bpf: classify postgres in ebpf, add large buffers and errors support (#369)

Author: mmat11

bpf/bpfcore/utils.h

@@ -59,4 +59,8 @@
                  : "+r"(VAR)                                                                       \
                  : [max] "i"(UMAX))
 
+static __always_inline bool is_pow2(u32 n) {
+    return n != 0UL && (n & (n - 1)) == 0UL;
+}
+
 #endif /* __UTILS_H__ */

bpf/common/common.h

@@ -39,13 +39,7 @@
 #define HTTP_CONTENT_TYPE_MAX_LEN 16
 
 volatile const u32 mysql_buffer_size = 0;
-
-enum {
-    k_mysql_query_max = 8192,
-    k_mysql_query_max_mask = k_mysql_query_max - 1,
-    k_mysql_error_message_max = 512,
-    k_mysql_error_message_max_mask = k_mysql_error_message_max - 1
-};
+volatile const u32 postgres_buffer_size = 0;
 
 enum large_buf_action : u8 {
     k_large_buf_action_init = 0,

bpf/common/connection_info.h

@@ -14,6 +14,7 @@ enum protocol_type : u8 {
     // in userspace.
     k_protocol_type_unknown = 0,
     k_protocol_type_mysql = 1,
+    k_protocol_type_postgres = 2,
 };
 
 // Struct to keep information on the connections in flight

bpf/generictracer/k_tracer.c

@@ -18,6 +18,7 @@
 #include <generictracer/protocol_http.h>
 #include <generictracer/protocol_http2.h>
 #include <generictracer/protocol_mysql.h>
+#include <generictracer/protocol_postgres.h>
 #include <generictracer/protocol_tcp.h>
 #include <generictracer/ssl_defs.h>
 
@@ -953,10 +954,15 @@ int obi_handle_buf_with_args(void *ctx) {
     } else if (is_mysql(&args->pid_conn.conn,
                         (const unsigned char *)args->u_buf,
                         args->bytes_len,
-                        &args->packet_type,
                         &args->protocol_type)) {
         bpf_dbg_printk("Found mysql connection");
         bpf_tail_call(ctx, &jump_table, k_tail_protocol_tcp);
+    } else if (is_postgres(&args->pid_conn.conn,
+                           (const unsigned char *)args->u_buf,
+                           args->bytes_len,
+                           &args->protocol_type)) {
+        bpf_dbg_printk("Found postgres connection");
+        bpf_tail_call(ctx, &jump_table, k_tail_protocol_tcp);
     } else { // large request tracking and generic TCP
         http_info_t *info = bpf_map_lookup_elem(&ongoing_http, &args->pid_conn);
 

bpf/generictracer/protocol_mysql.h

@@ -2,6 +2,7 @@
 
 #include <bpfcore/vmlinux.h>
 #include <bpfcore/bpf_helpers.h>
+#include <bpfcore/utils.h>
 
 #include <common/common.h>
 #include <common/connection_info.h>
@@ -54,8 +55,8 @@ enum {
     k_mysql_com_stmt_execute = 0x17,
 
     // Large buffer
-    k_large_buf_max_size = 1 << 14, // 16K
-    k_large_buf_max_size_mask = k_large_buf_max_size - 1,
+    k_mysql_large_buf_max_size = 1 << 14, // 16K
+    k_mysql_large_buf_max_size_mask = k_mysql_large_buf_max_size - 1,
 
     // Sanity checks
     k_mysql_payload_length_max = 1 << 13, // 8K
@@ -68,7 +69,7 @@ struct {
     __uint(max_entries, MAX_CONCURRENT_REQUESTS);
 } mysql_state SEC(".maps");
 
-SCRATCH_MEM_SIZED(mysql_large_buffers, k_large_buf_max_size);
+SCRATCH_MEM_SIZED(mysql_large_buffers, k_mysql_large_buf_max_size);
 
 // This function is used to store the MySQL header if it comes in split packets
 // from double send.
@@ -124,8 +125,12 @@ static __always_inline int mysql_read_fixup_buffer(const connection_info_t *conn
                                                    const unsigned char *data,
                                                    u32 data_len) {
     u8 offset = 0;
-    const u8 buf_len_mask =
-        mysql_buffer_size - 1; // mysql_buffer_size is guaranteed to be a power of 2
+
+    if (!is_pow2(mysql_buffer_size)) {
+        bpf_dbg_printk("mysql_read_fixup_buffer: bug: mysql_buffer_size is not a power of 2");
+        return -1;
+    }
+    const u8 buf_len_mask = mysql_buffer_size - 1;
 
     struct mysql_state_data *state_data = bpf_map_lookup_elem(&mysql_state, conn_info);
     if (state_data != NULL) {
@@ -185,7 +190,7 @@ static __always_inline int mysql_send_large_buffer(tcp_req_t *req,
     req->has_large_buffers = true;
     bpf_ringbuf_output(&events,
                        large_buf,
-                       (sizeof(tcp_large_buffer_t) + written) & k_large_buf_max_size_mask,
+                       (sizeof(tcp_large_buffer_t) + written) & k_mysql_large_buf_max_size_mask,
                        get_flags());
     return 0;
 }
@@ -202,8 +207,12 @@ static __always_inline u32 mysql_command_offset(struct mysql_hdr *hdr) {
 static __always_inline u8 is_mysql(connection_info_t *conn_info,
                                    const unsigned char *data,
                                    u32 data_len,
-                                   u8 *packet_type,
                                    enum protocol_type *protocol_type) {
+    if (*protocol_type != k_protocol_type_mysql && *protocol_type != k_protocol_type_unknown) {
+        // Already classified, not mysql.
+        return 0;
+    }
+
     if (mysql_store_state_data(conn_info, data, (size_t)data_len) < 0) {
         bpf_dbg_printk("is_mysql: 4 bytes packet, storing state data");
         return 0;
@@ -246,7 +255,6 @@ static __always_inline u8 is_mysql(connection_info_t *conn_info,
                 "is_mysql: COM_QUERY or COM_PREPARE found, but buf doesn't contain a sql query");
             return 0;
         }
-        *packet_type = PACKET_TYPE_REQUEST;
         break;
     case k_mysql_com_stmt_execute:
         // COM_STMT_EXECUTE packet structure:
@@ -259,7 +267,6 @@ static __always_inline u8 is_mysql(connection_info_t *conn_info,
             // Already identified, mark this as a request.
             // NOTE: Trying to classify the connection based on this command
             // would be unreliable, as the check is too shallow.
-            *packet_type = PACKET_TYPE_REQUEST;
             break;
         }
         return 0;
@@ -270,7 +277,6 @@ static __always_inline u8 is_mysql(connection_info_t *conn_info,
             // If the request came in split packets, the sequence ID will be 2 (hdr->hdr_arrived == false) or 3 (hdr->hdr_arrived == true).
             bpf_dbg_printk("is_mysql: already identified as MySQL protocol");
             if ((hdr.sequence_id == 1 && !hdr.hdr_arrived) || hdr.sequence_id > 1) {
-                *packet_type = PACKET_TYPE_RESPONSE;
                 break;
             }
             bpf_dbg_printk(
@@ -285,6 +291,6 @@ static __always_inline u8 is_mysql(connection_info_t *conn_info,
     *protocol_type = k_protocol_type_mysql;
     bpf_map_update_elem(&protocol_cache, conn_info, protocol_type, BPF_ANY);
 
-    bpf_dbg_printk("is_mysql: mysql! command_id=%d packet_type=%d", hdr.command_id, *packet_type);
+    bpf_dbg_printk("is_mysql: mysql! command_id=%d", hdr.command_id);
     return 1;
 }

bpf/generictracer/protocol_postgres.h

@@ -0,0 +1,167 @@
+#pragma once
+
+#include <bpfcore/vmlinux.h>
+#include <bpfcore/bpf_endian.h>
+#include <bpfcore/bpf_helpers.h>
+#include <bpfcore/utils.h>
+
+#include <common/common.h>
+#include <common/connection_info.h>
+#include <common/http_types.h>
+#include <common/pin_internal.h>
+#include <common/ringbuf.h>
+#include <common/runtime.h>
+#include <common/scratch_mem.h>
+#include <common/sql.h>
+#include <common/tp_info.h>
+#include <common/trace_common.h>
+
+#include <generictracer/protocol_common.h>
+#include <generictracer/k_tracer_tailcall.h>
+
+#include <generictracer/maps/protocol_cache.h>
+
+#include <maps/active_ssl_connections.h>
+
+struct postgres_hdr {
+    u32 message_len;
+    u8 message_type;
+    u8 _pad[3];
+};
+
+enum {
+    // Postgres header
+    k_pg_hdr_size = 5,
+    k_pg_messages_in_packet_max = 10,
+
+    // Postgres frontend message types
+    k_pg_msg_bind = 'B',    // Bind a named portal to a prepared statement
+    k_pg_msg_execute = 'E', // Execute a portal
+    k_pg_msg_parse = 'P',   // Parses a query and creates a prepared statement
+    k_pg_msg_query = 'Q',   // Executes a simple SQL query
+
+    // Large buffer
+    k_pg_large_buf_max_size = 1 << 14, // 16K
+    k_pg_large_buf_max_size_mask = k_pg_large_buf_max_size - 1,
+};
+
+SCRATCH_MEM_SIZED(postgres_large_buffers, k_pg_large_buf_max_size);
+
+// Emit a large buffer event for Postgres protocol.
+// The return value is used to control the flow for this specific protocol.
+// -1: wait additional data; 0: continue, regardless of errors.
+static __always_inline int postgres_send_large_buffer(tcp_req_t *req,
+                                                      pid_connection_info_t *pid_conn,
+                                                      const void *u_buf,
+                                                      u32 bytes_len,
+                                                      u8 direction,
+                                                      enum large_buf_action action) {
+    if (!is_pow2(postgres_buffer_size)) {
+        bpf_dbg_printk("postgres_send_large_buffer: bug: postgres_buffer_size is not a power of 2");
+        return -1;
+    }
+    const u8 buf_len_mask = postgres_buffer_size - 1;
+
+    tcp_large_buffer_t *large_buf = (tcp_large_buffer_t *)postgres_large_buffers_mem();
+    if (!large_buf) {
+        bpf_dbg_printk(
+            "postgres_send_large_buffer: failed to reserve space for Postgres large buffer");
+        return 0;
+    }
+
+    large_buf->type = EVENT_TCP_LARGE_BUFFER;
+    large_buf->direction = direction;
+    large_buf->action = action;
+    __builtin_memcpy((void *)&large_buf->tp, (void *)&req->tp, sizeof(tp_info_t));
+
+    large_buf->len = bytes_len;
+    if (large_buf->len >= postgres_buffer_size) {
+        large_buf->len = postgres_buffer_size;
+        bpf_dbg_printk("WARN: postgres_send_large_buffer: buffer is full, truncating data");
+    }
+    bpf_probe_read(large_buf->buf, large_buf->len & buf_len_mask, u_buf);
+
+    req->has_large_buffers = true;
+    bpf_ringbuf_output(&events,
+                       large_buf,
+                       (sizeof(tcp_large_buffer_t) + large_buf->len) & k_pg_large_buf_max_size_mask,
+                       get_flags());
+    return 0;
+}
+
+static __always_inline struct postgres_hdr postgres_parse_hdr(const unsigned char *data) {
+    struct postgres_hdr hdr = {};
+
+    u8 header[k_pg_hdr_size] = {};
+    bpf_probe_read(header, k_pg_hdr_size, data);
+
+    u32 message_len_le;
+    __builtin_memcpy(&message_len_le, header + 1, sizeof(message_len_le));
+
+    hdr.message_type = header[0];
+    hdr.message_len = bpf_ntohl(message_len_le);
+
+    return hdr;
+}
+
+static __always_inline u8 is_postgres(connection_info_t *conn_info,
+                                      const unsigned char *data,
+                                      u32 data_len,
+                                      enum protocol_type *protocol_type) {
+    if (*protocol_type != k_protocol_type_postgres && *protocol_type != k_protocol_type_unknown) {
+        // Already classified, not postgres.
+        return 0;
+    }
+
+    if (data_len < k_pg_hdr_size) {
+        bpf_dbg_printk("is_postgres: data_len is too short: %d", data_len);
+        return 0;
+    }
+
+    size_t message_size = 0;
+    struct postgres_hdr hdr;
+    bool includes_known_command = false;
+
+    for (u8 i = 0; i < k_pg_messages_in_packet_max; i++) {
+        if (message_size + k_pg_hdr_size > data_len) {
+            break;
+        }
+
+        hdr = postgres_parse_hdr(data + message_size);
+
+        message_size += hdr.message_len + 1;
+        if (hdr.message_len == 0) {
+            break;
+        }
+
+        switch (hdr.message_type) {
+        case k_pg_msg_query:
+        case k_pg_msg_parse:
+        case k_pg_msg_bind:
+        case k_pg_msg_execute:
+            includes_known_command = true;
+            break;
+        default:
+            bpf_dbg_printk("postgres_detect: unhandled message type 0x%x", hdr.message_type);
+            return 0;
+        }
+    }
+
+    if (message_size != data_len) {
+        bpf_dbg_printk("is_postgres: message length mismatch: message_size=%d data_len=%u",
+                       message_size,
+                       data_len);
+        return 0;
+    }
+
+    if (!includes_known_command) {
+        bpf_dbg_printk("is_postgres: no known command found");
+        return 0;
+    }
+
+    *protocol_type = k_protocol_type_postgres;
+    bpf_map_update_elem(&protocol_cache, conn_info, protocol_type, BPF_ANY);
+
+    bpf_dbg_printk("is_postgres: postgres! message_type=%u", hdr.message_type);
+    return 1;
+}

bpf/generictracer/protocol_tcp.h

@@ -11,6 +11,7 @@
 
 #include <generictracer/protocol_common.h>
 #include <generictracer/protocol_mysql.h>
+#include <generictracer/protocol_postgres.h>
 
 #include <generictracer/maps/ongoing_tcp_req.h>
 #include <generictracer/maps/tcp_req_mem.h>
@@ -111,6 +112,11 @@ static __always_inline int tcp_send_large_buffer(tcp_req_t *req,
             ret = mysql_send_large_buffer(req, pid_conn, u_buf, bytes_len, direction, action);
         }
         break;
+    case k_protocol_type_postgres:
+        if (postgres_buffer_size > 0) {
+            ret = postgres_send_large_buffer(req, pid_conn, u_buf, bytes_len, direction, action);
+        }
+        break;
     case k_protocol_type_unknown:
         break;
     }

pkg/app/request/span.go

@@ -291,16 +291,23 @@ func (s *Span) SQLErrorDescription() string {
 		return ""
 	}
 
+	var codeString string
+	if s.SQLError.Code == 0 {
+		codeString = "NA"
+	} else {
+		codeString = strconv.FormatUint(uint64(s.SQLError.Code), 10)
+	}
+
 	if s.SQLCommand == "" {
 		return fmt.Sprintf(
-			"SQL Server errored: error_code=%d sql_state=%s message=%s",
-			s.SQLError.Code, s.SQLError.SQLState, s.SQLError.Message,
+			"SQL Server errored: error_code=%s sql_state=%s message=%s",
+			codeString, s.SQLError.SQLState, s.SQLError.Message,
 		)
 	}
 
 	return fmt.Sprintf(
-		"SQL Server errored for command 'COM_%s': error_code=%d sql_state=%s message=%s",
-		s.SQLCommand, s.SQLError.Code, s.SQLError.SQLState, s.SQLError.Message,
+		"SQL Server errored for command 'COM_%s': error_code=%s sql_state=%s message=%s",
+		s.SQLCommand, codeString, s.SQLError.SQLState, s.SQLError.Message,
 	)
 }
 

pkg/components/ebpf/common/common.go

@@ -63,6 +63,7 @@ const (
 const (
 	ProtocolTypeUnknown uint8 = iota
 	ProtocolTypeMySQL
+	ProtocolTypePostgres
 )
 
 var IntegrityModeOverride = false

pkg/components/ebpf/common/sql_detect_mysql.go

@@ -100,11 +100,7 @@ func handleMySQL(parseCtx *EBPFParseContext, event *TCPRequestInfo, requestBuffe
 	}
 
 	sqlCommand := sqlprune.SQLParseCommandID(request.DBMySQL, requestBuffer)
-	if sqlCommand == "" {
-		return span, errIgnore
-	}
-
-	sqlError := sqlprune.SQLParseError(responseBuffer)
+	sqlError := sqlprune.SQLParseError(request.DBMySQL, responseBuffer)
 
 	switch sqlCommand {
 	case "STMT_PREPARE":