iovisor-dev@lists.iovisor.org | Tracepoint/Kprobe for tracking inbound connections

Home Messages Hashtags Subgroups

Date Date 1 - 6 of 6

Tracepoint/Kprobe for tracking inbound connections

Yonghong Song #1923 On Wed, Oct 14, 2020 at 11:57 AM Kanthi P <Pavuluri.kanthi@...> wrote: [Edited Message Follows] Nice, thanks Song. I am actually looking to track it till it is closed, so might have to remove that tag when the socket goes to closed state. And once I have the concurrent connections info, say in a map, I am using XDP to drop the connections after they reach a threshold So also wanted to ask if there is any way I can read the concurrent connections in XDP since the kernel already keeps track of them at /proc/net/tcp*? That would help me avoid placing another tracepoint to track the connection count. XDP only tracks raw packet. There is no skb or other meta data is available at that point. You either need to track by yourself or you add another skb or sk level hook. Appreciate your help! Thanks, Kanthi On Thu, Oct 1, 2020 at 11:26 AM Y Song <ys114321@...> wrote: On Tue, Sep 29, 2020 at 4:14 AM Kanthi P <Pavuluri.kanthi@...> wrote: Hi, I am looking for tracking inbound connections on a system using tracepoints/kprobes. I was checking "trace_inet_sock_set_state", with which we can track the state changes during connection establishment and closure. It seems straightforward to track total connections, but since we only want inbound, one way would be to look at what are the ip addresses/ports on which a node listens to and while tracking the state changes, I can see if the local address/port matches to the one this system listens on and based on that make a decision whether its an inbound connection or not. This looks a bit roundabout way for me, so thought of reaching for suggestions to do it simpler. Another way is to store the socker address when TCP_SYN_RECV to TCP_ESTABLISHED state change happens and during closure we can check if it is for this socket, so we know its inbound connection. But this would make the map size grow too high as we have about 50k concurrent connections. Can you suggest a better way to do this? Maybe you can use sk_local_storage? You can attach a piece of information to the socket during TCP_SYN_RECV and later on during TCP_ESTABLISHED to check that data, and you can delete that data from the socket if you do not need it any more, all in bpf program. Thanks, Kanthi
More All Messages By This Member
Kanthi P <Pavuluri.kanthi@...> #1922 Thanks Forrest! toggle quoted message Show quoted text On Wed, Oct 7, 2020 at 1:03 PM Forrest Chen <forrest0579@...> wrote: you can attach kprobe in 'tcp_conn_request" for inbound connection -- forrest0579@...
More All Messages By This Member
Kanthi P <Pavuluri.kanthi@...> #1921 Edited Nice, thanks Song. I am actually looking to track it till it is closed, so might have to remove that tag when the socket goes to closed state. And once I have the concurrent connections info, say in a map, I am using XDP to drop the connections after they reach a threshold So also wanted to ask if there is any way I can read the concurrent connections in XDP since the kernel already keeps track of them at /proc/net/tcp*? That would help me avoid placing another tracepoint to track the connection count. Appreciate your help! Thanks, Kanthi On Thu, Oct 1, 2020 at 11:26 AM Y Song <ys114321@...> wrote: toggle quoted message Show quoted text On Tue, Sep 29, 2020 at 4:14 AM Kanthi P <Pavuluri.kanthi@...> wrote: > > Hi, > > I am looking for tracking inbound connections on a system using tracepoints/kprobes. > > I was checking "trace_inet_sock_set_state", with which we can track the state changes during connection establishment and closure. It seems straightforward to track total connections, but since we only want inbound, one way would be to look at what are the ip addresses/ports on which a node listens to and while tracking the state changes, I can see if the local address/port matches to the one this system listens on and based on that make a decision whether its an inbound connection or not. This looks a bit roundabout way for me, so thought of reaching for suggestions to do it simpler. > > Another way is to store the socker address when TCP_SYN_RECV to TCP_ESTABLISHED state change happens and during closure we can check if it is for this socket, so we know its inbound connection. But this would make the map size grow too high as we have about 50k concurrent connections. > > Can you suggest a better way to do this? Maybe you can use sk_local_storage? You can attach a piece of information to the socket during TCP_SYN_RECV and later on during TCP_ESTABLISHED to check that data, and you can delete that data from the socket if you do not need it any more, all in bpf program. > > Thanks, > Kanthi >
More All Messages By This Member
Forrest Chen #1914 you can attach kprobe in 'tcp_conn_request" for inbound connection -- forrest0579@...
More All Messages By This Member
Yonghong Song #1913 On Tue, Sep 29, 2020 at 4:14 AM Kanthi P <Pavuluri.kanthi@...> wrote: Hi, I am looking for tracking inbound connections on a system using tracepoints/kprobes. I was checking "trace_inet_sock_set_state", with which we can track the state changes during connection establishment and closure. It seems straightforward to track total connections, but since we only want inbound, one way would be to look at what are the ip addresses/ports on which a node listens to and while tracking the state changes, I can see if the local address/port matches to the one this system listens on and based on that make a decision whether its an inbound connection or not. This looks a bit roundabout way for me, so thought of reaching for suggestions to do it simpler. Another way is to store the socker address when TCP_SYN_RECV to TCP_ESTABLISHED state change happens and during closure we can check if it is for this socket, so we know its inbound connection. But this would make the map size grow too high as we have about 50k concurrent connections. Can you suggest a better way to do this? Maybe you can use sk_local_storage? You can attach a piece of information to the socket during TCP_SYN_RECV and later on during TCP_ESTABLISHED to check that data, and you can delete that data from the socket if you do not need it any more, all in bpf program. Thanks, Kanthi
More All Messages By This Member
Kanthi P <Pavuluri.kanthi@...> #1912 Hi, I am looking for tracking inbound connections on a system using tracepoints/kprobes. I was checking "trace_inet_sock_set_state", with which we can track the state changes during connection establishment and closure. It seems straightforward to track total connections, but since we only want inbound, one way would be to look at what are the ip addresses/ports on which a node listens to and while tracking the state changes, I can see if the local address/port matches to the one this system listens on and based on that make a decision whether its an inbound connection or not. This looks a bit roundabout way for me, so thought of reaching for suggestions to do it simpler. Another way is to store the socker address when TCP_SYN_RECV to TCP_ESTABLISHED state change happens and during closure we can check if it is for this socket, so we know its inbound connection. But this would make the map size grow too high as we have about 50k concurrent connections. Can you suggest a better way to do this? Thanks, Kanthi
More All Messages By This Member

1 - 6 of 6

1

Previous Topic Next Topic

Home Hashtags Subgroups Terms