fix: Only handle tcp socket when probe connect and accept

It's unnecessary to record excluding-tcp sockets' info. So, when probe connect and accept, we only handle tcp socket by filtering `sk->sk_protocol`. Signed-off-by: Leon Hwang <[email protected]>
gojue · Dec 13, 2024 · ff0807c · ff0807c
1 parent 19b9bb6
commit ff0807c
Showing 1 changed file with 6 additions and 0 deletions.
diff --git a/kern/openssl.h b/kern/openssl.h
@@ -514,6 +514,7 @@ static __inline int kretprobe_connect(struct pt_regs *ctx, int fd, struct sock *
     u64 current_uid_gid = bpf_get_current_uid_gid();
     u32 uid = current_uid_gid;
     u16 address_family = 0;
+    u16 protocol;
     u64 addrs;
     u32 ports;
 
@@ -532,6 +533,11 @@ static __inline int kretprobe_connect(struct pt_regs *ctx, int fd, struct sock *
         return 0;
     }
 
+    bpf_probe_read_kernel(&protocol, sizeof(protocol), &sk->sk_protocol);
+    if (protocol != IPPROTO_TCP) {
+        return 0;
+    }
+
     // if the connection hasn't been established yet, the ports or addrs are 0.
     bpf_probe_read_kernel(&addrs, sizeof(addrs), &sk->__sk_common.skc_addrpair);
     bpf_probe_read_kernel(&ports, sizeof(ports), &sk->__sk_common.skc_portpair);