Hi, I'm doing some experiments with eBPF. I need to iterate through all the values in the BPF map and check if such a value exists in the map from the kernel space. However, to my understanding, the eBPF verifier wouldn't load a program into the kernel if it has a loop inside. So I think iterating through all the keys and looking up the values for every key is not an option (maybe I could try to hard-code it, but I wish to avoid it if possible?). Is there a method you guys would suggest? Thanks!

Rosè
  • Why do you need to do that? Could you describe your use case in more detail? Couldn't you have a second map with values as keys? – pchaigno Jan 20 '20 at 08:07
  • Recent kernels have support for bounded loops, so iterating might actually work. But as pchaigno says, you may have more efficient workarounds. – Qeole Jan 20 '20 at 08:46
  • @pchaigno My intention is to keep the IP addresses that I want to block in the blacklist and have my XDP compare the incoming packet's source IP address with the addresses in my blacklist. So in this case, even if I use values as map keys, I would still have to iterate through all the values in the blacklist I think? – Rosè Jan 20 '20 at 09:00
  • @Qeole I didn't know it was added! I will try to iterate through the map. I will have to do more research about how to more efficiently get the job done though! :D – Rosè Jan 20 '20 at 09:01
  • Why don't you create a hashmap with source IP address as keys and whatever as values? If the entry for a given IP address is present in the hashmap, then it's blocked; otherwise, it's not. Then you just need to add and remove IP addresses from the hashmap from userspace. I don't understand why you need IP addresses as values...? – pchaigno Jan 20 '20 at 09:06
  • @pchaigno My initial thought was to use a BPF array map and add all the IP addresses I want to block in there. The reason for using a BPF array map was just simply because I got used to it. I should have given more thought to it! If you were in my situation, would you use a hashmap like you suggested? Maybe because array maps have values preallocated and use up memory that I don't necessarily need at the moment, or is there any other reason? – Rosè Jan 20 '20 at 09:21
  • In your situation we would go (and have done so multiple times in the past) with hash maps, just like pchaigno explained. The reason is exactly the issue you are facing: with hash maps, no need to iterate, just look for the IP as a key. It is much more efficient (and way easier to implement). – Qeole Jan 20 '20 at 14:19
  • @Qeole Oh I understand now. I didn't really think of it in a way that an iteration wouldn't be necessary if I use hash maps. Thanks a lot for the help! – Rosè Jan 21 '20 at 01:15
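
The hash-map blocklist that pchaigno and Qeole describe in the comments, written out as an added example (not code from the thread or its participants). The map name `blocklist`, its `max_entries`, and the function names are assumptions; non-IPv4 and VLAN-tagged frames are simply passed.

```c
/* Added example: XDP source-IP blocklist backed by a hash map (names are assumptions).
 * Build: clang -O2 -g -target bpf -c xdp_blocklist.c -o xdp_blocklist.o */
#include <linux/bpf.h>
#include <linux/if_ether.h>
#include <linux/ip.h>

/* Bounds-checked parse: returns 0 and stores the IPv4 source address
 * (network byte order) in *saddr, or -1 if this is not a full IPv4 header. */
static inline __attribute__((always_inline))
int parse_ipv4_saddr(void *data, void *data_end, __u32 *saddr)
{
    struct ethhdr *eth = data;
    if ((void *)(eth + 1) > data_end)
        return -1;
    if (eth->h_proto != __constant_htons(ETH_P_IP))
        return -1;
    struct iphdr *ip = (void *)(eth + 1);
    if ((void *)(ip + 1) > data_end)
        return -1;
    *saddr = ip->saddr;
    return 0;
}

#ifdef __bpf__   /* kernel-side part, compiled only with -target bpf */
#include <bpf/bpf_helpers.h>

struct {
    __uint(type, BPF_MAP_TYPE_HASH);
    __uint(max_entries, 10240);
    __type(key, __u32);   /* IPv4 source address, network byte order */
    __type(value, __u8);  /* unused; presence of the key means "blocked" */
} blocklist SEC(".maps");

SEC("xdp")
int xdp_blocklist(struct xdp_md *ctx)
{
    void *data = (void *)(long)ctx->data;
    void *data_end = (void *)(long)ctx->data_end;
    __u32 saddr;
    if (parse_ipv4_saddr(data, data_end, &saddr) < 0)
        return XDP_PASS;  /* not IPv4: out of scope for this blocklist */
    /* One keyed lookup replaces any iteration over the blocked addresses. */
    if (bpf_map_lookup_elem(&blocklist, &saddr))
        return XDP_DROP;
    return XDP_PASS;
}

char LICENSE[] SEC("license") = "GPL";
#endif
```

Userspace adds or removes a blocked address by inserting or deleting the corresponding key in the map; the XDP program itself never needs a loop.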

0 Answers