ebpf | eBPF package for Go | Monitoring library
kandi X-RAY | ebpf Summary
kandi X-RAY | ebpf Summary
eBPF package for Go
Support
Quality
Security
License
Reuse
Top functions reviewed by kandi - BETA
- bpF calls syscall . bpf .
- init initializes host byte order .
- unwrap tries to unwrap the given error if any .
- newObjectName returns an object name .
- IsTooBig returns true if the error is due to an E2BI error .
- Iter calls the map s Iter function .
- wrapMapOpError wraps an error in a MapOpError
- bptr converts a byte slice to a uintptr .
- NullTerminatedString returns a copy of s .
- wrapCmdError wraps sycall error
ebpf Key Features
ebpf Examples and Code Snippets
Community Discussions
Trending Discussions on ebpf
QUESTION
I'm writing an eBPF kprobe that checks task UIDs, namely that the only permitted UID changes between calls to execve are those allowed by setuid(), seteuid() and setreuid() calls.
Since the probe checks all tasks, it uses an unrolled loop that iterates starting from init_task, and it has to use at most 1024 or 8192 branches, depending on kernel version.
My question is, how to implement a check that returns nonzero if there is an illegal change, defined by:
...ANSWER
Answered 2022-Mar-30 at 14:22You should be able to do this using bitwise OR, XOR, shifts and integer multiplication. I assume your variables are all __s32
or __u32
, cast them to __u64
before proceeding to avoid problems (otherwise cast every operand of the multiplications below to __u64
).
Clearly a != b
can become a ^ b
. The &&
is a bit trickier, but can be translated into a multiplication (where if any operand is 0
the result is 0
). The first part of your condition then becomes:
QUESTION
I have an eBPF program with the following map definitions:
...ANSWER
Answered 2022-Mar-22 at 22:28The verifier complains because your code is trying to read uninitialised data from the stack, in particular in your variable val
.
If we look at your code:
QUESTION
I am learning loopback TCP acceleration technique based on the eBPF sockmap / redirection.
I've found that in all the relevant articles and examples, it seems that we just need to add entries to the sockmap table via the bpf_sock_hash_update
method, then look up the table and redirect via the bpf_msg_redirect_hash
method. For example: here, here, and here.
I didn't find any code to delete entries from the sockmap table (eg: call bpf_map_delete_elem etc). At the same time, I also haven't found any code in the kernel that automatically deletes entries for the closed tcp connections, for example: here.
So I'm curious, why is there no need to delete sockmap entries for closed connections in these articles and code?
And do we need to detect TCP FIN events in our ebpf code and then explicitly delete the corresponding entry in the sockmap?
Thanks :-)
...ANSWER
Answered 2022-Mar-17 at 04:15After some testing, I realized that there is no need to manually delete the entries in the sockmap table.
By observing the entries in the sockmap table using bpftool map dump id | grep "key:" | wc -l
command, you can see that the table size is always equal to twice the number of concurrent TCP connections on the loopback device.
So obviously closed TCP connections are automatically removed from the sockmap table.
QUESTION
So I have these macros
...ANSWER
Answered 2022-Jan-29 at 23:36PT_REGS_PARM*(x)
macros
PARM
in PT_REGS_PARM1(x)
stands for “parameter”. These macros give you access to the parameters of the function on which your kprobe or tracepoint is hooking to. So for example, PT_REGS_PARM1(ctx)
, where ctx
is the struct pt_regs *ctx
context passed as an argument to your eBPF program, will give you access to the first parameter, which is the file descriptor fd
. Similarly, PT_REGS_PARM3(ctx)
will give you the count
, as you can confirm by looking at this kernel sample (write_size
).
bpf_probe_read_*()
to stay safe with kernel memory
Similarly, you can point to the buffer buf
with PT_REGS_PARM2(ctx)
. However, this one is a pointer; if you want to manipulate the data contained in this buffer, you need another step, or the kernel may reject your program as unsafe. To read and copy some or all of the data from this buffer, you should use one of the eBPF helpers bpf_probe_read_*(void *dst, u32 size, const void *unsafe_ptr)
(see relevant documentation). In your case, the data contained in that buffer comes from user space, so you want bpf_probe_read_user()
.
This does not really apply to your example, because your pointer is just a buffer. But if one of your arguments were a pointer to a struct, you would need similar precautions to dereference it and access its fields.
And in such case you might want to leverage CO-RE, to make sure that you would access the correct offsets when reading the fields. If you have CO-RE support, libbpf also provides bpf_core_read*()
wrappers around the eBPF helpers, which make access relocatable. See the BPF CO-RE reference guide for more information.
Also with CO-RE (technically, just BTF this time), certain types for tracing programs, in particular BPF_PROG_TYPE_TRACING
, allow you to access struct fields without any helper (See the initial CO-RE article).
QUESTION
I'm developing eBPF programs for kernel tracing using BCC. Once I got the following error message when running my code:
...ANSWER
Answered 2022-Feb-24 at 08:55You can tell bcc to dump the rewritten C code by passing DEBUG_PREPROCESSOR
to the BPF()
call.
QUESTION
I am unable to unload a BPF program from code. I am using the Cilium eBPF library to load the program and netlink to add the BPF function to an interface. Here's what I'm doing:
...ANSWER
Answered 2022-Feb-09 at 08:31eBPF programs only unload when there are no more references to it(File descriptors, pins), but network links also hold their own references. So to unload the program, you first have to detach it from your network link.
You can do so by setting the program fd to -1:
QUESTION
I am playing ebpf code and got a sample like so:
...ANSWER
Answered 2022-Feb-08 at 09:09struct ethhdr *eth = data, eth_copy;
QUESTION
I get invalid access to packet
from the eBPF verifier even though I'm performing a check before accessing a byte from a packet. The offset is stored in a BPF_MAP_TYPE_ARRAY
. The number of loop iterations don't matter because this problem happens even I do one iteration.
ANSWER
Answered 2022-Jan-27 at 09:57I believe that because your offset comes from a map, the verifier cannot use it directly to estimate a boundary (R1's range) for accessing the packet.
Try adding a check to bound your offset before your loop:
QUESTION
I have ebpf xdp program with a function with elf section
...ANSWER
Answered 2022-Jan-19 at 16:48and what is tracepoint/xdp/xdp_devmap_xmit
tracepoint/xdp/xdp_devmap_xmit
is the name of the ELF section for this BPF program. The loader (here libbpf) will use this section name to know which BPF program type it is, and in this case, where to attach it.
The section name for BPF programs of type tracepoint
takes the format:
QUESTION
So I have a kernel ebpf program that attach xdp hook to interface eno1, and in it I have a map ip_map
that is of type BPF_MAP_TYPE_HASH that I am sharing with userspace. So in my userspace I am getting map's file descriptor, But now I like to get updated values of
struct share_me
which I am sharing with the help of BPF_MAP_TYPE_HASH type map in my userspace loader program.
Any anyone please help me explain a bit, as to how I can do this,
So I am assuming if my map_fd
is pointing to BPF_MAP_TYPE_HASH is pointing to my MAP then I can just do this int sizeof_share_me_read=read(map_fd,&share_me,sizeof(struct share_me));
so this way I can read current updated value of my map_fd(BPF_MAP_TYPE_HASH)
shared from kernel ebpf program and that will contain current packet's ip header in struct iphdr dest_ip
member of share_me object. Can any one please help me sort this out
user.c
...ANSWER
Answered 2022-Jan-16 at 12:10Now that you have the map fd, you need to use libbpf's bpf_map_lookup_elem
function to read the values:
Community Discussions, Code Snippets contain sources that include Stack Exchange Network
Vulnerabilities
No vulnerabilities reported
Install ebpf
Support
Reuse Trending Solutions
Find, review, and download reusable Libraries, Code Snippets, Cloud APIs from over 650 million Knowledge Items
Find more librariesStay Updated
Subscribe to our newsletter for trending solutions and developer bootcamps
Share this Page