diff --git a/driver/ppm_events_public.h b/driver/ppm_events_public.h index 92b7506a34..721cfc0baf 100644 --- a/driver/ppm_events_public.h +++ b/driver/ppm_events_public.h @@ -1276,7 +1276,11 @@ enum ppm_param_type { PT_CHARBUFARRAY = 35, /* Pointer to an array of strings, exported by the user events decoder. 64bit. For internal use only. */ PT_CHARBUF_PAIR_ARRAY = 36, /* Pointer to an array of string pairs, exported by the user events decoder. 64bit. For internal use only. */ PT_IPV4NET = 37, /* An IPv4 network. */ - PT_MAX = 38 /* array size */ + PT_IPV6ADDR = 38, /* A 16 byte raw IPv6 address. */ + PT_IPV6NET = 39, /* An IPv6 network. */ + PT_IPADDR = 40, /* Either an IPv4 or IPv6 address. The length indicates which one it is. */ + PT_IPNET = 41, /* Either an IPv4 or IPv6 network. The length indicates which one it is. */ + PT_MAX = 42 /* array size */ }; enum ppm_print_format { diff --git a/userspace/libsinsp/CMakeLists.txt b/userspace/libsinsp/CMakeLists.txt index 7ebfc55307..013a730103 100644 --- a/userspace/libsinsp/CMakeLists.txt +++ b/userspace/libsinsp/CMakeLists.txt @@ -72,6 +72,7 @@ add_library(sinsp STATIC prefix_search.cpp protodecoder.cpp threadinfo.cpp + tuples.cpp sinsp.cpp stats.cpp table.cpp diff --git a/userspace/libsinsp/chisel_api.cpp b/userspace/libsinsp/chisel_api.cpp index ce95871389..5271e3c1ed 100644 --- a/userspace/libsinsp/chisel_api.cpp +++ b/userspace/libsinsp/chisel_api.cpp @@ -62,12 +62,11 @@ void lua_stackdump(lua_State *L); /////////////////////////////////////////////////////////////////////////////// #ifdef HAS_LUA_CHISELS -uint32_t lua_cbacks::rawval_to_lua_stack(lua_State *ls, uint8_t* rawval, const filtercheck_field_info* finfo, uint32_t len) +uint32_t lua_cbacks::rawval_to_lua_stack(lua_State *ls, uint8_t* rawval, ppm_param_type ptype, uint32_t len) { ASSERT(rawval != NULL); - ASSERT(finfo != NULL); - switch(finfo->m_type) + switch(ptype) { case PT_INT8: lua_pushnumber(ls, *(int8_t*)rawval); @@ -158,9 +157,46 @@ uint32_t lua_cbacks::rawval_to_lua_stack(lua_State *ls, uint8_t* rawval, const f lua_pushstring(ls, ch->m_lua_fld_storage); return 1; } + case PT_IPV6ADDR: + { + char address[100]; + ipv6addr *ip = (ipv6addr *) rawval; + + lua_getglobal(ls, "sichisel"); + sinsp_chisel* ch = (sinsp_chisel*)lua_touserdata(ls, -1); + lua_pop(ls, 1); + + if(NULL == inet_ntop(AF_INET6, ip->m_b, address, 100)) + { + strcpy(address, ""); + } + + strncpy(ch->m_lua_fld_storage, + address, + sizeof(ch->m_lua_fld_storage)); + + lua_pushstring(ls, ch->m_lua_fld_storage); + return 1; + } + case PT_IPADDR: + { + if(len == sizeof(struct in_addr)) + { + return rawval_to_lua_stack(ls, rawval, PT_IPV4ADDR, len); + } + else if(len == sizeof(struct in6_addr)) + { + return rawval_to_lua_stack(ls, rawval, PT_IPV6ADDR, len); + } + else + { + throw sinsp_exception("rawval_to_lua_stack called with IP address of incorrect size " + to_string(len)); + } + } + break; default: ASSERT(false); - string err = "wrong event type " + to_string((long long) finfo->m_type); + string err = "wrong event type " + to_string((long long) ptype); fprintf(stderr, "%s\n", err.c_str()); throw sinsp_exception("chisel error"); } @@ -323,7 +359,7 @@ int lua_cbacks::field(lua_State *ls) if(rawval != NULL) { - return rawval_to_lua_stack(ls, rawval, chk->get_field_info(), vlen); + return rawval_to_lua_stack(ls, rawval, chk->get_field_info()->m_type, vlen); } else { @@ -671,7 +707,6 @@ int lua_cbacks::get_thread_table_int(lua_State *ls, bool include_fds, bool bareb sinsp_filter* filter = NULL; sinsp_evt tevt; scap_evt tscapevt; - char ipbuf[128]; // // Get the chisel state @@ -916,81 +951,99 @@ int lua_cbacks::get_thread_table_int(lua_State *ls, bool include_fds, bool bareb } scap_fd_type evt_type = fdit->second.m_type; - if(evt_type == SCAP_FD_IPV4_SOCK || evt_type == SCAP_FD_IPV4_SERVSOCK) + if(evt_type == SCAP_FD_IPV4_SOCK || evt_type == SCAP_FD_IPV4_SERVSOCK || + evt_type == SCAP_FD_IPV6_SOCK || evt_type == SCAP_FD_IPV6_SERVSOCK) { - uint8_t* pip4; + bool include_client; + char sipbuf[128], cipbuf[128]; + uint8_t *sip, *cip; + uint16_t sport, cport; + bool is_server; + int af; if(evt_type == SCAP_FD_IPV4_SOCK) { - // cip - pip4 = (uint8_t*)&(fdit->second.m_sockinfo.m_ipv4info.m_fields.m_sip); - snprintf(ipbuf, - sizeof(ipbuf), - "%" PRIu8 ".%" PRIu8 ".%" PRIu8 ".%" PRIu8, - pip4[0], - pip4[1], - pip4[2], - pip4[3]); + include_client = true; + af = AF_INET; + cip = (uint8_t*)&(fdit->second.m_sockinfo.m_ipv4info.m_fields.m_sip); + sip = (uint8_t*)&(fdit->second.m_sockinfo.m_ipv4info.m_fields.m_dip); + cport = fdit->second.m_sockinfo.m_ipv4info.m_fields.m_sport; + sport = fdit->second.m_sockinfo.m_ipv4info.m_fields.m_dport; + is_server = fdit->second.is_role_server(); + } + else if (evt_type == SCAP_FD_IPV4_SERVSOCK) + { + include_client = false; + af = AF_INET; + cip = NULL; + sip = (uint8_t*)&(fdit->second.m_sockinfo.m_ipv4serverinfo.m_ip); + sport = fdit->second.m_sockinfo.m_ipv4serverinfo.m_port; + is_server = true; + } + else if (evt_type == SCAP_FD_IPV6_SOCK) + { + include_client = true; + af = AF_INET6; + cip = (uint8_t*)&(fdit->second.m_sockinfo.m_ipv6info.m_fields.m_sip); + sip = (uint8_t*)&(fdit->second.m_sockinfo.m_ipv6info.m_fields.m_dip); + cport = fdit->second.m_sockinfo.m_ipv6info.m_fields.m_sport; + sport = fdit->second.m_sockinfo.m_ipv6info.m_fields.m_dport; + is_server = fdit->second.is_role_server(); + } + else + { + include_client = false; + af = AF_INET6; + cip = NULL; + sip = (uint8_t*)&(fdit->second.m_sockinfo.m_ipv6serverinfo.m_ip); + sport = fdit->second.m_sockinfo.m_ipv6serverinfo.m_port; + is_server = true; + } - lua_pushliteral(ls, "cip"); - lua_pushstring(ls, ipbuf); - lua_settable(ls, -3); + // Now convert the raw sip/cip to strings + if(NULL == inet_ntop(af, sip, sipbuf, sizeof(sipbuf))) + { + strcpy(sipbuf, ""); + } - // sip - pip4 = (uint8_t*)&(fdit->second.m_sockinfo.m_ipv4info.m_fields.m_dip); - snprintf(ipbuf, - sizeof(ipbuf), - "%" PRIu8 ".%" PRIu8 ".%" PRIu8 ".%" PRIu8, - pip4[0], - pip4[1], - pip4[2], - pip4[3]); + if(cip) + { + if(NULL == inet_ntop(af, cip, cipbuf, sizeof(cipbuf))) + { + strcpy(cipbuf, ""); + } + } - lua_pushliteral(ls, "sip"); - lua_pushstring(ls, ipbuf); + if(include_client) + { + // cip + lua_pushliteral(ls, "cip"); + lua_pushstring(ls, cipbuf); lua_settable(ls, -3); + } + + // sip + lua_pushliteral(ls, "sip"); + lua_pushstring(ls, sipbuf); + lua_settable(ls, -3); + if(include_client) + { // cport lua_pushliteral(ls, "cport"); - lua_pushnumber(ls, fdit->second.m_sockinfo.m_ipv4info.m_fields.m_sport); - lua_settable(ls, -3); - - // sport - lua_pushliteral(ls, "sport"); - lua_pushnumber(ls, fdit->second.m_sockinfo.m_ipv4info.m_fields.m_dport); - lua_settable(ls, -3); - - // is_server - lua_pushliteral(ls, "is_server"); - lua_pushboolean(ls, fdit->second.is_role_server()); + lua_pushnumber(ls, cport); lua_settable(ls, -3); } - else - { - // sip - pip4 = (uint8_t*)&(fdit->second.m_sockinfo.m_ipv4serverinfo.m_ip); - snprintf(ipbuf, - sizeof(ipbuf), - "%" PRIu8 ".%" PRIu8 ".%" PRIu8 ".%" PRIu8, - pip4[0], - pip4[1], - pip4[2], - pip4[3]); - lua_pushliteral(ls, "sip"); - lua_pushstring(ls, ipbuf); - lua_settable(ls, -3); - - // sport - lua_pushliteral(ls, "sport"); - lua_pushnumber(ls, fdit->second.m_sockinfo.m_ipv4serverinfo.m_port); - lua_settable(ls, -3); + // sport + lua_pushliteral(ls, "sport"); + lua_pushnumber(ls, sport); + lua_settable(ls, -3); - // is_server - lua_pushliteral(ls, "is_server"); - lua_pushboolean(ls, 1); - lua_settable(ls, -3); - } + // is_server + lua_pushliteral(ls, "is_server"); + lua_pushboolean(ls, is_server); + lua_settable(ls, -3); // l4proto const char* l4ps; diff --git a/userspace/libsinsp/chisel_api.h b/userspace/libsinsp/chisel_api.h index a4d5d9a470..f93ee6d174 100644 --- a/userspace/libsinsp/chisel_api.h +++ b/userspace/libsinsp/chisel_api.h @@ -23,7 +23,7 @@ along with sysdig. If not, see . class lua_cbacks { public: - static uint32_t rawval_to_lua_stack(lua_State *ls, uint8_t* rawval, const filtercheck_field_info* finfo, uint32_t len); + static uint32_t rawval_to_lua_stack(lua_State *ls, uint8_t* rawval, ppm_param_type ptype, uint32_t len); static int get_num(lua_State *ls); static int get_ts(lua_State *ls); diff --git a/userspace/libsinsp/cursestable.cpp b/userspace/libsinsp/cursestable.cpp index 23b2fa2d23..3367d5f013 100644 --- a/userspace/libsinsp/cursestable.cpp +++ b/userspace/libsinsp/cursestable.cpp @@ -94,6 +94,7 @@ curses_table::curses_table(sinsp_cursesui* parent, sinsp* inspector, sinsp_table m_colsizes[PT_SOCKFAMILY] = 8; m_colsizes[PT_BOOL] = 8; m_colsizes[PT_IPV4ADDR] = 8; + m_colsizes[PT_IPV6ADDR] = 16; m_colsizes[PT_DYN] = 8; m_colsizes[PT_FLAGS8] = 32; m_colsizes[PT_FLAGS16] = 32; diff --git a/userspace/libsinsp/event.cpp b/userspace/libsinsp/event.cpp index d68e81bff0..0606f7902d 100644 --- a/userspace/libsinsp/event.cpp +++ b/userspace/libsinsp/event.cpp @@ -1700,6 +1700,28 @@ const char* sinsp_evt::get_param_as_str(uint32_t id, OUT const char** resolved_s "INVALID IPv4"); } } + else if(payload[0] == PPM_AF_INET6) + { + if(payload_len == 1 + 16 + 2) + { + ipv6serverinfo addr; + memcpy((uint8_t *) addr.m_ip.m_b, (uint8_t *) payload+1, sizeof(addr.m_ip.m_b)); + addr.m_port = *(uint16_t*)(payload+17); + addr.m_l4proto = (m_fdinfo != NULL) ? m_fdinfo->get_l4proto() : SCAP_L4_UNKNOWN; + string straddr = ipv6serveraddr_to_string(&addr, m_inspector->m_hostname_and_port_resolution_enabled); + snprintf(&m_paramstr_storage[0], + m_paramstr_storage.size(), + "%s", + straddr.c_str()); + } + else + { + ASSERT(false); + snprintf(&m_paramstr_storage[0], + m_paramstr_storage.size(), + "INVALID IPv6"); + } + } else { snprintf(&m_paramstr_storage[0], diff --git a/userspace/libsinsp/fdinfo.h b/userspace/libsinsp/fdinfo.h index 5e64871cce..a0ac04f2ce 100644 --- a/userspace/libsinsp/fdinfo.h +++ b/userspace/libsinsp/fdinfo.h @@ -31,8 +31,8 @@ class sinsp_protodecoder; #define CHAR_FD_IPV4_SOCK '4' #define CHAR_FD_IPV6_SOCK '6' #define CHAR_FD_DIRECTORY 'd' -#define CHAR_FD_IPV4_SERVSOCK '2' -#define CHAR_FD_IPV6_SERVSOCK '3' +#define CHAR_FD_IPV4_SERVSOCK '4' +#define CHAR_FD_IPV6_SERVSOCK '6' #define CHAR_FD_FIFO 'p' #define CHAR_FD_UNIX_SOCK 'u' #define CHAR_FD_EVENT 'e' diff --git a/userspace/libsinsp/filter.cpp b/userspace/libsinsp/filter.cpp index 5672d1009a..64838c96cc 100644 --- a/userspace/libsinsp/filter.cpp +++ b/userspace/libsinsp/filter.cpp @@ -379,6 +379,58 @@ bool flt_compare_ipv4net(cmpop op, uint64_t operand1, ipv4net* operand2) } } +bool flt_compare_ipv6addr(cmpop op, ipv6addr *operand1, ipv6addr *operand2) +{ + switch(op) + { + case CO_EQ: + case CO_IN: + return *operand1 == *operand2; + case CO_NE: + return *operand1 != *operand2; + case CO_CONTAINS: + throw sinsp_exception("'contains' not supported for ipv6 addresses"); + return false; + case CO_ICONTAINS: + throw sinsp_exception("'icontains' not supported for ipv6 addresses"); + return false; + case CO_STARTSWITH: + throw sinsp_exception("'startswith' not supported for ipv6 addresses"); + return false; + case CO_GLOB: + throw sinsp_exception("'glob' not supported for ipv6 addresses"); + return false; + default: + throw sinsp_exception("comparison operator not supported for ipv6 addresses"); + } +} + +bool flt_compare_ipv6net(cmpop op, ipv6addr *operand1, ipv6addr *operand2) +{ + switch(op) + { + case CO_EQ: + case CO_IN: + return operand1->in_subnet(*operand2); + case CO_NE: + return !operand1->in_subnet(*operand2); + case CO_CONTAINS: + throw sinsp_exception("'contains' not supported for ipv6 networks"); + return false; + case CO_ICONTAINS: + throw sinsp_exception("'icontains' not supported for ipv6 networks"); + return false; + case CO_STARTSWITH: + throw sinsp_exception("'startswith' not supported for ipv6 networks"); + return false; + case CO_GLOB: + throw sinsp_exception("'glob' not supported for ipv6 networks"); + return false; + default: + throw sinsp_exception("comparison operator not supported for ipv6 networks"); + } +} + bool flt_compare(cmpop op, ppm_param_type type, void* operand1, void* operand2, uint32_t op1_len, uint32_t op2_len) { // @@ -419,6 +471,36 @@ bool flt_compare(cmpop op, ppm_param_type type, void* operand1, void* operand2, return flt_compare_uint64(op, (uint64_t)*(uint32_t*)operand1, (uint64_t)*(uint32_t*)operand2); case PT_IPV4NET: return flt_compare_ipv4net(op, (uint64_t)*(uint32_t*)operand1, (ipv4net*)operand2); + case PT_IPV6ADDR: + return flt_compare_ipv6addr(op, (ipv6addr *)operand1, (ipv6addr *)operand2); + case PT_IPV6NET: + return flt_compare_ipv6net(op, (ipv6addr *)operand1, (ipv6addr*)operand2); + case PT_IPADDR: + if(op1_len == sizeof(struct in_addr)) + { + return flt_compare(op, PT_IPV4ADDR, operand1, operand2, op1_len, op2_len); + } + else if(op1_len == sizeof(struct in6_addr)) + { + return flt_compare(op, PT_IPV6ADDR, operand1, operand2, op1_len, op2_len); + } + else + { + throw sinsp_exception("rawval_to_string called with IP address of incorrect size " + to_string(op1_len)); + } + case PT_IPNET: + if(op1_len == sizeof(struct in_addr)) + { + return flt_compare(op, PT_IPV4NET, operand1, operand2, op1_len, op2_len); + } + else if(op1_len == sizeof(struct in6_addr)) + { + return flt_compare(op, PT_IPV6NET, operand1, operand2, op1_len, op2_len); + } + else + { + throw sinsp_exception("rawval_to_string called with IP network of incorrect size " + to_string(op1_len)); + } case PT_UINT64: case PT_RELTIME: case PT_ABSTIME: @@ -517,6 +599,8 @@ bool flt_compare_avg(cmpop op, case PT_FLAGS32: case PT_BOOL: case PT_IPV4ADDR: + case PT_IPV6ADDR: + // What does an average mean for ip addresses anyway? u641 = ((uint64_t)*(uint32_t*)operand1) / cnt1; u642 = ((uint64_t)*(uint32_t*)operand2) / cnt2; ASSERT(cnt1 != 0 || u641 == 0); @@ -566,23 +650,25 @@ void sinsp_filter_check::set_inspector(sinsp* inspector) m_inspector = inspector; } -Json::Value sinsp_filter_check::rawval_to_json(uint8_t* rawval, const filtercheck_field_info* finfo, uint32_t len) +Json::Value sinsp_filter_check::rawval_to_json(uint8_t* rawval, + ppm_param_type ptype, + ppm_print_format print_format, + uint32_t len) { ASSERT(rawval != NULL); - ASSERT(finfo != NULL); - switch(finfo->m_type) + switch(ptype) { case PT_INT8: - if(finfo->m_print_format == PF_DEC || - finfo->m_print_format == PF_ID) + if(print_format == PF_DEC || + print_format == PF_ID) { return *(int8_t *)rawval; } - else if(finfo->m_print_format == PF_OCT || - finfo->m_print_format == PF_HEX) + else if(print_format == PF_OCT || + print_format == PF_HEX) { - return rawval_to_string(rawval, finfo, len); + return rawval_to_string(rawval, ptype, print_format, len); } else { @@ -591,15 +677,15 @@ Json::Value sinsp_filter_check::rawval_to_json(uint8_t* rawval, const filterchec } case PT_INT16: - if(finfo->m_print_format == PF_DEC || - finfo->m_print_format == PF_ID) + if(print_format == PF_DEC || + print_format == PF_ID) { return *(int16_t *)rawval; } - else if(finfo->m_print_format == PF_OCT || - finfo->m_print_format == PF_HEX) + else if(print_format == PF_OCT || + print_format == PF_HEX) { - return rawval_to_string(rawval, finfo, len); + return rawval_to_string(rawval, ptype, print_format, len); } else { @@ -608,15 +694,15 @@ Json::Value sinsp_filter_check::rawval_to_json(uint8_t* rawval, const filterchec } case PT_INT32: - if(finfo->m_print_format == PF_DEC || - finfo->m_print_format == PF_ID) + if(print_format == PF_DEC || + print_format == PF_ID) { return *(int32_t *)rawval; } - else if(finfo->m_print_format == PF_OCT || - finfo->m_print_format == PF_HEX) + else if(print_format == PF_OCT || + print_format == PF_HEX) { - return rawval_to_string(rawval, finfo, len); + return rawval_to_string(rawval, ptype, print_format, len); } else { @@ -626,27 +712,27 @@ Json::Value sinsp_filter_check::rawval_to_json(uint8_t* rawval, const filterchec case PT_INT64: case PT_PID: - if(finfo->m_print_format == PF_DEC || - finfo->m_print_format == PF_ID) + if(print_format == PF_DEC || + print_format == PF_ID) { return (Json::Value::Int64)*(int64_t *)rawval; } else { - return rawval_to_string(rawval, finfo, len); + return rawval_to_string(rawval, ptype, print_format, len); } case PT_L4PROTO: // This can be resolved in the future case PT_UINT8: - if(finfo->m_print_format == PF_DEC || - finfo->m_print_format == PF_ID) + if(print_format == PF_DEC || + print_format == PF_ID) { return *(uint8_t *)rawval; } - else if(finfo->m_print_format == PF_OCT || - finfo->m_print_format == PF_HEX) + else if(print_format == PF_OCT || + print_format == PF_HEX) { - return rawval_to_string(rawval, finfo, len); + return rawval_to_string(rawval, ptype, print_format, len); } else { @@ -656,15 +742,15 @@ Json::Value sinsp_filter_check::rawval_to_json(uint8_t* rawval, const filterchec case PT_PORT: // This can be resolved in the future case PT_UINT16: - if(finfo->m_print_format == PF_DEC || - finfo->m_print_format == PF_ID) + if(print_format == PF_DEC || + print_format == PF_ID) { return *(uint16_t *)rawval; } - else if(finfo->m_print_format == PF_OCT || - finfo->m_print_format == PF_HEX) + else if(print_format == PF_OCT || + print_format == PF_HEX) { - return rawval_to_string(rawval, finfo, len); + return rawval_to_string(rawval, ptype, print_format, len); } else { @@ -673,15 +759,15 @@ Json::Value sinsp_filter_check::rawval_to_json(uint8_t* rawval, const filterchec } case PT_UINT32: - if(finfo->m_print_format == PF_DEC || - finfo->m_print_format == PF_ID) + if(print_format == PF_DEC || + print_format == PF_ID) { return *(uint32_t *)rawval; } - else if(finfo->m_print_format == PF_OCT || - finfo->m_print_format == PF_HEX) + else if(print_format == PF_OCT || + print_format == PF_HEX) { - return rawval_to_string(rawval, finfo, len); + return rawval_to_string(rawval, ptype, print_format, len); } else { @@ -692,17 +778,17 @@ Json::Value sinsp_filter_check::rawval_to_json(uint8_t* rawval, const filterchec case PT_UINT64: case PT_RELTIME: case PT_ABSTIME: - if(finfo->m_print_format == PF_DEC || - finfo->m_print_format == PF_ID) + if(print_format == PF_DEC || + print_format == PF_ID) { return (Json::Value::UInt64)*(uint64_t *)rawval; } else if( - finfo->m_print_format == PF_10_PADDED_DEC || - finfo->m_print_format == PF_OCT || - finfo->m_print_format == PF_HEX) + print_format == PF_10_PADDED_DEC || + print_format == PF_OCT || + print_format == PF_HEX) { - return rawval_to_string(rawval, finfo, len); + return rawval_to_string(rawval, ptype, print_format, len); } else { @@ -722,34 +808,37 @@ Json::Value sinsp_filter_check::rawval_to_json(uint8_t* rawval, const filterchec case PT_FSPATH: case PT_BYTEBUF: case PT_IPV4ADDR: - return rawval_to_string(rawval, finfo, len); - + case PT_IPV6ADDR: + case PT_IPADDR: + return rawval_to_string(rawval, ptype, print_format, len); default: ASSERT(false); - throw sinsp_exception("wrong event type " + to_string((long long) finfo->m_type)); + throw sinsp_exception("wrong event type " + to_string((long long) ptype)); } } -char* sinsp_filter_check::rawval_to_string(uint8_t* rawval, const filtercheck_field_info* finfo, uint32_t len) +char* sinsp_filter_check::rawval_to_string(uint8_t* rawval, + ppm_param_type ptype, + ppm_print_format print_format, + uint32_t len) { char* prfmt; ASSERT(rawval != NULL); - ASSERT(finfo != NULL); - switch(finfo->m_type) + switch(ptype) { case PT_INT8: - if(finfo->m_print_format == PF_OCT) + if(print_format == PF_OCT) { prfmt = (char*)"%" PRIo8; } - else if(finfo->m_print_format == PF_DEC || - finfo->m_print_format == PF_ID) + else if(print_format == PF_DEC || + print_format == PF_ID) { prfmt = (char*)"%" PRId8; } - else if(finfo->m_print_format == PF_HEX) + else if(print_format == PF_HEX) { prfmt = (char*)"%" PRIX8; } @@ -764,16 +853,16 @@ char* sinsp_filter_check::rawval_to_string(uint8_t* rawval, const filtercheck_fi prfmt, *(int8_t *)rawval); return m_getpropertystr_storage; case PT_INT16: - if(finfo->m_print_format == PF_OCT) + if(print_format == PF_OCT) { prfmt = (char*)"%" PRIo16; } - else if(finfo->m_print_format == PF_DEC || - finfo->m_print_format == PF_ID) + else if(print_format == PF_DEC || + print_format == PF_ID) { prfmt = (char*)"%" PRId16; } - else if(finfo->m_print_format == PF_HEX) + else if(print_format == PF_HEX) { prfmt = (char*)"%" PRIX16; } @@ -788,16 +877,16 @@ char* sinsp_filter_check::rawval_to_string(uint8_t* rawval, const filtercheck_fi prfmt, *(int16_t *)rawval); return m_getpropertystr_storage; case PT_INT32: - if(finfo->m_print_format == PF_OCT) + if(print_format == PF_OCT) { prfmt = (char*)"%" PRIo32; } - else if(finfo->m_print_format == PF_DEC || - finfo->m_print_format == PF_ID) + else if(print_format == PF_DEC || + print_format == PF_ID) { prfmt = (char*)"%" PRId32; } - else if(finfo->m_print_format == PF_HEX) + else if(print_format == PF_HEX) { prfmt = (char*)"%" PRIX32; } @@ -814,20 +903,20 @@ char* sinsp_filter_check::rawval_to_string(uint8_t* rawval, const filtercheck_fi case PT_INT64: case PT_PID: case PT_ERRNO: - if(finfo->m_print_format == PF_OCT) + if(print_format == PF_OCT) { prfmt = (char*)"%" PRIo64; } - else if(finfo->m_print_format == PF_DEC || - finfo->m_print_format == PF_ID) + else if(print_format == PF_DEC || + print_format == PF_ID) { prfmt = (char*)"%" PRId64; } - else if(finfo->m_print_format == PF_10_PADDED_DEC) + else if(print_format == PF_10_PADDED_DEC) { prfmt = (char*)"%09" PRId64; } - else if(finfo->m_print_format == PF_HEX) + else if(print_format == PF_HEX) { prfmt = (char*)"%" PRIX64; } @@ -842,16 +931,16 @@ char* sinsp_filter_check::rawval_to_string(uint8_t* rawval, const filtercheck_fi return m_getpropertystr_storage; case PT_L4PROTO: // This can be resolved in the future case PT_UINT8: - if(finfo->m_print_format == PF_OCT) + if(print_format == PF_OCT) { prfmt = (char*)"%" PRIo8; } - else if(finfo->m_print_format == PF_DEC || - finfo->m_print_format == PF_ID) + else if(print_format == PF_DEC || + print_format == PF_ID) { prfmt = (char*)"%" PRIu8; } - else if(finfo->m_print_format == PF_HEX) + else if(print_format == PF_HEX) { prfmt = (char*)"%" PRIu8; } @@ -867,16 +956,16 @@ char* sinsp_filter_check::rawval_to_string(uint8_t* rawval, const filtercheck_fi return m_getpropertystr_storage; case PT_PORT: // This can be resolved in the future case PT_UINT16: - if(finfo->m_print_format == PF_OCT) + if(print_format == PF_OCT) { prfmt = (char*)"%" PRIo16; } - else if(finfo->m_print_format == PF_DEC || - finfo->m_print_format == PF_ID) + else if(print_format == PF_DEC || + print_format == PF_ID) { prfmt = (char*)"%" PRIu16; } - else if(finfo->m_print_format == PF_HEX) + else if(print_format == PF_HEX) { prfmt = (char*)"%" PRIu16; } @@ -891,16 +980,16 @@ char* sinsp_filter_check::rawval_to_string(uint8_t* rawval, const filtercheck_fi prfmt, *(uint16_t *)rawval); return m_getpropertystr_storage; case PT_UINT32: - if(finfo->m_print_format == PF_OCT) + if(print_format == PF_OCT) { prfmt = (char*)"%" PRIo32; } - else if(finfo->m_print_format == PF_DEC || - finfo->m_print_format == PF_ID) + else if(print_format == PF_DEC || + print_format == PF_ID) { prfmt = (char*)"%" PRIu32; } - else if(finfo->m_print_format == PF_HEX) + else if(print_format == PF_HEX) { prfmt = (char*)"%" PRIu32; } @@ -917,20 +1006,20 @@ char* sinsp_filter_check::rawval_to_string(uint8_t* rawval, const filtercheck_fi case PT_UINT64: case PT_RELTIME: case PT_ABSTIME: - if(finfo->m_print_format == PF_OCT) + if(print_format == PF_OCT) { prfmt = (char*)"%" PRIo64; } - else if(finfo->m_print_format == PF_DEC || - finfo->m_print_format == PF_ID) + else if(print_format == PF_DEC || + print_format == PF_ID) { prfmt = (char*)"%" PRIu64; } - else if(finfo->m_print_format == PF_10_PADDED_DEC) + else if(print_format == PF_10_PADDED_DEC) { prfmt = (char*)"%09" PRIu64; } - else if(finfo->m_print_format == PF_HEX) + else if(print_format == PF_HEX) { prfmt = (char*)"%" PRIX64; } @@ -989,6 +1078,35 @@ char* sinsp_filter_check::rawval_to_string(uint8_t* rawval, const filtercheck_fi rawval[2], rawval[3]); return m_getpropertystr_storage; + case PT_IPV6ADDR: + { + char address[100]; + + if(NULL == inet_ntop(AF_INET6, rawval, address, 100)) + { + strcpy(address, ""); + } + + strncpy(m_getpropertystr_storage, + address, + 100); + + return m_getpropertystr_storage; + } + case PT_IPADDR: + if(len == sizeof(struct in_addr)) + { + return rawval_to_string(rawval, PT_IPV4ADDR, print_format, len); + } + else if(len == sizeof(struct in6_addr)) + { + return rawval_to_string(rawval, PT_IPV6ADDR, print_format, len); + } + else + { + throw sinsp_exception("rawval_to_string called with IP address of incorrect size " + to_string(len)); + } + case PT_DOUBLE: snprintf(m_getpropertystr_storage, sizeof(m_getpropertystr_storage), @@ -996,7 +1114,7 @@ char* sinsp_filter_check::rawval_to_string(uint8_t* rawval, const filtercheck_fi return m_getpropertystr_storage; default: ASSERT(false); - throw sinsp_exception("wrong event type " + to_string((long long) finfo->m_type)); + throw sinsp_exception("wrong event type " + to_string((long long) ptype)); } } @@ -1010,7 +1128,7 @@ char* sinsp_filter_check::tostring(sinsp_evt* evt) return NULL; } - return rawval_to_string(rawval, m_field, len); + return rawval_to_string(rawval, m_field->m_type, m_field->m_print_format, len); } Json::Value sinsp_filter_check::tojson(sinsp_evt* evt) @@ -1025,7 +1143,7 @@ Json::Value sinsp_filter_check::tojson(sinsp_evt* evt) { return Json::nullValue; } - return rawval_to_json(rawval, m_field, len); + return rawval_to_json(rawval, m_field->m_type, m_field->m_print_format, len); } return jsonval; @@ -1155,6 +1273,7 @@ bool sinsp_filter_check::flt_compare(cmpop op, ppm_param_type type, void* operan switch(type) { case PT_IPV4NET: + case PT_IPV6NET: case PT_SOCKADDR: case PT_SOCKTUPLE: case PT_FDLIST: diff --git a/userspace/libsinsp/filterchecks.cpp b/userspace/libsinsp/filterchecks.cpp index f55268784d..94d54de1a0 100644 --- a/userspace/libsinsp/filterchecks.cpp +++ b/userspace/libsinsp/filterchecks.cpp @@ -140,11 +140,11 @@ const filtercheck_field_info sinsp_filter_check_fd_fields[] = {PT_CHARBUF, EPF_NONE, PF_NA, "fd.name", "FD full name. If the fd is a file, this field contains the full path. If the FD is a socket, this field contain the connection tuple."}, {PT_CHARBUF, EPF_NONE, PF_NA, "fd.directory", "If the fd is a file, the directory that contains it."}, {PT_CHARBUF, EPF_NONE, PF_NA, "fd.filename", "If the fd is a file, the filename without the path."}, - {PT_IPV4ADDR, EPF_NONE, PF_NA, "fd.ip", "matches the ip address (client or server) of the fd."}, - {PT_IPV4ADDR, EPF_NONE, PF_NA, "fd.cip", "client IP address."}, - {PT_IPV4ADDR, EPF_NONE, PF_NA, "fd.sip", "server IP address."}, - {PT_IPV4ADDR, EPF_NONE, PF_NA, "fd.lip", "local IP address."}, - {PT_IPV4ADDR, EPF_NONE, PF_NA, "fd.rip", "remote IP address."}, + {PT_IPADDR, EPF_FILTER_ONLY, PF_NA, "fd.ip", "matches the ip address (client or server) of the fd."}, + {PT_IPADDR, EPF_NONE, PF_NA, "fd.cip", "client IP address."}, + {PT_IPADDR, EPF_NONE, PF_NA, "fd.sip", "server IP address."}, + {PT_IPADDR, EPF_NONE, PF_NA, "fd.lip", "local IP address."}, + {PT_IPADDR, EPF_NONE, PF_NA, "fd.rip", "remote IP address."}, {PT_PORT, EPF_FILTER_ONLY, PF_DEC, "fd.port", "matches the port (either client or server) of the fd."}, {PT_PORT, EPF_NONE, PF_DEC, "fd.cport", "for TCP/UDP FDs, the client port."}, {PT_PORT, EPF_NONE, PF_DEC, "fd.sport", "for TCP/UDP FDs, server port."}, @@ -161,11 +161,11 @@ const filtercheck_field_info sinsp_filter_check_fd_fields[] = {PT_CHARBUF, EPF_NONE, PF_NA, "fd.sproto", "for TCP/UDP FDs, server protocol."}, {PT_CHARBUF, EPF_NONE, PF_NA, "fd.lproto", "for TCP/UDP FDs, the local protocol."}, {PT_CHARBUF, EPF_NONE, PF_NA, "fd.rproto", "for TCP/UDP FDs, the remote protocol."}, - {PT_IPV4NET, EPF_FILTER_ONLY, PF_NA, "fd.net", "matches the IP network (client or server) of the fd."}, - {PT_IPV4NET, EPF_FILTER_ONLY, PF_NA, "fd.cnet", "matches the client IP network of the fd."}, - {PT_IPV4NET, EPF_FILTER_ONLY, PF_NA, "fd.snet", "matches the server IP network of the fd."}, - {PT_IPV4NET, EPF_FILTER_ONLY, PF_NA, "fd.lnet", "matches the local IP network of the fd."}, - {PT_IPV4NET, EPF_FILTER_ONLY, PF_NA, "fd.rnet", "matches the remote IP network of the fd."}, + {PT_IPNET, EPF_FILTER_ONLY, PF_NA, "fd.net", "matches the IP network (client or server) of the fd."}, + {PT_IPNET, EPF_FILTER_ONLY, PF_NA, "fd.cnet", "matches the client IP network of the fd."}, + {PT_IPNET, EPF_FILTER_ONLY, PF_NA, "fd.snet", "matches the server IP network of the fd."}, + {PT_IPNET, EPF_FILTER_ONLY, PF_NA, "fd.lnet", "matches the local IP network of the fd."}, + {PT_IPNET, EPF_FILTER_ONLY, PF_NA, "fd.rnet", "matches the remote IP network of the fd."}, {PT_BOOL, EPF_NONE, PF_NA, "fd.connected", "for TCP/UDP FDs, 'true' if the socket is connected."}, {PT_BOOL, EPF_NONE, PF_NA, "fd.name_changed", "True when an event changes the name of an fd used by this event. This can occur in some cases such as udp connections where the connection tuple changes."} }; @@ -613,6 +613,10 @@ uint8_t* sinsp_filter_check_fd::extract(sinsp_evt *evt, OUT uint32_t* len, bool { RETURN_EXTRACT_VAR(m_fdinfo->m_sockinfo.m_ipv4info.m_fields.m_sip); } + else if (evt_type == SCAP_FD_IPV6_SOCK) + { + RETURN_EXTRACT_VAR(m_fdinfo->m_sockinfo.m_ipv6info.m_fields.m_sip); + } } break; @@ -638,6 +642,14 @@ uint8_t* sinsp_filter_check_fd::extract(sinsp_evt *evt, OUT uint32_t* len, bool { RETURN_EXTRACT_VAR(m_fdinfo->m_sockinfo.m_ipv4serverinfo.m_ip); } + else if(evt_type == SCAP_FD_IPV6_SOCK) + { + RETURN_EXTRACT_VAR(m_fdinfo->m_sockinfo.m_ipv6info.m_fields.m_dip); + } + else if(evt_type == SCAP_FD_IPV6_SERVSOCK) + { + RETURN_EXTRACT_VAR(m_fdinfo->m_sockinfo.m_ipv6serverinfo.m_ip); + } } break; @@ -652,7 +664,8 @@ uint8_t* sinsp_filter_check_fd::extract(sinsp_evt *evt, OUT uint32_t* len, bool } scap_fd_type evt_type = m_fdinfo->m_type; - if(evt_type != SCAP_FD_IPV4_SOCK) + if(evt_type != SCAP_FD_IPV4_SOCK && + evt_type != SCAP_FD_IPV6_SOCK) { return NULL; } @@ -662,26 +675,65 @@ uint8_t* sinsp_filter_check_fd::extract(sinsp_evt *evt, OUT uint32_t* len, bool return NULL; } - if(m_inspector->get_ifaddr_list()->is_ipv4addr_in_local_machine(m_fdinfo->m_sockinfo.m_ipv4info.m_fields.m_sip, m_tinfo)) + bool is_local; + + if(evt_type == SCAP_FD_IPV4_SOCK) { - if(m_field_id == TYPE_LIP) + is_local = m_inspector->get_ifaddr_list()->is_ipv4addr_in_local_machine(m_fdinfo->m_sockinfo.m_ipv4info.m_fields.m_sip, m_tinfo); + } + else + { + is_local = m_inspector->get_ifaddr_list()->is_ipv6addr_in_local_machine(m_fdinfo->m_sockinfo.m_ipv6info.m_fields.m_sip, m_tinfo); + } + + if(is_local) + { + if(m_field_id == TYPE_LIP || m_field_id == TYPE_LNET) { - RETURN_EXTRACT_VAR(m_fdinfo->m_sockinfo.m_ipv4info.m_fields.m_sip); + if(evt_type == SCAP_FD_IPV4_SOCK) + { + RETURN_EXTRACT_VAR(m_fdinfo->m_sockinfo.m_ipv4info.m_fields.m_sip); + } + else + { + RETURN_EXTRACT_VAR(m_fdinfo->m_sockinfo.m_ipv6info.m_fields.m_sip); + } } else { - RETURN_EXTRACT_VAR(m_fdinfo->m_sockinfo.m_ipv4info.m_fields.m_dip); + if(evt_type == SCAP_FD_IPV4_SOCK) + { + RETURN_EXTRACT_VAR(m_fdinfo->m_sockinfo.m_ipv4info.m_fields.m_dip); + } + else + { + RETURN_EXTRACT_VAR(m_fdinfo->m_sockinfo.m_ipv6info.m_fields.m_dip); + } } } else { - if(m_field_id == TYPE_LIP) + if(m_field_id == TYPE_LIP || m_field_id == TYPE_LNET) { - RETURN_EXTRACT_VAR(m_fdinfo->m_sockinfo.m_ipv4info.m_fields.m_dip); + if(evt_type == SCAP_FD_IPV4_SOCK) + { + RETURN_EXTRACT_VAR(m_fdinfo->m_sockinfo.m_ipv4info.m_fields.m_dip); + } + else + { + RETURN_EXTRACT_VAR(m_fdinfo->m_sockinfo.m_ipv6info.m_fields.m_dip); + } } else { - RETURN_EXTRACT_VAR(m_fdinfo->m_sockinfo.m_ipv4info.m_fields.m_sip); + if(evt_type == SCAP_FD_IPV4_SOCK) + { + RETURN_EXTRACT_VAR(m_fdinfo->m_sockinfo.m_ipv4info.m_fields.m_sip); + } + else + { + RETURN_EXTRACT_VAR(m_fdinfo->m_sockinfo.m_ipv6info.m_fields.m_sip); + } } } } @@ -724,17 +776,17 @@ uint8_t* sinsp_filter_check_fd::extract(sinsp_evt *evt, OUT uint32_t* len, bool return NULL; } - string port = ""; + m_tstr = ""; if(evt_type == SCAP_FD_IPV4_SOCK) { - port = port_to_string(m_fdinfo->m_sockinfo.m_ipv4info.m_fields.m_sport, this->m_fdinfo->get_l4proto(), m_inspector->m_hostname_and_port_resolution_enabled); + m_tstr = port_to_string(m_fdinfo->m_sockinfo.m_ipv4info.m_fields.m_sport, this->m_fdinfo->get_l4proto(), m_inspector->m_hostname_and_port_resolution_enabled); } else if(evt_type == SCAP_FD_IPV6_SOCK) { - port = port_to_string(m_fdinfo->m_sockinfo.m_ipv6info.m_fields.m_sport, this->m_fdinfo->get_l4proto(), m_inspector->m_hostname_and_port_resolution_enabled); + m_tstr = port_to_string(m_fdinfo->m_sockinfo.m_ipv6info.m_fields.m_sport, this->m_fdinfo->get_l4proto(), m_inspector->m_hostname_and_port_resolution_enabled); } - RETURN_EXTRACT_STRING(port); + RETURN_EXTRACT_STRING(m_tstr); } case TYPE_SERVERPORT: { @@ -816,17 +868,17 @@ uint8_t* sinsp_filter_check_fd::extract(sinsp_evt *evt, OUT uint32_t* len, bool return NULL; } - string port = ""; + m_tstr = ""; if(evt_type == SCAP_FD_IPV4_SOCK) { - port = port_to_string(nport, this->m_fdinfo->get_l4proto(), m_inspector->m_hostname_and_port_resolution_enabled); + m_tstr = port_to_string(nport, this->m_fdinfo->get_l4proto(), m_inspector->m_hostname_and_port_resolution_enabled); } else if(evt_type == SCAP_FD_IPV6_SOCK) { - port = port_to_string(nport, this->m_fdinfo->get_l4proto(), m_inspector->m_hostname_and_port_resolution_enabled); + m_tstr = port_to_string(nport, this->m_fdinfo->get_l4proto(), m_inspector->m_hostname_and_port_resolution_enabled); } - RETURN_EXTRACT_STRING(port); + RETURN_EXTRACT_STRING(m_tstr); } case TYPE_LPORT: case TYPE_RPORT: @@ -837,7 +889,8 @@ uint8_t* sinsp_filter_check_fd::extract(sinsp_evt *evt, OUT uint32_t* len, bool } scap_fd_type evt_type = m_fdinfo->m_type; - if(evt_type != SCAP_FD_IPV4_SOCK) + if(evt_type != SCAP_FD_IPV4_SOCK && + evt_type != SCAP_FD_IPV6_SOCK) { return NULL; } @@ -847,26 +900,65 @@ uint8_t* sinsp_filter_check_fd::extract(sinsp_evt *evt, OUT uint32_t* len, bool return NULL; } - if(m_inspector->get_ifaddr_list()->is_ipv4addr_in_local_machine(m_fdinfo->m_sockinfo.m_ipv4info.m_fields.m_sip, m_tinfo)) + bool is_local; + + if(evt_type == SCAP_FD_IPV4_SOCK) + { + is_local = m_inspector->get_ifaddr_list()->is_ipv4addr_in_local_machine(m_fdinfo->m_sockinfo.m_ipv4info.m_fields.m_sip, m_tinfo); + } + else + { + is_local = m_inspector->get_ifaddr_list()->is_ipv6addr_in_local_machine(m_fdinfo->m_sockinfo.m_ipv6info.m_fields.m_sip, m_tinfo); + } + + if(is_local) { if(m_field_id == TYPE_LPORT || m_field_id == TYPE_LPROTO) { - RETURN_EXTRACT_VAR(m_fdinfo->m_sockinfo.m_ipv4info.m_fields.m_sport); + if(evt_type == SCAP_FD_IPV4_SOCK) + { + RETURN_EXTRACT_VAR(m_fdinfo->m_sockinfo.m_ipv4info.m_fields.m_sport); + } + else + { + RETURN_EXTRACT_VAR(m_fdinfo->m_sockinfo.m_ipv6info.m_fields.m_sport); + } } else { - RETURN_EXTRACT_VAR(m_fdinfo->m_sockinfo.m_ipv4info.m_fields.m_dport); + if(evt_type == SCAP_FD_IPV4_SOCK) + { + RETURN_EXTRACT_VAR(m_fdinfo->m_sockinfo.m_ipv4info.m_fields.m_dport); + } + else + { + RETURN_EXTRACT_VAR(m_fdinfo->m_sockinfo.m_ipv6info.m_fields.m_dport); + } } } else { if(m_field_id == TYPE_LPORT || m_field_id == TYPE_LPROTO) { - RETURN_EXTRACT_VAR(m_fdinfo->m_sockinfo.m_ipv4info.m_fields.m_dport); + if(evt_type == SCAP_FD_IPV4_SOCK) + { + RETURN_EXTRACT_VAR(m_fdinfo->m_sockinfo.m_ipv4info.m_fields.m_dport); + } + else + { + RETURN_EXTRACT_VAR(m_fdinfo->m_sockinfo.m_ipv6info.m_fields.m_dport); + } } else { - RETURN_EXTRACT_VAR(m_fdinfo->m_sockinfo.m_ipv4info.m_fields.m_sport); + if(evt_type == SCAP_FD_IPV4_SOCK) + { + RETURN_EXTRACT_VAR(m_fdinfo->m_sockinfo.m_ipv4info.m_fields.m_sport); + } + else + { + RETURN_EXTRACT_VAR(m_fdinfo->m_sockinfo.m_ipv6info.m_fields.m_sport); + } } } } @@ -881,7 +973,8 @@ uint8_t* sinsp_filter_check_fd::extract(sinsp_evt *evt, OUT uint32_t* len, bool } scap_fd_type evt_type = m_fdinfo->m_type; - if(evt_type != SCAP_FD_IPV4_SOCK) + if(evt_type != SCAP_FD_IPV4_SOCK && + evt_type != SCAP_FD_IPV6_SOCK) { return NULL; } @@ -893,44 +986,71 @@ uint8_t* sinsp_filter_check_fd::extract(sinsp_evt *evt, OUT uint32_t* len, bool int16_t nport = 0; - if(m_inspector->get_ifaddr_list()->is_ipv4addr_in_local_machine(m_fdinfo->m_sockinfo.m_ipv4info.m_fields.m_sip, m_tinfo)) + bool is_local; + + if(evt_type == SCAP_FD_IPV4_SOCK) + { + is_local = m_inspector->get_ifaddr_list()->is_ipv4addr_in_local_machine(m_fdinfo->m_sockinfo.m_ipv4info.m_fields.m_sip, m_tinfo); + } + else + { + is_local = m_inspector->get_ifaddr_list()->is_ipv6addr_in_local_machine(m_fdinfo->m_sockinfo.m_ipv6info.m_fields.m_sip, m_tinfo); + } + + if(is_local) { if(m_field_id == TYPE_LPORT || m_field_id == TYPE_LPROTO) { - nport = m_fdinfo->m_sockinfo.m_ipv4info.m_fields.m_sport; + if(evt_type == SCAP_FD_IPV4_SOCK) + { + nport = m_fdinfo->m_sockinfo.m_ipv4info.m_fields.m_sport; + } + else + { + nport = m_fdinfo->m_sockinfo.m_ipv6info.m_fields.m_sport; + } } else { - nport = m_fdinfo->m_sockinfo.m_ipv4info.m_fields.m_dport; + if(evt_type == SCAP_FD_IPV4_SOCK) + { + nport = m_fdinfo->m_sockinfo.m_ipv4info.m_fields.m_dport; + } + else + { + nport = m_fdinfo->m_sockinfo.m_ipv6info.m_fields.m_dport; + } } } else { if(m_field_id == TYPE_LPORT || m_field_id == TYPE_LPROTO) { - nport = m_fdinfo->m_sockinfo.m_ipv4info.m_fields.m_dport; + if(evt_type == SCAP_FD_IPV4_SOCK) + { + nport = m_fdinfo->m_sockinfo.m_ipv4info.m_fields.m_dport; + } + else + { + nport = m_fdinfo->m_sockinfo.m_ipv6info.m_fields.m_dport; + } } else { - nport = m_fdinfo->m_sockinfo.m_ipv4info.m_fields.m_sport; - } - } + if(evt_type == SCAP_FD_IPV4_SOCK) + { + nport = m_fdinfo->m_sockinfo.m_ipv4info.m_fields.m_sport; + } + else + { + nport = m_fdinfo->m_sockinfo.m_ipv6info.m_fields.m_sport; + } - string port = ""; - if(evt_type == SCAP_FD_IPV4_SOCK) - { - port = port_to_string(nport, this->m_fdinfo->get_l4proto(), m_inspector->m_hostname_and_port_resolution_enabled); - } - else if(evt_type == SCAP_FD_IPV6_SOCK) - { - port = port_to_string(nport, this->m_fdinfo->get_l4proto(), m_inspector->m_hostname_and_port_resolution_enabled); - } - else - { - ASSERT(false); + } } - RETURN_EXTRACT_STRING(port); + m_tstr = port_to_string(nport, this->m_fdinfo->get_l4proto(), m_inspector->m_hostname_and_port_resolution_enabled); + RETURN_EXTRACT_STRING(m_tstr); } case TYPE_L4PROTO: @@ -979,6 +1099,11 @@ uint8_t* sinsp_filter_check_fd::extract(sinsp_evt *evt, OUT uint32_t* len, bool m_tbool = m_inspector->get_ifaddr_list()->is_ipv4addr_in_local_machine(m_fdinfo->m_sockinfo.m_ipv4info.m_fields.m_dip, m_tinfo); } + else if(m_fdinfo->m_type == SCAP_FD_IPV6_SOCK) + { + m_tbool = + m_inspector->get_ifaddr_list()->is_ipv6addr_in_local_machine(m_fdinfo->m_sockinfo.m_ipv6info.m_fields.m_dip, m_tinfo); + } else { m_tbool = false; @@ -1095,6 +1220,40 @@ bool sinsp_filter_check_fd::compare_ip(sinsp_evt *evt) throw sinsp_exception("filter error: IP filter only supports '=' and '!=' operators"); } } + else if(evt_type == SCAP_FD_IPV6_SOCK) + { + if(m_cmpop == CO_EQ || m_cmpop == CO_IN) + { + if(flt_compare(m_cmpop, PT_IPV6ADDR, &m_fdinfo->m_sockinfo.m_ipv6info.m_fields.m_sip) || + flt_compare(m_cmpop, PT_IPV6ADDR, &m_fdinfo->m_sockinfo.m_ipv6info.m_fields.m_dip)) + { + return true; + } + } + else if(m_cmpop == CO_NE) + { + if(flt_compare(m_cmpop, PT_IPV6ADDR, &m_fdinfo->m_sockinfo.m_ipv6info.m_fields.m_sip) && + flt_compare(m_cmpop, PT_IPV6ADDR, &m_fdinfo->m_sockinfo.m_ipv6info.m_fields.m_dip)) + { + return true; + } + } + else + { + throw sinsp_exception("filter error: IP filter only supports '=' and '!=' operators"); + } + } + else if(evt_type == SCAP_FD_IPV6_SERVSOCK) + { + if(m_cmpop == CO_EQ || m_cmpop == CO_NE || m_cmpop == CO_IN) + { + return flt_compare(m_cmpop, PT_IPV6ADDR, &m_fdinfo->m_sockinfo.m_ipv6serverinfo.m_ip); + } + else + { + throw sinsp_exception("filter error: IP filter only supports '=' and '!=' operators"); + } + } } return false; @@ -1142,6 +1301,36 @@ bool sinsp_filter_check_fd::compare_net(sinsp_evt *evt) return true; } } + else if(evt_type == SCAP_FD_IPV6_SOCK) + { + if(m_cmpop == CO_EQ || m_cmpop == CO_IN) + { + if(flt_compare_ipv6net(m_cmpop, &m_fdinfo->m_sockinfo.m_ipv6info.m_fields.m_sip, (ipv6addr*)filter_value_p()) || + flt_compare_ipv6net(m_cmpop, &m_fdinfo->m_sockinfo.m_ipv6info.m_fields.m_dip, (ipv6addr*)filter_value_p())) + { + return true; + } + } + else if(m_cmpop == CO_NE) + { + if(flt_compare_ipv6net(m_cmpop, &m_fdinfo->m_sockinfo.m_ipv6info.m_fields.m_sip, (ipv6addr*)filter_value_p()) && + flt_compare_ipv6net(m_cmpop, &m_fdinfo->m_sockinfo.m_ipv6info.m_fields.m_dip, (ipv6addr*)filter_value_p())) + { + return true; + } + } + else + { + throw sinsp_exception("filter error: IP filter only supports '=' and '!=' operators"); + } + } + else if(evt_type == SCAP_FD_IPV6_SERVSOCK) + { + if(flt_compare_ipv6net(m_cmpop, &m_fdinfo->m_sockinfo.m_ipv6serverinfo.m_ip, (ipv6addr*)filter_value_p())) + { + return true; + } + } } return false; @@ -6229,7 +6418,7 @@ char* sinsp_filter_check_reference::tostring_nice(sinsp_evt* evt, } else { - return rawval_to_string(rawval, m_field, len); + return rawval_to_string(rawval, m_field->m_type, m_field->m_print_format, len); } } @@ -6274,7 +6463,7 @@ Json::Value sinsp_filter_check_reference::tojson(sinsp_evt* evt, } else { - return rawval_to_json(rawval, m_field, len); + return rawval_to_json(rawval, m_field->m_type, m_field->m_print_format, len); } } @@ -6416,7 +6605,7 @@ uint8_t* sinsp_filter_check_fdlist::extract(sinsp_evt *evt, OUT uint32_t* len, b } else if(fdinfo->m_type == SCAP_FD_IPV6_SOCK) { - inet_ntop(AF_INET6, fdinfo->m_sockinfo.m_ipv6info.m_fields.m_sip, m_addrbuff, sizeof(m_addrbuff)); + inet_ntop(AF_INET6, fdinfo->m_sockinfo.m_ipv6info.m_fields.m_sip.m_b, m_addrbuff, sizeof(m_addrbuff)); m_strval += m_addrbuff; break; } @@ -6437,7 +6626,7 @@ uint8_t* sinsp_filter_check_fdlist::extract(sinsp_evt *evt, OUT uint32_t* len, b } else if(fdinfo->m_type == SCAP_FD_IPV6_SOCK) { - inet_ntop(AF_INET6, fdinfo->m_sockinfo.m_ipv6info.m_fields.m_dip, m_addrbuff, sizeof(m_addrbuff)); + inet_ntop(AF_INET6, fdinfo->m_sockinfo.m_ipv6info.m_fields.m_dip.m_b, m_addrbuff, sizeof(m_addrbuff)); m_strval += m_addrbuff; break; } @@ -6449,7 +6638,7 @@ uint8_t* sinsp_filter_check_fdlist::extract(sinsp_evt *evt, OUT uint32_t* len, b } else if(fdinfo->m_type == SCAP_FD_IPV6_SERVSOCK) { - inet_ntop(AF_INET, &fdinfo->m_sockinfo.m_ipv6serverinfo.m_ip, m_addrbuff, sizeof(m_addrbuff)); + inet_ntop(AF_INET, &fdinfo->m_sockinfo.m_ipv6serverinfo.m_ip.m_b, m_addrbuff, sizeof(m_addrbuff)); m_strval += m_addrbuff; break; } diff --git a/userspace/libsinsp/filterchecks.h b/userspace/libsinsp/filterchecks.h index 5ece1555c2..46b3f88218 100644 --- a/userspace/libsinsp/filterchecks.h +++ b/userspace/libsinsp/filterchecks.h @@ -32,6 +32,7 @@ class sinsp_filter_check_reference; bool flt_compare(cmpop op, ppm_param_type type, void* operand1, void* operand2, uint32_t op1_len = 0, uint32_t op2_len = 0); bool flt_compare_avg(cmpop op, ppm_param_type type, void* operand1, void* operand2, uint32_t op1_len, uint32_t op2_len, uint32_t cnt1, uint32_t cnt2); bool flt_compare_ipv4net(cmpop op, uint64_t operand1, ipv4net* operand2); +bool flt_compare_ipv6net(cmpop op, ipv6addr *operand1, ipv6addr* operand2); char* flt_to_string(uint8_t* rawval, filtercheck_field_info* finfo); int32_t gmt2local(time_t t); @@ -145,8 +146,11 @@ class sinsp_filter_check protected: bool flt_compare(cmpop op, ppm_param_type type, void* operand1, uint32_t op1_len = 0, uint32_t op2_len = 0); - char* rawval_to_string(uint8_t* rawval, const filtercheck_field_info* finfo, uint32_t len); - Json::Value rawval_to_json(uint8_t* rawval, const filtercheck_field_info* finfo, uint32_t len); + char* rawval_to_string(uint8_t* rawval, + ppm_param_type ptype, + ppm_print_format print_format, + uint32_t len); + Json::Value rawval_to_json(uint8_t* rawval, ppm_param_type ptype, ppm_print_format print_format, uint32_t len); void string_to_rawval(const char* str, uint32_t len, ppm_param_type ptype); char m_getpropertystr_storage[1024]; diff --git a/userspace/libsinsp/ifinfo.cpp b/userspace/libsinsp/ifinfo.cpp index 978cc2a1a5..bd0d88789d 100644 --- a/userspace/libsinsp/ifinfo.cpp +++ b/userspace/libsinsp/ifinfo.cpp @@ -19,6 +19,15 @@ along with sysdig. If not, see . #include "sinsp.h" #include "sinsp_int.h" +sinsp_network_interfaces::sinsp_network_interfaces(sinsp* inspector) + : m_inspector(inspector) +{ + if(inet_pton(AF_INET6, "::1", m_ipv6_loopback_addr.m_b) != 1) + { + throw sinsp_exception("Could not convert ipv6 loopback address ::1 to ipv6addr struct"); + } +} + sinsp_ipv4_ifinfo::sinsp_ipv4_ifinfo(uint32_t addr, uint32_t netmask, uint32_t bcast, const char* name) { m_addr = addr; @@ -95,48 +104,93 @@ uint32_t sinsp_network_interfaces::infer_ipv4_address(uint32_t destination_addre void sinsp_network_interfaces::update_fd(sinsp_fdinfo_t *fd) { ipv4tuple *pipv4info = &(fd->m_sockinfo.m_ipv4info); + ipv6tuple *pipv6info = &(fd->m_sockinfo.m_ipv6info); // - // only handle ipv4 udp sockets + // only handle ipv4/ipv6 udp sockets // - if(fd->m_type != SCAP_FD_IPV4_SOCK) + if(fd->m_type != SCAP_FD_IPV4_SOCK && + fd->m_type != SCAP_FD_IPV6_SOCK) { return; } - if(0 != pipv4info->m_fields.m_sip && 0 != pipv4info->m_fields.m_dip) + if(fd->m_type == SCAP_FD_IPV4_SOCK) { - return; - } - if(0 == pipv4info->m_fields.m_sip) - { - uint32_t newaddr; - newaddr = infer_ipv4_address(pipv4info->m_fields.m_dip); - if(newaddr == pipv4info->m_fields.m_dip) + if(0 != pipv4info->m_fields.m_sip && 0 != pipv4info->m_fields.m_dip) + { + return; + } + if(0 == pipv4info->m_fields.m_sip) { - if(pipv4info->m_fields.m_sport == pipv4info->m_fields.m_dport) + uint32_t newaddr; + newaddr = infer_ipv4_address(pipv4info->m_fields.m_dip); + + if(newaddr == pipv4info->m_fields.m_dip) { - return; + if(pipv4info->m_fields.m_sport == pipv4info->m_fields.m_dport) + { + return; + } } + + pipv4info->m_fields.m_sip = newaddr; } + else + { + uint32_t newaddr; + newaddr = infer_ipv4_address(pipv4info->m_fields.m_sip); + + if(newaddr == pipv4info->m_fields.m_sip) + { + if(pipv4info->m_fields.m_sport == pipv4info->m_fields.m_dport) + { + return; + } + } - pipv4info->m_fields.m_sip = newaddr; + pipv4info->m_fields.m_dip = newaddr; + } } - else + else if(fd->m_type == SCAP_FD_IPV6_SOCK) { - uint32_t newaddr; - newaddr = infer_ipv4_address(pipv4info->m_fields.m_sip); - if(newaddr == pipv4info->m_fields.m_sip) + if(ipv6addr::empty_address != pipv6info->m_fields.m_sip && + ipv6addr::empty_address != pipv6info->m_fields.m_dip) + { + return; + } + if(ipv6addr::empty_address == pipv6info->m_fields.m_sip) { - if(pipv4info->m_fields.m_sport == pipv4info->m_fields.m_dport) + ipv6addr newaddr; + newaddr = infer_ipv6_address(pipv6info->m_fields.m_dip); + + if(newaddr == pipv6info->m_fields.m_dip) { - return; + if(pipv6info->m_fields.m_sport == pipv6info->m_fields.m_dport) + { + return; + } } + + pipv6info->m_fields.m_sip = newaddr; } + else + { + ipv6addr newaddr; + newaddr = infer_ipv6_address(pipv6info->m_fields.m_sip); - pipv4info->m_fields.m_dip = newaddr; + if(newaddr == pipv6info->m_fields.m_sip) + { + if(pipv6info->m_fields.m_sport == pipv6info->m_fields.m_dport) + { + return; + } + } + + pipv6info->m_fields.m_dip = newaddr; + } } } @@ -242,6 +296,62 @@ void sinsp_network_interfaces::import_ipv4_ifaddr_list(uint32_t count, scap_ifin } } +ipv6addr sinsp_network_interfaces::infer_ipv6_address(ipv6addr &destination_address) +{ + vector::iterator it; + + // first try to find exact match + for(it = m_ipv6_interfaces.begin(); it != m_ipv6_interfaces.end(); it++) + { + if(destination_address == it->m_net) + { + return it->m_net; + } + } + + // try to find an interface for the same subnet + for(it = m_ipv6_interfaces.begin(); it != m_ipv6_interfaces.end(); it++) + { + if(it->m_net.in_subnet(destination_address)) + { + return it->m_net; + } + } + + // otherwise take the first non loopback interface + for(it = m_ipv6_interfaces.begin(); it != m_ipv6_interfaces.end(); it++) + { + if(it->m_net != m_ipv6_loopback_addr) + { + return it->m_net; + } + } + + return ipv6addr::empty_address; +} + +bool sinsp_network_interfaces::is_ipv6addr_in_local_machine(ipv6addr &addr, sinsp_threadinfo* tinfo) +{ + if(!tinfo->m_container_id.empty()) + { + // For now, not supporting ipv6 networking for containers. So always return false; + return false; + } + + vector::iterator it; + + // try to find an interface that has the given IP as address + for(it = m_ipv6_interfaces.begin(); it != m_ipv6_interfaces.end(); it++) + { + if(addr.in_subnet(it->m_net)) + { + return true; + } + } + + return false; +} + void sinsp_network_interfaces::import_ipv6_ifaddr_list(uint32_t count, scap_ifinfo_ipv6* plist) { if (count == 0) @@ -251,9 +361,12 @@ void sinsp_network_interfaces::import_ipv6_ifaddr_list(uint32_t count, scap_ifin for(uint32_t j = 0; j < count; j++) { sinsp_ipv6_ifinfo info; - memcpy(info.m_addr, plist->addr, SCAP_IPV6_ADDR_LEN); - memcpy(info.m_netmask, plist->netmask, SCAP_IPV6_ADDR_LEN); - memcpy(info.m_bcast, plist->bcast, SCAP_IPV6_ADDR_LEN); + + // Only saving the address portion. (Assumes + // convention of first 48 bits for network, next 16 + // bits for subnet). + memcpy(info.m_net.m_b, plist->addr, SCAP_IPV6_ADDR_LEN); + info.m_name = plist->ifname; m_ipv6_interfaces.push_back(info); plist++; @@ -275,6 +388,11 @@ void sinsp_network_interfaces::import_ipv4_interface(const sinsp_ipv4_ifinfo& if m_ipv4_interfaces.push_back(ifinfo); } +void sinsp_network_interfaces::import_ipv6_interface(const sinsp_ipv6_ifinfo& ifinfo) +{ + m_ipv6_interfaces.push_back(ifinfo); +} + vector* sinsp_network_interfaces::get_ipv4_list() { return &m_ipv4_interfaces; diff --git a/userspace/libsinsp/ifinfo.h b/userspace/libsinsp/ifinfo.h index e9d0043bce..60bded40ec 100644 --- a/userspace/libsinsp/ifinfo.h +++ b/userspace/libsinsp/ifinfo.h @@ -18,6 +18,8 @@ along with sysdig. If not, see . #pragma once +#include "tuples.h" + #define LOOPBACK_ADDR 0x0100007f #ifndef VISIBILITY_PRIVATE @@ -53,9 +55,7 @@ class SINSP_PUBLIC sinsp_ipv6_ifinfo public: sinsp_ipv6_ifinfo() {}; - char m_addr[SCAP_IPV6_ADDR_LEN]; - char m_netmask[SCAP_IPV6_ADDR_LEN]; - char m_bcast[SCAP_IPV6_ADDR_LEN]; + ipv6addr m_net; string m_name; }; @@ -63,22 +63,25 @@ class SINSP_PUBLIC sinsp_ipv6_ifinfo class SINSP_PUBLIC sinsp_network_interfaces { public: - sinsp_network_interfaces(sinsp* inspector): m_inspector(inspector) - { - } + sinsp_network_interfaces(sinsp* inspector); void import_interfaces(scap_addrlist* paddrlist); void import_ipv4_interface(const sinsp_ipv4_ifinfo& ifinfo); void update_fd(sinsp_fdinfo_t *fd); bool is_ipv4addr_in_subnet(uint32_t addr); bool is_ipv4addr_in_local_machine(uint32_t addr, sinsp_threadinfo* tinfo); + void import_ipv6_interface(const sinsp_ipv6_ifinfo& ifinfo); + bool is_ipv6addr_in_local_machine(ipv6addr &addr, sinsp_threadinfo* tinfo); vector* get_ipv4_list(); vector* get_ipv6_list(); inline void clear(); + ipv6addr m_ipv6_loopback_addr; + VISIBILITY_PRIVATE uint32_t infer_ipv4_address(uint32_t destination_address); void import_ipv4_ifaddr_list(uint32_t count, scap_ifinfo_ipv4* plist); + ipv6addr infer_ipv6_address(ipv6addr &destination_address); void import_ipv6_ifaddr_list(uint32_t count, scap_ifinfo_ipv6* plist); vector m_ipv4_interfaces; vector m_ipv6_interfaces; diff --git a/userspace/libsinsp/parsers.cpp b/userspace/libsinsp/parsers.cpp index 2038f0b21a..14c25634b8 100644 --- a/userspace/libsinsp/parsers.cpp +++ b/userspace/libsinsp/parsers.cpp @@ -2369,6 +2369,7 @@ void sinsp_parser::parse_bind_exit(sinsp_evt *evt) { evt->m_fdinfo->m_type = SCAP_FD_IPV6_SERVSOCK; evt->m_fdinfo->m_sockinfo.m_ipv6serverinfo.m_port = port; + memcpy(evt->m_fdinfo->m_sockinfo.m_ipv6serverinfo.m_ip.m_b, ip, sizeof(ipv6addr)); evt->m_fdinfo->m_sockinfo.m_ipv6serverinfo.m_l4proto = evt->m_fdinfo->m_sockinfo.m_ipv6info.m_fields.m_l4proto; } @@ -2446,7 +2447,7 @@ void sinsp_parser::parse_connect_exit(sinsp_evt *evt) if(family == PPM_AF_INET6) { // - // For the moment, we only support IPv4-mapped IPv6 addresses + // Check to see if it's an IPv4-mapped IPv6 address // (http://en.wikipedia.org/wiki/IPv6#IPv4-mapped_IPv6_addresses) // uint8_t* sip = packed_data + 1; @@ -2454,37 +2455,29 @@ void sinsp_parser::parse_connect_exit(sinsp_evt *evt) if(!(sinsp_utils::is_ipv4_mapped_ipv6(sip) && sinsp_utils::is_ipv4_mapped_ipv6(dip))) { - evt->m_fdinfo->m_name = evt->get_param_as_str(1, &parstr, sinsp_evt::PF_SIMPLE); evt->m_fdinfo->m_type = SCAP_FD_IPV6_SOCK; - return; + changed = m_inspector->m_parser->set_ipv6_addresses_and_ports(evt->m_fdinfo, packed_data); + } + else + { + evt->m_fdinfo->m_type = SCAP_FD_IPV4_SOCK; + changed = m_inspector->m_parser->set_ipv4_mapped_ipv6_addresses_and_ports(evt->m_fdinfo, packed_data); } - - evt->m_fdinfo->m_type = SCAP_FD_IPV4_SOCK; - } - - // - // This should happen only in case of a bug in our code, because I'm assuming that the OS - // causes a connect with the wrong socket type to fail. - // Assert in debug mode and just keep going in release mode. - // - ASSERT(evt->m_fdinfo->m_type == SCAP_FD_IPV4_SOCK || evt->m_fdinfo->m_type == SCAP_FD_IPV4_SERVSOCK); - - // - // Update the FD info with this tuple - // - if(family == PPM_AF_INET) - { - changed = m_inspector->m_parser->set_ipv4_addresses_and_ports(evt->m_fdinfo, packed_data); } else { - changed = m_inspector->m_parser->set_ipv4_mapped_ipv6_addresses_and_ports(evt->m_fdinfo, packed_data); + evt->m_fdinfo->m_type = SCAP_FD_IPV4_SOCK; + + // + // Update the FD info with this tuple + // + changed = m_inspector->m_parser->set_ipv4_addresses_and_ports(evt->m_fdinfo, packed_data); } if(changed && evt->m_fdinfo->is_role_server() && evt->m_fdinfo->is_udp_socket()) { // connect done by a udp server, swap the addresses - swap_ipv4_addresses(evt->m_fdinfo); + swap_addresses(evt->m_fdinfo); } // @@ -2627,8 +2620,8 @@ void sinsp_parser::parse_accept_exit(sinsp_evt *evt) else if(*packed_data == PPM_AF_INET6) { // - // We only support IPv4-mapped IPv6 addresses (http://en.wikipedia.org/wiki/IPv6#IPv4-mapped_IPv6_addresses) - // for the moment + // Check to see if it's an IPv4-mapped IPv6 address + // (http://en.wikipedia.org/wiki/IPv6#IPv4-mapped_IPv6_addresses) // uint8_t* sip = packed_data + 1; uint8_t* dip = packed_data + 19; @@ -2641,7 +2634,9 @@ void sinsp_parser::parse_accept_exit(sinsp_evt *evt) } else { + set_ipv6_addresses_and_ports(&fdi, packed_data); fdi.m_type = SCAP_FD_IPV6_SOCK; + fdi.m_sockinfo.m_ipv6info.m_fields.m_l4proto = SCAP_L4_TCP; } } else if(*packed_data == PPM_AF_UNIX) @@ -2998,6 +2993,41 @@ bool sinsp_parser::set_ipv4_mapped_ipv6_addresses_and_ports(sinsp_fdinfo_t* fdin return true; } +bool sinsp_parser::set_ipv6_addresses_and_ports(sinsp_fdinfo_t* fdinfo, uint8_t* packed_data) +{ + ipv6addr tsip, tdip; + uint16_t tsport, tdport; + + memcpy((uint8_t *) tsip.m_b, packed_data + 1, sizeof(tsip.m_b)); + tsport = *(uint16_t *)(packed_data + 17); + + memcpy((uint8_t *) tdip.m_b, packed_data + 19, sizeof(tdip.m_b)); + tdport = *(uint16_t *)(packed_data + 35); + + if(fdinfo->m_type == SCAP_FD_IPV6_SOCK) + { + if((tsip == fdinfo->m_sockinfo.m_ipv6info.m_fields.m_sip && + tsport == fdinfo->m_sockinfo.m_ipv6info.m_fields.m_sport && + tdip == fdinfo->m_sockinfo.m_ipv6info.m_fields.m_dip && + tdport == fdinfo->m_sockinfo.m_ipv6info.m_fields.m_dport) || + (tdip == fdinfo->m_sockinfo.m_ipv6info.m_fields.m_sip && + tdport == fdinfo->m_sockinfo.m_ipv6info.m_fields.m_sport && + tsip == fdinfo->m_sockinfo.m_ipv6info.m_fields.m_dip && + tsport == fdinfo->m_sockinfo.m_ipv6info.m_fields.m_dport) + ) + { + return false; + } + } + + fdinfo->m_sockinfo.m_ipv6info.m_fields.m_sip = tsip; + fdinfo->m_sockinfo.m_ipv6info.m_fields.m_sport = tsport; + fdinfo->m_sockinfo.m_ipv6info.m_fields.m_dip = tdip; + fdinfo->m_sockinfo.m_ipv6info.m_fields.m_dport = tdport; + + return true; +} + bool sinsp_parser::set_unix_info(sinsp_fdinfo_t* fdinfo, uint8_t* packed_data) { fdinfo->m_sockinfo.m_unixinfo.m_fields.m_source = *(uint64_t *)(packed_data + 1); @@ -3038,22 +3068,28 @@ bool sinsp_parser::update_fd(sinsp_evt *evt, sinsp_evt_param *parinfo) else if(family == PPM_AF_INET6) { // - // For the moment, we only support IPv4-mapped IPv6 addresses + // Check to see if it's an IPv4-mapped IPv6 address // (http://en.wikipedia.org/wiki/IPv6#IPv4-mapped_IPv6_addresses) // uint8_t* sip = packed_data + 1; uint8_t* dip = packed_data + 19; - if(!(sinsp_utils::is_ipv4_mapped_ipv6(sip) && sinsp_utils::is_ipv4_mapped_ipv6(dip))) + if(sinsp_utils::is_ipv4_mapped_ipv6(sip) && sinsp_utils::is_ipv4_mapped_ipv6(dip)) { - return false; - } - - evt->m_fdinfo->m_type = SCAP_FD_IPV4_SOCK; + evt->m_fdinfo->m_type = SCAP_FD_IPV4_SOCK; - if(set_ipv4_mapped_ipv6_addresses_and_ports(evt->m_fdinfo, packed_data) == false) + if(set_ipv4_mapped_ipv6_addresses_and_ports(evt->m_fdinfo, packed_data) == false) + { + return false; + } + } + else { - return false; + // It's not an ipv4-mapped ipv6 address. Extract it as a normal address. + if(set_ipv6_addresses_and_ports(evt->m_fdinfo, packed_data) == false) + { + return false; + } } } else if(family == PPM_AF_UNIX) @@ -3084,9 +3120,19 @@ bool sinsp_parser::update_fd(sinsp_evt *evt, sinsp_evt_param *parinfo) // connection is UDP, because TCP would fail if the address is changed in // the middle of a connection. // - if(evt->m_fdinfo->m_sockinfo.m_ipv4info.m_fields.m_l4proto == SCAP_L4_UNKNOWN) + if(evt->m_fdinfo->m_type == SCAP_FD_IPV4_SOCK) { - evt->m_fdinfo->m_sockinfo.m_ipv4info.m_fields.m_l4proto = SCAP_L4_UDP; + if(evt->m_fdinfo->m_sockinfo.m_ipv4info.m_fields.m_l4proto == SCAP_L4_UNKNOWN) + { + evt->m_fdinfo->m_sockinfo.m_ipv4info.m_fields.m_l4proto = SCAP_L4_UDP; + } + } + else if(evt->m_fdinfo->m_type == SCAP_FD_IPV6_SOCK) + { + if(evt->m_fdinfo->m_sockinfo.m_ipv6info.m_fields.m_l4proto == SCAP_L4_UNKNOWN) + { + evt->m_fdinfo->m_sockinfo.m_ipv6info.m_fields.m_l4proto = SCAP_L4_UDP; + } } // @@ -3107,17 +3153,34 @@ bool sinsp_parser::update_fd(sinsp_evt *evt, sinsp_evt_param *parinfo) return true; } -void sinsp_parser::swap_ipv4_addresses(sinsp_fdinfo_t* fdinfo) +void sinsp_parser::swap_addresses(sinsp_fdinfo_t* fdinfo) { - uint32_t tip; - uint16_t tport; - - tip = fdinfo->m_sockinfo.m_ipv4info.m_fields.m_sip; - tport = fdinfo->m_sockinfo.m_ipv4info.m_fields.m_sport; - fdinfo->m_sockinfo.m_ipv4info.m_fields.m_sip = fdinfo->m_sockinfo.m_ipv4info.m_fields.m_dip; - fdinfo->m_sockinfo.m_ipv4info.m_fields.m_sport = fdinfo->m_sockinfo.m_ipv4info.m_fields.m_dport; - fdinfo->m_sockinfo.m_ipv4info.m_fields.m_dip = tip; - fdinfo->m_sockinfo.m_ipv4info.m_fields.m_dport = tport; + if(fdinfo->m_type == SCAP_FD_IPV4_SOCK) + { + uint32_t tip; + uint16_t tport; + + tip = fdinfo->m_sockinfo.m_ipv4info.m_fields.m_sip; + tport = fdinfo->m_sockinfo.m_ipv4info.m_fields.m_sport; + fdinfo->m_sockinfo.m_ipv4info.m_fields.m_sip = fdinfo->m_sockinfo.m_ipv4info.m_fields.m_dip; + fdinfo->m_sockinfo.m_ipv4info.m_fields.m_sport = fdinfo->m_sockinfo.m_ipv4info.m_fields.m_dport; + fdinfo->m_sockinfo.m_ipv4info.m_fields.m_dip = tip; + fdinfo->m_sockinfo.m_ipv4info.m_fields.m_dport = tport; + } + else + { + ipv6addr tip; + uint16_t tport; + + tip = fdinfo->m_sockinfo.m_ipv6info.m_fields.m_sip; + tport = fdinfo->m_sockinfo.m_ipv6info.m_fields.m_sport; + + fdinfo->m_sockinfo.m_ipv6info.m_fields.m_sip = fdinfo->m_sockinfo.m_ipv6info.m_fields.m_dip;; + fdinfo->m_sockinfo.m_ipv6info.m_fields.m_sport = fdinfo->m_sockinfo.m_ipv6info.m_fields.m_dport; + + fdinfo->m_sockinfo.m_ipv6info.m_fields.m_dip = tip; + fdinfo->m_sockinfo.m_ipv6info.m_fields.m_dport = tport; + } } uint32_t sinsp_parser::parse_tracer(sinsp_evt *evt, int64_t retval) @@ -3362,7 +3425,8 @@ void sinsp_parser::parse_rw_exit(sinsp_evt *evt) scap_fd_type fdtype = evt->m_fdinfo->m_type; - if(fdtype == SCAP_FD_IPV4_SOCK) + if(fdtype == SCAP_FD_IPV4_SOCK || + fdtype == SCAP_FD_IPV6_SOCK) { if(evt->m_fdinfo->is_role_none()) { @@ -3374,7 +3438,7 @@ void sinsp_parser::parse_rw_exit(sinsp_evt *evt) if(evt->m_fdinfo->is_role_client()) { - swap_ipv4_addresses(evt->m_fdinfo); + swap_addresses(evt->m_fdinfo); } sinsp_utils::sockinfo_to_str(&evt->m_fdinfo->m_sockinfo, @@ -3457,7 +3521,8 @@ void sinsp_parser::parse_rw_exit(sinsp_evt *evt) scap_fd_type fdtype = evt->m_fdinfo->m_type; - if(fdtype == SCAP_FD_IPV4_SOCK) + if(fdtype == SCAP_FD_IPV4_SOCK || + fdtype == SCAP_FD_IPV6_SOCK) { if(evt->m_fdinfo->is_role_none()) { @@ -3469,7 +3534,7 @@ void sinsp_parser::parse_rw_exit(sinsp_evt *evt) if(evt->m_fdinfo->is_role_server()) { - swap_ipv4_addresses(evt->m_fdinfo); + swap_addresses(evt->m_fdinfo); } sinsp_utils::sockinfo_to_str(&evt->m_fdinfo->m_sockinfo, diff --git a/userspace/libsinsp/parsers.h b/userspace/libsinsp/parsers.h index e9929ccc69..479b46b923 100644 --- a/userspace/libsinsp/parsers.h +++ b/userspace/libsinsp/parsers.h @@ -146,13 +146,14 @@ class sinsp_parser inline void add_pipe(sinsp_evt *evt, int64_t tid, int64_t fd, uint64_t ino); // Return false if the update didn't happen (for example because the tuple is NULL) bool update_fd(sinsp_evt *evt, sinsp_evt_param* parinfo); - // Return false if the update didn't happen because the tuple is identical to the given address + + // Next 4 return false if the update didn't happen because the tuple is identical to the given address bool set_ipv4_addresses_and_ports(sinsp_fdinfo_t* fdinfo, uint8_t* packed_data); - // Return false if the update didn't happen because the tuple is identical to the given address bool set_ipv4_mapped_ipv6_addresses_and_ports(sinsp_fdinfo_t* fdinfo, uint8_t* packed_data); - // Return false if the update didn't happen because the tuple is identical to the given address + bool set_ipv6_addresses_and_ports(sinsp_fdinfo_t* fdinfo, uint8_t* packed_data); bool set_unix_info(sinsp_fdinfo_t* fdinfo, uint8_t* packed_data); - void swap_ipv4_addresses(sinsp_fdinfo_t* fdinfo); + + void swap_addresses(sinsp_fdinfo_t* fdinfo); uint8_t* reserve_event_buffer(); void free_event_buffer(uint8_t*); diff --git a/userspace/libsinsp/table.cpp b/userspace/libsinsp/table.cpp index a06eb99bb2..20b27ecf36 100644 --- a/userspace/libsinsp/table.cpp +++ b/userspace/libsinsp/table.cpp @@ -740,6 +740,7 @@ void sinsp_table::filter_sample() if(type == PT_CHARBUF || type == PT_BYTEBUF || type == PT_SYSCALLID || type == PT_PORT || type == PT_L4PROTO || type == PT_SOCKFAMILY || type == PT_IPV4ADDR || + type == PT_IPV6ADDR || type == PT_UID || type == PT_GID) { m_printer->set_val(type, @@ -786,6 +787,7 @@ sinsp_table_field* sinsp_table::search_in_sample(string text) if(type == PT_CHARBUF || type == PT_BYTEBUF || type == PT_SYSCALLID || type == PT_PORT || type == PT_L4PROTO || type == PT_SOCKFAMILY || type == PT_IPV4ADDR || + type == PT_IPV6ADDR || type == PT_UID || type == PT_GID) { m_printer->set_val(type, @@ -1435,6 +1437,18 @@ uint32_t sinsp_table::get_field_len(uint32_t id) return fld->m_len; case PT_DOUBLE: return sizeof(double); + case PT_IPV6ADDR: + return sizeof(ipv6addr); + case PT_IPADDR: + case PT_IPNET: + if(fld->m_len == sizeof(struct in_addr)) + { + return 4; + } + else + { + return sizeof(ipv6addr); + } case PT_SOCKADDR: case PT_SOCKTUPLE: case PT_FDLIST: @@ -1474,6 +1488,7 @@ uint8_t* sinsp_table::get_default_val(filtercheck_field_info* fld) return (uint8_t*)&m_zero_u64; case PT_PORT: case PT_IPV4ADDR: + case PT_IPV6ADDR: return NULL; default: ASSERT(false); diff --git a/userspace/libsinsp/threadinfo.cpp b/userspace/libsinsp/threadinfo.cpp index 823ed241a6..4aed0dbf04 100644 --- a/userspace/libsinsp/threadinfo.cpp +++ b/userspace/libsinsp/threadinfo.cpp @@ -282,8 +282,8 @@ void sinsp_threadinfo::add_fd_from_scap(scap_fdinfo *fdi, OUT sinsp_fdinfo_t *re } else { - copy_ipv6_address(newfdi->m_sockinfo.m_ipv6info.m_fields.m_sip, fdi->info.ipv6info.sip); - copy_ipv6_address(newfdi->m_sockinfo.m_ipv6info.m_fields.m_dip, fdi->info.ipv6info.dip); + copy_ipv6_address(newfdi->m_sockinfo.m_ipv6info.m_fields.m_sip.m_b, fdi->info.ipv6info.sip); + copy_ipv6_address(newfdi->m_sockinfo.m_ipv6info.m_fields.m_dip.m_b, fdi->info.ipv6info.dip); newfdi->m_sockinfo.m_ipv6info.m_fields.m_sport = fdi->info.ipv6info.sport; newfdi->m_sockinfo.m_ipv6info.m_fields.m_dport = fdi->info.ipv6info.dport; newfdi->m_sockinfo.m_ipv6info.m_fields.m_l4proto = fdi->info.ipv6info.l4proto; @@ -295,7 +295,7 @@ void sinsp_threadinfo::add_fd_from_scap(scap_fdinfo *fdi, OUT sinsp_fdinfo_t *re } break; case SCAP_FD_IPV6_SERVSOCK: - copy_ipv6_address(newfdi->m_sockinfo.m_ipv6serverinfo.m_ip, fdi->info.ipv6serverinfo.ip); + copy_ipv6_address(newfdi->m_sockinfo.m_ipv6serverinfo.m_ip.m_b, fdi->info.ipv6serverinfo.ip); newfdi->m_sockinfo.m_ipv6serverinfo.m_port = fdi->info.ipv6serverinfo.port; newfdi->m_sockinfo.m_ipv6serverinfo.m_l4proto = fdi->info.ipv6serverinfo.l4proto; newfdi->m_name = ipv6serveraddr_to_string(&newfdi->m_sockinfo.m_ipv6serverinfo, m_inspector->m_hostname_and_port_resolution_enabled); @@ -1130,14 +1130,14 @@ void sinsp_threadinfo::fd_to_scap(scap_fdinfo *dst, sinsp_fdinfo_t* src) dst->info.ipv4serverinfo.l4proto = src->m_sockinfo.m_ipv4serverinfo.m_l4proto; break; case SCAP_FD_IPV6_SOCK: - copy_ipv6_address(dst->info.ipv6info.sip, src->m_sockinfo.m_ipv6info.m_fields.m_sip); - copy_ipv6_address(dst->info.ipv6info.dip, src->m_sockinfo.m_ipv6info.m_fields.m_dip); + copy_ipv6_address(dst->info.ipv6info.sip, src->m_sockinfo.m_ipv6info.m_fields.m_sip.m_b); + copy_ipv6_address(dst->info.ipv6info.dip, src->m_sockinfo.m_ipv6info.m_fields.m_dip.m_b); dst->info.ipv6info.sport = src->m_sockinfo.m_ipv6info.m_fields.m_sport; dst->info.ipv6info.dport = src->m_sockinfo.m_ipv6info.m_fields.m_dport; dst->info.ipv6info.l4proto = src->m_sockinfo.m_ipv6info.m_fields.m_l4proto; break; case SCAP_FD_IPV6_SERVSOCK: - copy_ipv6_address(dst->info.ipv6serverinfo.ip, src->m_sockinfo.m_ipv6serverinfo.m_ip); + copy_ipv6_address(dst->info.ipv6serverinfo.ip, src->m_sockinfo.m_ipv6serverinfo.m_ip.m_b); dst->info.ipv6serverinfo.port = src->m_sockinfo.m_ipv6serverinfo.m_port; dst->info.ipv6serverinfo.l4proto = src->m_sockinfo.m_ipv6serverinfo.m_l4proto; break; diff --git a/userspace/libsinsp/tuples.cpp b/userspace/libsinsp/tuples.cpp new file mode 100644 index 0000000000..f8ff45b66a --- /dev/null +++ b/userspace/libsinsp/tuples.cpp @@ -0,0 +1,43 @@ +/* +Copyright (C) 2013-2018 Draios inc. + +This file is part of sysdig. + +sysdig is free software; you can redistribute it and/or modify +it under the terms of the GNU General Public License version 2 as +published by the Free Software Foundation. + +sysdig is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +GNU General Public License for more details. + +You should have received a copy of the GNU General Public License +along with sysdig. If not, see . +*/ + +#include + +ipv6addr ipv6addr::empty_address = {0x00000000, 0x00000000, 0x00000000, 0x00000000}; + +bool ipv6addr::operator==(const ipv6addr &other) +{ + return (m_b[0] == other.m_b[0] && + m_b[1] == other.m_b[1] && + m_b[2] == other.m_b[2] && + m_b[3] == other.m_b[3]); +} + +bool ipv6addr::operator!=(const ipv6addr &other) +{ + return !operator==(other); +} + +bool ipv6addr::in_subnet(const ipv6addr &other) +{ + // They're in the same subnet if the first 64 bits match + // (Assumes convention of first 48 bits for network, next 16 + // bits for subnet). + return (m_b[0] == other.m_b[0] && + m_b[1] == other.m_b[1]); +} diff --git a/userspace/libsinsp/tuples.h b/userspace/libsinsp/tuples.h index e46b8eac7e..e441771f60 100644 --- a/userspace/libsinsp/tuples.h +++ b/userspace/libsinsp/tuples.h @@ -18,7 +18,9 @@ along with sysdig. If not, see . #pragma once -/** @defgroup state State management +#include + +/** @defgroup state State management * @{ */ @@ -47,15 +49,27 @@ typedef struct ipv4net uint32_t m_netmask; ///< Subnet mask }ipv4net; +typedef struct _ipv6addr +{ + uint32_t m_b[4]; + + bool operator==(const _ipv6addr &other); + bool operator!=(const _ipv6addr &other); + bool in_subnet(const _ipv6addr &other); + + static struct _ipv6addr empty_address; +}ipv6addr; + + /*! \brief An IPv6 tuple. */ typedef union _ipv6tuple { - struct - { - uint32_t m_sip[4]; ///< source (i.e. client) address. - uint32_t m_dip[4]; ///< destination (i.e. server) address. + struct { + + ipv6addr m_sip; ///< source (i.e. client) address. + ipv6addr m_dip; ///< destination (i.e. server) address. uint16_t m_sport; ///< source (i.e. client) port. uint16_t m_dport; ///< destination (i.e. server) port. uint8_t m_l4proto; ///< Layer 4 protocol (e.g. TCP, UDP...) @@ -78,7 +92,7 @@ typedef struct ipv4serverinfo */ typedef struct ipv6serverinfo { - uint32_t m_ip[4]; ///< address + ipv6addr m_ip; ///< address uint16_t m_port; ///< port uint8_t m_l4proto; ///< IP protocol } ipv6serverinfo; diff --git a/userspace/libsinsp/utils.cpp b/userspace/libsinsp/utils.cpp index c0ab765d9e..f9232379df 100644 --- a/userspace/libsinsp/utils.cpp +++ b/userspace/libsinsp/utils.cpp @@ -436,10 +436,10 @@ bool sinsp_utils::sockinfo_to_str(sinsp_sockinfo* sinfo, scap_fd_type stype, cha } else if(stype == SCAP_FD_IPV6_SOCK) { - uint8_t* sip6 = (uint8_t*)sinfo->m_ipv6info.m_fields.m_sip; - uint8_t* dip6 = (uint8_t*)sinfo->m_ipv6info.m_fields.m_dip; - uint8_t* sip = ((uint8_t*)(sinfo->m_ipv6info.m_fields.m_sip)) + 12; - uint8_t* dip = ((uint8_t*)(sinfo->m_ipv6info.m_fields.m_dip)) + 12; + uint8_t* sip6 = (uint8_t*)sinfo->m_ipv6info.m_fields.m_sip.m_b; + uint8_t* dip6 = (uint8_t*)sinfo->m_ipv6info.m_fields.m_dip.m_b; + uint8_t* sip = ((uint8_t*)(sinfo->m_ipv6info.m_fields.m_sip.m_b)) + 12; + uint8_t* dip = ((uint8_t*)(sinfo->m_ipv6info.m_fields.m_dip.m_b)) + 12; if(sinfo->m_ipv6info.m_fields.m_l4proto == SCAP_L4_TCP || sinfo->m_ipv6info.m_fields.m_l4proto == SCAP_L4_UDP) @@ -470,9 +470,9 @@ bool sinsp_utils::sockinfo_to_str(sinsp_sockinfo* sinfo, scap_fd_type stype, cha targetbuf_size, "%s:%s->%s:%s", srcstr, - port_to_string(sinfo->m_ipv4info.m_fields.m_sport, sinfo->m_ipv6info.m_fields.m_l4proto, resolve).c_str(), + port_to_string(sinfo->m_ipv6info.m_fields.m_sport, sinfo->m_ipv6info.m_fields.m_l4proto, resolve).c_str(), dststr, - port_to_string(sinfo->m_ipv4info.m_fields.m_dport, sinfo->m_ipv6info.m_fields.m_l4proto, resolve).c_str()); + port_to_string(sinfo->m_ipv6info.m_fields.m_dport, sinfo->m_ipv6info.m_fields.m_l4proto, resolve).c_str()); return true; } } @@ -1079,7 +1079,7 @@ string ipv6serveraddr_to_string(ipv6serverinfo* addr, bool resolve) char address[100]; char buf[200]; - if(NULL == inet_ntop(AF_INET6, addr->m_ip, address, 100)) + if(NULL == inet_ntop(AF_INET6, addr->m_ip.m_b, address, 100)) { return string(); } @@ -1097,12 +1097,12 @@ string ipv6tuple_to_string(_ipv6tuple* tuple, bool resolve) char destination_address[100]; char buf[200]; - if(NULL == inet_ntop(AF_INET6, tuple->m_fields.m_sip, source_address, 100)) + if(NULL == inet_ntop(AF_INET6, tuple->m_fields.m_sip.m_b, source_address, 100)) { return string(); } - if(NULL == inet_ntop(AF_INET6, tuple->m_fields.m_dip, destination_address, 100)) + if(NULL == inet_ntop(AF_INET6, tuple->m_fields.m_dip.m_b, destination_address, 100)) { return string(); } diff --git a/userspace/libsinsp/utils.h b/userspace/libsinsp/utils.h index 07e3653379..893bf3921c 100644 --- a/userspace/libsinsp/utils.h +++ b/userspace/libsinsp/utils.h @@ -26,15 +26,12 @@ along with sysdig. If not, see . #include #include +#include #include #include "json/json.h" class sinsp_evttables; typedef union _sinsp_sockinfo sinsp_sockinfo; -typedef union _ipv4tuple ipv4tuple; -typedef union _ipv6tuple ipv6tuple; -typedef struct ipv4serverinfo ipv4serverinfo; -typedef struct ipv6serverinfo ipv6serverinfo; class filter_check_info; extern sinsp_evttables g_infotables; @@ -189,7 +186,7 @@ std::string sinsp_gethostname(); // each of these functions uses values in network byte order std::string ipv4tuple_to_string(ipv4tuple* tuple, bool resolve); -std::string ipv6tuple_to_string(_ipv6tuple* tuple, bool resolve); +std::string ipv6tuple_to_string(ipv6tuple* tuple, bool resolve); std::string ipv4serveraddr_to_string(ipv4serverinfo* addr, bool resolve); std::string ipv6serveraddr_to_string(ipv6serverinfo* addr, bool resolve); diff --git a/userspace/libsinsp/value_parser.cpp b/userspace/libsinsp/value_parser.cpp index a9688b784a..f2439ac3b9 100644 --- a/userspace/libsinsp/value_parser.cpp +++ b/userspace/libsinsp/value_parser.cpp @@ -122,12 +122,45 @@ size_t sinsp_filter_value_parser::string_to_rawval(const char* str, uint32_t len } break; - case PT_IPV4ADDR: + case PT_IPADDR: + if(memchr(str, '.', len) != NULL) + { + return string_to_rawval(str, len, storage, max_len, PT_IPV4ADDR); + } + else + { + return string_to_rawval(str, len, storage, max_len, PT_IPV6ADDR); + } + + break; + case PT_IPV4ADDR: if(inet_pton(AF_INET, str, storage) != 1) { - throw sinsp_exception("unrecognized IP address " + string(str)); + throw sinsp_exception("unrecognized IPv4 address " + string(str)); } parsed_len = sizeof(struct in_addr); + break; + case PT_IPV6ADDR: + case PT_IPV6NET: + { + ipv6addr *addr = (ipv6addr*) storage; + if(inet_pton(AF_INET6, str, addr->m_b) != 1) + { + throw sinsp_exception("unrecognized IPv6 address " + string(str)); + } + parsed_len = sizeof(ipv6addr); + break; + } + case PT_IPNET: + if(memchr(str, '.', len) != NULL) + { + return string_to_rawval(str, len, storage, max_len, PT_IPV4NET); + } + else + { + return string_to_rawval(str, len, storage, max_len, PT_IPV6NET); + } + break; case PT_IPV4NET: { diff --git a/userspace/sysdig/chisels/netstat.lua b/userspace/sysdig/chisels/netstat.lua index e3a35085de..7e43ed8b2f 100644 --- a/userspace/sysdig/chisels/netstat.lua +++ b/userspace/sysdig/chisels/netstat.lua @@ -45,7 +45,7 @@ end require "common" local dctable = {} local capturing = false -local filter = "(fd.type=ipv4)" +local filter = "(fd.type=ipv4 or fd.type=ipv6)" local match = false -- Argument notification callback diff --git a/userspace/sysdig/chisels/spy_ip.lua b/userspace/sysdig/chisels/spy_ip.lua index 99f0030c0f..79bd3e8a5b 100644 --- a/userspace/sysdig/chisels/spy_ip.lua +++ b/userspace/sysdig/chisels/spy_ip.lua @@ -66,8 +66,8 @@ function on_init() sysdig.set_snaplen(1000) -- set the filter - chisel.set_filter("evt.is_io=true and fd.type=ipv4 and fd.ip=" .. addr) - + chisel.set_filter("evt.is_io=true and (fd.type=ipv4 or fd.type=ipv6) and fd.ip=" .. addr) + return true end diff --git a/userspace/sysdig/chisels/spy_port.lua b/userspace/sysdig/chisels/spy_port.lua index 1b143d88ee..eb3412ba2e 100644 --- a/userspace/sysdig/chisels/spy_port.lua +++ b/userspace/sysdig/chisels/spy_port.lua @@ -65,7 +65,7 @@ function on_init() sysdig.set_snaplen(1000) -- set the filter - chisel.set_filter("evt.is_io=true and fd.type=ipv4 and fd.port=" .. port ) + chisel.set_filter("evt.is_io=true and (fd.type=ipv4 or fd.type=ipv6) and fd.port=" .. port ) return true end diff --git a/userspace/sysdig/chisels/v_port_bindings.lua b/userspace/sysdig/chisels/v_port_bindings.lua index b3465e19ef..c8560a3410 100644 --- a/userspace/sysdig/chisels/v_port_bindings.lua +++ b/userspace/sysdig/chisels/v_port_bindings.lua @@ -23,7 +23,7 @@ view_info = tags = {"default", "wsysdig", "nocsysdig"}, view_type = "list", applies_to = {""}, - filter = "(evt.type=bind and evt.dir=< and fd.type=ipv4) or (evt.type=close and evt.dir=> and fd.typechar=2 and fd.type=ipv4)", + filter = "(evt.type=bind and evt.dir=< and (fd.type=ipv4 or fd.type=ipv6)) or (evt.type=close and evt.dir=> and fd.typechar=2 and fd.type=ipv4)", use_defaults = true, columns = { diff --git a/userspace/sysdig/chisels/v_sports.lua b/userspace/sysdig/chisels/v_sports.lua index 7180b8a2d2..46316687d6 100644 --- a/userspace/sysdig/chisels/v_sports.lua +++ b/userspace/sysdig/chisels/v_sports.lua @@ -25,7 +25,7 @@ view_info = tags = {"wsysdig"}, view_type = "table", applies_to = {"", "container.id", "proc.pid", "thread.nametid", "thread.tid", "proc.name", "evt.res", "k8s.pod.id", "k8s.rc.id", "k8s.rs.id", "k8s.svc.id", "k8s.ns.id", "marathon.app.id", "marathon.group.name", "mesos.task.id", "mesos.framework.name"}, - filter = "fd.type=ipv4 and fd.name!=''", + filter = "(fd.type=ipv4 or fd.type=ipv6) and fd.name!=''", use_defaults = true, drilldown_target = "connections", columns = diff --git a/userspace/sysdig/chisels/wsysdig_summary.lua b/userspace/sysdig/chisels/wsysdig_summary.lua index 5ab9a0e815..57ad479b57 100644 --- a/userspace/sysdig/chisels/wsysdig_summary.lua +++ b/userspace/sysdig/chisels/wsysdig_summary.lua @@ -1162,7 +1162,7 @@ function build_output(captureDuration) category = 'performance', targetView = 'echo', targetViewTitle = 'HTTP responses', - targetViewFilter = 'fd.type=ipv4 and evt.buffer contains "HTTP/"', + targetViewFilter = '(fd.type=ipv4 or fd.type=ipv6) and evt.buffer contains "HTTP/"', drillDownKey = 'fd.directory', data = gsummary.sysReqCountHttp } @@ -1175,7 +1175,7 @@ function build_output(captureDuration) category = 'performance', targetView = 'echo', targetViewTitle = 'HTTP responses', - targetViewFilter = 'fd.type=ipv4 and evt.arg.data startswith "HTTP/" and not evt.arg.data contains "200"', + targetViewFilter = '(fd.type=ipv4 or fd.type=ipv6) and evt.arg.data startswith "HTTP/" and not evt.arg.data contains "200"', drillDownKey = 'fd.directory', data = gsummary.sysErrCountHttp }