Test

Signed-off-by: Anastasios Papagiannis <[email protected]>
cilium · Nov 21, 2024 · 0350886 · 0350886
1 parent a511135
commit 0350886
Show file tree

Hide file tree

Showing 5 changed files with 350 additions and 39 deletions.
diff --git a/bpf/process/policy_filter.h b/bpf/process/policy_filter.h
@@ -8,6 +8,7 @@
 
 #define POLICY_FILTER_MAX_POLICIES   128
 #define POLICY_FILTER_MAX_NAMESPACES 1024
+#define POLICY_FILTER_MAX_CGROUP_IDS 512
 
 struct {
 	__uint(type, BPF_MAP_TYPE_LRU_HASH);
@@ -29,17 +30,39 @@ struct {
 		});
 } policy_filter_maps SEC(".maps");
 
+// This map keeps exactly the same information as policy_filter_maps
+// but keeps the reverse mappings. i.e.
+// policy_filter_maps maps policy_id to cgroup_ids
+// policy_filter_reverse_maps maps cgroup_id to policy_ids
+struct {
+	__uint(type, BPF_MAP_TYPE_HASH_OF_MAPS);
+	__uint(max_entries, POLICY_FILTER_MAX_CGROUP_IDS);
+	__uint(key_size, sizeof(__u64)); /* cgroup id */
+	__array(
+		values, struct {
+			__uint(type, BPF_MAP_TYPE_HASH);
+			__uint(max_entries, POLICY_FILTER_MAX_POLICIES);
+			__type(key, __u32); /* policy id */
+			__type(value, __u8); /* empty  */
+		});
+} policy_filter_reverse_maps SEC(".maps");
+
 // policy_filter_check checks whether the policy applies on the current process.
 // Returns true if it does, false otherwise.
 
 FUNC_INLINE bool policy_filter_check(u32 policy_id)
 {
 	void *policy_map;
-	__u64 cgroupid;
+	__u64 cgroupid = 0;
 
 	if (!policy_id)
 		return true;
 
+	// we just want to make sure that policy_filter_reverse_maps
+	// is part of the object file in order to read the map
+	// spec from the user space
+	map_lookup_elem(&policy_filter_reverse_maps, &cgroupid);
+
 	policy_map = map_lookup_elem(&policy_filter_maps, &policy_id);
 	if (!policy_map)
 		return false;

diff --git a/cmd/tetra/debug/dump.go b/cmd/tetra/debug/dump.go
@@ -181,18 +181,33 @@ func PolicyfilterState(fname string) {
 		return
 	}
 
-	if len(data) == 0 {
+	fmt.Println("--- Direct Map ---")
+
+	if len(data.Direct) == 0 {
 		fmt.Printf("(empty)\n")
-		return
 	}
 
-	for polId, cgIDs := range data {
+	for polId, cgIDs := range data.Direct {
 		ids := make([]string, 0, len(cgIDs))
 		for id := range cgIDs {
 			ids = append(ids, strconv.FormatUint(uint64(id), 10))
 		}
 		fmt.Printf("%d: %s\n", polId, strings.Join(ids, ","))
 	}
+
+	fmt.Println("--- Reverse Map ---")
+
+	if len(data.Reverse) == 0 {
+		fmt.Printf("(empty)\n")
+	}
+
+	for cgIDs, polIds := range data.Reverse {
+		ids := make([]string, 0, len(polIds))
+		for id := range polIds {
+			ids = append(ids, strconv.FormatUint(uint64(id), 10))
+		}
+		fmt.Printf("%d: %s\n", cgIDs, strings.Join(ids, ","))
+	}
 }
 
 func NamespaceState(fname string) error {