skb | simple keyboard indicator | Keyboard library

The socket field is NULL if the packet wasn't demultiplexed to a socket yet. For TCP, that happens in tcp_v4_early_demux().

So yes, that will depend on where you attach your BPF program. You'd need to attach it before the packet is demultiplexed to a socket.

This is no implicit or explicit mode. Those instructions simply take several arguments, some of which are implicit, some of which are explicit.

• The context is implicit because, as you explain, it must be referenced in r6, which means that it is not passed explicitly to the instruction by the user: You don't see r6 in BPF_LD_ABS(BPF_B, offsetof(struct iphdr, protocol)). It is an implicit convention that the instruction will expect the context from that register.

• By contrast, the source register and immediate value, also used by the instruction, are part of the instruction itself in the bytecode, making them explicit arguments.

The kernel documentation confirms it somewhat:

eBPF has two non-generic instructions: (BPF_ABS | | BPF_LD) and (BPF_IND | | BPF_LD) which are used to access packet data.

They had to be carried over from classic to have strong performance of socket filters running in eBPF interpreter. These instructions can only be used when interpreter context is a pointer to struct sk_buff and have seven implicit operands. Register R6 is an implicit input that must contain pointer to sk_buff. Register R0 is an implicit output which contains the data fetched from the packet. Registers R1-R5 are scratch registers and must not be used to store the data across BPF_ABS | BPF_LD or BPF_IND | BPF_LD instructions.

As a reminder:

• LD_ABS loads data from an absolute address, starting from the beginning of the context (stored in r6) and adding the offset contained in the imm field. The data is stored into r0 (implicit output). It does not use the src register.

• LD_IND performs an indirect load, it first offsets the context with the (variable) value from the src register, and then adds the (fixed) imm value as a second offset to reach the bytes to load into r0.

The error is not caused by bpf_trace_prink(), but by the skb accesses that are present in your bytecode only when you call bpf_trace_printk().

Accessing skb->local_ip4 and skb->remote_ip4 is not allowed for programs of types BPF_PROG_TYPE_LWT_OUT, that you use.

See kernel code: The function that checks for valid access for this type returns false for certain offsets or range in skb:

Thanks to @stark i found a solution i free the buffer now with the __kfree_skb() methode because like that the refcount will not be checked.

You need to do skb_reserve() up front on the allocated buffer, before doing any skb_put() calls for user data or skb_push() for eth/IP headers. You were segfaulting trying to skb_push() first, on a buffer without proper reservations. I also had a few other suggestions for you:

1. Include your complete source next time!
2. Rearrange the order of your pushed headers to make a legit UDP/IP packet
3. dev_get_by_name() may fail; should check before trying to memcpy to its buffer
4. Push the user data before any eth/IP header(s)
5. Return 0 rather than 1 from a module's init() to indicate success

A tutorial page like this may help to put it all together: http://vger.kernel.org/~davem/skb_data.html The code below does not segfault on my Debian 10 system with a 4.19 Linux kernel.

If this answer helps you, please mark as the accepted one - thanks.

Seems that in your hook you want to make a decision on packet based on conntrack(CT) info about the connection state - to block (drop) all the TCP packets which are in the middle of connection, i.e. packets both without SYN flag and without connection entry in CT.

So if you want to reap the benefits of CT, you have to let him work a bit.
Now your hook is in NF_INET_PRE_ROUTING with NF_IP_PRI_FIRST priority. Just look at the picture of Linux kernel packet flow. If we talk about pre-routing chain CT-handling is somewhere after RAW table (i.e. with a lower priority).
The list of priorities you can see here:

The highlighted line (the one with skb_copy_to_linear_data()) indeed copies entire packet data from the buffer in the driver-internal Rx ring (rx_buf) to the data buffer of the skb.

I would strongly recommend doing this sort of post processing in userspace; bpf_trace_printk isn't meant for production environment anyway (see the large warnings it leaves in syslogs). It will also be difficult and inefficient to print the UDP payload with bpf_trace_printk.

To post-process in userspace, you can rely on bpf_skb_output, or its higher-level counterpart in bcc, perf_submit_skb(). That will allow you to pass the packet to userspace, which can then display its UDP payload.

You can find a tutorial and an example on the bcc repository.

What you can do on the BPF side:

• Printing src_ip in the IP address format is fairly easy. You can follow this StackOverflow answer.
• You can't print the full, variable-length UDP payload, but you could print the first N bytes by passing them to bpf_trace_printk as follows.

See the table below, within the scope of also, this.currentPosition is fullscreen_video.currentPosition, instead of your var currentPosition

Kotlin's scope operators are like a swiss army knife with a method for every scenario.

https://kotlinlang.org/docs/reference/scope-functions.html

Function Object reference Return value Is extension function let it Lambda result Yes run this Lambda result Yes run - Lambda result No: called without the context object with this Lambda result No: takes the context object as an argument. apply this Context object Yes also it Context object Yes

It can be really useful for DSL APIs and also calling multiple setters after creating a simple Java object.