improve xdp log

Signed-off-by: weli-l <[email protected]>
kmesh-net · Jan 7, 2025 · 8cbdc2a · 8cbdc2a
1 parent 21d1139
commit 8cbdc2a
Showing 1 changed file with 12 additions and 43 deletions.
diff --git a/bpf/kmesh/workload/include/authz.h b/bpf/kmesh/workload/include/authz.h
@@ -31,6 +31,7 @@ struct {
 
 struct match_context {
     __u32 action;
+    char *policy_name;
     __u8 policy_index;
     bool need_tailcall_to_userspace;
     __u8 n_rules;
@@ -161,20 +162,17 @@ static int match_dst_ports(Istio__Security__Match *match, struct xdp_info *info,
             }
             if (info->iph->version == IPV4_VERSION) {
                 if (bpf_htons(notPorts[i]) == tuple_info->ipv4.dport) {
-                    BPF_LOG(DEBUG, AUTH, "port %u in not_destination_ports, unmatched", notPorts[i]);
                     return UNMATCHED;
                 }
             } else {
                 if (bpf_htons(notPorts[i]) == tuple_info->ipv6.dport) {
-                    BPF_LOG(DEBUG, AUTH, "port %u in not_destination_ports, unmatched", notPorts[i]);
                     return UNMATCHED;
                 }
             }
         }
     }
     // if not match not_destination_ports && has no destination_ports, return MATCHED
     if (match->n_destination_ports == 0) {
-        BPF_LOG(DEBUG, AUTH, "no destination_ports configured, matching by default");
         return MATCHED;
     }
 
@@ -190,17 +188,14 @@ static int match_dst_ports(Istio__Security__Match *match, struct xdp_info *info,
         }
         if (info->iph->version == IPV4_VERSION) {
             if (bpf_htons(ports[i]) == tuple_info->ipv4.dport) {
-                BPF_LOG(DEBUG, AUTH, "port %u in destination_ports, matched", ports[i]);
                 return MATCHED;
             }
         } else {
             if (bpf_htons(ports[i]) == tuple_info->ipv6.dport) {
-                BPF_LOG(DEBUG, AUTH, "port %u in destination_ports, matched", ports[i]);
                 return MATCHED;
             }
         }
     }
-    BPF_LOG(DEBUG, AUTH, "no matching ports found, unmatched");
     return UNMATCHED;
 }
 
@@ -303,23 +298,6 @@ match_ip_rule(struct ProtobufCBinaryData *addrInfo, __u32 preFixLen, struct bpf_
 
     if (addrInfo->len == IPV4_BYTE_LEN) {
         __u32 rule_ip = convert_ipv4_to_u32(addrInfo, false);
-        if (type & TYPE_SRCIP) {
-            BPF_LOG(
-                DEBUG,
-                AUTH,
-                "IPv4 match srcip: Rule IP: %x, Prefix Length: %u, Target IP: %x\n",
-                rule_ip,
-                preFixLen,
-                bpf_ntohl(tuple_info->ipv4.saddr));
-        } else if (type & TYPE_DSTIP) {
-            BPF_LOG(
-                DEBUG,
-                AUTH,
-                "IPv4 match dstip: Rule IP: %x, Prefix Length: %u, Target IP: %x\n",
-                rule_ip,
-                preFixLen,
-                bpf_ntohl(tuple_info->ipv4.daddr));
-        }
         return match_ipv4_rule(rule_ip, preFixLen, tuple_info, type);
     } else if (addrInfo->len == IPV6_BYTE_LEN) {
         struct ip_addr rule_addr = {0};
@@ -332,23 +310,6 @@ match_ip_rule(struct ProtobufCBinaryData *addrInfo, __u32 preFixLen, struct bpf_
             }
             if (is_ipv4_mapped_addr(rule_addr.ip6)) {
                 __u32 rule_ip = convert_ipv4_to_u32(addrInfo, true);
-                if (type & TYPE_SRCIP) {
-                    BPF_LOG(
-                        DEBUG,
-                        AUTH,
-                        "IPv4_in_IPv6 match srcip: Rule IP: %x, Prefix Length: %u, Target IP: %x\n",
-                        rule_ip,
-                        preFixLen,
-                        bpf_ntohl(tuple_info->ipv4.saddr));
-                } else if (type & TYPE_DSTIP) {
-                    BPF_LOG(
-                        DEBUG,
-                        AUTH,
-                        "IPv4_in_IPv6 match dstip: Rule IP: %x, Prefix Length: %u, Target IP: %x\n",
-                        rule_ip,
-                        preFixLen,
-                        bpf_ntohl(tuple_info->ipv4.daddr));
-                }
                 return match_ipv4_rule(rule_ip, preFixLen, tuple_info, type);
             } else {
                 if (type & TYPE_SRCIP) {
@@ -621,6 +582,11 @@ int policies_check(struct xdp_md *ctx)
         match_ctx->rulesPtr = rulesPtr;
         match_ctx->n_rules = policy->n_rules;
         match_ctx->action = policy->action;
+        char *policy_name = (char *)KMESH_GET_PTR_VAL(policy->name, char *);
+        if (!policy_name) {
+            return XDP_PASS;
+        }
+        match_ctx->policy_name = policy_name;
         ret = bpf_map_update_elem(&kmesh_tc_args, &tuple_key, match_ctx, BPF_ANY);
         if (ret < 0) {
             return XDP_PASS;
@@ -672,11 +638,14 @@ int policy_check(struct xdp_md *ctx)
             continue;
         }
         if (rule_match_check(rule, &info, &tuple_key, match_ctx) == MATCHED) {
+            BPF_LOG(INFO, AUTH, "policy %s matched", match_ctx->policy_name);
             BPF_LOG(
-                DEBUG,
+                INFO,
                 AUTH,
-                "rule matched, action: %s",
-                match_ctx->action == ISTIO__SECURITY__ACTION__DENY ? "DENY" : "ALLOW");
+                "src ip: %u, dst ip %u, dst port: %u\n",
+                tuple_key.ipv4.saddr,
+                tuple_key.ipv4.daddr,
+                bpf_ntohs(tuple_key.ipv4.dport));
             if (bpf_map_delete_elem(&kmesh_tc_args, &tuple_key) != 0) {
                 BPF_LOG(ERR, AUTH, "failed to delete tail call context from map");
             }