.end_ts);
        let maps = buckets.iter()
            .map(|b| self.get_metric_map(b))
            .collect::<Result<Vec<BpfMap>>>()?;

        Ok((buckets, maps))
    }

    pub fn get_metric_map(&self, bucket: &Bucket) -> Result<BpfMap> {
        let mut id :u32 = 0;
        let exists = self.bucket_map.lookup(bucket, &mut id)?;
        if !exists {
            return Err(error!("missing in bucket map"));
        }
        BpfMap::from_id(id, 0).map_err(|e| e.into())
    }

    pub fn allocate(
        &mut self, start_ts: u64, bucket_width: u64, count: u32
    ) -> Result<Vec<Bucket>> {
        let mut bucket = Bucket::default();
        let mut buckets = Vec::<Bucket>::new();
        let mut ts = start_ts;

        for _ in 0..count {
            let metric_map = BpfMap::new(
                bpf::BPF_MAP_TYPE_HASH,
                self.key_size, self.val_size,
                self.max_entries, 0, 0)?;

            bucket.start_ts = ts;
            bucket.end_ts = ts + bucket_width;
            buckets.push(bucket.clone());

            ts = bucket.end_ts;

            if false == self.bucket_map.update(
                &bucket, &metric_map.fd, bpf::BPF_ANY)? {
                break
            }
        }

        Ok(buckets)
    }

    pub fn deallocate(&mut self, buckets: Vec<Bucket>) -> Result<Vec<bool>> {
        buckets.iter()
            .map(|b| self.bucket_map.delete(b).map_err(|e| e.into()))
            .collect()
    }
}