[NPM-3378] Adding eBPF-less network tracer POC (#27100)

Co-authored-by: Bryce Kahle <bryce.kahle@datadoghq.com>

Author: hmahmood

cmd/system-probe/config/adjust_npm.go

@@ -25,6 +25,8 @@ const (
 )
 
 func adjustNetwork(cfg config.Config) {
+	ebpflessEnabled := cfg.GetBool(netNS("enable_ebpfless"))
+
 	limitMaxInt(cfg, spNS("max_conns_per_message"), maxConnsMessageBatchSize)
 
 	if cfg.GetBool(spNS("disable_tcp")) {
@@ -99,4 +101,24 @@ func adjustNetwork(cfg config.Config) {
 		log.Warn("disabling NPM connection rollups since USM connection rollups are not enabled")
 		cfg.Set(netNS("enable_connection_rollup"), false, model.SourceAgentRuntime)
 	}
+
+	// disable features that are not supported on certain
+	// configs/platforms
+	var disableConfigs []struct {
+		key, reason string
+	}
+	if ebpflessEnabled {
+		const notSupportedEbpfless = "not supported when ebpf-less is enabled"
+		disableConfigs = append(disableConfigs, []struct{ key, reason string }{
+			{netNS("enable_protocol_classification"), notSupportedEbpfless},
+			{evNS("network_process", "enabled"), notSupportedEbpfless}}...,
+		)
+	}
+
+	for _, c := range disableConfigs {
+		if cfg.GetBool(c.key) {
+			log.Warnf("disabling %s: %s", c.key, c.reason)
+			cfg.Set(c.key, false, model.SourceAgentRuntime)
+		}
+	}
 }

cmd/system-probe/modules/network_tracer_linux.go

@@ -10,14 +10,13 @@ package modules
 import (
 	"github.com/DataDog/datadog-agent/cmd/system-probe/api/module"
 	"github.com/DataDog/datadog-agent/cmd/system-probe/config"
+	"github.com/DataDog/datadog-agent/pkg/network/tracer"
 )
 
 // NetworkTracer is a factory for NPM's tracer
 var NetworkTracer = module.Factory{
 	Name:             config.NetworkTracerModule,
 	ConfigNamespaces: networkTracerModuleConfigNamespaces,
 	Fn:               createNetworkTracerModule,
-	NeedsEBPF: func() bool {
-		return true
-	},
+	NeedsEBPF:        tracer.NeedsEBPF,
 }

go.mod

@@ -1075,3 +1075,5 @@ replace (
 
 // Prevent a false-positive detection by the Google and Ikarus security vendors on VirusTotal
 exclude go.opentelemetry.io/proto/otlp v1.1.0
+
+replace github.com/google/gopacket v1.1.19 => github.com/DataDog/gopacket v0.0.0-20240626205202-4ac4cee31f14

go.sum

@@ -299,6 +299,8 @@ func InitSystemProbeConfig(cfg pkgconfigmodel.Config) {
 	// connection aggregation with port rollups
 	cfg.BindEnvAndSetDefault(join(netNS, "enable_connection_rollup"), false)
 
+	cfg.BindEnvAndSetDefault(join(netNS, "enable_ebpfless"), false)
+
 	// windows config
 	cfg.BindEnvAndSetDefault(join(spNS, "windows.enable_monotonic_count"), false)
 

pkg/config/setup/system_probe.go

@@ -16,13 +16,15 @@ var (
 	RuntimeCompiled BuildMode
 	CORE            BuildMode
 	Fentry          BuildMode
+	Ebpfless        BuildMode
 )
 
 func init() {
 	Prebuilt = prebuilt{}
 	RuntimeCompiled = runtimeCompiled{}
 	CORE = core{}
 	Fentry = fentry{}
+	Ebpfless = ebpfless{}
 }
 
 // BuildMode is an eBPF build mode
@@ -95,6 +97,23 @@ func (f fentry) Env() map[string]string {
 	}
 }
 
+type ebpfless struct{}
+
+func (e ebpfless) String() string {
+	return "eBPFless"
+}
+
+func (e ebpfless) Env() map[string]string {
+	return map[string]string{
+		"NETWORK_TRACER_FENTRY_TESTS":        "false",
+		"DD_ENABLE_RUNTIME_COMPILER":         "false",
+		"DD_ENABLE_CO_RE":                    "false",
+		"DD_ALLOW_RUNTIME_COMPILED_FALLBACK": "false",
+		"DD_ALLOW_PRECOMPILED_FALLBACK":      "false",
+		"DD_NETWORK_CONFIG_ENABLE_EBPFLESS":  "true",
+	}
+}
+
 // GetBuildMode returns which build mode the current environment matches, if any
 func GetBuildMode() BuildMode {
 	for _, mode := range []BuildMode{Prebuilt, RuntimeCompiled, CORE, Fentry} {

pkg/ebpf/ebpftest/buildmode.go

@@ -30,6 +30,10 @@ func SupportedBuildModes() []BuildMode {
 		(runtime.GOARCH == "amd64" && (hostPlatform == "amazon" || hostPlatform == "amzn") && kv.Major() == 5 && kv.Minor() == 10) {
 		modes = append(modes, Fentry)
 	}
+	if os.Getenv("TEST_EBPFLESS_OVERRIDE") == "true" {
+		modes = append(modes, Ebpfless)
+	}
+
 	return modes
 }
 

pkg/ebpf/ebpftest/buildmode_linux.go

@@ -302,6 +302,8 @@ type Config struct {
 	// buffers (>=5.8) will result in forcing the use of Perf Maps instead.
 	EnableUSMRingBuffers bool
 
+	EnableEbpfless bool
+
 	// EnableUSMEventStream enables USM to use the event stream instead
 	// of netlink for receiving process events.
 	EnableUSMEventStream bool
@@ -406,6 +408,8 @@ func New() *Config {
 
 		EnableNPMConnectionRollup: cfg.GetBool(join(netNS, "enable_connection_rollup")),
 
+		EnableEbpfless: cfg.GetBool(join(netNS, "enable_ebpfless")),
+
 		// Service Monitoring
 		EnableJavaTLSSupport:        cfg.GetBool(join(smjtNS, "enabled")),
 		JavaAgentDebug:              cfg.GetBool(join(smjtNS, "debug")),

pkg/network/config/config.go

@@ -23,6 +23,7 @@ import (
 
 	"github.com/DataDog/datadog-agent/comp/core/telemetry"
 	"github.com/DataDog/datadog-agent/pkg/network/driver"
+	"github.com/DataDog/datadog-agent/pkg/network/filter"
 )
 
 const (
@@ -99,7 +100,7 @@ func (d *dnsDriver) SetDataFilters(filters []driver.FilterDefinition) error {
 }
 
 // ReadDNSPacket visits a raw DNS packet if one is available.
-func (d *dnsDriver) ReadDNSPacket(visit func([]byte, time.Time) error) (didRead bool, err error) {
+func (d *dnsDriver) ReadDNSPacket(visit func(data []byte, info filter.PacketInfo, t time.Time) error) (didRead bool, err error) {
 	var bytesRead uint32
 	var key uintptr // returned by GetQueuedCompletionStatus, then ignored
 	var ol *windows.Overlapped
@@ -125,7 +126,7 @@ func (d *dnsDriver) ReadDNSPacket(visit func([]byte, time.Time) error) (didRead
 
 	start := driver.FilterPacketHeaderSize
 
-	if err := visit(buf.data[start:], captureTime); err != nil {
+	if err := visit(buf.data[start:], nil, captureTime); err != nil {
 		return false, err
 	}
 

pkg/network/dns/driver_windows.go

@@ -11,17 +11,14 @@ import (
 	"fmt"
 	"math"
 
-	"golang.org/x/net/bpf"
-
-	"github.com/vishvananda/netns"
-
 	manager "github.com/DataDog/ebpf-manager"
+	"github.com/vishvananda/netns"
 
 	"github.com/DataDog/datadog-agent/comp/core/telemetry"
 	ddebpf "github.com/DataDog/datadog-agent/pkg/ebpf"
 	"github.com/DataDog/datadog-agent/pkg/network/config"
 	"github.com/DataDog/datadog-agent/pkg/network/ebpf/probes"
-	filterpkg "github.com/DataDog/datadog-agent/pkg/network/filter"
+	"github.com/DataDog/datadog-agent/pkg/network/filter"
 	"github.com/DataDog/datadog-agent/pkg/util/kernel"
 	"github.com/DataDog/datadog-agent/pkg/util/log"
 )
@@ -33,6 +30,26 @@ type dnsMonitor struct {
 
 // NewReverseDNS starts snooping on DNS traffic to allow IP -> domain reverse resolution
 func NewReverseDNS(cfg *config.Config, _ telemetry.Component) (ReverseDNS, error) {
+	// Create the RAW_SOCKET inside the root network namespace
+	var (
+		packetSrc *filter.AFPacketSource
+		srcErr    error
+		ns        netns.NsHandle
+	)
+	ns, err := cfg.GetRootNetNs()
+	if err != nil {
+		return nil, err
+	}
+	defer ns.Close()
+
+	err = kernel.WithNS(ns, func() error {
+		packetSrc, srcErr = filter.NewAFPacketSource(4 << 20) // 4 MB total
+		return srcErr
+	})
+	if err != nil {
+		return nil, err
+	}
+
 	currKernelVersion, err := kernel.HostVersion()
 	if err != nil {
 		// if the platform couldn't be determined, treat it as new kernel case
@@ -42,12 +59,11 @@ func NewReverseDNS(cfg *config.Config, _ telemetry.Component) (ReverseDNS, error
 	pre410Kernel := currKernelVersion < kernel.VersionCode(4, 1, 0)
 
 	var p *ebpfProgram
-	var filter *manager.Probe
-	var bpfFilter []bpf.RawInstruction
-	if pre410Kernel {
-		bpfFilter, err = generateBPFFilter(cfg)
-		if err != nil {
+	if pre410Kernel || cfg.EnableEbpfless {
+		if bpfFilter, err := generateBPFFilter(cfg); err != nil {
 			return nil, fmt.Errorf("error creating bpf classic filter: %w", err)
+		} else if err = packetSrc.SetBPF(bpfFilter); err != nil {
+			return nil, fmt.Errorf("could not set BPF filter on packet source: %w", err)
 		}
 	} else {
 		p, err = newEBPFProgram(cfg)
@@ -59,35 +75,21 @@ func NewReverseDNS(cfg *config.Config, _ telemetry.Component) (ReverseDNS, error
 			return nil, fmt.Errorf("error initializing ebpf programs: %w", err)
 		}
 
-		filter, _ = p.GetProbe(manager.ProbeIdentificationPair{EBPFFuncName: probes.SocketDNSFilter, UID: probeUID})
+		filter, _ := p.GetProbe(manager.ProbeIdentificationPair{EBPFFuncName: probes.SocketDNSFilter, UID: probeUID})
 		if filter == nil {
 			return nil, fmt.Errorf("error retrieving socket filter")
 		}
-	}
 
-	// Create the RAW_SOCKET inside the root network namespace
-	var (
-		packetSrc *filterpkg.AFPacketSource
-		srcErr    error
-		ns        netns.NsHandle
-	)
-	if ns, err = cfg.GetRootNetNs(); err != nil {
-		return nil, err
-	}
-	defer ns.Close()
-
-	err = kernel.WithNS(ns, func() error {
-		packetSrc, srcErr = filterpkg.NewPacketSource(filter, bpfFilter)
-		return srcErr
-	})
-	if err != nil {
-		return nil, err
+		if err = packetSrc.SetEbpf(filter); err != nil {
+			return nil, fmt.Errorf("could not set file descriptor for eBPF program: %w", err)
+		}
 	}
 
 	snoop, err := newSocketFilterSnooper(cfg, packetSrc)
 	if err != nil {
 		return nil, err
 	}
+
 	return &dnsMonitor{
 		snoop,
 		p,