allow to customize ebpf options

Allow to customize:

 - EventsWorkers: number of goroutines to handle kernel events.
   Default 8.

 - QueueEventsSize: max number of events in the queue.
   By default 0, meaning that it'll relay on the available goroutines to
   process the events. If it's > 0, and the daemon can't process the
   events fast enough, they'll be queued. Once the queue is full, it'll
   behave as it was of size 0.

If there're lost events, a message will be logged: "Lost ebpf events..."

Author: gustavo-iniguez-goya

daemon/main.go

@@ -614,7 +614,7 @@ func main() {
 	// overwrite monitor method from configuration if the user has passed
 	// the option via command line.
 	if procmonMethod != "" {
-		if err := monitor.ReconfigureMonitorMethod(procmonMethod, cfg.Ebpf.ModulesPath); err != nil {
+		if err := monitor.ReconfigureMonitorMethod(procmonMethod, cfg.Ebpf); err != nil {
 			msg := fmt.Sprintf("Unable to set process monitor method via parameter: %v", err)
 			uiClient.SendWarningAlert(msg)
 			log.Warning(msg)

daemon/procmon/ebpf/config.go

@@ -0,0 +1,41 @@
+package ebpf
+
+import "github.com/evilsocket/opensnitch/daemon/log"
+
+// Config holds the configuration to customize ebpf module behaviour.
+type Config struct {
+	ModulesPath string `json:"ModulesPath"`
+
+	// system default value is 8, but it's not enough to handle "high" loads such
+	// http downloads, torrent traffic, etc. (just regular desktop usage)
+	// We set it to 64 by default (* PAGE_SIZE, which is usually 4a).
+	RingBuffSize int `json:"RingBuffSize"`
+
+	// number of workers to handle events from kernel
+	EventsWorkers int `json:"EventsWorkers"`
+
+	// max number of events in the queue received from the kernel.
+	// 0 - Default behaviour. Each goroutine will wait for incoming messages, to
+	//     dispatch them one at a time.
+	// > 0 - same as above, but if the daemon is not fast enough to dispatch the
+	// events, they'll be queued. Once the daemon queue is full, kernel ebpf program
+	// will have to wait/discard new events. (XXX: citation/testing needed).
+	QueueEventsSize int `json:"QueueEventsSize"`
+}
+
+func setConfig(ebpfOpts Config) {
+	ebpfCfg = ebpfOpts
+
+	// ModulesPath defined in core.ebpf
+	// QueueEventsSize defaults to 0
+
+	if ebpfCfg.EventsWorkers == 0 {
+		ebpfCfg.EventsWorkers = 8
+	}
+
+	if ebpfCfg.RingBuffSize == 0 {
+		ebpfCfg.RingBuffSize = 64
+	}
+
+	log.Debug("[eBPF] config loaded: %v", ebpfCfg)
+}

daemon/procmon/ebpf/ebpf.go

@@ -16,15 +16,15 @@ import (
 	"github.com/vishvananda/netlink"
 )
 
-//contains pointers to ebpf maps for a given protocol (tcp/udp/v6)
+// contains pointers to ebpf maps for a given protocol (tcp/udp/v6)
 type ebpfMapsForProto struct {
 	bpfmap *elf.Map
 }
 
 //Not in use, ~4usec faster lookup compared to m.LookupElement()
 
-//mimics union bpf_attr's anonymous struct used by BPF_MAP_*_ELEM commands
-//from <linux_headers>/include/uapi/linux/bpf.h
+// mimics union bpf_attr's anonymous struct used by BPF_MAP_*_ELEM commands
+// from <linux_headers>/include/uapi/linux/bpf.h
 type bpf_lookup_elem_t struct {
 	map_fd uint64 //even though in bpf.h its type is __u32, we must make it 8 bytes long
 	//because "key" is of type __aligned_u64, i.e. "key" must be aligned on an 8-byte boundary
@@ -52,11 +52,11 @@ type Error struct {
 }
 
 var (
-	m, perfMod  *elf.Module
-	lock        = sync.RWMutex{}
-	mapSize     = uint(12000)
-	ebpfMaps    map[string]*ebpfMapsForProto
-	modulesPath string
+	m, perfMod *elf.Module
+	ebpfCfg    Config
+	lock       = sync.RWMutex{}
+	mapSize    = uint(12000)
+	ebpfMaps   map[string]*ebpfMapsForProto
 
 	//connections which were established at the time when opensnitch started
 	alreadyEstablished = alreadyEstablishedConns{
@@ -76,9 +76,9 @@ var (
 	hostByteOrder binary.ByteOrder
 )
 
-//Start installs ebpf kprobes
-func Start(modPath string) *Error {
-	modulesPath = modPath
+// Start installs ebpf kprobes
+func Start(ebpfOpts Config) *Error {
+	setConfig(ebpfOpts)
 
 	setRunning(false)
 	if err := mountDebugFS(); err != nil {
@@ -88,7 +88,7 @@ func Start(modPath string) *Error {
 		}
 	}
 	var err error
-	m, err = core.LoadEbpfModule("opensnitch.o", modulesPath)
+	m, err = core.LoadEbpfModule("opensnitch.o", ebpfCfg.ModulesPath)
 	if err != nil {
 		dispatchErrorEvent(fmt.Sprint("[eBPF]: ", err.Error()))
 		return &Error{NotAvailable, fmt.Errorf("[eBPF] Error loading opensnitch.o: %s", err.Error())}
@@ -180,10 +180,6 @@ func Stop() {
 	cancelTasks()
 	ebpfCache.clear()
 
-	if m != nil {
-		m.Close()
-	}
-
 	for pm := range perfMapList {
 		if pm != nil {
 			pm.PollStop()
@@ -195,12 +191,16 @@ func Stop() {
 			delete(perfMapList, k)
 		}
 	}
+	if m != nil {
+		m.Close()
+	}
+
 	if perfMod != nil {
 		perfMod.Close()
 	}
 }
 
-//make bpf() syscall with bpf_lookup prepared by the caller
+// make bpf() syscall with bpf_lookup prepared by the caller
 func makeBpfSyscall(bpf_lookup *bpf_lookup_elem_t) uintptr {
 	BPF_MAP_LOOKUP_ELEM := 1 //cmd number
 	syscall_BPF := 321       //syscall number

daemon/procmon/ebpf/events.go

@@ -64,21 +64,14 @@ const (
 
 var (
 	perfMapList = make(map[*elf.PerfMap]*elf.Module)
-	// total workers spawned by the different events PerfMaps
-	eventWorkers = 0
-	perfMapName  = "proc-events"
-
-	// default value is 8.
-	// Not enough to handle high loads such http downloads, torent traffic, etc.
-	// (regular desktop usage)
-	ringBuffSize = 64 // * PAGE_SIZE (4k usually)
+	perfMapName = "proc-events"
 )
 
 func initEventsStreamer() *Error {
 	elfOpts := make(map[string]elf.SectionParams)
-	elfOpts["maps/"+perfMapName] = elf.SectionParams{PerfRingBufferPageCount: ringBuffSize}
+	elfOpts["maps/"+perfMapName] = elf.SectionParams{PerfRingBufferPageCount: ebpfCfg.RingBuffSize}
 	var err error
-	perfMod, err = core.LoadEbpfModule("opensnitch-procs.o", modulesPath)
+	perfMod, err = core.LoadEbpfModule("opensnitch-procs.o", ebpfCfg.ModulesPath)
 	if err != nil {
 		dispatchErrorEvent(fmt.Sprint("[eBPF events]: ", err))
 		return &Error{EventsNotAvailable, err}
@@ -110,6 +103,7 @@ Verify that your kernel has support for tracepoints (opensnitchd -check-requirem
 	}
 
 	if err = perfMod.EnableKprobes(0); err != nil {
+		log.Error("Error enabling kprobe: %s", err)
 		// if previous shutdown was unclean, then we must remove the dangling kprobe
 		// and install it again (close the module and load it again)
 		perfMod.Close()
@@ -128,7 +122,6 @@ Verify that your kernel has support for tracepoints (opensnitchd -check-requirem
 		<-sig
 	}(sig)
 
-	eventWorkers = 0
 	if err := initPerfMap(perfMod); err != nil {
 		return &Error{EventsNotAvailable, err}
 	}
@@ -137,7 +130,7 @@ Verify that your kernel has support for tracepoints (opensnitchd -check-requirem
 }
 
 func initPerfMap(mod *elf.Module) error {
-	perfChan := make(chan []byte)
+	perfChan := make(chan []byte, ebpfCfg.QueueEventsSize)
 	lostEvents := make(chan uint64, 1)
 	var err error
 	perfMap, err := elf.InitPerfMap(mod, perfMapName, perfChan, lostEvents)
@@ -147,8 +140,7 @@ func initPerfMap(mod *elf.Module) error {
 	}
 	perfMapList[perfMap] = mod
 
-	eventWorkers += 8
-	for i := 0; i < eventWorkers; i++ {
+	for i := 0; i < ebpfCfg.EventsWorkers; i++ {
 		go streamEventsWorker(i, perfChan, lostEvents, kernelEvents)
 	}
 	perfMap.PollStart()
@@ -174,7 +166,7 @@ func streamEventsWorker(id int, chn chan []byte, lost chan uint64, kernelEvents
 		case <-ctxTasks.Done():
 			goto Exit
 		case l := <-lost:
-			log.Debug("Lost ebpf events: %d", l)
+			log.Debug("Lost ebpf events (try increasing QueueEventsSize/EventsWorkers): %d", l)
 		case d := <-chn:
 			if err := binary.Read(bytes.NewBuffer(d), hostByteOrder, &event); err != nil {
 				log.Debug("[eBPF events #%d] error: %s", id, err)

daemon/procmon/monitor/init.go

@@ -50,7 +50,7 @@ func stopProcMonitors() {
 }
 
 // ReconfigureMonitorMethod configures a new method for parsing connections.
-func ReconfigureMonitorMethod(newMonitorMethod, ebpfModulesPath string) *Error {
+func ReconfigureMonitorMethod(newMonitorMethod string, ebpfCfg ebpf.Config) *Error {
 	oldMethod := procmon.GetMonitorMethod()
 	if oldMethod == "" {
 		oldMethod = procmon.MethodProc
@@ -60,7 +60,7 @@ func ReconfigureMonitorMethod(newMonitorMethod, ebpfModulesPath string) *Error {
 	// if the new monitor method fails to start, rollback the change and exit
 	// without saving the configuration. Otherwise we can end up with the wrong
 	// monitor method configured and saved to file.
-	err := Init(ebpfModulesPath)
+	err := Init(ebpfCfg)
 	if err.What > NoError {
 		log.Error("Reconf() -> Init() error: %v", err)
 		procmon.SetMonitorMethod(oldMethod)
@@ -72,6 +72,7 @@ func ReconfigureMonitorMethod(newMonitorMethod, ebpfModulesPath string) *Error {
 
 // End stops the way of parsing new connections.
 func End() {
+	log.Debug("monitor.End()")
 	stopProcMonitors()
 	if procmon.MethodIsAudit() {
 		audit.Stop()
@@ -81,7 +82,7 @@ func End() {
 }
 
 // Init starts parsing connections using the method specified.
-func Init(ebpfModulesPath string) (errm *Error) {
+func Init(ebpfCfg ebpf.Config) (errm *Error) {
 	errm = &Error{}
 
 	if cacheMonitorsRunning == false {
@@ -90,7 +91,7 @@ func Init(ebpfModulesPath string) (errm *Error) {
 	}
 
 	if procmon.MethodIsEbpf() {
-		err := ebpf.Start(ebpfModulesPath)
+		err := ebpf.Start(ebpfCfg)
 		if err == nil {
 			log.Info("Process monitor method ebpf")
 			return errm

daemon/ui/config/config.go

@@ -9,6 +9,7 @@ import (
 
 	"github.com/evilsocket/opensnitch/daemon/log"
 	"github.com/evilsocket/opensnitch/daemon/log/loggers"
+	"github.com/evilsocket/opensnitch/daemon/procmon/ebpf"
 	"github.com/evilsocket/opensnitch/daemon/statistics"
 )
 
@@ -61,11 +62,6 @@ type (
 		QueueNum        uint16 `json:"QueueNum"`
 	}
 
-	// EbpfOptions struct
-	EbpfOptions struct {
-		ModulesPath string `json:"ModulesPath"`
-	}
-
 	// InternalOptions struct
 	InternalOptions struct {
 		GCPercent         int  `json:"GCPercent"`
@@ -81,7 +77,7 @@ type Config struct {
 	DefaultDuration   string                 `json:"DefaultDuration"`
 	ProcMonitorMethod string                 `json:"ProcMonitorMethod"`
 	FwOptions         FwOptions              `json:"FwOptions"`
-	Ebpf              EbpfOptions            `json:"Ebpf"`
+	Ebpf              ebpf.Config            `json:"Ebpf"`
 	Server            ServerConfig           `json:"Server"`
 	Rules             RulesOptions           `json:"Rules"`
 	Internal          InternalOptions        `json:"Internal"`

daemon/ui/config_utils.go

@@ -197,14 +197,15 @@ func (c *Client) reloadConfiguration(reload bool, newConfig config.Config) *moni
 		log.Debug("[config] config.ProcMonMethod not changed")
 	}
 
-	if reload && procmon.MethodIsEbpf() && newConfig.Ebpf.ModulesPath != "" && c.config.Ebpf.ModulesPath != newConfig.Ebpf.ModulesPath {
-		log.Debug("[config] reloading config.Ebpf.ModulesPath: %s", newConfig.Ebpf.ModulesPath)
+	if reload && procmon.MethodIsEbpf() &&
+		!reflect.DeepEqual(newConfig.Ebpf, c.config.Ebpf) {
+		log.Debug("[config] reloading config.Ebpf: %v", newConfig.Ebpf)
 		reloadProc = true
 	} else {
 		log.Debug("[config] config.Ebpf.ModulesPath not changed")
 	}
 	if reloadProc {
-		err := monitor.ReconfigureMonitorMethod(newConfig.ProcMonitorMethod, newConfig.Ebpf.ModulesPath)
+		err := monitor.ReconfigureMonitorMethod(newConfig.ProcMonitorMethod, newConfig.Ebpf)
 		if err != nil && err.What > monitor.NoError {
 			return err
 		}

daemon/ui/notifications.go

@@ -202,7 +202,7 @@ func (c *Client) handleActionStopMonitorProcess(stream protocol.UI_Notifications
 
 func (c *Client) handleActionEnableInterception(stream protocol.UI_NotificationsClient, notification *protocol.Notification) {
 	log.Info("[notification] starting interception")
-	if err := monitor.ReconfigureMonitorMethod(c.config.ProcMonitorMethod, c.config.Ebpf.ModulesPath); err != nil && err.What > monitor.NoError {
+	if err := monitor.ReconfigureMonitorMethod(c.config.ProcMonitorMethod, c.config.Ebpf); err != nil && err.What > monitor.NoError {
 		log.Warning("[notification] error enabling monitor (%s): %s", c.config.ProcMonitorMethod, err.Msg)
 		c.sendNotificationReply(stream, notification.Id, "", err.Msg)
 		return