From e661f2a043f8b6548e0bb3e0cc5992d7c0ff3b0f Mon Sep 17 00:00:00 2001
From: Rong Tao <rongtao@cestc.cn>
Date: Sat, 1 Oct 2022 16:15:27 +0800
Subject: [PATCH] tcpdrop: Fix: ERROR: Error attaching probe: 'kprobe:tcp_drop'

kernel commit 8fbf195798b5('tcp_drop() is no longer needed.') remove
the kprobe:tcp_drop, bcc commit 16eab39171eb('Add
tracepoint:skb:kfree_skb if no tcp_drop() kprobe.') already fix this
problem.

CI old kernel is too old and not support the 'reason' field, move the
old tools/tcpdrop.bt into tools/old/tcpdrop.bt and set the CI to use
it.

Since 5.17 support trace_kfree_skb(skb, ..., reason) 'reason' field.
Since 5.19 remove tcp_drop() function.

ERROR log:

 $ sudo ./tcpdrop.bt
 ./tcpdrop.bt:49-51: WARNING: tcp_drop is not traceable (either non-existing, inlined, or marked as "notrace"); attaching to it will likely fail
 Attaching 3 probes...
 cannot attach kprobe, probe entry may not exist
 ERROR: Error attaching probe: 'kprobe:tcp_drop'

Link: https://github.com/iovisor/bpftrace/pull/2379
Signed-off-by: Rong Tao <rongtao@cestc.cn>
---
 tools/old/tcpdrop.bt | 85 ++++++++++++++++++++++++++++++++++++++++++++
 tools/tcpdrop.bt     | 22 ++++++------
 2 files changed, 97 insertions(+), 10 deletions(-)
 create mode 100755 tools/old/tcpdrop.bt

diff --git a/tools/old/tcpdrop.bt b/tools/old/tcpdrop.bt
new file mode 100755
index 00000000..685a5f6a
--- /dev/null
+++ b/tools/old/tcpdrop.bt
@@ -0,0 +1,85 @@
+#!/usr/bin/env bpftrace
+/*
+ * tcpdrop.bt   Trace TCP kernel-dropped packets/segments.
+ *              For Linux, uses bpftrace and eBPF.
+ *
+ * USAGE: tcpdrop.bt
+ *
+ * This is a bpftrace version of the bcc tool of the same name.
+ * It is limited to ipv4 addresses, and cannot show tcp flags.
+ *
+ * This provides information such as packet details, socket state, and kernel
+ * stack trace for packets/segments that were dropped via tcp_drop().
+
+ * WARNING: this script attaches to the tcp_drop kprobe which is likely inlined
+ *          on newer kernels and not replaced by anything else, therefore
+ *          the script will stop working
+ *
+ * For Linux <= 5.18.
+ *
+ * Copyright (c) 2018 Dale Hamel.
+ * Licensed under the Apache License, Version 2.0 (the "License")
+ *
+ * 23-Nov-2018	Dale Hamel	created this.
+ */
+
+#ifndef BPFTRACE_HAVE_BTF
+#include <linux/socket.h>
+#include <net/sock.h>
+#else
+#include <sys/socket.h>
+#endif
+
+BEGIN
+{
+  printf("Tracing tcp drops. Hit Ctrl-C to end.\n");
+  printf("%-8s %-8s %-16s %-21s %-21s %-8s\n", "TIME", "PID", "COMM", "SADDR:SPORT", "DADDR:DPORT", "STATE");
+
+  // See https://github.com/torvalds/linux/blob/master/include/net/tcp_states.h
+  @tcp_states[1] = "ESTABLISHED";
+  @tcp_states[2] = "SYN_SENT";
+  @tcp_states[3] = "SYN_RECV";
+  @tcp_states[4] = "FIN_WAIT1";
+  @tcp_states[5] = "FIN_WAIT2";
+  @tcp_states[6] = "TIME_WAIT";
+  @tcp_states[7] = "CLOSE";
+  @tcp_states[8] = "CLOSE_WAIT";
+  @tcp_states[9] = "LAST_ACK";
+  @tcp_states[10] = "LISTEN";
+  @tcp_states[11] = "CLOSING";
+  @tcp_states[12] = "NEW_SYN_RECV";
+}
+
+kprobe:tcp_drop
+{
+  $sk = ((struct sock *) arg0);
+  $inet_family = $sk->__sk_common.skc_family;
+
+  if ($inet_family == AF_INET || $inet_family == AF_INET6) {
+    if ($inet_family == AF_INET) {
+      $daddr = ntop($sk->__sk_common.skc_daddr);
+      $saddr = ntop($sk->__sk_common.skc_rcv_saddr);
+    } else {
+      $daddr = ntop($sk->__sk_common.skc_v6_daddr.in6_u.u6_addr8);
+      $saddr = ntop($sk->__sk_common.skc_v6_rcv_saddr.in6_u.u6_addr8);
+    }
+    $lport = $sk->__sk_common.skc_num;
+    $dport = $sk->__sk_common.skc_dport;
+
+    // Destination port is big endian, it must be flipped
+    $dport = bswap($dport);
+
+    $state = $sk->__sk_common.skc_state;
+    $statestr = @tcp_states[$state];
+
+    time("%H:%M:%S ");
+    printf("%-8d %-16s ", pid, comm);
+    printf("%39s:%-6d %39s:%-6d %-10s\n", $saddr, $lport, $daddr, $dport, $statestr);
+    printf("%s\n", kstack);
+  }
+}
+
+END
+{
+  clear(@tcp_states);
+}
diff --git a/tools/tcpdrop.bt b/tools/tcpdrop.bt
index 3450a533..bb31107f 100755
--- a/tools/tcpdrop.bt
+++ b/tools/tcpdrop.bt
@@ -9,16 +9,15 @@
  * It is limited to ipv4 addresses, and cannot show tcp flags.
  *
  * This provides information such as packet details, socket state, and kernel
- * stack trace for packets/segments that were dropped via tcp_drop().
-
- * WARNING: this script attaches to the tcp_drop kprobe which is likely inlined
- *          on newer kernels and not replaced by anything else, therefore
- *          the script will stop working
-
+ * stack trace for packets/segments that were dropped via kfree_skb.
+ *
+ * For Linux 5.17+ (see tools/old for script for lower versions).
+ *
  * Copyright (c) 2018 Dale Hamel.
  * Licensed under the Apache License, Version 2.0 (the "License")
-
+ *
  * 23-Nov-2018	Dale Hamel	created this.
+ * 01-Oct-2022	Rong Tao	use tracepoint:skb:kfree_skb
  */
 
 #ifndef BPFTRACE_HAVE_BTF
@@ -48,12 +47,15 @@ BEGIN
   @tcp_states[12] = "NEW_SYN_RECV";
 }
 
-kprobe:tcp_drop
+tracepoint:skb:kfree_skb
 {
-  $sk = ((struct sock *) arg0);
+  $reason = args->reason;
+  $skb = (struct sk_buff *)args->skbaddr;
+  $sk = ((struct sock *) $skb->sk);
   $inet_family = $sk->__sk_common.skc_family;
 
-  if ($inet_family == AF_INET || $inet_family == AF_INET6) {
+  if ($reason > SKB_DROP_REASON_NOT_SPECIFIED &&
+      ($inet_family == AF_INET || $inet_family == AF_INET6)) {
     if ($inet_family == AF_INET) {
       $daddr = ntop($sk->__sk_common.skc_daddr);
       $saddr = ntop($sk->__sk_common.skc_rcv_saddr);
-- 
2.38.1