ebpf | Go library to read , modify and load eBPF programs | Router library

The verifier complains because your code is trying to read uninitialised data from the stack, in particular in your variable val.

If we look at your code:

After some testing, I realized that there is no need to manually delete the entries in the sockmap table.

By observing the entries in the sockmap table using bpftool map dump id | grep "key:" | wc -l command, you can see that the table size is always equal to twice the number of concurrent TCP connections on the loopback device.

So obviously closed TCP connections are automatically removed from the sockmap table.

PARM in PT_REGS_PARM1(x) stands for “parameter”. These macros give you access to the parameters of the function on which your kprobe or tracepoint is hooking to. So for example, PT_REGS_PARM1(ctx), where ctx is the struct pt_regs *ctx context passed as an argument to your eBPF program, will give you access to the first parameter, which is the file descriptor fd. Similarly, PT_REGS_PARM3(ctx) will give you the count, as you can confirm by looking at this kernel sample (write_size).

Similarly, you can point to the buffer buf with PT_REGS_PARM2(ctx). However, this one is a pointer; if you want to manipulate the data contained in this buffer, you need another step, or the kernel may reject your program as unsafe. To read and copy some or all of the data from this buffer, you should use one of the eBPF helpers bpf_probe_read_*(void *dst, u32 size, const void *unsafe_ptr) (see relevant documentation). In your case, the data contained in that buffer comes from user space, so you want bpf_probe_read_user().

This does not really apply to your example, because your pointer is just a buffer. But if one of your arguments were a pointer to a struct, you would need similar precautions to dereference it and access its fields.

And in such case you might want to leverage CO-RE, to make sure that you would access the correct offsets when reading the fields. If you have CO-RE support, libbpf also provides bpf_core_read*() wrappers around the eBPF helpers, which make access relocatable. See the BPF CO-RE reference guide for more information.

Also with CO-RE (technically, just BTF this time), certain types for tracing programs, in particular BPF_PROG_TYPE_TRACING, allow you to access struct fields without any helper (See the initial CO-RE article).

You can tell bcc to dump the rewritten C code by passing DEBUG_PREPROCESSOR to the BPF() call.

eBPF programs only unload when there are no more references to it(File descriptors, pins), but network links also hold their own references. So to unload the program, you first have to detach it from your network link.

You can do so by setting the program fd to -1:

I believe that because your offset comes from a map, the verifier cannot use it directly to estimate a boundary (R1's range) for accessing the packet.

Try adding a check to bound your offset before your loop:

and what is tracepoint/xdp/xdp_devmap_xmit

tracepoint/xdp/xdp_devmap_xmit is the name of the ELF section for this BPF program. The loader (here libbpf) will use this section name to know which BPF program type it is, and in this case, where to attach it.

The section name for BPF programs of type tracepoint takes the format:

Now that you have the map fd, you need to use libbpf's bpf_map_lookup_elem function to read the values: