pping: Do both timestamping and matching on ingress and egress

Perform both timestamping and matching on both ingress and egress
hooks. This makes it more similar to Kathie's pping, allowing the tool
to capture RTTs in both directions when deployed on just a single
interface.

Like Kathie's pping, by default filter out RTTs for packets going to
the local machine (will only include local processing delays). This
behavior can be disabled by passing the -l/--include-local option.

As packets that are timestamped on ingress and matched on egress will
include the local machines processing delay, add the "match_on_egress"
member to the JSON output that can be used to differentiate between
RTTs that include the local processing delay, and those which don't.

Finally, report the source and destination addresses from the perspective
of the reply packet, rather than the timestamped packet, to be
consistent with Kathie's pping.

Overall, refactor large parts of pping_kern to allow both timestamping
and matching, as well as updating both the flow and reverse flow and
handle flow-events related to them, in one go. Also update README to
reflect changes.

Signed-off-by: Simon Sundberg <simon.sundberg@kau.se>

pping/pping.c

@@ -15,11 +15,8 @@ static const char *__doc__ =
 #include <unistd.h>
 #include <getopt.h>
 #include <stdbool.h>
-#include <limits.h>
 #include <signal.h> // For detecting Ctrl-C
 #include <sys/resource.h> // For setting rlmit
-#include <sys/wait.h>
-#include <sys/stat.h>
 #include <time.h>
 #include <pthread.h>
 
@@ -108,6 +105,7 @@ static const struct option long_options[] = {
 	{ "ingress-hook",     required_argument, NULL, 'I' }, // Use tc or XDP as ingress hook
 	{ "tcp",              no_argument,       NULL, 'T' }, // Calculate and report RTTs for TCP traffic (with TCP timestamps)
 	{ "icmp",             no_argument,       NULL, 'C' }, // Calculate and report RTTs for ICMP echo-reply traffic
+	{ "include-local",    no_argument,       NULL, 'l' }, // Also report "internal" RTTs
 	{ 0, 0, NULL, 0 }
 };
 
@@ -172,11 +170,12 @@ static int parse_arguments(int argc, char *argv[], struct pping_config *config)
 	double rate_limit_ms, cleanup_interval_s, rtt_rate;
 
 	config->ifindex = 0;
+	config->bpf_config.localfilt = true;
 	config->force = false;
 	config->bpf_config.track_tcp = false;
 	config->bpf_config.track_icmp = false;
 
-	while ((opt = getopt_long(argc, argv, "hfTCi:r:R:t:c:F:I:", long_options,
+	while ((opt = getopt_long(argc, argv, "hflTCi:r:R:t:c:F:I:", long_options,
 				  NULL)) != -1) {
 		switch (opt) {
 		case 'i':
@@ -257,6 +256,9 @@ static int parse_arguments(int argc, char *argv[], struct pping_config *config)
 				return -EINVAL;
 			}
 			break;
+		case 'l':
+			config->bpf_config.localfilt = false;
+			break;
 		case 'f':
 			config->force = true;
 			config->xdp_flags &= ~XDP_FLAGS_UPDATE_IF_NOEXIST;
@@ -504,9 +506,9 @@ static bool flow_timeout(void *key_ptr, void *val_ptr, __u64 now)
 		if (print_event_func) {
 			fe.event_type = EVENT_TYPE_FLOW;
 			fe.timestamp = now;
-			fe.flow = *(struct network_tuple *)key_ptr;
-			fe.event_info.event = FLOW_EVENT_CLOSING;
-			fe.event_info.reason = EVENT_REASON_FLOW_TIMEOUT;
+			reverse_flow(&fe.flow, key_ptr);
+			fe.flow_event_type = FLOW_EVENT_CLOSING;
+			fe.reason = EVENT_REASON_FLOW_TIMEOUT;
 			fe.source = EVENT_SOURCE_USERSPACE;
 			print_event_func(NULL, 0, &fe, sizeof(fe));
 		}
@@ -657,6 +659,7 @@ static const char *flowevent_to_str(enum flow_event_type fe)
 	case FLOW_EVENT_OPENING:
 		return "opening";
 	case FLOW_EVENT_CLOSING:
+	case FLOW_EVENT_CLOSING_BOTH:
 		return "closing";
 	default:
 		return "unknown";
@@ -674,8 +677,6 @@ static const char *eventreason_to_str(enum flow_event_reason er)
 		return "first observed packet";
 	case EVENT_REASON_FIN:
 		return "FIN";
-	case EVENT_REASON_FIN_ACK:
-		return "FIN-ACK";
 	case EVENT_REASON_RST:
 		return "RST";
 	case EVENT_REASON_FLOW_TIMEOUT:
@@ -688,9 +689,9 @@ static const char *eventreason_to_str(enum flow_event_reason er)
 static const char *eventsource_to_str(enum flow_event_source es)
 {
 	switch (es) {
-	case EVENT_SOURCE_EGRESS:
+	case EVENT_SOURCE_PKT_SRC:
 		return "src";
-	case EVENT_SOURCE_INGRESS:
+	case EVENT_SOURCE_PKT_DEST:
 		return "dest";
 	case EVENT_SOURCE_USERSPACE:
 		return "userspace-cleanup";
@@ -740,8 +741,8 @@ static void print_event_standard(void *ctx, int cpu, void *data,
 		printf(" %s ", proto_to_str(e->rtt_event.flow.proto));
 		print_flow_ppvizformat(stdout, &e->flow_event.flow);
 		printf(" %s due to %s from %s\n",
-		       flowevent_to_str(e->flow_event.event_info.event),
-		       eventreason_to_str(e->flow_event.event_info.reason),
+		       flowevent_to_str(e->flow_event.flow_event_type),
+		       eventreason_to_str(e->flow_event.reason),
 		       eventsource_to_str(e->flow_event.source));
 	}
 }
@@ -790,15 +791,16 @@ static void print_rttevent_fields_json(json_writer_t *ctx,
 	jsonw_u64_field(ctx, "sent_bytes", re->sent_bytes);
 	jsonw_u64_field(ctx, "rec_packets", re->rec_pkts);
 	jsonw_u64_field(ctx, "rec_bytes", re->rec_bytes);
+	jsonw_bool_field(ctx, "match_on_egress", re->match_on_egress);
 }
 
 static void print_flowevent_fields_json(json_writer_t *ctx,
 					const struct flow_event *fe)
 {
 	jsonw_string_field(ctx, "flow_event",
-			   flowevent_to_str(fe->event_info.event));
+			   flowevent_to_str(fe->flow_event_type));
 	jsonw_string_field(ctx, "reason",
-			   eventreason_to_str(fe->event_info.reason));
+			   eventreason_to_str(fe->reason));
 	jsonw_string_field(ctx, "triggered_by", eventsource_to_str(fe->source));
 }