mmat11
commented
2 years ago I don't know if it will cause issues here or not, but in the past I had trouble with programs that attempted to connect using a non blocking socket. The connect syscall would return with
-EINPROGRESS, which would later succeed.I'm pretty sure curl uses that style.
I tried to reproduce this way:
import socket
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect(('localhost', 1234))
sock.setblocking(0) // O_NONBLOCK
sock.send(b'hello\n')and
nc -lvp 1234
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 127.0.0.1.
Ncat: Connection from 127.0.0.1:56718.
hellowhich triggered this event from v4_connect
{"event_type":"NETWORK_CONNECTION_ATTEMPTED","pids":{"tid":109704,"tgid":109704,"ppid":74299,"pgid":109704,"sid":74299,"start_time_ns":21219042657261},"net":{"family":"AF_INET","source_address":"127.0.0.1","source_port":56714,"destination_address":"127.0.0.1","destination_port":1234,"network_namespace":4026532008},"comm":"python"}I also didn't see any event missing during other tests with curl, so I think it should be fine
edit: the python poc was incorrect, I retested with asyncio and it worked anyway
rhysre
To do / discuss:
[x] clarify what "disconnect received" means: tcp_close or tcp_disconnect ? rename event?
[x] clarify what "connection attempted" means: only successful attempts? rename event?
[x] test ipv6
[x] check if any func signature has changed from 5.x to 5.16
[x] doing stuff in a container generates 2 events (host netns and container netns), eg:
Why it happened: we debugged this with @fntlnz and discovered that the second event was being triggered by slirp4netns because I was using Podman in rootless mode. This doesn't happen using Docker
[x] add
bytes_sentandbytes_receivedontcp_close[x] add transport field
Closes https://github.com/elastic/ebpf/issues/61 Closes https://github.com/elastic/ebpf/issues/62 Closes https://github.com/elastic/ebpf/issues/63