diff --git a/libs/execution_context/ebpf_maps.c b/libs/execution_context/ebpf_maps.c index 3a2555dd92..3e4a3a067a 100644 --- a/libs/execution_context/ebpf_maps.c +++ b/libs/execution_context/ebpf_maps.c @@ -140,6 +140,18 @@ typedef uint8_t* ebpf_lru_entry_t; #define EBPF_LRU_ENTRY_KEY_PTR(map, entry) \ ((uint8_t*)(((uint8_t*)entry) + EBPF_LRU_ENTRY_KEY_OFFSET(map->partition_count))) +#define EBPF_LOG_MAP_OPERATION(flags, operation, map, key) \ + if (((flags) & EBPF_MAP_FLAG_HELPER) && (map)->ebpf_map_definition.key_size != 0) { \ + EBPF_LOG_MESSAGE_UTF8_STRING( \ + EBPF_TRACELOG_LEVEL_VERBOSE, EBPF_TRACELOG_KEYWORD_MAP, "Map "##operation, &(map)->name); \ + EBPF_LOG_MESSAGE_BINARY( \ + EBPF_TRACELOG_LEVEL_VERBOSE, \ + EBPF_TRACELOG_KEYWORD_MAP, \ + "Key", \ + (key), \ + (map)->ebpf_map_definition.key_size); \ + } + /** * @brief The partition of the LRU map key history. */ @@ -2450,6 +2462,7 @@ ebpf_map_find_entry( { // High volume call - Skip entry/exit logging. uint8_t* return_value = NULL; + if (!(flags & EBPF_MAP_FLAG_HELPER) && (key_size != map->ebpf_map_definition.key_size)) { EBPF_LOG_MESSAGE_UINT64_UINT64( EBPF_TRACELOG_LEVEL_ERROR, @@ -2489,6 +2502,8 @@ ebpf_map_find_entry( return EBPF_INVALID_ARGUMENT; } + EBPF_LOG_MAP_OPERATION(flags, "lookup", map, key); + ebpf_core_object_t* object = ebpf_map_metadata_tables[type].get_object_from_entry(map, key); if (object) { return_value = (uint8_t*)object; @@ -2608,6 +2623,8 @@ ebpf_map_update_entry( return EBPF_OPERATION_NOT_SUPPORTED; } + EBPF_LOG_MAP_OPERATION(flags, "update", map, key); + if ((flags & EBPF_MAP_FLAG_HELPER) && ebpf_map_metadata_tables[map->ebpf_map_definition.type].update_entry_per_cpu) { result = ebpf_map_metadata_tables[map->ebpf_map_definition.type].update_entry_per_cpu(map, key, value, option); @@ -2671,6 +2688,8 @@ ebpf_map_delete_entry(_In_ ebpf_map_t* map, size_t key_size, _In_reads_(key_size return EBPF_OPERATION_NOT_SUPPORTED; } + EBPF_LOG_MAP_OPERATION(flags, "delete", map, key); + ebpf_result_t result = ebpf_map_metadata_tables[map->ebpf_map_definition.type].delete_entry(map, key); return result; } diff --git a/libs/execution_context/ebpf_program.c b/libs/execution_context/ebpf_program.c index 2f633d9046..8900149611 100644 --- a/libs/execution_context/ebpf_program.c +++ b/libs/execution_context/ebpf_program.c @@ -1556,6 +1556,11 @@ ebpf_program_invoke( if (current_program->parameters.code_type == EBPF_CODE_JIT || current_program->parameters.code_type == EBPF_CODE_NATIVE) { + EBPF_LOG_MESSAGE_UTF8_STRING( + EBPF_TRACELOG_LEVEL_VERBOSE, + EBPF_TRACELOG_KEYWORD_PROGRAM, + "Tail call program", + ¤t_program->parameters.program_name); ebpf_program_entry_point_t function_pointer; function_pointer = (ebpf_program_entry_point_t)(current_program->code_or_vm.code.code_pointer); *result = (function_pointer)(context); diff --git a/libs/shared/ebpf_tracelog.h b/libs/shared/ebpf_tracelog.h index 776e2f5ec6..1db9c8f339 100644 --- a/libs/shared/ebpf_tracelog.h +++ b/libs/shared/ebpf_tracelog.h @@ -303,6 +303,18 @@ extern "C" ebpf_log_message_uint64_uint64(_##trace_level##, _##keyword##, message, value1, value2); \ } + void + ebpf_log_message_binary( + ebpf_tracelog_level_t trace_level, + ebpf_tracelog_keyword_t keyword, + _In_z_ const char* message, + _In_reads_bytes_(data_size) const void* data, + uint32_t data_size); +#define EBPF_LOG_MESSAGE_BINARY(trace_level, keyword, message, data, data_size) \ + if (TraceLoggingProviderEnabled(ebpf_tracelog_provider, trace_level, keyword)) { \ + ebpf_log_message_binary(_##trace_level##, _##keyword##, message, data, data_size); \ + } + void ebpf_log_message_error( ebpf_tracelog_level_t trace_level, diff --git a/libs/shared/tracelog.c b/libs/shared/tracelog.c index 470e1420c5..3813bdfe7d 100644 --- a/libs/shared/tracelog.c +++ b/libs/shared/tracelog.c @@ -976,6 +976,85 @@ __declspec(noinline) void ebpf_log_message_uint64_uint64( } } +#define _EBPF_LOG_MESSAGE_BINARY(trace_level, keyword, message, data, data_size) \ + TraceLoggingWrite( \ + ebpf_tracelog_provider, \ + EBPF_TRACELOG_EVENT_GENERIC_MESSAGE, \ + TraceLoggingLevel((trace_level)), \ + TraceLoggingKeyword((keyword)), \ + TraceLoggingString((message), "Message"), \ + TraceLoggingBinary((data), (data_size))); +#define EBPF_LOG_MESSAGE_BINARY_KEYWORD_SWITCH(trace_level, message, data, data_size) \ + switch (keyword) { \ + CASE_FUNCTION_ENTRY_EXIT: \ + _EBPF_LOG_MESSAGE_BINARY(trace_level, KEYWORD_FUNCTION_ENTRY_EXIT, message, data, data_size); \ + break; \ + CASE_BASE: \ + _EBPF_LOG_MESSAGE_BINARY(trace_level, KEYWORD_BASE, message, data, data_size); \ + break; \ + CASE_ERROR: \ + _EBPF_LOG_MESSAGE_BINARY(trace_level, KEYWORD_ERROR, message, data, data_size); \ + break; \ + CASE_EPOCH: \ + _EBPF_LOG_MESSAGE_BINARY(trace_level, KEYWORD_EPOCH, message, data, data_size); \ + break; \ + CASE_CORE: \ + _EBPF_LOG_MESSAGE_BINARY(trace_level, KEYWORD_CORE, message, data, data_size); \ + break; \ + CASE_LINK: \ + _EBPF_LOG_MESSAGE_BINARY(trace_level, KEYWORD_LINK, message, data, data_size); \ + break; \ + CASE_MAP: \ + _EBPF_LOG_MESSAGE_BINARY(trace_level, KEYWORD_MAP, message, data, data_size); \ + break; \ + CASE_PROGRAM: \ + _EBPF_LOG_MESSAGE_BINARY(trace_level, KEYWORD_PROGRAM, message, data, data_size); \ + break; \ + CASE_API: \ + _EBPF_LOG_MESSAGE_BINARY(trace_level, KEYWORD_API, message, data, data_size); \ + break; \ + CASE_PRINTK: \ + _EBPF_LOG_MESSAGE_BINARY(trace_level, KEYWORD_PRINTK, message, data, data_size); \ + break; \ + CASE_NATIVE: \ + _EBPF_LOG_MESSAGE_BINARY(trace_level, KEYWORD_NATIVE, message, data, data_size); \ + break; \ + default: \ + ebpf_assert(!"Invalid keyword"); \ + break; \ + } +__declspec(noinline) void ebpf_log_message_binary( + ebpf_tracelog_level_t trace_level, + ebpf_tracelog_keyword_t keyword, + _In_z_ const char* message, + _In_reads_bytes_(data_size) const void* data, + uint32_t data_size) +{ + switch (trace_level) { + CASE_LOG_ALWAYS: + EBPF_LOG_MESSAGE_BINARY_KEYWORD_SWITCH(LEVEL_LOG_ALWAYS, message, data, data_size); + break; + CASE_CRITICAL: + EBPF_LOG_MESSAGE_BINARY_KEYWORD_SWITCH(LEVEL_CRITICAL, message, data, data_size); + break; + CASE_LEVEL_ERROR: + EBPF_LOG_MESSAGE_BINARY_KEYWORD_SWITCH(LEVEL_ERROR, message, data, data_size); + break; + CASE_WARNING: + EBPF_LOG_MESSAGE_BINARY_KEYWORD_SWITCH(LEVEL_WARNING, message, data, data_size); + break; + CASE_INFO: + EBPF_LOG_MESSAGE_BINARY_KEYWORD_SWITCH(LEVEL_INFO, message, data, data_size); + break; + CASE_VERBOSE: + EBPF_LOG_MESSAGE_BINARY_KEYWORD_SWITCH(LEVEL_VERBOSE, message, data, data_size); + break; + default: + ebpf_assert(!"Invalid trace level"); + break; + } +} + #define _EBPF_LOG_MESSAGE_ERROR(trace_level, keyword, message, error) \ TraceLoggingWrite( \ ebpf_tracelog_provider, \ diff --git a/netebpfext/net_ebpf_ext_hook_provider.c b/netebpfext/net_ebpf_ext_hook_provider.c index 3cf4502dea..9a73c4a2b1 100644 --- a/netebpfext/net_ebpf_ext_hook_provider.c +++ b/netebpfext/net_ebpf_ext_hook_provider.c @@ -4,7 +4,11 @@ #include "ebpf_extension_uuids.h" #include "net_ebpf_ext_hook_provider.h" -#define NET_EBPF_EXT_STACK_EXPANSION_SIZE 1024 * 10 +#ifdef _DEBUG +#define NET_EBPF_EXT_STACK_EXPANSION_SIZE 1024 * 32 +#else +#define NET_EBPF_EXT_STACK_EXPANSION_SIZE 1024 * 16 +#endif // _DEBUG typedef struct _net_ebpf_ext_hook_client_rundown {