patchpanel/counters_service.cc

// Copyright 2020 The Chromium OS Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#include "patchpanel/counters_service.h"

#include <set>
#include <string>
#include <utility>
#include <vector>

#include <base/strings/strcat.h>
#include <base/strings/string_split.h>
#include <re2/re2.h>

namespace patchpanel {

namespace {

using Counter = CountersService::Counter;
using SourceDevice = CountersService::SourceDevice;

constexpr char kMangleTable[] = "mangle";

// The following regexs and code is written and tested for iptables v1.6.2.
// Output code of iptables can be found at:
//   https://git.netfilter.org/iptables/tree/iptables/iptables.c?h=v1.6.2

// The chain line looks like:
//   "Chain tx_fwd_eth0 (1 references)".
// This regex extracts "tx" (direction), "eth0" (ifname) from this example, and
// "fwd" (prebuilt chain) is matched but not captured because it is not required
// for counters.
constexpr LazyRE2 kChainLine = {
    R"(Chain (rx|tx)_(?:input|fwd|postrt)_(\w+).*)"};

// The counter line looks like (some spaces are deleted to make it fit in one
// line):
//   "    6511 68041668    all  --  any    any     anywhere   anywhere"
// The first two counters are captured for pkts and bytes.
constexpr LazyRE2 kCounterLine = {R"( *(\d+) +(\d+).*)"};

// Parses the output of `iptables -L -x -v` (or `ip6tables`) and adds the parsed
// values into the corresponding counters in |counters|. An example of |output|
// can be found in the test file. This function will try to find the pattern of:
//   <one chain line for an accounting chain>
//   <one header line>
//   <one counter line for an accounting rule>
// The interface name and direction (rx or tx) will be extracted from the chain
// line, and then the values extracted from the counter line will be added into
// the counter for that interface. Note that this function will not fully
// validate if |output| is an output from iptables.
bool ParseOutput(const std::string& output,
                 const std::set<std::string>& devices,
                 std::map<SourceDevice, Counter>* counters) {
  DCHECK(counters);
  const std::vector<std::string> lines = base::SplitString(
      output, "\n", base::KEEP_WHITESPACE, base::SPLIT_WANT_ALL);

  // Finds the chain line for an accounting chain first, and then parse the
  // following line(s) to get the counters for this chain. Repeats this process
  // until we reach the end of |output|.
  for (auto it = lines.cbegin(); it != lines.cend(); it++) {
    // Finds the chain name line.
    std::string direction, ifname;
    while (it != lines.cend() &&
           !RE2::FullMatch(*it, *kChainLine, &direction, &ifname))
      it++;

    if (it == lines.cend())
      break;

    // Skips this group if this ifname is not requested.
    if (!devices.empty() && devices.find(ifname) == devices.end())
      continue;

    // Skips the chain name line and the header line.
    if (lines.cend() - it <= 2) {
      LOG(ERROR) << "Invalid iptables output";
      return false;
    }
    it += 2;

    // The current line should be the accounting rule containing the counters.
    // Currently we only have one accounting rule (UNKNOWN source) for each
    // chain.
    // TODO(jiejiang): The following part will be extended to a loop when we
    // have more accounting rules.
    uint64_t pkts, bytes;
    if (!RE2::FullMatch(*it, *kCounterLine, &pkts, &bytes)) {
      LOG(ERROR) << "Cannot parse \"" << *it << "\"";
      return false;
    }

    TrafficCounter::Source source = TrafficCounter::UNKNOWN;
    auto& counter = (*counters)[std::make_pair(source, ifname)];
    if (direction == "rx") {
      counter.rx_packets += pkts;
      counter.rx_bytes += bytes;
    } else {
      counter.tx_packets += pkts;
      counter.tx_bytes += bytes;
    }
  }
  return true;
}

}  // namespace

Counter::Counter(uint64_t rx_bytes,
                 uint64_t rx_packets,
                 uint64_t tx_bytes,
                 uint64_t tx_packets)
    : rx_bytes(rx_bytes),
      rx_packets(rx_packets),
      tx_bytes(tx_bytes),
      tx_packets(tx_packets) {}

CountersService::CountersService(ShillClient* shill_client,
                                 MinijailedProcessRunner* runner)
    : shill_client_(shill_client), runner_(runner) {
  // Triggers the callback manually to make sure no device is missed.
  OnDeviceChanged(shill_client_->get_devices(), {});
  shill_client_->RegisterDevicesChangedHandler(base::BindRepeating(
      &CountersService::OnDeviceChanged, weak_factory_.GetWeakPtr()));
}

std::map<SourceDevice, Counter> CountersService::GetCounters(
    const std::set<std::string>& devices) {
  std::map<SourceDevice, Counter> counters;

  // Handles counters for IPv4 and IPv6 separately and returns failure if either
  // of the procession fails, since counters for only IPv4 or IPv6 are biased.
  std::string iptables_result;
  int ret = runner_->iptables(kMangleTable, {"-L", "-x", "-v", "-w"},
                              true /*log_failures*/, &iptables_result);
  if (ret != 0 || iptables_result.empty()) {
    LOG(ERROR) << "Failed to query IPv4 counters";
    return {};
  }
  if (!ParseOutput(iptables_result, devices, &counters)) {
    LOG(ERROR) << "Failed to parse IPv4 counters";
    return {};
  }

  std::string ip6tables_result;
  ret = runner_->ip6tables(kMangleTable, {"-L", "-x", "-v", "-w"},
                           true /*log_failures*/, &ip6tables_result);
  if (ret != 0 || ip6tables_result.empty()) {
    LOG(ERROR) << "Failed to query IPv6 counters";
    return {};
  }
  if (!ParseOutput(ip6tables_result, devices, &counters)) {
    LOG(ERROR) << "Failed to parse IPv6 counters";
    return {};
  }

  return counters;
}

void CountersService::OnDeviceChanged(const std::set<std::string>& added,
                                      const std::set<std::string>& removed) {
  for (const auto& ifname : added)
    SetupChainsAndRules(ifname);
}

void CountersService::IptablesNewChain(const std::string& chain_name) {
  // There is no straightforward way to check if a chain exists or not.
  runner_->iptables(kMangleTable, {"-N", chain_name, "-w"},
                    false /*log_failures*/);
  runner_->ip6tables(kMangleTable, {"-N", chain_name, "-w"},
                     false /*log_failures*/);
}

void CountersService::IptablesNewRule(std::vector<std::string> params) {
  DCHECK_GT(params.size(), 0);
  const std::string action = params[0];
  DCHECK(action == "-I" || action == "-A");
  params.emplace_back("-w");

  params[0] = "-C";
  if (runner_->iptables(kMangleTable, params, false /*log_failures*/) != 0) {
    params[0] = action;
    runner_->iptables(kMangleTable, params);
  }

  params[0] = "-C";
  if (runner_->ip6tables(kMangleTable, params, false /*log_failures*/) != 0) {
    params[0] = action;
    runner_->ip6tables(kMangleTable, params);
  }
}

void CountersService::SetupChainsAndRules(const std::string& ifname) {
  // For each group, we need to create 1) an accounting chain, 2) a jumping rule
  // matching |ifname|, and 3) accounting rule(s) in the chain.
  // Note that the length of a chain name must less than 29 chars and IFNAMSIZ
  // is 16 so we can only use at most 12 chars for the prefix.

  // Egress traffic in FORWARD chain. Only traffic for interface-type sources
  // will be counted by these rules.
  const std::string egress_forward_chain = "tx_fwd_" + ifname;
  IptablesNewChain(egress_forward_chain);
  IptablesNewRule({"-A", "FORWARD", "-o", ifname, "-j", egress_forward_chain});
  SetupAccountingRules(egress_forward_chain);

  // Egress traffic in POSTROUTING chain. Only traffic for host-type sources
  // will be counted by these rules, by having a "-m owner --socket-exists" in
  // the jumping rule. Traffic via "FORWARD -> POSTROUTING" does not have a
  // socket so will only be counted in FORWARD, while traffic from OUTPUT will
  // always have an associated socket.
  const std::string egress_postrouting_chain = "tx_postrt_" + ifname;
  IptablesNewChain(egress_postrouting_chain);
  IptablesNewRule({"-A", "POSTROUTING", "-o", ifname, "-m", "owner",
                   "--socket-exists", "-j", egress_postrouting_chain});
  SetupAccountingRules(egress_postrouting_chain);

  // Ingress traffic in FORWARD chain. Only traffic for interface-type sources
  // will be counted by these rules.
  const std::string ingress_forward_chain = "rx_fwd_" + ifname;
  IptablesNewChain(ingress_forward_chain);
  IptablesNewRule({"-A", "FORWARD", "-i", ifname, "-j", ingress_forward_chain});
  SetupAccountingRules(ingress_forward_chain);

  // Ingress traffic in INPUT chain. Only traffic for host-type sources will be
  // counted by these rules.
  const std::string ingress_input_chain = "rx_input_" + ifname;
  IptablesNewChain(ingress_input_chain);
  IptablesNewRule({"-A", "INPUT", "-i", ifname, "-j", ingress_input_chain});
  SetupAccountingRules(ingress_input_chain);
}

void CountersService::SetupAccountingRules(const std::string& chain_name) {
  // TODO(jiejiang): This function will be extended to matching on fwmark for
  // different sources.
  IptablesNewRule({"-A", chain_name});
}

}  // namespace patchpanel