fluent · cosmo0920 · Apr 1, 2026 · Apr 1, 2026 · Apr 1, 2026 · Apr 1, 2026
@@ -24,7 +24,9 @@
 #include "traces/traces.h"
 
 int trace_register(struct flb_in_ebpf_context *ctx, const char *name,
-                   struct bpf_object *obj, trace_event_handler_t handler) {
+                   void *skel, struct bpf_object *obj,
+                   trace_skel_destroy_func_t skel_destroy,
+                   trace_event_handler_t handler) {
     struct trace_context *trace;
     struct bpf_map *map, *events_map;
     int map_fd;
@@ -38,7 +40,9 @@ int trace_register(struct flb_in_ebpf_context *ctx, const char *name,
 
     trace = &ctx->traces[ctx->trace_count];
     trace->name = name;
+    trace->skel = skel;
     trace->obj = obj;
+    trace->skel_destroy = skel_destroy;
     trace->handler = handler;
 
     bpf_object__for_each_map(map, obj) {
@@ -102,7 +106,8 @@ int trace_setup(struct flb_in_ebpf_context *ctx, const char *trace_name) {
             return -1;
         }
 
-        if (trace_register(ctx, trace_name, obj, reg->handler) != 0) {
+        if (trace_register(ctx, trace_name, skel, obj,
+                           reg->skel_destroy, reg->handler) != 0) {
             flb_plg_error(ctx->ins, "failed to register trace handler for: %s", trace_name);
             reg->skel_destroy(skel);
             return -1;
@@ -137,6 +142,7 @@ static int in_ebpf_collect(struct flb_input_instance *ins, struct flb_config *co
 }
 
 static int in_ebpf_init(struct flb_input_instance *ins, struct flb_config *config, void *data) {
+    int i;
     struct flb_in_ebpf_context *ctx;
     struct mk_list *head;
     struct flb_kv *kv;
@@ -170,6 +176,14 @@ static int in_ebpf_init(struct flb_input_instance *ins, struct flb_config *confi
             flb_plg_debug(ctx->ins, "processing trace: %s", trace_name);
             if (trace_setup(ctx, trace_name) != 0) {
                 flb_plg_error(ctx->ins, "failed to configure trace: %s", trace_name);
+                for (i = 0; i < ctx->trace_count; i++) {
+                    ring_buffer__free(ctx->traces[i].rb);
+                    if (ctx->traces[i].skel_destroy) {
+                        ctx->traces[i].skel_destroy(ctx->traces[i].skel);
+                    }
+                }
+                flb_log_event_encoder_destroy(ctx->log_encoder);
+                flb_free(ctx->traces);
                 flb_free(ctx);
                 return -1;
             }
@@ -185,7 +199,9 @@ static int in_ebpf_init(struct flb_input_instance *ins, struct flb_config *confi
         flb_plg_error(ctx->ins, "failed to set up collector");
         for (int i = 0; i < ctx->trace_count; i++) {
             ring_buffer__free(ctx->traces[i].rb);
-            bpf_object__close(ctx->traces[i].obj);
+            if (ctx->traces[i].skel_destroy) {
+                ctx->traces[i].skel_destroy(ctx->traces[i].skel);
+            }
         }
         flb_log_event_encoder_destroy(ctx->log_encoder);
         flb_free(ctx);
@@ -217,7 +233,9 @@ static int in_ebpf_exit(void *in_context, struct flb_config *config) {
 
     for (int i = 0; i < ctx->trace_count; i++) {
         ring_buffer__free(ctx->traces[i].rb);
-        bpf_object__close(ctx->traces[i].obj);
+        if (ctx->traces[i].skel_destroy) {
+            ctx->traces[i].skel_destroy(ctx->traces[i].skel);
+        }
     }
 
     if (ctx->log_encoder) {
@@ -244,7 +262,7 @@ static struct flb_config_map config_map[] = {
     {
      FLB_CONFIG_MAP_STR, "Trace", NULL,
      FLB_CONFIG_MAP_MULT, FLB_FALSE, 0,
-     "Set the eBPF trace to enable (for example, bind, malloc, signal, vfs). Can be set multiple times"
+     "Set the eBPF trace to enable (for example, bind, malloc, signal, vfs, tcp). Can be set multiple times"
     },
     /* EOF */
     {0}

@@ -19,6 +19,12 @@ static inline char *event_type_to_string(enum event_type type) {
             return "bind";
         case EVENT_TYPE_VFS:
             return "vfs";
+        case EVENT_TYPE_LISTEN:
+            return "listen";
+        case EVENT_TYPE_ACCEPT:
+            return "accept";
+        case EVENT_TYPE_CONNECT:
+            return "connect";
         default:
             return "unknown";
     }

@@ -13,6 +13,9 @@ enum event_type {
     EVENT_TYPE_MEM,   // For memory operations
     EVENT_TYPE_BIND,  // Added event type for bind operations
     EVENT_TYPE_VFS,
+    EVENT_TYPE_LISTEN,
+    EVENT_TYPE_ACCEPT,
+    EVENT_TYPE_CONNECT,
 };
 
 enum vfs_op {
@@ -35,40 +38,35 @@ enum memop {
     MEMOP_PVALLOC,
 };
 
-/* Common fields for all events */
 struct event_common {
-    __u64 timestamp_raw;           // Event timestamp in nanoseconds
-    __u32 pid;                     // Process ID
-    __u32 tid;                     // Thread ID
-    __u32 uid;                     // User ID
-    __u32 gid;                     // Group ID
-    __u64 mntns_id;                // Mount namespace ID
-    char comm[TASK_COMM_LEN];      // Command name (process name)
+    __u64 timestamp_raw;
+    __u32 pid;
+    __u32 tid;
+    __u32 uid;
+    __u32 gid;
+    __u64 mntns_id;
+    char comm[TASK_COMM_LEN];
 };
 
-/* Specific fields for execve events */
 struct execve_event {
-    __u32 tpid;                    // Target Process ID (for execve)
-    char filename[PATH_MAX];       // Filename being executed
-    char argv[256];                // Arguments (simplified for example)
-    __u32 argc;                    // Argument count
+    __u32 tpid;
+    char filename[PATH_MAX];
+    char argv[256];
+    __u32 argc;
 };
 
-/* Specific fields for signal events */
 struct signal_event {
-    __u32 tpid;                    // Target Process ID (for signal)
-    int sig_raw;                   // Signal number
-    int error_raw;                 // Error code (for failed syscalls)
+    __u32 tpid;
+    int sig_raw;
+    int error_raw;
 };
 
-/* Specific fields for memory operations */
 struct mem_event {
-    enum memop operation;          // Memory operation type (malloc, free, etc.)
-    __u64 addr;                    // Address of the operation
-    __u64 size;                    // Size of the memory operation (for malloc)
+    enum memop operation;
+    __u64 addr;
+    __u64 size;
 };
 
-/* Specific fields for bind events */
 struct bind_event {
     struct {
         __u16 port;
@@ -93,17 +91,48 @@ struct vfs_event {
     int error_raw;
 };
 
-/* The main event structure */
+struct tcp_addr {
+    __u16 port;
+    __u8 version;
+    __u8 proto_raw;
+    union {
+        __u32 v4;
+        __u32 v6[4];
+    } addr_raw;
+};
+
+struct listen_event {
+    int fd;
+    int backlog;
+    int error_raw;
+};
+
+struct accept_event {
+    int fd;
+    int new_fd;
+    struct tcp_addr peer;
+    int error_raw;
+};
+
+struct connect_event {
+    int fd;
+    struct tcp_addr remote;
+    int error_raw;
+};
+
 struct event {
     enum event_type type;           // Type of event (execve, signal, mem, bind)
     struct event_common common;     // Common fields for all events
     union {
         struct execve_event execve;
         struct signal_event signal;
-        struct mem_event mem;       // Memory event details
-        struct bind_event bind;     // Bind event details
-        struct vfs_event vfs;       // VFS event details
-    } details;                      // Event-specific details
+        struct mem_event mem;
+        struct bind_event bind;
+        struct vfs_event vfs;
+        struct listen_event listen;
+        struct accept_event accept;
+        struct connect_event connect;
+    } details;
 };
 
 #endif // TRACE_EVENTS_H