Add a filtercheck for when a fd name changes

Add a filtercheck fd.name_changed which is true when parsing an event changes the "name" of a fd. This mostly occurs when a bind/connect/sendto/recvfrom/etc changes the ip/port information associated with a socket fd, and is useful if you want to track when a stream of sendto/recvfroms on a single socket changes addresses. This is done by adding a m_oldname to fdinfo, which is set when threadinfo returns a fd and associates it with an event. If after parsing, the name changes, the filtercheck will return true. Whether the name changed or not is an event property and set at the end of sinsp_parser::process_event(). It does this by checking the original fd name and comparing it to the fd name that exists after parsing the event.
draios · Feb 2, 2018 · 6b35e44 · 6b35e44
1 parent 1d0d185
commit 6b35e44
Show file tree

Hide file tree

Showing 6 changed files with 51 additions and 3 deletions.
diff --git a/userspace/libsinsp/event.h b/userspace/libsinsp/event.h
@@ -238,6 +238,16 @@ class SINSP_PUBLIC sinsp_evt
 		return m_fdinfo;
 	}
 
+	inline bool fdinfo_name_changed()
+	{
+		return m_fdinfo_name_changed;
+	}
+
+	inline void set_fdinfo_name_changed(bool changed)
+	{
+		m_fdinfo_name_changed = changed;
+	}
+
 	/*!
 	  \brief Return the number of the FD associated with this event.
 
@@ -333,6 +343,7 @@ class SINSP_PUBLIC sinsp_evt
 		m_info = &(m_event_info_table[m_pevt->type]);
 		m_tinfo = NULL;
 		m_fdinfo = NULL;
+		m_fdinfo_name_changed = false;
 		m_iosize = 0;
 		m_poriginal_evt = NULL;
 	}
@@ -343,6 +354,7 @@ class SINSP_PUBLIC sinsp_evt
 		m_info = &(m_event_info_table[m_pevt->type]);
 		m_tinfo = NULL;
 		m_fdinfo = NULL;
+		m_fdinfo_name_changed = false;
 		m_iosize = 0;
 		m_cpuid = cpuid;
 		m_evtnum = 0;
@@ -396,6 +408,11 @@ VISIBILITY_PRIVATE
 
 	sinsp_threadinfo* m_tinfo;
 	sinsp_fdinfo_t* m_fdinfo;
+
+	// If true, then the associated fdinfo changed names as a part
+	// of parsing this event.
+	bool m_fdinfo_name_changed;
+
 	uint32_t m_iosize;
 	int32_t m_errorcode;
 	int32_t m_rawbuf_str_len;

diff --git a/userspace/libsinsp/fdinfo.h b/userspace/libsinsp/fdinfo.h
@@ -111,6 +111,7 @@ class SINSP_PUBLIC sinsp_fdinfo
 		m_openflags = other.m_openflags;	
 		m_sockinfo = other.m_sockinfo;
 		m_name = other.m_name;
+		m_oldname = other.m_oldname;
 		m_flags = other.m_flags;
 		m_ino = other.m_ino;
 
@@ -300,6 +301,7 @@ class SINSP_PUBLIC sinsp_fdinfo
 	sinsp_sockinfo m_sockinfo;
 
 	string m_name; ///< Human readable rendering of this FD. For files, this is the full file name. For sockets, this is the tuple. And so on.
+	string m_oldname; // The name of this fd at the beginning of event parsing. Used to detect name changes that result from parsing an event.
 
 	inline bool has_decoder_callbacks()
 	{

diff --git a/userspace/libsinsp/filterchecks.cpp b/userspace/libsinsp/filterchecks.cpp
@@ -167,7 +167,7 @@ const filtercheck_field_info sinsp_filter_check_fd_fields[] =
 	{PT_IPV4NET, EPF_NONE, PF_NA, "fd.lnet", "local IP network."},
 	{PT_IPV4NET, EPF_NONE, PF_NA, "fd.rnet", "remote IP network."},
 	{PT_BOOL, EPF_NONE, PF_NA, "fd.connected", "for TCP/UDP FDs, 'true' if the socket is connected."},
-
+	{PT_BOOL, EPF_NONE, PF_NA, "fd.name_changed", "True when an event changes the name of an fd used by this event. This can occur in some cases such as udp connections where the connection tuple changes."}
 };
 
 sinsp_filter_check_fd::sinsp_filter_check_fd()
@@ -1047,7 +1047,19 @@ uint8_t* sinsp_filter_check_fd::extract(sinsp_evt *evt, OUT uint32_t* len, bool
 
 			m_tbool = m_fdinfo->is_socket_connected();
 
-			return (uint8_t*)&m_tbool;
+			RETURN_EXTRACT_VAR(m_tbool);
+		}
+		break;
+	case TYPE_NAME_CHANGED:
+		{
+			if(m_fdinfo == NULL)
+			{
+				return NULL;
+			}
+
+			m_tbool = evt->fdinfo_name_changed();
+
+			RETURN_EXTRACT_VAR(m_tbool);
 		}
 		break;
 	default:

diff --git a/userspace/libsinsp/filterchecks.h b/userspace/libsinsp/filterchecks.h
@@ -282,6 +282,7 @@ class sinsp_filter_check_fd : public sinsp_filter_check
 		TYPE_LNET = 30,
 		TYPE_RNET = 31,
 		TYPE_IS_CONNECTED = 32,
+		TYPE_NAME_CHANGED = 33,
 	};
 
 	enum fd_type

diff --git a/userspace/libsinsp/parsers.cpp b/userspace/libsinsp/parsers.cpp
@@ -491,6 +491,14 @@ void sinsp_parser::process_event(sinsp_evt *evt)
 			evt->m_filtered_out = true;
 		}
 	}
+
+	// Check to see if the name changed as a side-effect of
+	// parsing this event. Try to avoid the overhead of a string
+	// compare for every event.
+	if(evt->m_fdinfo)
+	{
+		evt->set_fdinfo_name_changed(evt->m_fdinfo->m_name != evt->m_fdinfo->m_oldname);
+	}
 }
 
 void sinsp_parser::event_cleanup(sinsp_evt *evt)

diff --git a/userspace/libsinsp/threadinfo.h b/userspace/libsinsp/threadinfo.h
@@ -169,7 +169,15 @@ class SINSP_PUBLIC sinsp_threadinfo
 
 		if(fdt)
 		{
-			return fdt->find(fd);
+			sinsp_fdinfo_t *fdinfo = fdt->find(fd);
+			if(fdinfo)
+			{
+				// Its current name is now its old
+				// name. The name might change as a
+				// result of parsing.
+				fdinfo->m_oldname = fdinfo->m_name;
+				return fdinfo;
+			}
 		}
 
 		return NULL;