NETOBSERV-1245: fix TCP DNS query

Signed-off-by: msherif1234 <[email protected]>
netobserv · Aug 14, 2023 · 18dce71 · 18dce71
1 parent 6d9d2e7
commit 18dce71
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 4 deletions.
diff --git a/bpf/dns_tracker.h b/bpf/dns_tracker.h
@@ -22,8 +22,6 @@ struct dns_header {
 static inline void find_or_create_dns_flow(flow_id *id, struct dns_header *dns, int len, u16 flags, u64 latency) {
     flow_metrics *aggregate_flow = bpf_map_lookup_elem(&aggregated_flows, id);
     u64 current_time = bpf_ktime_get_ns();
-    // net_dev_queue trace point hook will run before TC hooks, so the flow shouldn't exists, if it does
-    // that indicates we have a stale DNS query/response or in the middle of TCP flow so we will do nothing
     if (aggregate_flow == NULL) {
         // there is no matching flows so lets create new one and dns info
          flow_metrics new_flow;
@@ -37,6 +35,15 @@ static inline void find_or_create_dns_flow(flow_id *id, struct dns_header *dns,
          new_flow.dns_record.flags = bpf_ntohs(dns->flags);
          new_flow.dns_record.latency = latency;
         bpf_map_update_elem(&aggregated_flows, id, &new_flow, BPF_ANY);
+    } else {
+        aggregate_flow->packets += 1;
+        aggregate_flow->bytes += len;
+        aggregate_flow->end_mono_time_ts = current_time;
+        aggregate_flow->flags |= flags;
+        aggregate_flow->dns_record.id = bpf_ntohs(dns->id);
+        aggregate_flow->dns_record.flags = bpf_ntohs(dns->flags);
+        aggregate_flow->dns_record.latency = latency;
+        bpf_map_update_elem(&aggregated_flows, id, aggregate_flow, BPF_ANY);
     }
 }
 
@@ -73,7 +80,7 @@ static inline int trace_dns(struct sk_buff *skb) {
 
     switch (protocol) {
     case IPPROTO_UDP:
-        len = set_key_with_udp_info(skb, &id, IPPROTO_UDP);
+        len = set_key_with_udp_info(skb, &id, protocol);
         // make sure udp payload doesn't exceed max msg size
         if (len - sizeof(struct udphdr) > UDP_MAXMSG) {
             return -1;
@@ -82,7 +89,8 @@ static inline int trace_dns(struct sk_buff *skb) {
         len = sizeof(struct udphdr);
         break;
     case IPPROTO_TCP:
-        len = set_key_with_tcp_info(skb, &id, IPPROTO_TCP, &flags);
+        len = set_key_with_tcp_info(skb, &id, protocol, &flags);
+        len += 2; // for DNS over TCP there are two bytes of length before DNS header
         break;
     default:
         return -1;

diff --git a/pkg/ebpf/bpf_bpfeb.o b/pkg/ebpf/bpf_bpfeb.o
diff --git a/pkg/ebpf/bpf_bpfel.o b/pkg/ebpf/bpf_bpfel.o