12 changes: 8 additions & 4 deletions bpf/include/common.h
Expand Up @@ -137,7 +137,7 @@ struct buf {
};
struct {
__uint(type, BPF_MAP_TYPE_PERCPU_ARRAY);
__uint(max_entries, 1);
__uint(max_entries, 2);
__type(key, int);
__type(value, struct buf);
} tmp_buf SEC(".maps");
Expand Down Expand Up @@ -249,12 +249,11 @@ static inline int convert_v6(char *data, __u32 *ip6)

/* 2001:0db8:3333:4444:CCCC:DDDD:EEEE:FFFF */
/* 192.168.000.001 */
static inline char *ip2str(__u32 *ip_ptr, bool v4)
static inline char *ip2str_idx(__u32 *ip_ptr, bool v4, int idx)
{
struct buf *buf;
int zero = 0;
int ret;
buf = bpf_map_lookup_elem(&tmp_buf, &zero);
buf = bpf_map_lookup_elem(&tmp_buf, &idx);
if (!buf)
return NULL;
if (v4) {
Expand All @@ -267,4 +266,9 @@ static inline char *ip2str(__u32 *ip_ptr, bool v4)
return buf->data;
}

static inline char *ip2str(__u32 *ip_ptr, bool v4)
{
return ip2str_idx(ip_ptr, v4, 0);
}

#endif // _COMMON_H_
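Review bot: `ip2str_idx` accepts any `int idx` but nothing ties it to the map's new `max_entries` of 2 (L29); an out-of-range index only makes `bpf_map_lookup_elem` return NULL on an array map, which the caller then hands to `%s` and most likely sees as an empty address rather than an error. Name the slot count once and use it for both, e.g. `enum { TMP_BUF_SLOTS = 2 };` with `__uint(max_entries, TMP_BUF_SLOTS);`, and state the contract above the function: `/* idx selects one of TMP_BUF_SLOTS per-CPU scratch buffers; two ip2str calls in one log statement must use distinct idx or the second overwrites the first. */`. If `int zero = 0;` (L41) survives the change it is now unused and should be dropped. The body of `ip2str_idx` continues outside the hunk.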
38 changes: 25 additions & 13 deletions bpf/kmesh/workload/cgroup_sock.c
Expand Up @@ -37,10 +37,10 @@ static inline int sock_traffic_control(struct kmesh_context *kmesh_ctx)
BPF_LOG(
DEBUG,
KMESH,
"origin dst addr=[%u:%s:%u]\n",
ctx->family,
"origin dst addr=[%s:%u], family=[%u]\n",
ip2str((__u32 *)&kmesh_ctx->orig_dst_addr, (ctx->family == AF_INET)),
bpf_ntohs(ctx->user_port));
bpf_ntohs(ctx->user_port),
ctx->family);

frontend_v = map_lookup_frontend(&frontend_k);
if (!frontend_v) {
Expand All @@ -50,7 +50,9 @@ static inline int sock_traffic_control(struct kmesh_context *kmesh_ctx)
ret = frontend_manager(kmesh_ctx, frontend_v);
if (ret != 0) {
if (ret != -ENOENT)
BPF_LOG(ERR, KMESH, "frontend_manager failed, ret:%d\n", ret);
BPF_LOG(ERR, KMESH, "frontend_manager failed for dst=[%s:%u], ret:%d\n",
ip2str((__u32 *)&kmesh_ctx->orig_dst_addr, (ctx->family == AF_INET)),
bpf_ntohs(ctx->user_port), ret);
return ret;
}
observe_on_operation_end(SOCK_TRAFFIC_CONTROL, kmesh_ctx);
Expand All @@ -65,7 +67,9 @@ static inline int set_original_dst_info(struct kmesh_context *kmesh_ctx)
struct sock_storage_data *storage = NULL;
storage = bpf_sk_storage_get(&map_of_sock_storage, sk, 0, BPF_LOCAL_STORAGE_GET_F_CREATE);
if (!storage) {
BPF_LOG(ERR, KMESH, "failed to get storage from map_of_sock_storage");
BPF_LOG(ERR, KMESH, "failed to get storage for dst=[%s:%u]\n",
ip2str((__u32 *)&kmesh_ctx->orig_dst_addr, (ctx->family == AF_INET)),
bpf_ntohs(ctx->user_port));
return 0;
}

Expand Down Expand Up @@ -111,7 +115,8 @@ int cgroup_connect4_prog(struct bpf_sock_addr *ctx)

kmesh_ctx.dnat_ip.ip4 = backend_v->addr.ip4;
if (set_original_dst_info(&kmesh_ctx)) {
BPF_LOG(ERR, KMESH, "[IPv4]failed to set original destination info");
BPF_LOG(ERR, KMESH, "[IPv4]failed to set original destination info for dst=[%s:53]\n",
ip2str((__u32 *)&kmesh_ctx.orig_dst_addr.ip4, true));
return CGROUP_SOCK_OK;
}

Expand All @@ -130,7 +135,8 @@ int cgroup_connect4_prog(struct bpf_sock_addr *ctx)
}
ret = set_original_dst_info(&kmesh_ctx);
if (ret) {
BPF_LOG(ERR, KMESH, "[IPv4]failed to set original destination info, ret is %d\n", ret);
BPF_LOG(ERR, KMESH, "[IPv4]failed to set original destination info for dst=[%s:%u], ret is %d\n",
ip2str((__u32 *)&kmesh_ctx.orig_dst_addr.ip4, true), bpf_ntohs(ctx->user_port), ret);
return CGROUP_SOCK_OK;
}

Expand All @@ -139,7 +145,8 @@ int cgroup_connect4_prog(struct bpf_sock_addr *ctx)
kmesh_workload_tail_call(ctx, TAIL_CALL_CONNECT4_INDEX);

// if tail call failed will run this code
BPF_LOG(ERR, KMESH, "workload tail call failed, err is %d\n", ret);
BPF_LOG(ERR, KMESH, "workload tail call failed for dst=[%s:%u], err is %d\n",
ip2str((__u32 *)&kmesh_ctx.orig_dst_addr.ip4, true), bpf_ntohs(ctx->user_port), ret);
}

return CGROUP_SOCK_OK;
Expand All @@ -158,7 +165,8 @@ int cgroup_connect6_prog(struct bpf_sock_addr *ctx)
return CGROUP_SOCK_OK;
}

BPF_LOG(DEBUG, KMESH, "enter cgroup/connect6\n");
BPF_LOG(DEBUG, KMESH, "enter cgroup/connect6 for dst=[%s:%u]\n",
ip2str((__u32 *)&kmesh_ctx.orig_dst_addr, false), bpf_ntohs(ctx->user_port));
if (ctx->protocol != IPPROTO_TCP)
return CGROUP_SOCK_OK;

Expand All @@ -171,7 +179,8 @@ int cgroup_connect6_prog(struct bpf_sock_addr *ctx)

ret = set_original_dst_info(&kmesh_ctx);
if (ret) {
BPF_LOG(ERR, KMESH, "[IPv6]failed to set original destination info, ret is %d\n", ret);
BPF_LOG(ERR, KMESH, "[IPv6]failed to set original destination info for dst=[%s:%u], ret is %d\n",
ip2str((__u32 *)&kmesh_ctx.orig_dst_addr, false), bpf_ntohs(ctx->user_port), ret);
return CGROUP_SOCK_OK;
}

Expand All @@ -183,7 +192,8 @@ int cgroup_connect6_prog(struct bpf_sock_addr *ctx)
kmesh_workload_tail_call(ctx, TAIL_CALL_CONNECT6_INDEX);

// if tail call failed will run this code
BPF_LOG(ERR, KMESH, "workload tail call6 failed, err is %d\n", ret);
BPF_LOG(ERR, KMESH, "workload tail call6 failed for dst=[%s:%u], err is %d\n",
ip2str((__u32 *)&kmesh_ctx.orig_dst_addr, false), bpf_ntohs(ctx->user_port), ret);
}

return CGROUP_SOCK_OK;
Expand Down Expand Up @@ -216,7 +226,8 @@ int bpf_redirect_dns_send(struct bpf_sock_addr *ctx)

int ret = set_original_dst_info(&kmesh_ctx);
if (ret) {
BPF_LOG(ERR, KMESH, "[IPv4]failed to set original destination info, ret is %d\n", ret);
BPF_LOG(ERR, KMESH, "[IPv4]failed to set original destination info for DNS dst=[%s:53], ret is %d\n",
ip2str((__u32 *)&kmesh_ctx.orig_dst_addr.ip4, true), ret);
return CGROUP_SOCK_OK;
}

Expand Down Expand Up @@ -253,7 +264,8 @@ int bpf_restore_dns_recv(struct bpf_sock_addr *ctx)
struct sock_storage_data *storage = NULL;
storage = bpf_sk_storage_get(&map_of_sock_storage, ctx->sk, 0, BPF_LOCAL_STORAGE_GET_F_CREATE);
if (!storage) {
BPF_LOG(ERR, KMESH, "failed to get storage from map_of_sock_storage");
BPF_LOG(ERR, KMESH, "failed to get storage for DNS dst=[%s:53]\n",
ip2str((__u32 *)&kmesh_ctx.orig_dst_addr.ip4, true));
return CGROUP_SOCK_OK;
}

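Review bot: L101-102 hard-codes `:53` into the message while the sibling messages in the same function (L111-112, L121-122) print `bpf_ntohs(ctx->user_port)`; if this branch is guarded by a port-53 check outside the hunk the literal is accurate today, but the moment that guard changes the log will misreport the port. Prefer `"[IPv4]failed to set original destination info for dst=[%s:%u]\n", ip2str((__u32 *)&kmesh_ctx.orig_dst_addr.ip4, true), bpf_ntohs(ctx->user_port)` so every message in `cgroup_connect4_prog` is built the same way; the same applies to L161-162 and L171-172. Each new call also costs a map lookup plus string formatting, so for the DEBUG line at L66-70 on the connect path it is worth confirming that `BPF_LOG` evaluates its arguments only when the level is enabled. All enclosing functions start and end outside the hunks.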
25 changes: 17 additions & 8 deletions bpf/kmesh/workload/include/authz.h
Expand Up @@ -165,7 +165,8 @@ static int match_dst_ports(Istio__Security__Match *match, struct xdp_info *info,
if (match->n_not_destination_ports != 0) {
notPorts = KMESH_GET_PTR_VAL(match->not_destination_ports, void *);
if (!notPorts) {
BPF_LOG(ERR, AUTH, "failed to retrieve not_destination_ports pointer");
BPF_LOG(ERR, AUTH, "failed to retrieve not_destination_ports pointer for src=[%s:%u]\n",
ip2str((__u32 *)&tuple_info->ipv4.saddr, (info->iph->version == 4)), dport);
return UNMATCHED;
}
#pragma unroll
Expand All @@ -186,7 +187,8 @@ static int match_dst_ports(Istio__Security__Match *match, struct xdp_info *info,

ports = KMESH_GET_PTR_VAL(match->destination_ports, void *);
if (!ports) {
BPF_LOG(ERR, AUTH, "failed to retrieve destination_ports pointer");
BPF_LOG(ERR, AUTH, "failed to retrieve destination_ports pointer for src=[%s:%u]\n",
ip2str((__u32 *)&tuple_info->ipv4.saddr, (info->iph->version == 4)), dport);
return UNMATCHED;
}
#pragma unroll
Expand Down Expand Up @@ -620,13 +622,14 @@ int policy_check(struct xdp_md *ctx)
int i;

if (construct_tuple_key(ctx, &tuple_key, &info) != PARSER_SUCC) {
BPF_LOG(ERR, AUTH, "failed to get tuple key in rule_check");
BPF_LOG(ERR, AUTH, "failed to get tuple key in rule_check\n");
return XDP_PASS;
}

match_ctx = bpf_map_lookup_elem(&kmesh_tc_args, &tuple_key);
if (!match_ctx) {
BPF_LOG(ERR, AUTH, "failed to retrieve match_context from map");
BPF_LOG(ERR, AUTH, "failed to retrieve match_context from map for src=[%s:%u]\n",
ip2str((__u32 *)&tuple_key.ipv4.saddr, (info.iph->version == 4)), tuple_key.ipv4.sport);
return XDP_PASS;
Comment on lines +631 to 633

Copilot AI Apr 1, 2026


This error log prints src=[%s:%u] using tuple_key.ipv4.sport regardless of IP version. For IPv6 tuples, ipv4.sport does not alias ipv6.sport, so the port logged will be incorrect. Use info.iph->version to select ipv4 vs ipv6 fields (and consider using ip2str_idx with separate buffers if you ever log both src/dst in the same statement).

}
for (i = 0; i < MAX_MEMBER_NUM_PER_POLICY; i++) {
Expand Down Expand Up @@ -655,7 +658,10 @@ int policy_check(struct xdp_md *ctx)
}

if (matched) {
BPF_LOG(DEBUG, AUTH, "policy %s matched", match_ctx->policy_name);
BPF_LOG(INFO, AUTH, "policy %s matched, src=[%s:%u], dst=[%s:%u]\n",
match_ctx->policy_name,
ip2str_idx((__u32 *)&tuple_key.ipv4.saddr, (info.iph->version == 4), 0), tuple_key.ipv4.sport,
ip2str_idx((__u32 *)&tuple_key.ipv4.daddr, (info.iph->version == 4), 1), tuple_key.ipv4.dport);
Comment on lines +661 to +664

Copilot AI Apr 1, 2026


In this INFO log, src/dst ports are taken from tuple_key.ipv4.{sport,dport} even when processing IPv6 packets; those fields don’t overlap the IPv6 port offsets, so ports will be wrong. Also, for IPv6 dst, using &tuple_key.ipv4.daddr does not point at tuple_key.ipv6.daddr, so the destination address string will be wrong. Please branch on info.iph->version and use tuple_key.ipv6.{saddr,daddr,sport,dport} for IPv6.

if (info.iph->version == IPV4_VERSION) {
BPF_LOG(DEBUG, AUTH, "src ip: %s, src port:%u", ip2str(&tuple_key.ipv4.saddr, true), tuple_key.ipv4.sport);
BPF_LOG(
Expand All @@ -666,11 +672,13 @@ int policy_check(struct xdp_md *ctx)
DEBUG, AUTH, "dst ip: %s, dst port:%u\n", ip2str(tuple_key.ipv6.daddr, false), tuple_key.ipv6.dport);
}
if (bpf_map_delete_elem(&kmesh_tc_args, &tuple_key) != 0) {
BPF_LOG(ERR, AUTH, "failed to delete tail call context from map");
BPF_LOG(ERR, AUTH, "failed to delete tail call context from map for src=[%s:%u]\n",
ip2str((__u32 *)&tuple_key.ipv4.saddr, (info.iph->version == 4)), tuple_key.ipv4.sport);
}
Comment on lines 674 to 677

Copilot AI Apr 1, 2026


This delete-failure log prints src=[%s:%u] using tuple_key.ipv4.sport regardless of IP version. For IPv6 packets, ipv4.sport does not alias ipv6.sport, so the logged port will be incorrect. Use info.iph->version to choose the correct port/address fields before logging.

__u32 auth_result = match_ctx->action == ISTIO__SECURITY__ACTION__DENY ? AUTH_DENY : AUTH_ALLOW;
if (bpf_map_update_elem(&map_of_auth_result, &tuple_key, &auth_result, BPF_ANY) != 0) {
BPF_LOG(ERR, AUTH, "failed to update auth result in map_of_auth_result");
BPF_LOG(ERR, AUTH, "failed to update auth result in map_of_auth_result for src=[%s:%u]\n",
ip2str((__u32 *)&tuple_key.ipv4.saddr, (info.iph->version == 4)), tuple_key.ipv4.sport);
}
Comment on lines 678 to 682

Copilot AI Apr 1, 2026


This map update failure log prints src=[%s:%u] using tuple_key.ipv4.sport regardless of IP version. For IPv6 packets, ipv4.sport does not alias ipv6.sport, so the logged port will be incorrect. Use info.iph->version to select ipv4 vs ipv6 fields (ports and addresses) for accurate logging.

return match_ctx->action == ISTIO__SECURITY__ACTION__DENY ? XDP_DROP : XDP_PASS;
}
Expand All @@ -681,7 +689,8 @@ int policy_check(struct xdp_md *ctx)

ret = bpf_map_update_elem(&kmesh_tc_args, &tuple_key, match_ctx, BPF_ANY);
if (ret < 0) {
BPF_LOG(ERR, AUTH, "failed to update map, error: %d", ret);
BPF_LOG(ERR, AUTH, "failed to update match_ctx in map for src=[%s:%u], error: %d\n",
ip2str((__u32 *)&tuple_key.ipv4.saddr, (info.iph->version == 4)), tuple_key.ipv4.sport, ret);
return XDP_PASS;
}
bpf_tail_call(ctx, &map_of_xdp_tailcall, TAIL_CALL_POLICIES_CHECK);
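Review bot: The new log calls test `info.iph->version == 4` with a bare literal (L185, L195, L212, L235-236, L258, L276, L298, and likewise xdp.c L490 and L500) while the untouched line at L249 spells the same test `IPV4_VERSION`; use the named constant throughout, e.g. `ip2str((__u32 *)&tuple_key.ipv4.saddr, info.iph->version == IPV4_VERSION)`, so family selection reads the same everywhere. The `match_dst_ports` logs at L184-185 and L194-195 take the address from `tuple_info->ipv4.saddr` for both families, the same field-selection pattern the inline comments discuss for `policy_check`, so any fix should cover them too. Separately, L233 raises the "policy matched" line from DEBUG to INFO and now formats two addresses for it; this runs in the XDP path, so once INFO is enabled the trace volume can grow with traffic, and it is worth either keeping it at DEBUG or confirming that volume is acceptable. `match_dst_ports` and `policy_check` both extend beyond the hunks.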
10 changes: 5 additions & 5 deletions bpf/kmesh/workload/include/backend.h
Expand Up @@ -47,7 +47,7 @@ static inline int svc_dnat(struct kmesh_context *kmesh_ctx, backend_value *backe
BPF_LOG(
ERR,
BACKEND,
"svc_dnat: cannot find matched service port [%s:%u]\n",
"svc_dnat: cannot find matched service port for dst=[%s:%u]\n",
ip2str((__u32 *)&backend_v->addr.ip6, ctx->family == AF_INET),
bpf_ntohs(ctx->user_port));
return -ENOENT;
Expand All @@ -62,9 +62,9 @@ backend_manager(struct kmesh_context *kmesh_ctx, backend_value *backend_v, __u32

if (backend_v->waypoint_port != 0) {
BPF_LOG(
DEBUG,
INFO,
BACKEND,
"route to waypoint[%s:%u]\n",
"route to waypoint dst=[%s:%u]\n",
ip2str((__u32 *)&backend_v->wp_addr, ctx->family == AF_INET),
bpf_ntohs(backend_v->waypoint_port));
ret = waypoint_manager(kmesh_ctx, &backend_v->wp_addr, backend_v->waypoint_port);
Expand All @@ -74,9 +74,9 @@ backend_manager(struct kmesh_context *kmesh_ctx, backend_value *backend_v, __u32
ret = svc_dnat(kmesh_ctx, backend_v, service_v);
if (ret == 0) {
BPF_LOG(
DEBUG,
INFO,
BACKEND,
"svc %u dnat to [%s:%u]\n",
"svc %u dnat to dst=[%s:%u]\n",
service_id,
ip2str((__u32 *)&kmesh_ctx->dnat_ip, ctx->family == AF_INET),
bpf_ntohs(kmesh_ctx->dnat_port));
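Review bot: L319 and L331 promote the per-connection "route to waypoint" and "svc dnat" messages from DEBUG to INFO, and frontend.h L346 and service.h L371 and L383 do the same; each now emits a trace line plus an `ip2str` map lookup and formatting for every connection once INFO is enabled, which describes routine traffic rather than an event an operator needs at that level. Consider keeping these at DEBUG, or record in the PR description that INFO is intended to carry per-connection routing decisions so the choice is deliberate. While the message at L310 is being edited, note the unchanged argument at L311 passes `&backend_v->addr.ip6` with an `AF_INET` selector; if `ip4` and `ip6` share storage in `struct ip_addr` this is harmless, otherwise the v4 branch reads the wrong member. `svc_dnat` and `backend_manager` start outside the hunks.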
4 changes: 2 additions & 2 deletions bpf/kmesh/workload/include/frontend.h
Expand Up @@ -38,9 +38,9 @@ static inline int frontend_manager(struct kmesh_context *kmesh_ctx, frontend_val
// For pod direct access, if a pod has waypoint captured, we will redirect to waypoint, otherwise we do nothing.
if (backend_v->waypoint_port != 0) {
BPF_LOG(
DEBUG,
INFO,
FRONTEND,
"find waypoint addr=[%s:%u]\n",
"find waypoint dst=[%s:%u]\n",
ip2str((__u32 *)&backend_v->wp_addr, kmesh_ctx->ctx->family == AF_INET),
bpf_ntohs(backend_v->waypoint_port));
ret = waypoint_manager(kmesh_ctx, &backend_v->wp_addr, backend_v->waypoint_port);
9 changes: 5 additions & 4 deletions bpf/kmesh/workload/include/service.h
Expand Up @@ -66,7 +66,8 @@ static inline int lb_locality_strict_handle(struct kmesh_context *kmesh_ctx, __u
kmesh_ctx->dnat_ip = (struct ip_addr){0};
kmesh_ctx->dnat_port = 0;
BPF_LOG(
ERR, SERVICE, "locality loadbalance match nothing in STRICT mode, service_id %d ret:%d\n", service_id, ret);
ERR, SERVICE, "locality loadbalance match nothing in STRICT mode for service_id %d ret:%d\n",
service_id, ret);
}
return ret;
}
Expand Down Expand Up @@ -109,9 +110,9 @@ static inline int service_manager(struct kmesh_context *kmesh_ctx, __u32 service

if (service_v->wp_addr.ip4 != 0 && service_v->waypoint_port != 0) {
BPF_LOG(
DEBUG,
INFO,
SERVICE,
"find waypoint addr=[%s:%u]\n",
"find waypoint dst=[%s:%u]\n",
ip2str((__u32 *)&service_v->wp_addr, kmesh_ctx->ctx->family == AF_INET),
bpf_ntohs(service_v->waypoint_port));
ret = waypoint_manager(kmesh_ctx, &service_v->wp_addr, service_v->waypoint_port);
Expand All @@ -121,7 +122,7 @@ static inline int service_manager(struct kmesh_context *kmesh_ctx, __u32 service
return ret;
}

BPF_LOG(DEBUG, SERVICE, "service [%u] lb policy [%u]", service_id, service_v->lb_policy);
BPF_LOG(INFO, SERVICE, "service [%u] lb policy [%u]\n", service_id, service_v->lb_policy);

switch (service_v->lb_policy) {
case LB_POLICY_RANDOM:
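Review bot: L361 rewrites the STRICT-mode message but keeps `%d` for `service_id`, while the hunk header at L366 shows the parameter declared with a `__u` type (cut off by the hunk) and backend.h L335 prints the same id with `%u`; a `%d`/unsigned mismatch prints large ids as negatives and is undefined for the format contract. Change it to `"locality loadbalance match nothing in STRICT mode for service_id %u ret:%d\n"` if the parameter is indeed `__u32`, matching the `[%u]` already used at L383. `lb_locality_strict_handle` begins outside the hunk.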
3 changes: 2 additions & 1 deletion bpf/kmesh/workload/sendmsg.c
Expand Up @@ -156,7 +156,8 @@ static inline void encode_metadata_org_dst_addr(struct sk_msg_md *msg, __u32 *of
if (alloc_dst_length(msg, tlv_size + TLV_END_SIZE))
return;

BPF_LOG(DEBUG, SENDMSG, "get valid dst, do encoding...\n");
BPF_LOG(DEBUG, SENDMSG, "get valid dst, do encoding for dst=[%s:%u]...\n",
ip2str((__u32 *)&dst_ip, v4), bpf_ntohs(dst_port));

// write T
SK_MSG_WRITE_BUF(msg, off, &type, TLV_TYPE_SIZE);
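Review bot: L396 passes `(__u32 *)&dst_ip` and `bpf_ntohs(dst_port)`, but neither variable is visible in the hunk and the parameter list at L390 is cut off; if `dst_ip` is itself a pointer, `&dst_ip` is the address of that pointer and the printed address will be garbage, and if `dst_port` is already in host order the `bpf_ntohs` swaps it. Please confirm both against the definitions above the hunk, and add a one-line comment where they are set, e.g. `/* dst_ip/dst_port are kept in network byte order for the TLV */`, so the next log line does not have to guess. `encode_metadata_org_dst_addr` starts and ends outside the hunk.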
12 changes: 9 additions & 3 deletions bpf/kmesh/workload/sockops.c
Expand Up @@ -146,7 +146,9 @@ static inline void enable_encoding_metadata(struct bpf_sock_ops *skops)
extract_skops_to_tuple(skops, &tuple_info);
err = bpf_sock_hash_update(skops, &map_of_kmesh_socket, &tuple_info, BPF_ANY);
if (err)
BPF_LOG(ERR, SOCKOPS, "enable encoding metadata failed!, err is %d", err);
BPF_LOG(ERR, SOCKOPS, "enable encoding metadata failed for src=[%s:%u], dst=[%s:%u], err is %d\n",
ip2str_idx((__u32 *)&tuple_info.ipv4.saddr, (skops->family == AF_INET), 0), bpf_ntohs(tuple_info.ipv4.sport),
ip2str_idx((__u32 *)&tuple_info.ipv4.daddr, (skops->family == AF_INET), 1), bpf_ntohs(tuple_info.ipv4.dport), err);
}

SEC("sockops")
Expand All @@ -164,7 +166,9 @@ int sockops_prog(struct bpf_sock_ops *skops)
break;
observe_on_connect_established(skops->sk, OUTBOUND);
if (bpf_sock_ops_cb_flags_set(skops, BPF_SOCK_OPS_STATE_CB_FLAG) != 0)
BPF_LOG(ERR, SOCKOPS, "set sockops cb failed!\n");
BPF_LOG(ERR, SOCKOPS, "set sockops cb failed for src=[%s:%u], dst=[%s:%u]\n",
ip2str_idx((__u32 *)&skops->local_ip4, (skops->family == AF_INET), 0), skops->local_port,
ip2str_idx((__u32 *)&skops->remote_ip4, (skops->family == AF_INET), 1), bpf_ntohs(GET_SKOPS_REMOTE_PORT(skops)));
Comment on lines +169 to +171

Copilot AI Mar 21, 2026


This error log prints local_ip4/remote_ip4 for all families, but this program handles both AF_INET and AF_INET6. For IPv6 sockets the *_ip4 fields are not the correct source/destination addresses. Use skops->local_ip6 / skops->remote_ip6 (and keep the IPv4 path for AF_INET).

Comment on lines +169 to +171

Copilot AI Apr 1, 2026


This log always reads skops->local_ip4/remote_ip4, even when skops->family == AF_INET6. Besides producing incorrect addresses for IPv6, this unconditional field access can also be rejected by the verifier on some kernels. Prefer selecting local_ip4/remote_ip4 vs local_ip6/remote_ip6 based on skops->family (or build a bpf_sock_tuple via extract_skops_to_tuple and log from that).

struct bpf_sock *sk = (struct bpf_sock *)skops->sk;
if (!sk) {
break;
Expand All @@ -184,7 +188,9 @@ int sockops_prog(struct bpf_sock_ops *skops)
break;
observe_on_connect_established(skops->sk, INBOUND);
if (bpf_sock_ops_cb_flags_set(skops, BPF_SOCK_OPS_STATE_CB_FLAG) != 0)
BPF_LOG(ERR, SOCKOPS, "set sockops cb failed!\n");
BPF_LOG(ERR, SOCKOPS, "set sockops cb failed for src=[%s:%u], dst=[%s:%u]\n",
ip2str_idx((__u32 *)&skops->local_ip4, (skops->family == AF_INET), 0), skops->local_port,
ip2str_idx((__u32 *)&skops->remote_ip4, (skops->family == AF_INET), 1), bpf_ntohs(GET_SKOPS_REMOTE_PORT(skops)));
auth_ip_tuple(skops);
break;
case BPF_SOCK_OPS_STATE_CB:
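Review bot: L409-410 print the tuple ports through `bpf_ntohs`, whereas the corresponding logs in authz.h (L212, L235-236) and xdp.c (L500) print `tuple_key.ipv4.sport`/`dport` raw; both read a `struct bpf_sock_tuple` filled by project helpers, so unless `extract_skops_to_tuple` and `construct_tuple_key` deliberately store ports in different byte orders, one of the two sites prints byte-swapped ports. Pick one convention, document it where the tuple is filled (e.g. `/* ports stored in network byte order */`), and apply it to every tuple log. L454-456 repeat L419-421 verbatim; a small `static inline` helper that logs src/dst for a `struct bpf_sock_ops *` would keep the two in step and give the family-selection point raised in the inline comments a single place to land. `enable_encoding_metadata` and `sockops_prog` both extend beyond the hunks.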
20 changes: 4 additions & 16 deletions bpf/kmesh/workload/xdp.c
Expand Up @@ -28,20 +28,6 @@ static inline int should_shutdown(struct xdp_info *info, struct bpf_sock_tuple *
{
__u32 *value = bpf_map_lookup_elem(&map_of_auth_result, tuple_info);
if (value && *value == 1) {
if (info->iph->version == 4)
BPF_LOG(
INFO,
XDP,
"auth denied, src ip: %s, port: %u\n",
ip2str(&tuple_info->ipv4.saddr, true),
tuple_info->ipv4.sport);
else
BPF_LOG(
INFO,
XDP,
"auth denied, src ip: %s, port: %u\n",
ip2str(&tuple_info->ipv6.saddr[0], false),
tuple_info->ipv6.sport);
bpf_map_delete_elem(&map_of_auth_result, tuple_info);
return AUTH_FORBID;
}
Expand Down Expand Up @@ -70,7 +56,8 @@ static inline wl_policies_v *get_workload_policies(struct xdp_info *info, struct
}
frontend_v = kmesh_map_lookup_elem(&map_of_frontend, &frontend_k);
if (!frontend_v) {
BPF_LOG(DEBUG, XDP, "failed to get frontend in xdp");
BPF_LOG(DEBUG, XDP, "failed to get frontend for dst=[%s] in xdp\n",
ip2str((__u32 *)&frontend_k.addr, (info->iph->version == 4)));
return AUTH_ALLOW;
}
workload_uid = frontend_v->upstream_id;
Expand Down Expand Up @@ -110,7 +97,8 @@ int xdp_authz(struct xdp_md *ctx)
match_ctx.auth_result = XDP_PASS;
ret = bpf_map_update_elem(&kmesh_tc_args, &tuple_key, &match_ctx, BPF_ANY);
if (ret < 0) {
BPF_LOG(ERR, AUTH, "Failed to update map, error: %d", ret);
BPF_LOG(ERR, AUTH, "Failed to update kmesh_tc_args for src=[%s:%u], error: %d\n",
ip2str((__u32 *)&tuple_key.ipv4.saddr, (info.iph->version == 4)), tuple_key.ipv4.sport, ret);
return XDP_PASS;
}

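Review bot: L467-480 delete the only visible log of an authorization denial in `should_shutdown`, and nothing added elsewhere in this PR reports the DENY decision together with the peer address (the INFO line in authz.h L233 logs the matched policy name but not its action). If the denial is not recorded elsewhere, this removes the signal an operator would use to see which sources are being dropped and why. Consider keeping one line at the drop site, e.g. `BPF_LOG(INFO, XDP, "auth denied for src=[%s:%u]\n", ...)`, selecting the v4/v6 address and port by `info->iph->version` as the deleted code did. `should_shutdown` opens at L464 but its body continues past L483.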