trace_dns_drops traces DNS drops by ip_vs_in and ipt_do_table.

trace_dns_drops.bt

#!/usr/bin/env bpftrace
/*
 * trace_dns_drops traces DNS drops by ip_vs_in and ipt_do_table.
 * 
 * Background:
 * 1. Before 5.9, ip_vs_in can cause UDP packets drops when IPVS RS deleted
 *  and source port reused, See https://github.com/kubernetes/kubernetes/issues/71514 for more details.
 * 2. Misconfiguration of iptables can cause DNS drops.
 * 
 * Usage:
 * trace_dns_drops.bt
 */
#include <linux/skbuff.h>
#include <linux/ip.h>
#include <linux/udp.h>

BEGIN
{
	printf("Tracing DNS drops. Hit Ctrl-C to end.\n");
	printf("%-8s %-8s %-16s %-25s %20s %21s\n", "TIME", "PID", "SKB", "FUNC", "LADDR:LPORT", "RADDR:RPORT");
}

kprobe:ip_vs_remote_request4
{
	@skb[tid] = (struct sk_buff *)arg1;
	@func[tid] = "ip_vs_remote_request4";
}

kprobe:ip_vs_local_request4
{
	@skb[tid] = (struct sk_buff *)arg1;
	@func[tid] = "ip_vs_local_request4";
}

kprobe:ipt_do_table
{
	@skb[tid] = (struct sk_buff *)arg0;
	@func[tid] = "ipt_do_table";
}

kretprobe:ip_vs_remote_request4,
kretprobe:ip_vs_local_request4,
kretprobe:ipt_do_table
/@skb[tid]/
{
	if (retval != NF_DROP) {
		return;
	}
	$skb = @skb[tid];
	$func = @func[tid];
	$iph = (struct iphdr *)($skb->head + $skb->network_header);
	$proto = $iph->protocol;
	if ($proto != IPPROTO_UDP) {
		return;
	}
	$sip = ntop(AF_INET, $iph->saddr);
	$dip = ntop(AF_INET, $iph->daddr);
	$udphdr = (struct udphdr *)($skb->head + $skb->transport_header);
	$sport = (($udphdr->source & 0x00ff) << 8) | (($udphdr->source & 0xff00) >> 8);
	$dport = (($udphdr->dest & 0x00ff) << 8) | (($udphdr->dest & 0xff00) >> 8);
	time("%H:%M:%S ");
	printf("%-8d %-16lx %-25s %14s:%-6d %14s:%-6d\n", pid, $skb, $func, $sip, $sport, $dip, $dport);
	return;
}

END
{
	clear(@skb);
	clear(@func);
}