kandi X-RAY | bpf Summary
kandi X-RAY | bpf Summary
bpf
Support
Quality
Security
License
Reuse
Top functions reviewed by kandi - BETA
- Initialize the JFrame
- Performs Kerberos authentication
- Starts the local proxy server
- Initialize data bindings
- Main method
- Initialize proxy context
- Initialize the system
- Merge two properties
- Initialize this instance
- Closes the context
bpf Key Features
bpf Examples and Code Snippets
Community Discussions
Trending Discussions on bpf
QUESTION
I see for python BCC implementation the syscall __x64_sys_openat is used to attach a kprobe, however in libbpf implementation a kprobe is attached to sys_enter_openat. It seems both capture openat() syscall, I tested it with cat file.txt.
What is the difference between them? And which one is more reliable to use?
...ANSWER
Answered 2022-Mar-30 at 09:05__x64_sys_openat is the name of some function in the Linux kernel, to which BCC attaches a kprobe.
sys_enter_openat is the name of a tracepoint in Linux, meaning that this is a (more or less) stable interface to which you can hook for tracing, including with an eBPF program. You can see the available tracepoints on your system by listing the entries under /sys/kernel/debug/tracing/events/. I think BCC also has a utility called tplist to help with it.
When given the choice, I would recommend hooking at tracepoints if possible, because they tend to be more stable than kernel internals: The parameters for __x64_sys_openat, or the name of that function, could change between different kernel versions for example; or the name would change on an other architecture, et cætera. However, the tracepoint is unlikely to change. Note that the instability of kernel's internals is somewhat mitigated for eBPF with CO-RE.
Then it is not always possible to hook to a tracepoint: You can only use one of the existing tracepoints from the kernel. If you want to hook to another random function where no tracepoint is present (and assuming this function was not inlined at compilation time - check this by looking for it in /proc/kallsyms), then you want to use a kprobe.
Sometimes you also need to pay extra attention to where you hook. For example, for security use cases (i.e. blocking a syscall), syscall tracepoints (or the corresponding kernel functions, obviously) are not always the best hooking points because they might leave you open to TOCTOU attacks. LSM hooks could be a good solution for that use case.
QUESTION
I have a docker container with an XDP program loaded on it. I also have a batch file for the bpftool to run. When I run bpftool batch file tmp_bpftool.txt, I get Error: reading batch file failed: Operation not permitted. I am the root in the container. So, what could possibly be the problem?
The batch file is as below: (512 updates on map 59 and 1 update on map 58)
...ANSWER
Answered 2022-Mar-29 at 00:11TL;DR: Your map update works fine. The message is a bug in bpftool.
Bpftool updates the maps just as you would expect; and then, after processing all the batch file, it checks errno. If errno is 0, it supposes that everything went fine, and it's good. If not, it prints strerror(errno) so you can see what went wrong when processing the file.
errno being set is not due to your map updates. I'm not entirely sure of what's happening to it. The bug was seemingly introduced with commit cf9bf714523d ("tools: bpftool: Allow unprivileged users to probe features"), where we manipulate process capabilities with libcap. Having a call to cap_get_proc() in feature.c is apparently enough for the executable to pick it up and to run some checks on capabilities that are supported, or not, on the system even if we're not doing any probing. I'm observing the following calls with strace:
QUESTION
I am learning loopback TCP acceleration technique based on the eBPF sockmap / redirection.
I've found that in all the relevant articles and examples, it seems that we just need to add entries to the sockmap table via the bpf_sock_hash_update method, then look up the table and redirect via the bpf_msg_redirect_hash method. For example: here, here, and here.
I didn't find any code to delete entries from the sockmap table (eg: call bpf_map_delete_elem etc). At the same time, I also haven't found any code in the kernel that automatically deletes entries for the closed tcp connections, for example: here.
So I'm curious, why is there no need to delete sockmap entries for closed connections in these articles and code?
And do we need to detect TCP FIN events in our ebpf code and then explicitly delete the corresponding entry in the sockmap?
Thanks :-)
...ANSWER
Answered 2022-Mar-17 at 04:15After some testing, I realized that there is no need to manually delete the entries in the sockmap table.
By observing the entries in the sockmap table using bpftool map dump id | grep "key:" | wc -l command, you can see that the table size is always equal to twice the number of concurrent TCP connections on the loopback device.
So obviously closed TCP connections are automatically removed from the sockmap table.
QUESTION
Here's how I'm trying to initialize a BPF_MAP_TYPE_PERCPU_ARRAY of structs to a default value. The array contains counters the user space program will read.
ANSWER
Answered 2022-Mar-16 at 19:52This specific part is triggering this error:
QUESTION
Up until Linux 5.8 CAP_SYSADMIN was required to load any but the most basic BPF program. The recently introduced CAP_BPF is a welcome addition as it allows to run software leveraging BPF with less privileges.
Certain types of BPF programs can access packet data. The pre-4.7 way of doing it is via bpf_skb_load_bytes() helper. As the verifier got smarter, it became possible to perform "direct packet access", i.e. to access packet bytes by following pointers in the context structure. E.g:
ANSWER
Answered 2022-Mar-09 at 10:00To make direct packet accesses in your program, you will need CAP_PERFMON in addition to CAP_BPF. I'm not aware of any way around it.
Why?
Because of Spectre vulnerabilities, someone able to perform arithmetic on unbounded pointers (i.e., all except stack and map value pointers) can read arbitrary memory via speculative out-of-bounds loads.
Such operations thus need to be forbidden for unprivileged users. Allowing CAP_BPF users to perform those operations would essentially give read access to arbitrary memory to CAP_BPF. For those reasons, I doubt this limitation will be lifted in the future.
QUESTION
I am trying to understand the solana/example-helloworld by re-writing the rust lib myself. I have done this and from the package.json file, to generate the .so file, following is what is run:
ANSWER
Answered 2022-Feb-28 at 11:09.so file are signifies solana files, right?
so stand for shared object, also known as a dynamically relocatable library or dylib in Cargo.toml.
What do we mean by cargo build-bpf?
BPF is a virtual machine inside the kernel, so this should instruct cargo to build for that target.
Is there any reason, why 2021 edition didn't work for the solana example?
I don't know, but I suspect it's a simple fix.
Finally, why does the above command not output my .so file?
Could it be that you are missing the lib section in Cargo.toml:
QUESTION
I am trying to run anchor build and am receiving the following response:
...ANSWER
Answered 2022-Jan-13 at 17:27It looks like your solana install is quite out of date. I would install either 1.8.11 or just run solana-install update
QUESTION
I captured some packets with pcapplusplus on our Ubuntu server, and wrote to .pcap files, then I read the .pcap files, it just worked fine; but when I set the filter with BPF Syntax,it could not read from the .pcap files, the filter is just a tcp string, and it worked well with the example input.pcap, but not work with my pcap files,
...ANSWER
Answered 2022-Feb-24 at 22:18@pchaigno is correct; you need to do vlan and tcp or, to catch both VLAN-encapsulated and non-VLAN-encapsulated TCP packets, tcp or (vlan and tcp).
QUESTION
When I try to attach a BPF program in XDP offload mode, I get Invalid argument. I get the same error if attach through code or by using bpftool. Here's how I'm attaching using netlink:
ANSWER
Answered 2022-Feb-10 at 21:09Mellanox cards support some hardware offload (e.g., flow control rules), but not the offload of BPF programs as far as I know. The only Ethernet adapters out there that support BPF offloading are Netronome's cards.
One way to check this is to grep for the XDP_SETUP_PROG_HW BPF netdev command in the Linux source code:
QUESTION
I am unable to unload a BPF program from code. I am using the Cilium eBPF library to load the program and netlink to add the BPF function to an interface. Here's what I'm doing:
...ANSWER
Answered 2022-Feb-09 at 08:31eBPF programs only unload when there are no more references to it(File descriptors, pins), but network links also hold their own references. So to unload the program, you first have to detach it from your network link.
You can do so by setting the program fd to -1:
Community Discussions, Code Snippets contain sources that include Stack Exchange Network
Vulnerabilities
No vulnerabilities reported
Install bpf
You can use bpf like any standard Java library. Please include the the jar files in your classpath. You can also use any IDE and you can run and debug the bpf component as you would do with any other Java program. Best practice is to use a build tool that supports dependency management such as Maven or Gradle. For Maven installation, please refer maven.apache.org. For Gradle installation, please refer gradle.org .
Support
Reuse Trending Solutions
Find, review, and download reusable Libraries, Code Snippets, Cloud APIs from over 650 million Knowledge Items
Find more librariesStay Updated
Subscribe to our newsletter for trending solutions and developer bootcamps
Share this Page
