ebpf | eBPF package for Go | Monitoring library

 by   acln0 Go Version: Current License: ISC

kandi X-RAY | ebpf Summary

ebpf is a Go library typically used in Performance Management, Monitoring applications. ebpf has no bugs, it has no vulnerabilities, it has a Permissive License and it has low support. You can download it from GitHub.

eBPF package for Go

            kandi-support Support

              ebpf has a low active ecosystem.
              It has 23 star(s) with 1 fork(s). There are 4 watchers for this library.
              It had no major release in the last 6 months.
              ebpf has no issues reported. There are no pull requests.
              It has a neutral sentiment in the developer community.
              The latest version of ebpf is current.

            kandi-Quality Quality

              ebpf has 0 bugs and 0 code smells.

            kandi-Security Security

              ebpf has no vulnerabilities reported, and its dependent libraries have no vulnerabilities reported.
              ebpf code analysis shows 0 unresolved vulnerabilities.
              There are 0 security hotspots that need review.

            kandi-License License

              ebpf is licensed under the ISC License. This license is Permissive.
              Permissive licenses have the least restrictions, and you can use them in most projects.

            kandi-Reuse Reuse

              ebpf releases are not available. You will need to build from source code and install.
              It has 2350 lines of code, 168 functions and 11 files.
              It has medium code complexity. Code complexity directly impacts maintainability of the code.

            Top functions reviewed by kandi - BETA

            kandi has reviewed ebpf and discovered the below as its top functions. This is intended to give you an instant insight into ebpf implemented functionality, and help decide if they suit your requirements.
            • bpF calls syscall.bpf.
            • init initializes host byte order.
            • unwrap tries to unwrap the given error, if any.
            • newObjectName returns an object name.
            • IsTooBig returns true if the error is due to an E2BIG error.
            • Iter calls the map's Iter function.
            • wrapMapOpError wraps an error in a MapOpError.
            • bptr converts a byte slice to a uintptr.
            • NullTerminatedString returns a copy of s.
            • wrapCmdError wraps a syscall error.

            ebpf Key Features

            No Key Features are available at this moment for ebpf.

            ebpf Examples and Code Snippets

            No Code Snippets are available at this moment for ebpf.

            Community Discussions

            QUESTION

            Test that an integer is different from two other integers in eBPF without branch opcodes
            Asked 2022-Mar-30 at 14:22

            I'm writing an eBPF kprobe that checks task UIDs, namely that the only permitted UID changes between calls to execve are those allowed by setuid(), seteuid() and setreuid() calls.

            Since the probe checks all tasks, it uses an unrolled loop that iterates starting from init_task, and it has to use at most 1024 or 8192 branches, depending on kernel version.

            My question is, how to implement a check that returns nonzero if there is an illegal change, defined by:

            ...

            ANSWER

            Answered 2022-Mar-30 at 14:22

            You should be able to do this using bitwise OR, XOR, shifts and integer multiplication. I assume your variables are all __s32 or __u32, cast them to __u64 before proceeding to avoid problems (otherwise cast every operand of the multiplications below to __u64).

            Clearly a != b can become a ^ b. The && is a bit trickier, but can be translated into a multiplication (where if any operand is 0 the result is 0). The first part of your condition then becomes:

            Source https://stackoverflow.com/questions/71267267

            QUESTION

            eBPF: 'bpf_map_update()' returns the 'invalid indirect read from stack' error
            Asked 2022-Mar-22 at 22:28

            I have an eBPF program with the following map definitions:

            ...

            ANSWER

            Answered 2022-Mar-22 at 22:28

            The verifier complains because your code is trying to read uninitialised data from the stack, in particular in your variable val.

            If we look at your code:

            Source https://stackoverflow.com/questions/71529801

            QUESTION

            eBPF sockops + redirection: Why we don't need DELETE elements from the sockmap?
            Asked 2022-Mar-17 at 04:15

            I am learning loopback TCP acceleration technique based on the eBPF sockmap / redirection.

            I've found that in all the relevant articles and examples, it seems that we just need to add entries to the sockmap table via the bpf_sock_hash_update method, then look up the table and redirect via the bpf_msg_redirect_hash method. For example: here, here, and here.

            I didn't find any code to delete entries from the sockmap table (eg: call bpf_map_delete_elem etc). At the same time, I also haven't found any code in the kernel that automatically deletes entries for the closed tcp connections, for example: here.

            So I'm curious, why is there no need to delete sockmap entries for closed connections in these articles and code?

            And do we need to detect TCP FIN events in our ebpf code and then explicitly delete the corresponding entry in the sockmap?

            Thanks :-)

            ...

            ANSWER

            Answered 2022-Mar-17 at 04:15

            After some testing, I realized that there is no need to manually delete the entries in the sockmap table.

            By observing the entries in the sockmap table using bpftool map dump id | grep "key:" | wc -l command, you can see that the table size is always equal to twice the number of concurrent TCP connections on the loopback device.

            So obviously closed TCP connections are automatically removed from the sockmap table.

            Source https://stackoverflow.com/questions/71475126

            QUESTION

            how to read all parameters from a function - ebpf
            Asked 2022-Mar-04 at 04:04

            So I have these macros

            ...

            ANSWER

            Answered 2022-Jan-29 at 23:36
            Use the PT_REGS_PARM*(x) macros

            PARM in PT_REGS_PARM1(x) stands for “parameter”. These macros give you access to the parameters of the function on which your kprobe or tracepoint is hooking to. So for example, PT_REGS_PARM1(ctx), where ctx is the struct pt_regs *ctx context passed as an argument to your eBPF program, will give you access to the first parameter, which is the file descriptor fd. Similarly, PT_REGS_PARM3(ctx) will give you the count, as you can confirm by looking at this kernel sample (write_size).

            ... But use bpf_probe_read_*() to stay safe with kernel memory

            Similarly, you can point to the buffer buf with PT_REGS_PARM2(ctx). However, this one is a pointer; if you want to manipulate the data contained in this buffer, you need another step, or the kernel may reject your program as unsafe. To read and copy some or all of the data from this buffer, you should use one of the eBPF helpers bpf_probe_read_*(void *dst, u32 size, const void *unsafe_ptr) (see relevant documentation). In your case, the data contained in that buffer comes from user space, so you want bpf_probe_read_user().

            Notes on CO-RE

            This does not really apply to your example, because your pointer is just a buffer. But if one of your arguments were a pointer to a struct, you would need similar precautions to dereference it and access its fields.

            And in such a case you might want to leverage CO-RE, to make sure that you would access the correct offsets when reading the fields. If you have CO-RE support, libbpf also provides bpf_core_read*() wrappers around the eBPF helpers, which make access relocatable. See the BPF CO-RE reference guide for more information.

            Also with CO-RE (technically, just BTF this time), certain types for tracing programs, in particular BPF_PROG_TYPE_TRACING, allow you to access struct fields without any helper (See the initial CO-RE article).

            Source https://stackoverflow.com/questions/70905815

            QUESTION

            Can I access the intermediate C code generated by BCC (BPF Compiler Collection)?
            Asked 2022-Feb-24 at 15:19

            I'm developing eBPF programs for kernel tracing using BCC. Once I got the following error message when running my code:

            ...

            ANSWER

            Answered 2022-Feb-24 at 08:55

            You can tell bcc to dump the rewritten C code by passing DEBUG_PREPROCESSOR to the BPF() call.

            Source https://stackoverflow.com/questions/71248878

            QUESTION

            Unable to unload BPF program
            Asked 2022-Feb-09 at 10:03

            I am unable to unload a BPF program from code. I am using the Cilium eBPF library to load the program and netlink to add the BPF function to an interface. Here's what I'm doing:

            ...

            ANSWER

            Answered 2022-Feb-09 at 08:31

            eBPF programs only unload when there are no more references to them (file descriptors, pins), but network links also hold their own references. So to unload the program, you first have to detach it from your network link.

            You can do so by setting the program fd to -1:

            Source https://stackoverflow.com/questions/71043359

            QUESTION

            Socket Buffer for bpf, __sk_buff
            Asked 2022-Feb-08 at 10:12

            I am playing with eBPF code and got a sample like so:

            ...

            ANSWER

            Answered 2022-Feb-08 at 09:09
            struct ethhdr *eth = data, eth_copy;
            

            Source https://stackoverflow.com/questions/71028557

            QUESTION

            Invalid access to packet even though check made before access
            Asked 2022-Jan-27 at 10:19

            I get invalid access to packet from the eBPF verifier even though I'm performing a check before accessing a byte from a packet. The offset is stored in a BPF_MAP_TYPE_ARRAY. The number of loop iterations doesn't matter because this problem happens even if I do one iteration.

            ...

            ANSWER

            Answered 2022-Jan-27 at 09:57

            I believe that because your offset comes from a map, the verifier cannot use it directly to estimate a boundary (R1's range) for accessing the packet.

            Try adding a check to bound your offset before your loop:

            Source https://stackoverflow.com/questions/70873332

            QUESTION

            In "xdp ebpf SEC("tracepoint/xdp/xdp_devmap_xmit")" what is xdp_devmap_xmit -- is this trace means trap handler code start for some kernel function
            Asked 2022-Jan-19 at 18:09

            I have ebpf xdp program with a function with elf section

            ...

            ANSWER

            Answered 2022-Jan-19 at 16:48
            What does the section name refer to?

            and what is tracepoint/xdp/xdp_devmap_xmit

            tracepoint/xdp/xdp_devmap_xmit is the name of the ELF section for this BPF program. The loader (here libbpf) will use this section name to know which BPF program type it is, and in this case, where to attach it.

            The section name for BPF programs of type tracepoint takes the format:

            Source https://stackoverflow.com/questions/70769922

            QUESTION

            reading updated value of ebpf's BPF_MAP_TYPE_HASH in userspace | Can read() linux function be used to get current value of object shared through map
            Asked 2022-Jan-16 at 12:10

            So I have a kernel eBPF program that attaches an XDP hook to interface eno1, and in it I have a map ip_map that is of type BPF_MAP_TYPE_HASH that I am sharing with userspace. So in my userspace I am getting the map's file descriptor, but now I would like to get updated values of struct share_me, which I am sharing with the help of the BPF_MAP_TYPE_HASH type map, in my userspace loader program.

            Can anyone please help me explain a bit as to how I can do this?

            So I am assuming if my map_fd is pointing to BPF_MAP_TYPE_HASH is pointing to my MAP then I can just do this int sizeof_share_me_read=read(map_fd,&share_me,sizeof(struct share_me)); so this way I can read current updated value of my map_fd(BPF_MAP_TYPE_HASH) shared from kernel ebpf program and that will contain current packet's ip header in struct iphdr dest_ip member of share_me object. Can any one please help me sort this out

            user.c

            ...

            ANSWER

            Answered 2022-Jan-16 at 12:10

            Now that you have the map fd, you need to use libbpf's bpf_map_lookup_elem function to read the values:

            Source https://stackoverflow.com/questions/70729426

            Community Discussions, Code Snippets contain sources that include Stack Exchange Network

            Vulnerabilities

            No vulnerabilities reported

            Install ebpf

            You can download it from GitHub.

            Support

            For any new features, suggestions and bugs, create an issue on GitHub. If you have any questions, check and ask questions on the community page on Stack Overflow.
            CLONE
          • HTTPS

            https://github.com/acln0/ebpf.git

          • CLI

            gh repo clone acln0/ebpf

          • sshUrl

            git@github.com:acln0/ebpf.git
